dfccb1658f
With udev now using /run for its data, the init script responsible for preparing the environment to start up udev needs to be able to setup this location as well. We here allow init scripts to create the /run/udev location (transitioning to udev_var_run_t) and manage this content (creating the /run/udev subdirectories). Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
883 lines
21 KiB
Plaintext
883 lines
21 KiB
Plaintext
policy_module(init, 1.18.4)
|
|
|
|
gen_require(`
|
|
class passwd rootok;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Enable support for upstart as the init program.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(init_upstart, false)
|
|
|
|
# used for direct running of init scripts
|
|
# by admin domains
|
|
attribute direct_run_init;
|
|
attribute direct_init;
|
|
attribute direct_init_entry;
|
|
|
|
attribute init_script_domain_type;
|
|
attribute init_script_file_type;
|
|
attribute init_run_all_scripts_domain;
|
|
|
|
# Mark process types as daemons
|
|
attribute daemon;
|
|
|
|
#
|
|
# init_t is the domain of the init process.
|
|
#
|
|
type init_t;
|
|
type init_exec_t;
|
|
domain_type(init_t)
|
|
domain_entry_file(init_t, init_exec_t)
|
|
kernel_domtrans_to(init_t, init_exec_t)
|
|
role system_r types init_t;
|
|
|
|
#
|
|
# init_var_run_t is the type for /var/run/shutdown.pid.
|
|
#
|
|
type init_var_run_t;
|
|
files_pid_file(init_var_run_t)
|
|
|
|
#
|
|
# initctl_t is the type of the named pipe created
|
|
# by init during initialization. This pipe is used
|
|
# to communicate with init.
|
|
#
|
|
type initctl_t;
|
|
files_type(initctl_t)
|
|
mls_trusted_object(initctl_t)
|
|
|
|
type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
|
|
type initrc_exec_t, init_script_file_type;
|
|
domain_type(initrc_t)
|
|
domain_entry_file(initrc_t, initrc_exec_t)
|
|
role system_r types initrc_t;
|
|
# should be part of the true block
|
|
# of the below init_upstart tunable
|
|
# but this has a typeattribute in it
|
|
corecmd_shell_entry_type(initrc_t)
|
|
|
|
type initrc_devpts_t;
|
|
term_pty(initrc_devpts_t)
|
|
files_type(initrc_devpts_t)
|
|
|
|
type initrc_state_t;
|
|
files_type(initrc_state_t)
|
|
|
|
type initrc_tmp_t;
|
|
files_tmp_file(initrc_tmp_t)
|
|
|
|
type initrc_var_log_t;
|
|
logging_log_file(initrc_var_log_t)
|
|
|
|
type initrc_var_run_t;
|
|
files_pid_file(initrc_var_run_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
type rc_exec_t;
|
|
domain_entry_file(initrc_t, rc_exec_t)
|
|
')
|
|
|
|
ifdef(`enable_mls',`
|
|
kernel_ranged_domtrans_to(init_t, init_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init local policy
|
|
#
|
|
|
|
# Use capabilities. old rule:
|
|
allow init_t self:capability ~sys_module;
|
|
# is ~sys_module really needed? observed:
|
|
# sys_boot
|
|
# sys_tty_config
|
|
# kill: now provided by domain_kill_all_domains()
|
|
# setuid (from /sbin/shutdown)
|
|
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
|
|
|
|
allow init_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
# Re-exec itself
|
|
can_exec(init_t, init_exec_t)
|
|
|
|
allow init_t initrc_t:unix_stream_socket connectto;
|
|
|
|
# For /var/run/shutdown.pid.
|
|
allow init_t init_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(init_t, init_var_run_t, file)
|
|
|
|
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
|
|
dev_filetrans(init_t, initctl_t, fifo_file)
|
|
|
|
# Modify utmp.
|
|
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
|
|
|
kernel_read_system_state(init_t)
|
|
kernel_share_state(init_t)
|
|
|
|
corecmd_exec_chroot(init_t)
|
|
corecmd_exec_bin(init_t)
|
|
|
|
dev_read_sysfs(init_t)
|
|
# Early devtmpfs
|
|
dev_rw_generic_chr_files(init_t)
|
|
|
|
domain_getpgid_all_domains(init_t)
|
|
domain_kill_all_domains(init_t)
|
|
domain_signal_all_domains(init_t)
|
|
domain_signull_all_domains(init_t)
|
|
domain_sigstop_all_domains(init_t)
|
|
domain_sigchld_all_domains(init_t)
|
|
|
|
files_read_etc_files(init_t)
|
|
files_rw_generic_pids(init_t)
|
|
files_dontaudit_search_isid_type_dirs(init_t)
|
|
files_manage_etc_runtime_files(init_t)
|
|
files_etc_filetrans_etc_runtime(init_t, file)
|
|
# Run /etc/X11/prefdm:
|
|
files_exec_etc_files(init_t)
|
|
# file descriptors inherited from the rootfs:
|
|
files_dontaudit_rw_root_files(init_t)
|
|
files_dontaudit_rw_root_chr_files(init_t)
|
|
|
|
fs_list_inotifyfs(init_t)
|
|
# cjp: this may be related to /dev/log
|
|
fs_write_ramfs_sockets(init_t)
|
|
|
|
mcs_process_set_categories(init_t)
|
|
mcs_killall(init_t)
|
|
|
|
mls_file_read_all_levels(init_t)
|
|
mls_file_write_all_levels(init_t)
|
|
mls_process_write_down(init_t)
|
|
mls_fd_use_all_levels(init_t)
|
|
|
|
selinux_set_all_booleans(init_t)
|
|
|
|
term_use_all_terms(init_t)
|
|
|
|
# Run init scripts.
|
|
init_domtrans_script(init_t)
|
|
|
|
libs_rw_ld_so_cache(init_t)
|
|
|
|
logging_send_syslog_msg(init_t)
|
|
logging_rw_generic_logs(init_t)
|
|
|
|
seutil_read_config(init_t)
|
|
|
|
miscfiles_read_localization(init_t)
|
|
|
|
ifdef(`distro_gentoo',`
|
|
allow init_t self:process { getcap setcap };
|
|
|
|
init_exec_rc(initrc_t)
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
fs_read_tmpfs_symlinks(init_t)
|
|
fs_rw_tmpfs_chr_files(init_t)
|
|
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
|
|
')
|
|
|
|
tunable_policy(`init_upstart',`
|
|
corecmd_shell_domtrans(init_t, initrc_t)
|
|
',`
|
|
# Run the shell in the sysadm role for single-user mode.
|
|
# causes problems with upstart
|
|
sysadm_shell_domtrans(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
auth_rw_login_records(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sssd_stream_connect(init_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(init_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Init script local policy
|
|
#
|
|
|
|
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
|
|
allow initrc_t self:capability ~{ sys_admin sys_module };
|
|
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
|
|
allow initrc_t self:passwd rootok;
|
|
allow initrc_t self:key manage_key_perms;
|
|
|
|
# Allow IPC with self
|
|
allow initrc_t self:unix_dgram_socket create_socket_perms;
|
|
allow initrc_t self:unix_stream_socket { create listen accept ioctl read getattr write setattr append bind connect getopt setopt shutdown connectto };
|
|
allow initrc_t self:tcp_socket create_stream_socket_perms;
|
|
allow initrc_t self:udp_socket create_socket_perms;
|
|
allow initrc_t self:fifo_file rw_file_perms;
|
|
|
|
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
|
|
term_create_pty(initrc_t, initrc_devpts_t)
|
|
|
|
# Going to single user mode
|
|
init_telinit(initrc_t)
|
|
|
|
can_exec(initrc_t, init_script_file_type)
|
|
|
|
domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
|
|
|
|
manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
|
|
|
allow initrc_t initrc_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
|
|
|
|
can_exec(initrc_t, initrc_tmp_t)
|
|
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
|
manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
|
manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
|
|
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
|
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
|
|
logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
|
|
|
|
init_write_initctl(initrc_t)
|
|
|
|
kernel_read_system_state(initrc_t)
|
|
kernel_read_software_raid_state(initrc_t)
|
|
kernel_read_network_state(initrc_t)
|
|
kernel_read_ring_buffer(initrc_t)
|
|
kernel_change_ring_buffer_level(initrc_t)
|
|
kernel_clear_ring_buffer(initrc_t)
|
|
kernel_get_sysvipc_info(initrc_t)
|
|
kernel_read_all_sysctls(initrc_t)
|
|
kernel_rw_all_sysctls(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
kernel_dontaudit_getattr_message_if(initrc_t)
|
|
|
|
files_create_lock_dirs(initrc_t)
|
|
files_pid_filetrans_lock_dir(initrc_t, "lock")
|
|
files_read_kernel_symbol_table(initrc_t)
|
|
files_setattr_lock_dirs(initrc_t)
|
|
|
|
corecmd_exec_all_executables(initrc_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(initrc_t)
|
|
corenet_all_recvfrom_netlabel(initrc_t)
|
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
|
corenet_udp_sendrecv_all_if(initrc_t)
|
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
|
corenet_tcp_connect_all_ports(initrc_t)
|
|
corenet_sendrecv_all_client_packets(initrc_t)
|
|
|
|
dev_read_rand(initrc_t)
|
|
dev_read_urand(initrc_t)
|
|
dev_write_kmsg(initrc_t)
|
|
dev_write_rand(initrc_t)
|
|
dev_write_urand(initrc_t)
|
|
dev_rw_sysfs(initrc_t)
|
|
dev_list_usbfs(initrc_t)
|
|
dev_read_framebuffer(initrc_t)
|
|
dev_write_framebuffer(initrc_t)
|
|
dev_read_realtime_clock(initrc_t)
|
|
dev_read_sound_mixer(initrc_t)
|
|
dev_write_sound_mixer(initrc_t)
|
|
dev_setattr_all_chr_files(initrc_t)
|
|
dev_rw_lvm_control(initrc_t)
|
|
dev_delete_lvm_control_dev(initrc_t)
|
|
dev_manage_generic_symlinks(initrc_t)
|
|
dev_manage_generic_files(initrc_t)
|
|
# Wants to remove udev.tbl:
|
|
dev_delete_generic_symlinks(initrc_t)
|
|
dev_getattr_all_blk_files(initrc_t)
|
|
dev_getattr_all_chr_files(initrc_t)
|
|
# Early devtmpfs
|
|
dev_rw_generic_chr_files(initrc_t)
|
|
|
|
domain_kill_all_domains(initrc_t)
|
|
domain_signal_all_domains(initrc_t)
|
|
domain_signull_all_domains(initrc_t)
|
|
domain_sigstop_all_domains(initrc_t)
|
|
domain_sigchld_all_domains(initrc_t)
|
|
domain_read_all_domains_state(initrc_t)
|
|
domain_getattr_all_domains(initrc_t)
|
|
domain_dontaudit_ptrace_all_domains(initrc_t)
|
|
domain_getsession_all_domains(initrc_t)
|
|
domain_use_interactive_fds(initrc_t)
|
|
# for lsof which is used by alsa shutdown:
|
|
domain_dontaudit_getattr_all_udp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
|
|
domain_dontaudit_getattr_all_pipes(initrc_t)
|
|
|
|
files_getattr_all_dirs(initrc_t)
|
|
files_getattr_all_files(initrc_t)
|
|
files_getattr_all_symlinks(initrc_t)
|
|
files_getattr_all_pipes(initrc_t)
|
|
files_getattr_all_sockets(initrc_t)
|
|
files_purge_tmp(initrc_t)
|
|
files_delete_all_locks(initrc_t)
|
|
files_read_all_pids(initrc_t)
|
|
files_delete_all_pids(initrc_t)
|
|
files_delete_all_pid_dirs(initrc_t)
|
|
files_read_etc_files(initrc_t)
|
|
files_manage_etc_runtime_files(initrc_t)
|
|
files_etc_filetrans_etc_runtime(initrc_t, file)
|
|
files_exec_etc_files(initrc_t)
|
|
files_read_usr_files(initrc_t)
|
|
files_manage_urandom_seed(initrc_t)
|
|
files_manage_generic_spool(initrc_t)
|
|
# Mount and unmount file systems.
|
|
# cjp: not sure why these are here; should use mount policy
|
|
files_list_isid_type_dirs(initrc_t)
|
|
files_mounton_isid_type_dirs(initrc_t)
|
|
files_list_default(initrc_t)
|
|
files_mounton_default(initrc_t)
|
|
|
|
fs_write_cgroup_files(initrc_t)
|
|
fs_list_inotifyfs(initrc_t)
|
|
fs_register_binary_executable_type(initrc_t)
|
|
# rhgb-console writes to ramfs
|
|
fs_write_ramfs_pipes(initrc_t)
|
|
# cjp: not sure why these are here; should use mount policy
|
|
fs_mount_all_fs(initrc_t)
|
|
fs_unmount_all_fs(initrc_t)
|
|
fs_remount_all_fs(initrc_t)
|
|
fs_getattr_all_fs(initrc_t)
|
|
|
|
# initrc_t needs to do a pidof which requires ptrace
|
|
mcs_ptrace_all(initrc_t)
|
|
mcs_killall(initrc_t)
|
|
mcs_process_set_categories(initrc_t)
|
|
|
|
mls_file_read_all_levels(initrc_t)
|
|
mls_file_write_all_levels(initrc_t)
|
|
mls_process_read_up(initrc_t)
|
|
mls_process_write_down(initrc_t)
|
|
mls_rangetrans_source(initrc_t)
|
|
mls_fd_share_all_levels(initrc_t)
|
|
|
|
selinux_get_enforce_mode(initrc_t)
|
|
|
|
storage_getattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_fixed_disk_dev(initrc_t)
|
|
storage_setattr_removable_dev(initrc_t)
|
|
|
|
term_use_all_terms(initrc_t)
|
|
term_reset_tty_labels(initrc_t)
|
|
|
|
auth_rw_login_records(initrc_t)
|
|
auth_setattr_login_records(initrc_t)
|
|
auth_rw_lastlog(initrc_t)
|
|
auth_read_pam_pid(initrc_t)
|
|
auth_delete_pam_pid(initrc_t)
|
|
auth_delete_pam_console_data(initrc_t)
|
|
auth_use_nsswitch(initrc_t)
|
|
|
|
libs_rw_ld_so_cache(initrc_t)
|
|
libs_exec_lib_files(initrc_t)
|
|
libs_exec_ld_so(initrc_t)
|
|
|
|
logging_send_audit_msgs(initrc_t)
|
|
logging_send_syslog_msg(initrc_t)
|
|
logging_manage_generic_logs(initrc_t)
|
|
logging_read_all_logs(initrc_t)
|
|
logging_append_all_logs(initrc_t)
|
|
logging_read_audit_config(initrc_t)
|
|
|
|
miscfiles_read_localization(initrc_t)
|
|
# slapd needs to read cert files from its initscript
|
|
miscfiles_read_generic_certs(initrc_t)
|
|
|
|
modutils_read_module_config(initrc_t)
|
|
modutils_domtrans_insmod(initrc_t)
|
|
|
|
seutil_read_config(initrc_t)
|
|
|
|
userdom_read_user_home_content_files(initrc_t)
|
|
# Allow access to the sysadm TTYs. Note that this will give access to the
|
|
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
|
|
# started from init should be placed in their own domain.
|
|
userdom_use_user_terminals(initrc_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
dev_setattr_generic_dirs(initrc_t)
|
|
|
|
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
|
|
|
|
# for storing state under /dev/shm
|
|
fs_setattr_tmpfs_dirs(initrc_t)
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_tmpfs_filetrans_fixed_disk(initrc_t)
|
|
|
|
files_setattr_etc_dirs(initrc_t)
|
|
')
|
|
|
|
ifdef(`distro_gentoo',`
|
|
kernel_dontaudit_getattr_core_if(initrc_t)
|
|
|
|
# seed udev /dev
|
|
allow initrc_t self:process setfscreate;
|
|
dev_create_null_dev(initrc_t)
|
|
dev_create_zero_dev(initrc_t)
|
|
dev_create_generic_dirs(initrc_t)
|
|
term_create_console_dev(initrc_t)
|
|
|
|
# unfortunately /sbin/rc does stupid tricks
|
|
# with /dev/.rcboot to decide if we are in
|
|
# early init
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_delete_generic_dirs(initrc_t)
|
|
|
|
# allow bootmisc to create /var/lock/.keep.
|
|
files_manage_generic_locks(initrc_t)
|
|
files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
|
|
|
|
# openrc uses tmpfs for its state data
|
|
fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
|
|
files_mountpoint(initrc_state_t)
|
|
|
|
# init scripts touch this
|
|
clock_dontaudit_write_adjtime(initrc_t)
|
|
|
|
logging_send_audit_msgs(initrc_t)
|
|
|
|
# for integrated run_init to read run_init_type.
|
|
# happens during boot (/sbin/rc execs init scripts)
|
|
seutil_read_default_contexts(initrc_t)
|
|
|
|
# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
|
|
sysnet_create_config(initrc_t)
|
|
sysnet_write_config(initrc_t)
|
|
sysnet_setattr_config(initrc_t)
|
|
|
|
optional_policy(`
|
|
alsa_read_lib(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
arpwatch_manage_data_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dhcpd_setattr_state_files(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
# this is from kmodule, which should get its own policy:
|
|
allow initrc_t self:capability sys_admin;
|
|
|
|
allow initrc_t self:process setfscreate;
|
|
|
|
# Red Hat systems seem to have a stray
|
|
# fd open from the initrd
|
|
kernel_dontaudit_use_fds(initrc_t)
|
|
files_dontaudit_read_root_files(initrc_t)
|
|
|
|
# These seem to be from the initrd
|
|
# during device initialization:
|
|
dev_create_generic_dirs(initrc_t)
|
|
dev_rwx_zero(initrc_t)
|
|
dev_rx_raw_memory(initrc_t)
|
|
dev_wx_raw_memory(initrc_t)
|
|
storage_raw_read_fixed_disk(initrc_t)
|
|
storage_raw_write_fixed_disk(initrc_t)
|
|
|
|
files_create_boot_dirs(initrc_t)
|
|
files_create_boot_flag(initrc_t)
|
|
files_rw_boot_symlinks(initrc_t)
|
|
# wants to read /.fonts directory
|
|
files_read_default_files(initrc_t)
|
|
files_mountpoint(initrc_tmp_t)
|
|
# Needs to cp localtime to /var dirs
|
|
files_write_var_dirs(initrc_t)
|
|
|
|
fs_read_tmpfs_symlinks(initrc_t)
|
|
fs_rw_tmpfs_chr_files(initrc_t)
|
|
|
|
storage_manage_fixed_disk(initrc_t)
|
|
storage_dev_filetrans_fixed_disk(initrc_t)
|
|
storage_getattr_removable_dev(initrc_t)
|
|
|
|
# readahead asks for these
|
|
auth_dontaudit_read_shadow(initrc_t)
|
|
|
|
# init scripts cp /etc/localtime over other directories localtime
|
|
miscfiles_rw_localization(initrc_t)
|
|
miscfiles_setattr_localization(initrc_t)
|
|
miscfiles_relabel_localization(initrc_t)
|
|
|
|
miscfiles_read_fonts(initrc_t)
|
|
miscfiles_read_hwdata(initrc_t)
|
|
|
|
optional_policy(`
|
|
alsa_manage_rw_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_manage_config_dirs(initrc_t)
|
|
bind_write_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#for /etc/rc.d/init.d/nfs to create /etc/exports
|
|
rpc_write_exports(initrc_t)
|
|
rpc_manage_nfs_state_data(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_rw_dhcp_config(initrc_t)
|
|
sysnet_manage_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_delete_log(initrc_t)
|
|
')
|
|
')
|
|
|
|
ifdef(`distro_suse',`
|
|
optional_policy(`
|
|
# set permissions on /tmp/.X11-unix
|
|
xserver_setattr_xdm_tmp_dirs(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
amavis_search_lib(initrc_t)
|
|
amavis_setattr_pid_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_rw_apm_bios(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_read_config(initrc_t)
|
|
apache_list_modules(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
asterisk_setattr_logs(initrc_t)
|
|
asterisk_setattr_pid_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_read_config(initrc_t)
|
|
|
|
# for chmod in start script
|
|
bind_setattr_pid_dirs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
bluetooth_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cgroup_stream_connect_cgred(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
clamav_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cpucontrol_stub(initrc_t)
|
|
dev_getattr_cpu_dev(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_getattr_printer_dev(initrc_t)
|
|
|
|
cups_read_log(initrc_t)
|
|
cups_read_rw_config(initrc_t)
|
|
#cups init script clears error log
|
|
cups_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_manage_svc(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(initrc_t)
|
|
dbus_system_bus_client(initrc_t)
|
|
dbus_read_config(initrc_t)
|
|
|
|
optional_policy(`
|
|
consolekit_dbus_chat(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
policykit_dbus_chat(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
|
|
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
|
|
# the directory. But we do not want to allow this.
|
|
# The master process of dovecot will manage this file.
|
|
dovecot_dontaudit_unlink_lib_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ftp_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpm_setattr_gpmctl(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hal_write_log(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dev_read_usbfs(initrc_t)
|
|
|
|
# init scripts run /etc/hotplug/usb.rc
|
|
hotplug_read_config(initrc_t)
|
|
|
|
modutils_read_module_deps(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inn_exec_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipsec_read_config(initrc_t)
|
|
ipsec_manage_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iscsi_stream_connect(initrc_t)
|
|
iscsi_read_lib_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ldap_read_config(initrc_t)
|
|
ldap_list_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
loadkeys_exec(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# in emergency/recovery situations use sulogin
|
|
locallogin_domtrans_sulogin(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# This is needed to permit chown to read /var/spool/lpd/lp.
|
|
# This is opens up security more than necessary; this means that ANYTHING
|
|
# running in the initrc_t domain can read the printer spool directory.
|
|
# Perhaps executing /etc/rc.d/init.d/lpd should transition
|
|
# to domain lpd_t, instead of waiting for executing lpd.
|
|
lpd_list_spool(initrc_t)
|
|
|
|
lpd_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
#allow initrc_t lvm_control_t:chr_file unlink;
|
|
|
|
dev_read_lvm_control(initrc_t)
|
|
dev_create_generic_chr_files(initrc_t)
|
|
|
|
lvm_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_list_data(initrc_t)
|
|
mailman_read_data_symlinks(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_read_config(initrc_t)
|
|
mta_dontaudit_read_spool_symlinks(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ifdef(`distro_redhat',`
|
|
mysql_manage_db_dirs(initrc_t)
|
|
')
|
|
|
|
mysql_stream_connect(initrc_t)
|
|
mysql_write_log(initrc_t)
|
|
mysql_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_list_var_yp(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
openvpn_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_manage_db(initrc_t)
|
|
postgresql_read_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postfix_list_spool(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
puppet_rw_tmp(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
quota_manage_flags(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
raid_manage_mdadm_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
fs_write_ramfs_sockets(initrc_t)
|
|
fs_search_ramfs(initrc_t)
|
|
|
|
rhgb_rw_stream_sockets(initrc_t)
|
|
rhgb_stream_connect(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_read_exports(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# bash tries to access a block device in the initrd
|
|
kernel_dontaudit_getattr_unlabeled_blk_files(initrc_t)
|
|
|
|
# for a bug in rm
|
|
files_dontaudit_write_all_pids(initrc_t)
|
|
|
|
# bash tries ioctl for some reason
|
|
files_dontaudit_ioctl_all_pids(initrc_t)
|
|
|
|
# why is this needed:
|
|
rpm_manage_db(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_rw_config(initrc_t)
|
|
samba_read_winbind_pid(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# shorewall-init script run /var/lib/shorewall/firewall
|
|
shorewall_lib_domtrans(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
squid_read_config(initrc_t)
|
|
squid_manage_logs(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# allow init scripts to su
|
|
su_restricted_domain_template(initrc, initrc_t, system_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_dontaudit_read_server_keys(initrc_t)
|
|
ssh_setattr_key_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_read_dhcpc_state(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_rw_db(initrc_t)
|
|
udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
|
|
udev_manage_pid_files(initrc_t)
|
|
udev_manage_pid_dirs(initrc_t)
|
|
udev_manage_rules_files(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
uml_setattr_util_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_stream_connect(initrc_t)
|
|
virt_manage_svirt_cache(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(initrc_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
# system-config-services causes avc messages that should be dontaudited
|
|
unconfined_dontaudit_rw_pipes(daemon)
|
|
')
|
|
|
|
optional_policy(`
|
|
mono_domtrans(initrc_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
vmware_read_system_config(initrc_t)
|
|
vmware_append_system_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
miscfiles_manage_fonts(initrc_t)
|
|
|
|
# cjp: is this really needed?
|
|
xfs_read_sockets(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Set device ownerships/modes.
|
|
xserver_setattr_console_pipes(initrc_t)
|
|
|
|
# init script wants to check if it needs to update windowmanagerlist
|
|
xserver_read_xdm_rw_config(initrc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
zebra_read_config(initrc_t)
|
|
')
|