selinux-refpolicy/refpolicy/policy/modules/system/init.te

416 lines
12 KiB
Plaintext

policy_module(init,1.0)
########################################
#
# Declarations
#
#
# init_t is the domain of the init process.
#
type init_t;
domain_make_domain(init_t)
role system_r types init_t;
#
# init_exec_t is the type of the init program.
#
type init_exec_t;
kernel_userland_entry(init_t,init_exec_t)
domain_make_entrypoint_file(init_t,init_exec_t)
#
# init_var_run_t is the type for /var/run/shutdown.pid.
#
type init_var_run_t;
files_make_daemon_runtime_file(init_var_run_t)
#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type initctl_t;
files_make_file(initctl_t)
type initrc_t;
domain_make_domain(initrc_t)
role system_r types initrc_t;
type initrc_exec_t;
domain_make_entrypoint_file(initrc_t,initrc_exec_t)
type initrc_devpts_t;
fs_associate(initrc_devpts_t)
fs_associate_noxattr(initrc_devpts_t)
term_pty(initrc_devpts_t)
type initrc_var_run_t;
files_make_daemon_runtime_file(initrc_var_run_t)
type initrc_state_t;
files_make_file(initrc_state_t)
type initrc_tmp_t;
files_make_temporary_file(initrc_tmp_t)
########################################
#
# Init local policy
#
# Use capabilities. old rule:
allow init_t self:capability ~sys_module;
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
# kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
allow init_t self:fifo_file rw_file_perms;
# Re-exec itself
allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
# For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
files_create_daemon_runtime_data(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
dev_create_dev_node(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
# Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
kernel_set_boolean(init_t)
kernel_read_system_state(init_t)
kernel_read_hardware_state(init_t)
kernel_share_state(init_t)
term_use_all_terms(init_t)
corecommands_chroot(init_t)
corecommands_execute_general_programs(init_t)
corecommands_execute_system_programs(init_t)
domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
files_read_general_system_config(init_t)
files_modify_system_runtime_data(init_t)
files_ignore_search_isid_type_dir(init_t)
files_manage_runtime_system_config(init_t)
# Run /etc/X11/prefdm:
files_execute_system_config_script(init_t)
# file descriptors inherited from the rootfs:
files_ignore_modify_rootfs_file(init_t)
files_ignore_modify_rootfs_device(init_t)
libraries_use_dynamic_loader(init_t)
libraries_use_shared_libraries(init_t)
libraries_modify_dynamic_loader_cache(init_t)
logging_send_system_log_message(init_t)
logging_modify_system_logs(init_t)
selinux_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(init_t)
fs_create_tmpfs_data(init_t,initctl_t,fifo_file)
')
optional_policy(`authlogin.te',`
authlogin_modify_login_records(init_t)
')
# Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',`
userdomain_sysadm_shell_transition(init_t)
')
########################################
#
# Init script local policy
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
allow initrc_t self:passwd rootok;
# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
allow initrc_t self:tcp_socket create_stream_socket_perms;
allow initrc_t self:udp_socket create_socket_perms;
allow initrc_t self:fifo_file rw_file_perms;
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t init_t:fd use;
allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
allow initrc_t initrc_state_t:dir create_dir_perms;
allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
allow initrc_t initrc_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(initrc_t,initrc_var_run_t)
allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir })
kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t)
kernel_read_network_state(initrc_t)
kernel_read_ring_buffer(initrc_t)
kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_hardware_state(initrc_t)
kernel_rw_hardware_config_option(initrc_t)
kernel_read_all_sysctl(initrc_t)
kernel_rw_all_sysctl(initrc_t)
kernel_get_selinux_enforcement_mode(initrc_t)
kernel_list_usb_hardware(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
bootloader_read_kernel_symbol_table(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_raw_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
corenet_raw_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
dev_read_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_snd_mixer_dev(initrc_t)
dev_write_snd_mixer_dev(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_read_lvm_control(initrc_t)
dev_delete_lvm_control(initrc_t)
# Wants to remove udev.tbl:
dev_del_generic_symlinks(initrc_t)
fs_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
storage_getattr_fixed_disk(initrc_t)
storage_setattr_fixed_disk(initrc_t)
storage_set_removable_device_attributes(initrc_t)
term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
authlogin_modify_login_records(initrc_t)
authlogin_modify_last_login_log(initrc_t)
authlogin_pam_read_runtime_data(initrc_t)
authlogin_pam_remove_runtime_data(initrc_t)
authlogin_pam_console_read_runtime_data_dir(initrc_t)
corecommands_execute_general_programs(initrc_t)
corecommands_execute_system_programs(initrc_t)
corecommands_execute_shell(initrc_t)
corecommands_execute_ls(initrc_t)
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_process_state(initrc_t)
domain_get_all_domains_session_id(initrc_t)
domain_use_widely_inheritable_file_descriptors(initrc_t)
# for lsof which is used by alsa shutdown:
domain_ignore_get_all_domains_udp_socket_attributes(initrc_t)
domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t)
domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t)
domain_ignore_get_all_domains_pipe_attributes(initrc_t)
files_get_all_file_attributes(initrc_t)
files_remove_all_tmp_data(initrc_t)
files_remove_all_lock_files(initrc_t)
files_read_all_daemon_runtime_data(initrc_t)
files_remove_all_daemon_runtime_data(initrc_t)
files_read_general_system_config(initrc_t)
files_manage_runtime_system_config(initrc_t)
files_manage_system_lock_files(initrc_t)
files_execute_system_config_script(initrc_t)
files_read_general_application_resources(initrc_t)
files_manage_pseudorandom_saved_seed(initrc_t)
files_manage_system_spools(initrc_t)
libraries_modify_dynamic_loader_cache(initrc_t)
libraries_use_dynamic_loader(initrc_t)
libraries_use_shared_libraries(initrc_t)
libraries_execute_library_scripts(initrc_t)
logging_send_system_log_message(initrc_t)
logging_modify_system_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
miscfiles_read_localization(initrc_t)
modutils_read_kernel_module_loading_config(initrc_t)
selinux_read_config(initrc_t)
sysnetwork_read_network_config(initrc_t)
udev_modify_database(initrc_t)
userdomain_read_all_users_data(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
userdomain_use_admin_terminals(initrc_t)
ifdef(`distro_debian', `
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
')
ifdef(`distro_redhat',`
# this is from kmodule, which should get its own policy:
allow initrc_t self:capability sys_admin;
# Red Hat systems seem to have a stray
# fd open from the initrd
kernel_dontaudit_use_fd(initrc_t)
files_ignore_read_rootfs_file(initrc_t)
kernel_set_enforcement_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
bootloader_create_runtime_data(initrc_t)
bootloader_modify_bootloader_data_directory_symbolic_links(initrc_t)
# These seem to be from the initrd
# during device initialization:
dev_create_dir(initrc_t)
dev_rwx_zero_dev(initrc_t)
dev_rx_raw_memory(initrc_t)
dev_wx_raw_memory(initrc_t)
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
fs_use_tmpfs_character_devices(initrc_t)
files_create_boot_flag(initrc_t)
# readahead asks for these
mta_read_mail_aliases(initrc_t)
')
optional_policy(`hotplug.te',`
kernel_read_usb_hardware_state(initrc_t)
# init scripts run /etc/hotplug/usb.rc
hotplug_read_config(initrc_t)
modutils_read_kernel_module_dependencies(initrc_t)
')
optional_policy(`lvm.te',`
#allow initrc_t lvm_control_t:chr_file unlink;
dev_read_lvm_control(initrc_t)
dev_create_generic_chr_file(initrc_t)
')
optional_policy(`rhgb.te',`
corecommands_make_shell_entrypoint(initrc_t)
')
optional_policy(`rpm.te',`
# bash tries to access a block device in the initrd
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
# for a bug in rm
files_ignore_write_all_daemon_runtime_data(initrc_t)
# bash tries ioctl for some reason
files_ignore_ioctl_all_daemon_runtime_data(initrc_t)
# why is this needed:
rpm_manage_package_database(initrc_t)
') dnl end rpm.te
ifdef(`TODO',`
# Mount and unmount file systems.
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
# Set device ownerships/modes.
allow initrc_t xconsole_device_t:fifo_file setattr;
# for lsof in shutdown scripts
can_kerberos(initrc_t)
dontaudit initrc_t krb5_conf_t:file write;
allow initrc_t krb5_conf_t:file r_file_perms;
#
# These rules are here to allow init scripts to su
#
optional_policy(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;
# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
')
ifdef(`distro_redhat', `
# readahead asks for these
allow initrc_t var_lib_nfs_t:file r_file_perms;
')
ifdef(`targeted_policy', `
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
')
#
# Shutting down xinet causes these
#
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;
') dnl end TODO