From: russell@coker.com.au (Russell Coker)
Date: Mon, 6 Feb 2017 16:13:15 +1100
Subject: [refpolicy] [PATCH] mon policy again
Message-ID: <20170206051315.byxad4lugupfwykp@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Here is another version of the mon policy including requested changes.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
--- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
+++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
@@ -38,6 +38,7 @@
dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1,11 @@
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1 @@
+## mon network monitoring daemon.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
@@ -0,0 +1,213 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+fs_getattr_xattr_fs(mon_net_test_t)
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+sysnet_read_config(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+files_read_usr_files(mon_net_test_t)
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+netutils_domtrans_ping(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+auth_use_nsswitch(mon_local_test_t)
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+domain_read_all_domains_state(mon_local_test_t)
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+fs_search_auto_mountpoints(mon_local_test_t)
+getattr_init_fifo(mon_local_test_t)
+logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_localization(mon_local_test_t)
+rpc_read_nfs_content(mon_local_test_t)
+sysnet_read_config(mon_local_test_t)
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+optional_policy(`
+ files_list_boot(mon_local_test_t)
+')
+
+optional_policy(`
+ sudo_role_template(system, system_r, mon_local_test_t)
+ corecmd_bin_entry_type(mon_local_test_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
+++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
@@ -176,6 +176,7 @@
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(milter) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
network_port(monit, tcp,2812,s0)
network_port(monopd, tcp,1234,s0)
network_port(mountd, tcp,20048,s0, udp,20048,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
--- /home/rjc/src/pol-git/policy/modules/system/init.if 2016-12-04 23:04:21.264949806 +1100
+++ /tmp/pol-git/policy/modules/system/init.if 2017-02-06 16:11:04.966188329 +1100
@@ -2504,3 +2504,22 @@
allow $1 systemdunit:service reload;
')
+
+########################################
+##
+## stat /run/systemd/initctl/fifo
+##
+##
+##
+## domain
+##
+##
+#
+interface(`getattr_init_fifo',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:fifo_file getattr;
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
--- /home/rjc/src/pol-git/policy/modules/system/init.if.orig 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/system/init.if.orig 2016-12-04 23:04:21.264949806 +1100
@@ -0,0 +1,2506 @@
+## System initialization programs (init and init scripts).
+
+########################################
+##
+## Create a file type used for init scripts.
+##
+##
+##
+## Create a file type used for init scripts. It can not be
+## used in conjunction with init_script_domain(). These
+## script files are typically stored in the /etc/init.d directory.
+##
+##
+## Typically this is used to constrain what services an
+## admin can start/stop. For example, a policy writer may want
+## to constrain a web administrator to only being able to
+## restart the web server, not other services. This special type
+## will help address that goal.
+##
+##
+## This also makes the type usable for files; thus an
+## explicit call to files_type() is redundant.
+##
+##
+##
+##
+## Type to be used for a script file.
+##
+##
+##
+#
+interface(`init_script_file',`
+ gen_require(`
+ type initrc_t;
+ attribute init_script_file_type, init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_file_type;
+
+ domain_entry_file(initrc_t, $1)
+
+ domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+##
+## Make the specified type usable for
+## systemd unit files.
+##
+##
+##
+## Type to be used for systemd unit files.
+##
+##
+#
+interface(`init_unit_file',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ files_type($1)
+ typeattribute $1 systemdunit;
+')
+
+########################################
+##
+## Create a domain used for init scripts.
+##
+##
+##
+## Create a domain used for init scripts.
+## Can not be used in conjunction with
+## init_script_file().
+##
+##
+##
+##
+## Type to be used as an init script domain.
+##
+##
+##
+##
+## Type of the script file used as an entry point to this domain.
+##
+##
+#
+interface(`init_script_domain',`
+ gen_require(`
+ attribute init_script_domain_type, init_script_file_type;
+ attribute init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_domain_type;
+ typeattribute $2 init_script_file_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
+########################################
+##
+## Create a domain which can be started by init.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`init_domain',`
+ gen_require(`
+ type init_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
+')
+
+########################################
+##
+## Create a domain which can be started by init,
+## with a range transition.
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+##
+## Range for the domain.
+##
+##
+#
+interface(`init_ranged_domain',`
+ gen_require(`
+ type init_t;
+ ')
+
+ init_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition init_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+##
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts.
+##
+##
+##
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts. Short running processes
+## should use the init_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+##
+##
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##
+##
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_daemon_domain() should be used instead.
+##
+##
+##
+##
+## Type to be used as a daemon domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+#
+interface(`init_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ role system_r;
+ attribute daemon;
+ ')
+
+ typeattribute $1 daemon;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ # daemons started from init will
+ # inherit fds from init for the console
+ init_dontaudit_use_fds($1)
+ term_dontaudit_use_console($1)
+
+ # init script ptys are the stdin/out/err
+ # when using run_init
+ init_use_script_ptys($1)
+
+ ifdef(`direct_sysadm_daemon',`
+ userdom_dontaudit_use_user_terminals($1)
+ ')
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ # this may be because of late labelling
+ kernel_dgram_send($1)
+ ')
+
+ optional_policy(`
+ nscd_use($1)
+ ')
+')
+
+########################################
+##
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts,
+## running at a specified MLS/MCS range.
+##
+##
+##
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts, running at a specified
+## MLS/MCS range. Short running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+##
+##
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##
+##
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_daemon_domain().
+##
+##
+##
+##
+## Type to be used as a daemon domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+##
+## MLS/MCS range for the domain.
+##
+##
+##
+#
+interface(`init_ranged_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_daemon_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+')
+
+#########################################
+##
+## Abstract socket service activation (systemd).
+##
+##
+##
+## The domain to be started by systemd socket activation.
+##
+##
+#
+interface(`init_abstract_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ ')
+')
+
+#########################################
+##
+## Named socket service activation (systemd).
+##
+##
+##
+## The domain to be started by systemd socket activation.
+##
+##
+##
+##
+## The domain socket file type.
+##
+##
+#
+interface(`init_named_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_dgram_socket create_socket_perms;
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $2:dir manage_dir_perms;
+ allow init_t $2:fifo_file manage_fifo_file_perms;
+ allow init_t $2:sock_file manage_sock_file_perms;
+ ')
+')
+
+########################################
+##
+## Create a domain for short running processes
+## which are started by init scripts.
+##
+##
+##
+## Create a domain for short running processes
+## which are started by init scripts. These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes, such as daemons/services
+## should use the init_daemon_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+##
+##
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##
+##
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_system_domain() should be used instead.
+##
+##
+##
+##
+## Type to be used as a system domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+#
+interface(`init_system_domain',`
+ gen_require(`
+ type initrc_t;
+ role system_r;
+ ')
+
+ application_domain($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ ')
+')
+
+########################################
+##
+## Create a domain for short running processes
+## which are started by init scripts.
+##
+##
+##
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts.
+## These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+##
+##
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##
+##
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_system_domain().
+##
+##
+##
+##
+## Type to be used as a system domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+##
+##
+## Range for the domain.
+##
+##
+##
+#
+interface(`init_ranged_system_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_system_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+')
+
+########################################
+##
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
+##
+##
+##
+## Type to mark as a daemon pid file
+##
+##
+##
+##
+## Class on which the type is applied
+##
+##
+##
+##
+## Filename of the file that the init script creates
+##
+##
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+##
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+##
+##
+##
+## Type to mark as a daemon run dir
+##
+##
+##
+##
+## Filename of the directory that the init script creates
+##
+##
+#
+interface(`init_daemon_run_dir',`
+ gen_require(`
+ attribute daemonrundir;
+ type initrc_t;
+ ')
+
+ refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
+ init_daemon_pid_file($1, dir, $2)
+')
+
+########################################
+##
+## Execute init (/sbin/init) with a domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`init_domtrans',`
+ gen_require(`
+ type init_t, init_exec_t;
+ ')
+
+ domtrans_pattern($1, init_exec_t, init_t)
+')
+
+########################################
+##
+## Execute the init program in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_exec',`
+ gen_require(`
+ type init_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
+')
+
+########################################
+##
+## Execute the rc application in the caller domain.
+##
+##
+##
+## This is only applicable to Gentoo or distributions that use the OpenRC
+## init system.
+##
+##
+## The OpenRC /sbin/rc binary is used for both init scripts as well as
+## management applications and tools. When used for management purposes,
+## calling /sbin/rc should never cause a transition to initrc_t.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_rc',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+##
+## Get the process group of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getpgid',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process getpgid;
+')
+
+########################################
+##
+## Send init a null signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_signull',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process signull;
+')
+
+########################################
+##
+## Send init a SIGCHLD signal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_sigchld',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process sigchld;
+')
+
+########################################
+##
+## Connect to init with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_stream_connect',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## Inherit and use file descriptors from init.
+##
+##
+##
+## Allow the specified domain to inherit file
+## descriptors from the init program (process ID 1).
+## Typically the only file descriptors to be
+## inherited from init are for the console.
+## This does not allow the domain any access to
+## the object to which the file descriptors references.
+##
+##
+## Related interfaces:
+##
+##
+## - init_dontaudit_use_fds()
+## - term_dontaudit_use_console()
+## - term_use_console()
+##
+##
+## Example usage:
+##
+##
+## init_use_fds(mydomain_t)
+## term_use_console(mydomain_t)
+##
+##
+## Normally, processes that can inherit these file
+## descriptors (usually services) write messages to the
+## system log instead of writing to the console.
+## Therefore, in many cases, this access should
+## dontaudited instead.
+##
+##
+## Example dontaudit usage:
+##
+##
+## init_dontaudit_use_fds(mydomain_t)
+## term_dontaudit_use_console(mydomain_t)
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit file
+## descriptors from init.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:fd use;
+')
+
+########################################
+##
+## Send messages to init unix datagram sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_dgram_send',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## Allow the specified domain to read/write to
+## init with unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+##
+## Send UDP network traffic to init. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Get all service status (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_system_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+##
+## Enable all systemd services (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_enable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system enable;
+')
+
+########################################
+##
+## Disable all services (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_disable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system disable;
+')
+
+########################################
+##
+## Reload all services (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reload;
+')
+
+########################################
+##
+## Reboot the system (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reboot_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reboot;
+')
+
+########################################
+##
+## Shutdown (halt) the system (systemd).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_shutdown_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system halt;
+')
+
+########################################
+##
+## Allow specified domain to get init status
+##
+##
+##
+## Domain to allow access.
+##
+##
+#
+interface(`init_service_status',`
+ gen_require(`
+ type init_t;
+ class service status;
+ ')
+
+ allow $1 init_t:service status;
+')
+
+########################################
+##
+## Allow specified domain to get init start
+##
+##
+##
+## Domain to allow access.
+##
+##
+#
+interface(`init_service_start',`
+ gen_require(`
+ type init_t;
+ class service start;
+ ')
+
+ allow $1 init_t:service start;
+')
+
+########################################
+##
+## Send and receive messages from
+## systemd over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_chat',`
+ gen_require(`
+ type init_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 init_t:dbus send_msg;
+ allow init_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Manage files in /var/lib/systemd/.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created
+##
+##
+##
+##
+## The object class.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`init_manage_var_lib_files',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Create files in /var/lib/systemd
+## with an automatic type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of object to be created
+##
+##
+##
+##
+## The object class.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`init_var_lib_filetrans',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+##
+## Create files in an init PID directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created
+##
+##
+##
+##
+## The object class.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+##
+## Get the attributes of initctl.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+##
+## Do not audit attempts to get the
+## attributes of initctl.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+##
+## Write to initctl.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_write_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+##
+## Use telinit (Read and write initctl).
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+ init_exec($1)
+
+ tunable_policy(`init_upstart',`
+ gen_require(`
+ type init_t;
+ ')
+
+ # upstart uses a datagram socket instead of initctl pipe
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
+')
+
+########################################
+##
+## Read and write initctl.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and
+## write initctl.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
+##
+## Make init scripts an entry point for
+## the specified domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ domain_entry_file($1, initrc_exec_t)
+')
+
+########################################
+##
+## Execute init scripts with a specified domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`init_spec_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ domtrans_pattern($1, rc_exec_t, initrc_t)
+ ')
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+##
+## Execute init scripts with an automatic domain transition.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`init_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+##
+## Execute a init script in a specified domain.
+##
+##
+##
+## Execute a init script in a specified domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domain_auto_transition_pattern($1, initrc_exec_t, $2)
+')
+
+########################################
+##
+## Transition to the init script domain
+## on a specified labeled init script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Labeled init script file.
+##
+##
+#
+interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+')
+
+#########################################
+##
+## Transition to the init script domain
+## for all labeled init script types
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
+########################################
+##
+## Allow the role to start and stop
+## labeled services.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be performing this action.
+##
+##
+##
+##
+## Type to be used as a daemon domain.
+##
+##
+##
+##
+## Labeled init script file.
+##
+##
+##
+##
+## Systemd unit file type.
+##
+##
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
+ ')
+')
+
+########################################
+##
+## Start and stop daemon programs directly.
+##
+##
+##
+## Start and stop daemon programs directly
+## in the traditional "/etc/init.d/daemon start"
+## style, and do not require run_init.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be performing this action.
+##
+##
+#
+interface(`init_run_daemon',`
+ gen_require(`
+ attribute init_script_file_type;
+ role system_r;
+ ')
+
+ allow $2 system_r;
+
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
+')
+
+########################################
+##
+## Read the process state (/proc/pid) of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Ptrace init
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_ptrace',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+##
+## Write an init script unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_write_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+##
+## Get the attribute of init script entrypoint files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+##
+## Read init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute init scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, initrc_exec_t)
+')
+
+########################################
+##
+## Get the attribute of all init script entrypoint files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+##
+## Read all init script files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_search_etc($1)
+ allow $1 init_script_file_type:file read_file_perms;
+')
+
+#######################################
+##
+## Dontaudit read all init script files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+##
+## Execute all init scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, init_script_file_type)
+')
+
+########################################
+##
+## Read the process state (/proc/pid) of the init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_state',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ kernel_search_proc($1)
+ read_files_pattern($1, initrc_t, initrc_t)
+ read_lnk_files_pattern($1, initrc_t, initrc_t)
+ list_dirs_pattern($1, initrc_t, initrc_t)
+
+ # should move this to separate interface
+ allow $1 initrc_t:process getattr;
+')
+
+########################################
+##
+## Inherit and use init script file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## init script file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+##
+## Search init script keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_script_keys',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+##
+## Get the process group ID of init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getpgid_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process getpgid;
+')
+
+########################################
+##
+## Send SIGCHLD signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_sigchld_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigchld;
+')
+
+########################################
+##
+## Send generic signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_signal_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signal;
+')
+
+########################################
+##
+## Send null signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_signull_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signull;
+')
+
+########################################
+##
+## Read and write init script unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+##
+## Send UDP network traffic to init scripts. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_send_script',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Allow the specified domain to connect to
+## init scripts with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Allow the specified domain to read/write to
+## init scripts with a unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_stream_sockets',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+##
+## Dont audit the specified domain connecting to
+## init scripts with a unix domain stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+########################################
+##
+## Send messages to init scripts over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## init scripts over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_chat_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+ allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read and write the init script pty.
+##
+##
+##
+## Read and write the init script pty. This
+## pty is generally opened by the open_init_pty
+## portion of the run_init program so that the
+## daemon does not require direct access to
+## the administrator terminal.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+##
+## Read and write inherited init script ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_inherited_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+ init_use_fds($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and
+## write the init script pty.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+##
+## Get the attributes of init script
+## status files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+##
+## Do not audit attempts to read init script
+## status files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_read_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ dontaudit $1 initrc_state_t:dir search_dir_perms;
+ dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+######################################
+##
+## Search the /run/systemd directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_run',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read init script temporary data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+##
+## Read and write init script temporary data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+##
+## Create files in a init script
+## temporary data directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created
+##
+##
+##
+##
+## The object class.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`init_script_tmp_filetrans',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
+')
+
+########################################
+##
+## Get the attributes of init script process id files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+##
+## Read utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to write utmp.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+##
+## Write to utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file { getattr open write };
+')
+
+########################################
+##
+## Do not audit attempts to lock
+## init script pid files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_lock_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+##
+## Read and write utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write utmp.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+')
+
+########################################
+##
+## Create, read, write, and delete utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_manage_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file manage_file_perms;
+')
+
+########################################
+##
+## Create files in /var/run with the
+## utmp file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_pid_filetrans_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a tcp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a udp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+')
+
+######################################
+##
+## Search systemd unit dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_units',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+ files_search_etc($1)
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Get status of generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_generic_units_status',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:service status;
+')
+
+########################################
+##
+## Start generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_unit_t:service start;
+')
+
+########################################
+##
+## Stop generic systemd units.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_stop_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+##
+## Reload generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+##
+## Get status of all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_all_units_status',`
+ gen_require(`
+ attribute systemdunit;
+ class service status;
+ ')
+
+ allow $1 systemdunit:service status;
+')
+
+########################################
+##
+## Start all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service start;
+ ')
+
+ allow $1 systemdunit:service start;
+')
+
+########################################
+##
+## Stop all systemd units.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_stop_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service stop;
+ ')
+
+ allow $1 systemdunit:service stop;
+')
+
+#######################################
+##
+## Reload all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service reload;
+ ')
+
+ allow $1 systemdunit:service reload;
+')