## System initialization programs (init and init scripts).

######################################
##
## initrc stub interface.  No access allowed.
##
## Parameter $1: Domain allowed access
##
## The body only requires type initrc_t and adds no rules, so the
## argument is unused.
##
#
interface(`init_stub_initrc',`
	gen_require(`
		type initrc_t;
	')
')

########################################
##
## Create a file type used for init scripts.
##
##

## Create a file type used for init scripts. It can not be ## used in conjunction with init_script_domain(). These ## script files are typically stored in the /etc/init.d directory. ##

##

## Typically this is used to constrain what services an ## admin can start/stop. For example, a policy writer may want ## to constrain a web administrator to only being able to ## restart the web server, not other services. This special type ## will help address that goal. ##

##

## This also makes the type usable for files; thus an ## explicit call to files_type() is redundant. ##

##
##
## Parameter $1: Type to be used for a script file.
##
## Security note: the type joins init_script_file_type and is made an
## entry file for initrc_t, and every domain carrying the
## init_run_all_scripts_domain attribute gets a domain transition into
## initrc_t through files of this type.
##
#
interface(`init_script_file',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type, init_run_all_scripts_domain;
	')

	typeattribute $1 init_script_file_type;

	domain_entry_file(initrc_t, $1)

	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
')

########################################
##
## Create a domain used for init scripts.
##
##

## Create a domain used for init scripts. ## Can not be used in conjunction with ## init_script_file(). ##

##
##
## Parameter $1: Type to be used as an init script domain.
## Parameter $2: Type of the script file used as an entry point to this domain.
##
## Every domain carrying the init_run_all_scripts_domain attribute gets a
## domain transition into $1 through files of type $2.
##
#
interface(`init_script_domain',`
	gen_require(`
		attribute init_script_domain_type, init_script_file_type;
		attribute init_run_all_scripts_domain;
	')

	typeattribute $1 init_script_domain_type;
	typeattribute $2 init_script_file_type;

	domain_type($1)
	domain_entry_file($1, $2)

	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
')

########################################
##
## Create a domain which can be started by init.
##
## Parameter $1: Type to be used as a domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
##
## Besides the init_t -> $1 transition, init_t may create unix stream
## sockets labeled $1 and $1 may send datagrams to init_t.  The process2
## rule keeps the transition working when the no_new_privs flag is set or
## the entry point sits on a nosuid mount.
##
#
interface(`init_domain',`
	gen_require(`
		type init_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	domtrans_pattern(init_t, $2, $1)

	allow init_t $1:unix_stream_socket create_stream_socket_perms;
	allow $1 init_t:unix_dgram_socket sendto;
	allow init_t $1:process2 { nnp_transition nosuid_transition };

	ifdef(`hide_broken_symptoms',`
		# RHEL4 systems seem to have a stray
		# fds open from the initrd
		ifdef(`distro_rhel4',`
			kernel_dontaudit_use_fds($1)
		')
	')
')

########################################
##
## Allow SELinux domain transition from systemd
## into confined domain with NoNewPrivileges
## Systemd Security feature.
##
## Parameter $1: Domain allowed access.
##
## The process2 rule below is the same one init_domain() grants.
##
#
interface(`init_nnp_daemon_domain',`
	gen_require(`
		type init_t;
	')

	allow init_t $1:process2 { nnp_transition nosuid_transition };
')

########################################
##
## Create a domain which can be started by init,
## with a range transition.
##
## Parameter $1: Type to be used as a domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
## Parameter $3: Range for the domain.
##
## Calls init_domain() with the first two arguments; the range transition
## on the third argument is emitted only when enable_mcs or enable_mls is
## defined.
##
#
interface(`init_ranged_domain',`
	gen_require(`
		type init_t;
	')

	init_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition init_t $2:process $3;
		mls_rangetrans_target($1)
	')
')

########################################
##
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
##
##

## Create a domain for long running processes (daemons/services) ## which are started by init scripts. Short running processes ## should use the init_system_domain() interface instead. ## Typically all long running processes started by an init ## script (usually in /etc/init.d) will need to use this ## interface. ##

##

## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ##

##

## If the process must also run in a specific MLS/MCS level, ## the init_ranged_daemon_domain() should be used instead. ##

##
##
## Parameter $1: Type to be used as a daemon domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
##
## NOTE(review): only type_transition rules are declared here for
## initrc_domain and direct_run_init; the allow rules that make those
## transitions usable are not part of this interface and are presumably
## attached to the attributes elsewhere - confirm.  init_t, system_r and
## initrc_transition_domain are required but not referenced in the body.
##
#
interface(`init_daemon_domain',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		type init_t;
		role system_r;
		attribute daemon;
		attribute initrc_transition_domain;
		attribute initrc_domain;
	')

	typeattribute $1 daemon;
	typeattribute $2 direct_init_entry;

	domain_type($1)
	domain_entry_file($1, $2)

	type_transition initrc_domain $2:process $1;

	ifdef(`direct_sysadm_daemon',`
		type_transition direct_run_init $2:process $1;
		typeattribute $1 direct_init;
	')

	optional_policy(`
		systemd_connectto_socket_proxyd_unix_sockets($1)
	')
')

#######################################
##
## Create initrc domain.
##
## Parameter $1: Type to be used as a initrc daemon domain.
##
## Membership in initrc_domain makes the type a source of the
## type_transition rules that init_daemon_domain() and
## init_system_domain() declare.
##
#
interface(`init_initrc_domain',`
	gen_require(`
		attribute initrc_domain;
	')

	typeattribute $1 initrc_domain;
')

########################################
##
## Create a domain for long running processes
## (daemons/services) which are started by init scripts,
## running at a specified MLS/MCS range.
##
##

## Create a domain for long running processes (daemons/services) ## which are started by init scripts, running at a specified ## MLS/MCS range. Short running processes ## should use the init_ranged_system_domain() interface instead. ## Typically all long running processes started by an init ## script (usually in /etc/init.d) will need to use this ## interface if they need to run in a specific MLS/MCS range. ##

##

## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ##

##

## If the policy build option TYPE is standard (MLS and MCS disabled), ## this interface has the same behavior as init_daemon_domain(). ##

##
##
## Parameter $1: Type to be used as a daemon domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
## Parameter $3: MLS/MCS range for the domain.
##
## NOTE(review): the call to init_daemon_domain() is commented out in the
## body, so this interface only emits range transitions and, with MLS and
## MCS both disabled, expands to nothing.  That does not match the
## description of this interface; callers have to invoke
## init_daemon_domain() themselves - confirm this is intended.
##
#
interface(`init_ranged_daemon_domain',`
	gen_require(`
		type initrc_t;
		type init_t;
	')

#	init_daemon_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition initrc_t $2:process $3;
		mls_rangetrans_target($1)
		range_transition init_t $2:process $3;
	')
')

########################################
##
## Create a domain for short running processes
## which are started by init scripts.
##
##

## Create a domain for short running processes ## which are started by init scripts. These are generally applications that ## are used to initialize the system during boot. ## Long running processes, such as daemons/services ## should use the init_daemon_domain() interface instead. ## Typically all short running processes started by an init ## script (usually in /etc/init.d) will need to use this ## interface. ##

##

## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ##

##

## If the process must also run in a specific MLS/MCS level, ## the init_ranged_system_domain() should be used instead. ##

##
##
## Parameter $1: Type to be used as a system domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
##
## The domain and entry file setup is delegated to application_domain().
## init_t and initrc_transition_domain are required but not referenced in
## the body.
##
#
interface(`init_system_domain',`
	gen_require(`
		type init_t;
		role system_r;
		attribute initrc_transition_domain;
		attribute systemprocess, systemprocess_entry;
		attribute initrc_domain;
	')

	typeattribute $1 systemprocess;
	application_domain($1, $2)

	role system_r types $1;
	typeattribute $2 systemprocess_entry;

	type_transition initrc_domain $2:process $1;
')

########################################
##
## Create a domain for short running processes
## which are started by init scripts.
##
##

## Create a domain for short running processes ## which are started by init scripts. ## These are generally applications that ## are used to initialize the system during boot. ## Long running processes ## should use the init_ranged_daemon_domain() interface instead. ## Typically all short running processes started by an init ## script (usually in /etc/init.d) will need to use this ## interface if they need to run in a specific MLS/MCS range. ##

##

## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ##

##

## If the policy build option TYPE is standard (MLS and MCS disabled), ## this interface has the same behavior as init_system_domain(). ##

##
##
## Parameter $1: Type to be used as a system domain.
## Parameter $2: Type of the program to be used as an entry point to this domain.
## Parameter $3: Range for the domain.
##
#
interface(`init_ranged_system_domain',`
	gen_require(`
		type initrc_t;
		type init_t;
	')

	init_system_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
		mls_rangetrans_target($1)
	')
')

######################################
##
## Allow domain dyntransition to init_t domain.
##
## Parameter $1: Domain allowed to transition.
##
## NOTE(review): a dynamic transition into init_t hands the caller the
## privileges of the init domain; the set of callers deserves an audit.
##
#
interface(`init_dyntrans',`
	gen_require(`
		type init_t;
	')

	dyntrans_pattern($1, init_t)
	domain_dyntrans_type($1)
')

########################################
##
## Mark the file type as a daemon run dir, allowing initrc_t
## to create it
##
## Parameter $1: Type to mark as a daemon run dir
## Parameter $2: Filename of the directory that the init script creates
##
#
interface(`init_daemon_run_dir',`
	gen_require(`
		attribute daemonrundir;
		type initrc_t;
	')

	typeattribute $1 daemonrundir;

	files_pid_filetrans(initrc_t, $1, dir, $2)
')

########################################
##
## Execute init (/sbin/init) with a domain transition.
##
## Parameter $1: Domain allowed to transition.
##
#
interface(`init_domtrans',`
	gen_require(`
		type init_t, init_exec_t;
	')

	domtrans_pattern($1, init_exec_t, init_t)
	allow $1 init_exec_t:file map;
')

########################################
##
## Allow init_exec_t files to be an entrypoint of the specified domain.
##
## Parameter $1: Domain allowed access.
##
## The rule covers init_exec_t only, not arbitrary file types.
##
#
interface(`init_entrypoint_exec',`
	gen_require(`
		type init_exec_t;
	')

	allow $1 init_exec_t:file entrypoint;
')

########################################
##
## Execute the init program in the caller domain.
##
## Parameter $1: Domain allowed access.
##
## No domain transition is set up here; when the systemd module is
## present the caller is also passed to systemd_exec_systemctl().
##
#
interface(`init_exec',`
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, init_exec_t)

	optional_policy(`
		systemd_exec_systemctl($1)
	')
')

#######################################
##
## Check access to the init/systemd executable.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_access_check',`
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_bin($1)
	allow $1 init_exec_t:file { getattr_file_perms execute };
')

#######################################
##
## Dontaudit getattr on the init program.
##
## Parameter $1: Domain to not audit.
##
## The access stays denied; only the AVC denial record is suppressed.
##
#
interface(`init_dontaudit_getattr_exec',`
	gen_require(`
		type init_exec_t;
	')

	dontaudit $1 init_exec_t:file getattr;
')

########################################
##
## Execute the rc application in the caller domain.
##
##

## This is only applicable to Gentoo or distributions that use the OpenRC ## init system. ##

##

## The OpenRC /sbin/rc binary is used for both init scripts as well as ## management applications and tools. When used for management purposes, ## calling /sbin/rc should never cause a transition to initrc_t. ##

##
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_exec_rc',`
	gen_require(`
		type rc_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, rc_exec_t)
')

########################################
##
## Get the process group of init.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_getpgid',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process getpgid;
')

########################################
##
## Send init a null signal.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_signull',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signull;
')

########################################
##
## Send init a SIGCHLD signal.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_sigchld',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process sigchld;
')

########################################
##
## Send generic signals to init.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_signal',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signal;
')

########################################
##
## Create objects in the init_var_lib_t directories
##
## Parameter $1: Domain allowed access.
## Parameter $2: The type of the object to be created
## Parameter $3: The object class.
## Parameter $4: The name of the object being created.
##
#
interface(`init_var_lib_filetrans',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
')

#########################################
##
## Abstract socket service activation (systemd).
##
## Parameter $1: The domain to be started by systemd socket activation.
##
## The rules let init_t create unix stream and tcp sockets labeled with
## the activated domain.
##
#
interface(`init_abstract_socket_activation',`
	gen_require(`
		type init_t;
	')

	allow init_t $1:unix_stream_socket create_stream_socket_perms;
	allow init_t $1:tcp_socket create_stream_socket_perms;
')

#########################################
##
## Named socket service activation (systemd).
##
## Parameter $1: The domain to be started by systemd socket activation.
## Parameter $2: The domain socket file type.
##
## Parameter $3: The name of the object being created.
##
## init_t gets manage permissions on directories, fifos, socket files and
## symlinks of the socket file type, plus a named file transition to that
## type through files_pid_filetrans().
##
#
interface(`init_named_socket_activation',`
	gen_require(`
		type init_t;
	')

	allow init_t $1:unix_dgram_socket create_socket_perms;
	allow init_t $1:unix_stream_socket create_stream_socket_perms;
	allow init_t $2:dir manage_dir_perms;
	allow init_t $2:fifo_file manage_fifo_file_perms;
	allow init_t $2:sock_file manage_sock_file_perms;
	allow init_t $2:lnk_file manage_lnk_file_perms;
	files_pid_filetrans(init_t, $2, { dir lnk_file sock_file fifo_file }, $3)
')

########################################
##
## Connect to init with a unix socket.
##
## Parameter $1: Domain allowed access.
##
## Connects through socket files labeled init_var_run_t.
##
#
interface(`init_stream_connect',`
	gen_require(`
		type init_t, init_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
	allow $1 init_t:unix_stream_socket getattr;
')

########################################
##
## Connect to init with a unix socket.
##
## Parameter $1: Domain allowed access.
##
## Unlike init_stream_connect() this grants only connectto on the init_t
## socket, with no access to a socket file type.
##
#
interface(`init_stream_connectto',`
	gen_require(`
		type init_t;
	')

	files_search_pids($1)
	allow $1 init_t:unix_stream_socket connectto;
')

#######################################
##
## Dontaudit Connect to init with a unix socket.
##
## Parameter $1: Domain to not audit.
##
## The connection stays denied; only the AVC denial record is suppressed.
## Rebuilding the policy with dontaudit rules disabled (semodule -DB)
## makes such denials visible again during an investigation.
##
#
interface(`init_dontaudit_stream_connect',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket connectto;
')

######################################
##
## Dontaudit getattr to init with a unix socket.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_getattr_stream_socket',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket getattr;
')

######################################
##
## Dontaudit read and write to init with a unix socket.
##
## Parameter $1: Domain to not audit.
##
## Suppresses audit records for getattr, read, write and ioctl on init_t
## unix stream sockets; the access itself is not granted.
##
#
interface(`init_dontaudit_rw_stream_socket',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
')

########################################
##
## Inherit and use file descriptors from init.
##
##

## Allow the specified domain to inherit file ## descriptors from the init program (process ID 1). ## Typically the only file descriptors to be ## inherited from init are for the console. ## This does not allow the domain any access to ## the objects to which the file descriptors refer. ##

##

## Related interfaces: ##

##
##   - init_dontaudit_use_fds()
##   - term_dontaudit_use_console()
##   - term_use_console()
##

## Example usage: ##

##

## init_use_fds(mydomain_t) ## term_use_console(mydomain_t) ##

##

## Normally, processes that can inherit these file ## descriptors (usually services) write messages to the ## system log instead of writing to the console. ## Therefore, in many cases, this access should ## be dontaudited instead. ##

##

## Example dontaudit usage: ##

##

## init_dontaudit_use_fds(mydomain_t) ## term_dontaudit_use_console(mydomain_t) ##

##
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_use_fds',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:fd use;
')

########################################
##
## Do not audit attempts to inherit file
## descriptors from init.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_use_fds',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:fd use;
')

########################################
##
## Send UDP network traffic to init.  (Deprecated)
##
## Parameter $1: Domain allowed access.
##
## Grants nothing; the body only emits a deprecation warning.
##
#
interface(`init_udp_send',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
##
## Get the attributes of initctl.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_getattr_initctl',`
	gen_require(`
		type initctl_t;
	')

	allow $1 initctl_t:fifo_file getattr;
')

########################################
##
## Do not audit attempts to get the
## attributes of initctl.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_getattr_initctl',`
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
')

########################################
##
## Write to initctl.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_write_initctl',`
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
')

########################################
##
## Use telinit (Read and write initctl).
##
## Parameter $1: Domain allowed access.
##
## Security note: beyond read/write on initctl this grants execution of
## init in the caller domain, process listing of init_t, the generic
## signal permission on init_t, and datagram and stream connections to
## init_t.
##
#
interface(`init_telinit',`
	gen_require(`
		type initctl_t;
		type init_t;
	')

	corecmd_exec_bin($1)

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;

	init_exec($1)

	ps_process_pattern($1, init_t)
	allow $1 init_t:process signal;
	dontaudit $1 self:capability net_admin;

	# upstart uses a datagram socket instead of initctl pipe
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 init_t:unix_dgram_socket sendto;
	#576913
	allow $1 init_t:unix_stream_socket connectto;
')

########################################
##
## Read and write initctl.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_rw_initctl',`
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')

########################################
##
## Do not audit attempts to read and
## write initctl.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_rw_initctl',`
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file { read write };
')

########################################
##
## Make init scripts an entry point for
## the specified domain.
##
## Parameter $1: Domain allowed access.
##
# cjp: added for gentoo integrated run_init
interface(`init_script_file_entry_type',`
	gen_require(`
		type initrc_exec_t;
	')

	domain_entry_file($1, initrc_exec_t)
')

########################################
##
## Execute init scripts with a specified domain transition.
##
## Parameter $1: Domain allowed to transition.
##
## Covers every type in init_script_file_type.  On Gentoo builds an
## automatic transition through rc_exec_t is added as well.
##
#
interface(`init_spec_domtrans_script',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
	')

	files_list_etc($1)
	spec_domtrans_pattern($1, init_script_file_type, initrc_t)

	ifdef(`distro_gentoo',`
		gen_require(`
			type rc_exec_t;
		')

		domtrans_pattern($1, rc_exec_t, initrc_t)
	')

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')

########################################
##
## Execute init scripts with an automatic domain transition.
##
## Parameter $1: Domain allowed to transition.
##
## Security note: the caller is added to initrc_transition_domain and may
## transition into initrc_t through any init_script_file_type file, also
## when the no_new_privs flag is set or the script is on a nosuid mount.
##
#
interface(`init_domtrans_script',`
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
		attribute initrc_transition_domain;
	')

	typeattribute $1 initrc_transition_domain;

	files_list_etc($1)
	domtrans_pattern($1, init_script_file_type, initrc_t)
	allow $1 initrc_t:process2 { nnp_transition nosuid_transition };

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
')

########################################
##
## Execute init scripts with a domain transition
## and allow the specified role the init script type
##
## Parameter $1: Domain allowed to transition.
## Parameter $2: Role allowed access.
##
#
interface(`init_run_script',`
	gen_require(`
		type initrc_t;
	')

	init_domtrans_script($1)
	role $2 types initrc_t;
')

########################################
##
## Execute a file in a bin directory
## in the initrc_t domain
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_bin_domtrans_spec',`
	gen_require(`
		type initrc_t;
	')

	corecmd_bin_domtrans($1, initrc_t)
')

########################################
##
## Execute an init script in a specified domain.
##
##

## Execute an init script in a specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
## Parameter $1: Domain allowed to transition.
## Parameter $2: Domain to transition to.
##
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	domain_auto_trans($1, initrc_exec_t, $2)
')

########################################
##
## Transition to the init script domain
## on a specified labeled init script.
##
## Parameter $1: Domain allowed to transition.
## Parameter $2: Labeled init script file.
##
## The caller is added to initrc_transition_domain and is allowed to
## search all filesystems through fs_search_all().
##
#
interface(`init_labeled_script_domtrans',`
	gen_require(`
		type initrc_t;
		attribute initrc_transition_domain;
	')

	typeattribute $1 initrc_transition_domain;

	# service script searches all filesystems via mountpoint
	fs_search_all($1)

	domtrans_pattern($1, $2, initrc_t)
	allow $1 $2:file ioctl;
	files_search_etc($1)
')

#########################################
##
## Transition to the init script domain
## for all labeled init script types
##
## Parameter $1: Domain allowed to transition.
##
#
interface(`init_all_labeled_script_domtrans',`
	gen_require(`
		attribute init_script_file_type;
	')

	init_labeled_script_domtrans($1, init_script_file_type)
')

########################################
##
## Start and stop daemon programs directly.
##
##

## Start and stop daemon programs directly ## in the traditional "/etc/init.d/daemon start" ## style, and do not require run_init. ##

##
##
## Parameter $1: Domain allowed access.
## Parameter $2: The role to be performing this action.
##
## The role_transition moves the given role to system_r when any
## direct_init_entry file is executed.
##
#
interface(`init_run_daemon',`
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		role system_r;
	')

	typeattribute $1 direct_run_init;

	role_transition $2 direct_init_entry system_r;
')

########################################
##
## Allow execute all init daemon executables type without transition.
##
## Parameter $1: Domain allowed access.
##
## The executables then run in the caller domain rather than in the
## daemon domain.
##
#
interface(`init_exec_notrans_direct_init_entry',`
	gen_require(`
		attribute direct_init_entry;
	')

	allow $1 direct_init_entry:file execute_no_trans;
')

########################################
##
## Read the process state (/proc/pid) of init.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_read_state',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:dir search_dir_perms;
	allow $1 init_t:file read_file_perms;
	allow $1 init_t:lnk_file read_lnk_file_perms;
')

########################################
##
## Dontaudit read the process state (/proc/pid) of init.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_read_state',`
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:dir search_dir_perms;
	dontaudit $1 init_t:file read_file_perms;
	dontaudit $1 init_t:lnk_file read_lnk_file_perms;
')

########################################
##
## Read the process keyring of init.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_read_key',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:key read;
')

########################################
##
## Allow view the init key ring.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_view_key',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:key view;
')

########################################
##
## Write the process keyring of init.
##
## Parameter $1: Domain allowed access.
##
## NOTE(review): the rule grants key read, not key write, which makes this
## interface identical to init_read_key().  Callers get no write access
## despite the name.  If write access is what is meant, the rule would be
## "allow $1 init_t:key write;" - audit the callers before changing it,
## since some may rely on the read permission they receive today.
##
#
interface(`init_write_key',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:key read;
')

########################################
##
## Ptrace init
##
## Parameter $1: Domain allowed access.
##
## The allow rule sits in the false branch of tunable_policy(), so ptrace
## of init_t is granted only while the deny_ptrace boolean is off.
##
#
interface(`init_ptrace',`
	gen_require(`
		type init_t;
	')

	tunable_policy(`deny_ptrace',`',`
		allow $1 init_t:process ptrace;
	')
')

########################################
##
## Write an init script unnamed pipe.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_write_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file write;
')

########################################
##
## Get the attribute of init script entrypoint files.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_getattr_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	allow $1 initrc_exec_t:file getattr;
')

########################################
##
## Read init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_read_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_search_etc($1)
	allow $1 initrc_exec_t:file read_file_perms;
')

########################################
##
## Execute init scripts in the caller domain.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_exec_script_files',`
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	can_exec($1, initrc_exec_t)
')

########################################
##
## Get the attribute of all init script entrypoint files.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	allow $1 init_script_file_type:file getattr;
')

########################################
##
## Allow the specified domain to modify the systemd configuration of
## all init scripts.
##
## Parameter $1: Domain allowed access.
##
## Security note: this grants every service permission
## (all_service_perms) on every type in init_script_file_type.
##
#
interface(`init_config_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	allow $1 init_script_file_type:service all_service_perms;
')

########################################
##
## Allow the specified domain to modify the systemd configuration of
## transient scripts.
##
## Parameter $1: Domain allowed access.
##
## Grants all_service_perms on init_var_run_t services.
##
#
interface(`init_config_transient_files',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:service all_service_perms;
')

########################################
##
## Allow the specified domain to modify the systemd configuration of
## transient scripts.
##
## Parameter $1: Domain allowed access.
##
## The summary is shared with init_config_transient_files(); this
## interface grants manage_service_perms instead of all_service_perms.
##
#
interface(`init_manage_config_transient_files',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:service manage_service_perms;
')

########################################
##
## Read all init script files.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_search_etc($1)
	allow $1 init_script_file_type:file read_file_perms;
')

########################################
##
## Get the status of all init script files.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_status_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_search_etc($1)
	allow $1 init_script_file_type:service status;
')

#######################################
##
## Dontaudit getattr all init script files.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_getattr_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	dontaudit $1 init_script_file_type:file getattr;
')

#######################################
##
## Dontaudit read all init script files.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_read_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	dontaudit $1 init_script_file_type:file read_file_perms;
')

########################################
##
## Execute all init scripts in the caller domain.
##
## Parameter $1: Domain allowed access.
##
## No transition to initrc_t is set up; the scripts run with the
## permissions of the caller domain.
##
#
interface(`init_exec_all_script_files',`
	gen_require(`
		attribute init_script_file_type;
	')

	files_list_etc($1)
	can_exec($1, init_script_file_type)
')

########################################
##
## Read the process state (/proc/pid) of the init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_read_script_state',`
	gen_require(`
		type initrc_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, initrc_t)
')

########################################
##
## Inherit and use init script file descriptors.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fd use;
')

########################################
##
## Do not audit attempts to inherit
## init script file descriptors.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_use_script_fds',`
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:fd use;
')

########################################
##
## Search init script keys.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_search_script_keys',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:key search;
')

########################################
##
## Get the process group ID of init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_getpgid_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process getpgid;
')

########################################
##
## Send SIGCHLD signals to init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_sigchld_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigchld;
')

########################################
##
## Send generic signals to init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_signal_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signal;
')

########################################
##
## Send kill signals to init scripts.
##
## Parameter $1: Domain allowed access.
##
## Grants only the sigkill permission on initrc_t processes.
##
#
interface(`init_sigkill_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigkill;
')

########################################
##
## Send null signals to init scripts.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_signull_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signull;
')

########################################
##
## Read and write init script unnamed pipes.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_rw_script_pipes',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file { read write };
')

########################################
##
## Send UDP network traffic to init scripts.  (Deprecated)
##
## Parameter $1: Domain allowed access.
##
## Grants nothing; the body only emits a deprecation warning.
##
#
interface(`init_udp_send_script',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
##
## Allow the specified domain to connect to
## init scripts with a unix socket.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
')

########################################
##
## Allow the specified domain to read/write to
## init scripts with a unix domain stream socket.
##
## Parameter $1: Domain allowed access.
##
#
interface(`init_rw_script_stream_sockets',`
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')

########################################
##
## Do not audit the specified domain connecting to
## init scripts with a unix domain stream socket.
##
## Parameter $1: Domain to not audit.
##
#
interface(`init_dontaudit_stream_connect_script',`
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:unix_stream_socket connectto;
')

########################################
##
## Send messages to init scripts over dbus.
##
## Parameter $1: Domain allowed access.
#
interface(`init_dbus_send_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
')

########################################
## Send and receive messages from
## init over dbus.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_dbus_chat',`
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	allow $1 init_t:dbus send_msg;
	allow init_t $1:dbus send_msg;
')

########################################
## Do not audit attempts to send and receive
## messages from init over dbus.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_dbus_chat',`
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	dontaudit $1 init_t:dbus send_msg;
	dontaudit init_t $1:dbus send_msg;
')

########################################
## Send and receive messages from
## init scripts over dbus.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_dbus_chat_script',`
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
	allow initrc_t $1:dbus send_msg;
')

########################################
## Read and write the init script pty.
##
## Read and write the init script pty. This pty is generally opened
## by the open_init_pty portion of the run_init program so that the
## daemon does not require direct access to the administrator terminal.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## Read and write inherited init script ptys.
##
## Besides the pty permissions, the body also calls init_use_fds($1).
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_use_inherited_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	# No open permission is listed here, unlike init_use_script_ptys.
	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };

	init_use_fds($1)
')

########################################
## Do not audit attempts to read and
## write the init script pty.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_use_script_ptys',`
	gen_require(`
		type initrc_devpts_t;
	')

	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')

########################################
## Get the attributes of init script
## status files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_getattr_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')

########################################
## Manage init script
## status files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_manage_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	manage_files_pattern($1, initrc_state_t, initrc_state_t)
')

########################################
## Do not audit attempts to read init script
## status files.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_read_script_status_files',`
	gen_require(`
		type initrc_state_t;
	')

	dontaudit $1 initrc_state_t:dir search_dir_perms;
	dontaudit $1 initrc_state_t:file read_file_perms;
')

########################################
## Read init script temporary data.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')

########################################
## Read and write init script temporary data.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')

########################################
## Manage init script temporary data.
##
## Covers directories, files and symbolic links of type initrc_tmp_t,
## and additionally allows mapping initrc_tmp_t files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_manage_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, initrc_tmp_t, initrc_tmp_t)
	manage_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
	manage_lnk_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
	allow $1 initrc_tmp_t:file map;
')

########################################
## Allow the caller domain to write initrc_tmp_t pipes.
##
## This is an allow rule, not a dontaudit rule.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_write_initrc_tmp_pipes',`
	gen_require(`
		type initrc_tmp_t;
	')

	allow $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
')

########################################
## Do not audit attempts to write initrc_tmp_t pipes.
##
## The rule covers the fifo_file class only; denied access to regular
## initrc_tmp_t files is still audited.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_write_initrc_tmp',`
	gen_require(`
		type initrc_tmp_t;
	')

	dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
')

########################################
## Read and write init script inherited temporary data.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_inherited_script_tmp_files',`
	gen_require(`
		type initrc_tmp_t;
	')

	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')

########################################
## Create files in an init script
## temporary data directory.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The type of the object to be created.
##   $3 - The object class.
##   $4 - The name of the object being created.
#
interface(`init_script_tmp_filetrans',`
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
')

########################################
## Get the attributes of init script process id files.
##
## The rule targets files of type initrc_var_run_t, the type the other
## utmp interfaces in this file use.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_getattr_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file getattr;
')

########################################
## Read utmp.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file read_file_perms;
')

########################################
## Read the machine-id file.
##
## Grants read access to files of type machineid_t; this interface
## does not touch utmp.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_machineid',`
	gen_require(`
		type machineid_t;
	')

	files_search_etc($1)
	allow $1 machineid_t:file read_file_perms;
')

########################################
## Do not audit attempts to read utmp.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_read_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file read_file_perms;
')

########################################
## Do not audit attempts to write or lock utmp.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
')

########################################
## Write to utmp.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_write_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file { getattr open write };
')

########################################
## Do not audit attempts to lock
## init script pid files.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_lock_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file lock;
')

########################################
## Read and write utmp.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
')

########################################
## Do not audit attempts to read and write utmp.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_rw_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file rw_file_perms;
')

########################################
## Watch the utmp file.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_watch_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:file watch_file_perms;
')

########################################
## Create, read, write, and delete utmp.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_manage_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:file manage_file_perms;
')

########################################
## Create files in /var/run with the
## utmp file type.
##
## The transition applies only to a file named "utmp".
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_pid_filetrans_utmp',`
	gen_require(`
		type initrc_var_run_t;
	')

	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')

######################################
## Allow searching the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_search_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir search_dir_perms;
')

######################################
## Allow listing of the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_list_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir list_dir_perms;
')

#######################################
## Create a directory in the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_create_pid_dirs',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir list_dir_perms;
	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
')

#######################################
## Remove entries from the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_delete_pid_dir_entry',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir del_entry_dir_perms;
')

#######################################
## Watch the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_watch_pid_dir',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir watch_dir_perms;
')

########################################
## Get the attributes of block nodes in the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_getattr_pid_blk_file',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:blk_file getattr;
')

########################################
## Get the attributes of character device nodes in the /run/systemd directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_getattr_pid_chr_file',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:chr_file getattr;
')

#######################################
## Create objects in /run/systemd directory
## with an automatic type transition to
## a specified private type.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The type of the object to create.
##   $3 - The class of the object to be created.
##   $4 - The name of the object being created.
#
interface(`init_pid_filetrans',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')

#######################################
## Create objects in /run/systemd directory
## with an automatic type transition to
## a specified private type.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The type of the object to create.
##   $3 - The class of the object to be created.
##   $4 - The name of the object being created.
#
# The body below is identical to that of init_pid_filetrans.
interface(`init_named_pid_filetrans',`
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
')

########################################
## Allow the specified domain to connect to daemon with a tcp socket
##
## NOTE(review): the body only calls corenet_tcp_recvfrom_labeled
## against the daemon attribute; confirm that this macro covers what
## the summary promises.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_tcp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')

	corenet_tcp_recvfrom_labeled($1, daemon)
')

########################################
## Allow the specified domain to connect to daemon with a udp socket
##
## NOTE(review): the body only calls corenet_udp_recvfrom_labeled
## against the daemon attribute; confirm that this macro covers what
## the summary promises.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_udp_recvfrom_all_daemons',`
	gen_require(`
		attribute daemon;
	')

	corenet_udp_recvfrom_labeled($1, daemon)
')

########################################
## Transition to system_r when executing an init script.
##
## Execute an init script in a specified role.
##
## No interprocess communication (signals, pipes, etc.) is provided by
## this interface since the domains are not owned by this module.
##
## Parameters:
##   $1 - Role to transition from.
#
interface(`init_script_role_transition',`
	gen_require(`
		attribute init_script_file_type;
	')

	# Applies to every type carrying the init_script_file_type attribute.
	role_transition $1 init_script_file_type system_r;
')

########################################
## Do not audit attempts to read and write leaked
## init script file descriptors.
##
## Silences denials on initrc_t sockets and shared memory, and calls the
## script pty and script fd dontaudit interfaces of this module.
##
## Parameters:
##   $1 - Domain to not audit.
#
interface(`init_dontaudit_script_leaks',`
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:socket_class_set { read write };
	dontaudit $1 initrc_t:shm rw_shm_perms;

	init_dontaudit_use_script_ptys($1)
	init_dontaudit_use_script_fds($1)
')

#######################################
## Allow the specified domain to ioctl
## init unix domain stream sockets.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_ioctl_stream_sockets',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket ioctl;
')

########################################
## Allow the specified domain to read and write
## init unix domain stream sockets.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_stream_sockets',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')

########################################
## Allow the specified domain to append to
## init unix domain stream sockets.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_append_stream_sockets',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket append;
')

#######################################
## Allow the specified domain to write to
## init sock file.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_write_pid_socket',`
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:sock_file write;
')

########################################
## Send a message to init over a unix domain
## datagram socket.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_dgram_send',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_dgram_socket sendto;
')

########################################
## Send a message to init over a unix domain
## stream socket.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_stream_send',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket sendto;
')

########################################
## Create a file type used for init socket files.
##
## This defines a type that init can create sock_file within for
## impersonation purposes.
##
## The body only adds the init_sock_file_type attribute to the type;
## the rules that let init act on that attribute are not in this
## interface.
##
## Parameters:
##   $1 - Type to be used for a sock file.
#
interface(`init_sock_file',`
	gen_require(`
		attribute init_sock_file_type;
	')

	typeattribute $1 init_sock_file_type;
')

########################################
## Read init pid files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_pid_files',`
	gen_require(`
		type init_var_run_t;
	')

	list_dirs_pattern($1, init_var_run_t, init_var_run_t)
	read_files_pattern($1, init_var_run_t, init_var_run_t)
')

########################################
## Manage init pid files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_manage_pid_files',`
	gen_require(`
		type init_var_run_t;
	')

	manage_files_pattern($1, init_var_run_t, init_var_run_t)
')

#######################################
## Read init pid lnk_files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_pid_lnk_files',`
	gen_require(`
		type init_var_run_t;
	')

	read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
')

########################################
## Read init unnamed pipes.
##
## NOTE(review): the rule targets fifo_file objects of type
## init_var_run_t rather than init_t; confirm the unnamed wording.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_pipes',`
	gen_require(`
		type init_var_run_t;
	')

	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
')

########################################
## Read/Write init unnamed pipes.
##
## NOTE(review): the rule targets fifo_file objects of type
## init_var_run_t rather than init_t; confirm the unnamed wording.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_pipes',`
	gen_require(`
		type init_var_run_t;
	')

	rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
')

#######################################
## Read and write init TCP sockets.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_rw_tcp_sockets',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:tcp_socket { read write getattr };
')

#######################################
## Use sd_notify
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_use_notify',`
	gen_require(`
		type init_t, init_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
	allow $1 init_var_run_t:sock_file read_sock_file_perms;
	# Note the direction: this rule lets init_t write to pipes of the caller.
	allow init_t $1:fifo_file write_fifo_file_perms;
')

########################################
## Get the system status information from init
##
## Grants the status permission in both the system and the service
## class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_status',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system status;
	allow $1 init_t:service status;
')

########################################
## Stop system from init
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_stop',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system stop;
')

########################################
## Start system from init
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_start',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system start;
')

########################################
## Tell init to reboot the system.
##
## Also calls systemd_config_power_services($1).
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_reboot',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system reboot;
	systemd_config_power_services($1)
')

########################################
## Tell init to enable the services.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_enable_services',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system enable;
')

########################################
## Tell init to disable the services.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_disable_services',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system disable;
')

########################################
## Tell init to reload the services.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_reload_services',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system reload;
')

########################################
## Tell init to halt the system.
##
## Also calls systemd_config_power_services($1).
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_halt',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system halt;
	systemd_config_power_services($1)
')

########################################
## Tell init to do an unknown access.
##
## Grants the permission named undefined in the system class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_undefined',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system undefined;
')

########################################
## Start transient units.
##
## Grants the start permission in the service class on init_t.
## NOTE(review): the transient unit wording comes from the interface
## name; the rule itself covers any service object labeled init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_start_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service start;
')

########################################
## Enable transient units.
##
## Grants the enable permission in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_enable_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service enable;
')

########################################
## Disable transient units.
##
## Grants the disable permission in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_disable_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service disable;
')

########################################
## Stop transient units.
##
## Grants the stop permission in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_stop_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service stop;
')

########################################
## Reload transient units.
##
## Grants the reload permission in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_reload_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service reload;
')

########################################
## Get the status of transient units.
##
## Grants the status permission in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_status_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service status;
')

########################################
## Manage transient units.
##
## Grants manage_service_perms in the service class on init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_manage_transient_unit',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:service manage_service_perms;
')

########################################
## Transition to init named content
##
## Sets up name-based type transitions for the objects listed in the
## body: utmp, random-seed, machine-id, the initctl fifo and the
## systemd generator and system unit directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_filetrans_named_content',`
	gen_require(`
		type init_var_run_t;
		type initrc_var_run_t;
		type machineid_t;
		type initctl_t;
		type systemd_unit_file_t;
	')

	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
	files_pid_filetrans($1, init_var_run_t, file, "random-seed")
	files_etc_filetrans($1, machineid_t, file, "machine-id" )
	files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.early")
	init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
	init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
')

########################################
## Read systemd lib files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_var_lib_files',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, init_var_lib_t, init_var_lib_t)
')

########################################
## Mmap and read systemd lib files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_mmap_read_var_lib_files',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	mmap_read_files_pattern($1, init_var_lib_t, init_var_lib_t)
')

########################################
## Search systemd lib directories.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_search_var_lib_dirs',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 init_var_lib_t:dir search_dir_perms;
')

########################################
## Read systemd lib sock_files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_var_lib_sock_files',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	read_sock_files_pattern($1, init_var_lib_t, init_var_lib_t)
')

########################################
## Read systemd lib lnk_files.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_read_var_lib_lnk_files',`
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	read_lnk_files_pattern($1, init_var_lib_t, init_var_lib_t)
')

########################################
## Allow caller domain to run bpftool.
##
## The rule grants bpf class permissions on init_t: creating, reading
## and writing maps, and loading and running programs. It does not
## grant execution of any binary.
## NOTE(review): grant only to domains that need to work with BPF maps
## and programs labeled init_t.
##
## Parameters:
##   $1 - Domain allowed access.
#
interface(`init_prog_run_bpf',`
	gen_require(`
		type init_t;
	')

	allow $1 init_t:bpf { map_create map_read map_write prog_load prog_run };
')

#######################################
## Allow systemd to watch directories of given type.
## Intended for systemd path units - see systemd.path(5). (Deprecated)
##
## The body grants nothing; it only emits a deprecation warning.
##
## Parameters:
##   $1 - Type allowed to watch.
#
interface(`init_watch_dir',`
	refpolicywarn(`$0($*) has been deprecated.')
')