From: russell@coker.com.au (Russell Coker) Date: Mon, 6 Feb 2017 16:13:15 +1100 Subject: [refpolicy] [PATCH] mon policy again Message-ID: <20170206051315.byxad4lugupfwykp@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Here is another version of the mon policy including requested changes. diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000 +++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100 @@ -38,6 +38,7 @@ dev_list_all_dev_nodes($1) allow $1 gpmctl_t:sock_file getattr_sock_file_perms; + allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms; ') ######################################## diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000 +++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100 
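Review bot: The new `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` line widens the interface to a second object class with no comment saying why gpmctl_t can be a fifo, and the interface's summary sits outside this hunk and presumably still describes only the control socket. Add a one-line comment above the new rule, e.g. `# gpmctl may be a fifo rather than a socket, depending on the gpm build`, and update the interface summary to mention both classes. The enclosing interface starts before the hunk.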
@@ -0,0 +1,11 @@
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1 @@
+## mon network monitoring daemon.
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
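Review bot: The plugin patterns `/usr/lib/mon/mon.d/.*`, `/usr/lib/mon/mon-local.d/.*` and their mon-contrib twins leave the `.` in `mon.d` and `mon-local.d` unescaped, so the regex also matches unrelated directory names (any single character in place of the dot); refpolicy .fc files escape literal dots. Use `mon\.d` and `mon-local\.d`, and the two pairs of lines can collapse into `/usr/lib/mon(-contrib)?/mon\.d/.*` and `/usr/lib/mon(-contrib)?/mon-local\.d/.*`.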
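Review bot: mon.if contains only the module summary and declares no interfaces, so no other module and no admin role can be given access to mon_t, mon_var_log_t, mon_var_run_t or mon_var_lib_t, and refpolicy normally expects at least a `mon_admin()` interface for a new contrib module. Consider adding `mon_admin(domain, role)` covering the daemon domain, its pid/log/lib/tmp types and its init script, and keep the summary inside the `<summary>` tag that refpolicy's documentation tooling parses (the tag appears to have been lost in this rendering).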
@@ -0,0 +1,213 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+fs_getattr_xattr_fs(mon_net_test_t)
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+sysnet_read_config(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+files_read_usr_files(mon_net_test_t)
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+netutils_domtrans_ping(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+auth_use_nsswitch(mon_local_test_t)
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+domain_read_all_domains_state(mon_local_test_t)
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+fs_search_auto_mountpoints(mon_local_test_t)
+getattr_init_fifo(mon_local_test_t)
+logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_localization(mon_local_test_t)
+rpc_read_nfs_content(mon_local_test_t)
+sysnet_read_config(mon_local_test_t)
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+optional_policy(`
+ files_list_boot(mon_local_test_t)
+')
+
+optional_policy(`
+ sudo_role_template(system, system_r, mon_local_test_t)
+ corecmd_bin_entry_type(mon_local_test_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
diff -ruN 
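Review bot: `allow mon_local_test_t self:capability sys_admin;` grants CAP_SYS_ADMIN to a domain that in the same hunk also gets `application_exec_all`, `domain_read_all_domains_state` and, in an optional block, `sudo_role_template` plus `corecmd_bin_entry_type`, with no comment naming the test plugin that needs it; CAP_SYS_ADMIN is close to unconfined root, so either document the consuming plugin directly above the rule or move that plugin into its own domain. The comment `# try not to use dontaudit rules for this` is contradicted a few lines later by `files_dontaudit_getattr_tmpfs_file`, `kernel_dontaudit_getattr_core_if` and `dev_dontaudit_getattr_all_chr_files`, so one or the other should go. `allow mon_net_test_t self:fifo_file rw_file_perms;` and the matching mon_local_test_t line should use `rw_fifo_file_perms`, as the mon_t rule earlier in the hunk already does. mon_t is given `corenet_udp_bind_mon_port(mon_t)` but no `allow mon_t self:udp_socket create_socket_perms;`, so the UDP bind can never be reached. A new module should start at `policy_module(mon, 1.0.0)` rather than 1.12.0, and `files_list_boot` is from the non-optional files module, so it does not belong inside `optional_policy`.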
/home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100 +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100 @@ -176,6 +176,7 @@ network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(milter) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mon, tcp,2583,s0, udp,2583,s0) network_port(monit, tcp,2812,s0) network_port(monopd, tcp,1234,s0) network_port(mountd, tcp,20048,s0, udp,20048,s0) diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if --- /home/rjc/src/pol-git/policy/modules/system/init.if 2016-12-04 23:04:21.264949806 +1100 +++ /tmp/pol-git/policy/modules/system/init.if 2017-02-06 16:11:04.966188329 +1100 @@ -2504,3 +2504,22 @@ allow $1 systemdunit:service reload; ') + +######################################## +## +## stat /run/systemd/initctl/fifo +## +## +## +## domain +## +## +# +interface(`getattr_init_fifo',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:fifo_file getattr; + allow $1 init_var_run_t:dir list_dir_perms; +') diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig --- /home/rjc/src/pol-git/policy/modules/system/init.if.orig 1970-01-01 10:00:00.000000000 +1000 +++ /tmp/pol-git/policy/modules/system/init.if.orig 2016-12-04 23:04:21.264949806 +1100 @@ -0,0 +1,2506 @@ +## System initialization programs (init and init scripts). + +######################################## +## +## Create a file type used for init scripts. +## +## +##
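Review bot: The new interface `getattr_init_fifo` breaks the refpolicy rule that every interface in init.if carries the `init_` prefix, and its summary gives no parameter description; rename it to something like `init_getattr_initctl_fifo` (note that `init_getattr_initctl` already exists for `initctl_t`, a different type from the `init_var_run_t` fifo this one covers, so the name should make the distinction) and describe the parameter as `Domain allowed access.`, updating the `getattr_init_fifo(mon_local_test_t)` call in mon.te to match. `allow $1 init_var_run_t:dir list_dir_perms;` is presumably wider than a stat of the fifo needs; `search_dir_perms` should suffice unless a caller actually lists /run/systemd/initctl. The patch also adds a 2506-line `policy/modules/system/init.if.orig` editor backup that should be dropped before this is applied; its hunk runs past the end of this page.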

+## Create a file type used for init scripts. It can not be +## used in conjunction with init_script_domain(). These +## script files are typically stored in the /etc/init.d directory. +##

+##

+## Typically this is used to constrain what services an +## admin can start/stop. For example, a policy writer may want +## to constrain a web administrator to only being able to +## restart the web server, not other services. This special type +## will help address that goal. +##

+##

+## This also makes the type usable for files; thus an +## explicit call to files_type() is redundant. +##

+##
+## +## +## Type to be used for a script file. +## +## +## +# +interface(`init_script_file',` + gen_require(` + type initrc_t; + attribute init_script_file_type, init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_file_type; + + domain_entry_file(initrc_t, $1) + + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) +') + +######################################## +## +## Make the specified type usable for +## systemd unit files. +## +## +## +## Type to be used for systemd unit files. +## +## +# +interface(`init_unit_file',` + gen_require(` + attribute systemdunit; + ') + + files_type($1) + typeattribute $1 systemdunit; +') + +######################################## +## +## Create a domain used for init scripts. +## +## +##

+## Create a domain used for init scripts. +## Can not be used in conjunction with +## init_script_file(). +##

+##
+## +## +## Type to be used as an init script domain. +## +## +## +## +## Type of the script file used as an entry point to this domain. +## +## +# +interface(`init_script_domain',` + gen_require(` + attribute init_script_domain_type, init_script_file_type; + attribute init_run_all_scripts_domain; + ') + + typeattribute $1 init_script_domain_type; + typeattribute $2 init_script_file_type; + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(init_run_all_scripts_domain, $2, $1) +') + +######################################## +## +## Create a domain which can be started by init. +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`init_domain',` + gen_require(` + type init_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(init_t, $2, $1) + + ifdef(`init_systemd',` + allow $1 init_t:unix_stream_socket { getattr read write ioctl }; + ') +') + +######################################## +## +## Create a domain which can be started by init, +## with a range transition. +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +## +## +## Range for the domain. +## +## +# +interface(`init_ranged_domain',` + gen_require(` + type init_t; + ') + + init_domain($1, $2) + + ifdef(`enable_mcs',` + range_transition init_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition init_t $2:process $3; + mls_rangetrans_target($1) + ') +') + +######################################## +## +## Create a domain for long running processes +## (daemons/services) which are started by init scripts. +## +## +##

+## Create a domain for long running processes (daemons/services) +## which are started by init scripts. Short running processes +## should use the init_system_domain() interface instead. +## Typically all long running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface. +##

+##

+## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +##

+##

+## If the process must also run in a specific MLS/MCS level, +## the init_ranged_daemon_domain() should be used instead. +##

+##
+## +## +## Type to be used as a daemon domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +## +# +interface(`init_daemon_domain',` + gen_require(` + type initrc_t; + role system_r; + attribute daemon; + ') + + typeattribute $1 daemon; + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(initrc_t, $2, $1) + + # daemons started from init will + # inherit fds from init for the console + init_dontaudit_use_fds($1) + term_dontaudit_use_console($1) + + # init script ptys are the stdin/out/err + # when using run_init + init_use_script_ptys($1) + + ifdef(`direct_sysadm_daemon',` + userdom_dontaudit_use_user_terminals($1) + ') + + ifdef(`init_systemd',` + init_domain($1, $2) + # this may be because of late labelling + kernel_dgram_send($1) + ') + + optional_policy(` + nscd_use($1) + ') +') + +######################################## +## +## Create a domain for long running processes +## (daemons/services) which are started by init scripts, +## running at a specified MLS/MCS range. +## +## +##

+## Create a domain for long running processes (daemons/services) +## which are started by init scripts, running at a specified +## MLS/MCS range. Short running processes +## should use the init_ranged_system_domain() interface instead. +## Typically all long running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface if they need to run in a specific MLS/MCS range. +##

+##

+## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +##

+##

+## If the policy build option TYPE is standard (MLS and MCS disabled), +## this interface has the same behavior as init_daemon_domain(). +##

+##
+## +## +## Type to be used as a daemon domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +## +## +## MLS/MCS range for the domain. +## +## +## +# +interface(`init_ranged_daemon_domain',` + gen_require(` + type initrc_t; + ') + + ifdef(`init_systemd',` + init_ranged_domain($1, $2, $3) + ',` + init_daemon_domain($1, $2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + ') + ') +') + +######################################### +## +## Abstract socket service activation (systemd). +## +## +## +## The domain to be started by systemd socket activation. +## +## +# +interface(`init_abstract_socket_activation',` + ifdef(`init_systemd',` + gen_require(` + type init_t; + ') + + allow init_t $1:unix_stream_socket create_stream_socket_perms; + ') +') + +######################################### +## +## Named socket service activation (systemd). +## +## +## +## The domain to be started by systemd socket activation. +## +## +## +## +## The domain socket file type. +## +## +# +interface(`init_named_socket_activation',` + ifdef(`init_systemd',` + gen_require(` + type init_t; + ') + + allow init_t $1:unix_dgram_socket create_socket_perms; + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $2:dir manage_dir_perms; + allow init_t $2:fifo_file manage_fifo_file_perms; + allow init_t $2:sock_file manage_sock_file_perms; + ') +') + +######################################## +## +## Create a domain for short running processes +## which are started by init scripts. +## +## +##

+## Create a domain for short running processes +## which are started by init scripts. These are generally applications that +## are used to initialize the system during boot. +## Long running processes, such as daemons/services +## should use the init_daemon_domain() interface instead. +## Typically all short running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface. +##

+##

+## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +##

+##

+## If the process must also run in a specific MLS/MCS level, +## the init_ranged_system_domain() should be used instead. +##

+##
+## +## +## Type to be used as a system domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +## +# +interface(`init_system_domain',` + gen_require(` + type initrc_t; + role system_r; + ') + + application_domain($1, $2) + + role system_r types $1; + + domtrans_pattern(initrc_t, $2, $1) + + ifdef(`init_systemd',` + init_domain($1, $2) + ') +') + +######################################## +## +## Create a domain for short running processes +## which are started by init scripts. +## +## +##

+## Create a domain for long running processes (daemons/services) +## which are started by init scripts. +## These are generally applications that +## are used to initialize the system during boot. +## Long running processes +## should use the init_ranged_system_domain() interface instead. +## Typically all short running processes started by an init +## script (usually in /etc/init.d) will need to use this +## interface if they need to run in a specific MLS/MCS range. +##

+##

+## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +##

+##

+## If the policy build option TYPE is standard (MLS and MCS disabled), +## this interface has the same behavior as init_system_domain(). +##

+##
+## +## +## Type to be used as a system domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +## +## +## Range for the domain. +## +## +## +# +interface(`init_ranged_system_domain',` + gen_require(` + type initrc_t; + ') + + ifdef(`init_systemd',` + init_ranged_domain($1, $2, $3) + ',` + init_system_domain($1, $2) + + ifdef(`enable_mcs',` + range_transition initrc_t $2:process $3; + ') + + ifdef(`enable_mls',` + range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) + ') + ') +') + +######################################## +## +## Mark the file type as a daemon pid file, allowing initrc_t +## to create it +## +## +## +## Type to mark as a daemon pid file +## +## +## +## +## Class on which the type is applied +## +## +## +## +## Filename of the file that the init script creates +## +## +# +interface(`init_daemon_pid_file',` + gen_require(` + attribute daemonpidfile; + type initrc_t; + ') + + typeattribute $1 daemonpidfile; + + files_pid_file($1) + files_pid_filetrans(initrc_t, $1, $2, $3) +') + +######################################## +## +## Mark the file type as a daemon run dir, allowing initrc_t +## to create it +## +## +## +## Type to mark as a daemon run dir +## +## +## +## +## Filename of the directory that the init script creates +## +## +# +interface(`init_daemon_run_dir',` + gen_require(` + attribute daemonrundir; + type initrc_t; + ') + + refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.') + init_daemon_pid_file($1, dir, $2) +') + +######################################## +## +## Execute init (/sbin/init) with a domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`init_domtrans',` + gen_require(` + type init_t, init_exec_t; + ') + + domtrans_pattern($1, init_exec_t, init_t) +') + +######################################## +## +## Execute the init program in the caller domain. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`init_exec',` + gen_require(` + type init_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, init_exec_t) +') + +######################################## +## +## Execute the rc application in the caller domain. +## +## +##

+## This is only applicable to Gentoo or distributions that use the OpenRC +## init system. +##

+##

+## The OpenRC /sbin/rc binary is used for both init scripts as well as +## management applications and tools. When used for management purposes, +## calling /sbin/rc should never cause a transition to initrc_t. +##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`init_exec_rc',` + gen_require(` + type rc_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rc_exec_t) +') + +######################################## +## +## Get the process group of init. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getpgid',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process getpgid; +') + +######################################## +## +## Send init a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_signull',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signull; +') + +######################################## +## +## Send init a SIGCHLD signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_sigchld',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process sigchld; +') + +######################################## +## +## Connect to init with a unix socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stream_connect',` + gen_require(` + type init_t, init_var_run_t; + ') + + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) + files_search_pids($1) +') + +######################################## +## +## Inherit and use file descriptors from init. +## +## +##

+## Allow the specified domain to inherit file +## descriptors from the init program (process ID 1). +## Typically the only file descriptors to be +## inherited from init are for the console. +## This does not allow the domain any access to +## the object to which the file descriptors references. +##

+##

+## Related interfaces: +##

+##
    +##
  • init_dontaudit_use_fds()
  • +##
  • term_dontaudit_use_console()
  • +##
  • term_use_console()
  • +##
+##

+## Example usage: +##

+##

+## init_use_fds(mydomain_t) +## term_use_console(mydomain_t) +##

+##

+## Normally, processes that can inherit these file +## descriptors (usually services) write messages to the +## system log instead of writing to the console. +## Therefore, in many cases, this access should +## dontaudited instead. +##

+##

+## Example dontaudit usage: +##

+##

+## init_dontaudit_use_fds(mydomain_t) +## term_dontaudit_use_console(mydomain_t) +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`init_use_fds',` + gen_require(` + type init_t; + ') + + allow $1 init_t:fd use; +') + +######################################## +## +## Do not audit attempts to inherit file +## descriptors from init. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_use_fds',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:fd use; +') + +######################################## +## +## Send messages to init unix datagram sockets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_dgram_send',` + gen_require(` + type init_t, init_var_run_t; + ') + + dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) + files_search_pids($1) +') + +######################################## +## +## Allow the specified domain to read/write to +## init with unix domain stream sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_stream_sockets',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') + +######################################## +## +## Send UDP network traffic to init. (Deprecated) +## +## +## +## Domain allowed access. +## +## +# +interface(`init_udp_send',` + refpolicywarn(`$0($*) has been deprecated.') +') + +######################################## +## +## Get all service status (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_get_system_status',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system status; +') + +######################################## +## +## Enable all systemd services (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_enable',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system enable; +') + +######################################## +## +## Disable all services (systemd). +## +## +## +## Domain allowed access. 
+## +## +# +interface(`init_disable',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system disable; +') + +######################################## +## +## Reload all services (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reload',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reload; +') + +######################################## +## +## Reboot the system (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_reboot_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system reboot; +') + +######################################## +## +## Shutdown (halt) the system (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_shutdown_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system halt; +') + +######################################## +## +## Allow specified domain to get init status +## +## +## +## Domain to allow access. +## +## +# +interface(`init_service_status',` + gen_require(` + type init_t; + class service status; + ') + + allow $1 init_t:service status; +') + +######################################## +## +## Allow specified domain to get init start +## +## +## +## Domain to allow access. +## +## +# +interface(`init_service_start',` + gen_require(` + type init_t; + class service start; + ') + + allow $1 init_t:service start; +') + +######################################## +## +## Send and receive messages from +## systemd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_dbus_chat',` + gen_require(` + type init_t; + class dbus send_msg; + ') + + allow $1 init_t:dbus send_msg; + allow init_t $1:dbus send_msg; +') + +######################################## +## +## Manage files in /var/lib/systemd/. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. 
+## +## +# +interface(`init_manage_var_lib_files',` + gen_require(` + type init_var_lib_t; + ') + + manage_files_pattern($1, init_var_lib_t, init_var_lib_t) + files_search_var_lib($1) +') + +######################################## +## +## Create files in /var/lib/systemd +## with an automatic type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_var_lib_filetrans',` + gen_require(` + type init_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, init_var_lib_t, $2, $3, $4) +') + +######################################## +## +## Create files in an init PID directory. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`init_pid_filetrans',` + gen_require(` + type init_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, init_var_run_t, $2, $3, $4) +') + +######################################## +## +## Get the attributes of initctl. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_initctl',` + gen_require(` + type initctl_t; + ') + + allow $1 initctl_t:fifo_file getattr; +') + +######################################## +## +## Do not audit attempts to get the +## attributes of initctl. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_getattr_initctl',` + gen_require(` + type initctl_t; + ') + + dontaudit $1 initctl_t:fifo_file getattr; +') + +######################################## +## +## Write to initctl. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`init_write_initctl',` + gen_require(` + type initctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file write; +') + +######################################## +## +## Use telinit (Read and write initctl). +## +## +## +## Domain allowed access. +## +## +## +# +interface(`init_telinit',` + gen_require(` + type initctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; + + init_exec($1) + + tunable_policy(`init_upstart',` + gen_require(` + type init_t; + ') + + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; + ') +') + +######################################## +## +## Read and write initctl. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_rw_initctl',` + gen_require(` + type initctl_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 initctl_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Do not audit attempts to read and +## write initctl. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_rw_initctl',` + gen_require(` + type initctl_t; + ') + + dontaudit $1 initctl_t:fifo_file { read write }; +') + +######################################## +## +## Make init scripts an entry point for +## the specified domain. +## +## +## +## Domain allowed access. +## +## +# cjp: added for gentoo integrated run_init +interface(`init_script_file_entry_type',` + gen_require(` + type initrc_exec_t; + ') + + domain_entry_file($1, initrc_exec_t) +') + +######################################## +## +## Execute init scripts with a specified domain transition. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`init_spec_domtrans_script',` + gen_require(` + type initrc_t, initrc_exec_t; + ') + + files_list_etc($1) + spec_domtrans_pattern($1, initrc_exec_t, initrc_t) + + ifdef(`distro_gentoo',` + gen_require(` + type rc_exec_t; + ') + + domtrans_pattern($1, rc_exec_t, initrc_t) + ') + + ifdef(`enable_mcs',` + range_transition $1 initrc_exec_t:process s0; + ') + + ifdef(`enable_mls',` + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + ') +') + +######################################## +## +## Execute init scripts with an automatic domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`init_domtrans_script',` + gen_require(` + type initrc_t, initrc_exec_t; + ') + + files_list_etc($1) + domtrans_pattern($1, initrc_exec_t, initrc_t) + + ifdef(`enable_mcs',` + range_transition $1 initrc_exec_t:process s0; + ') + + ifdef(`enable_mls',` + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + ') +') + +######################################## +## +## Execute a init script in a specified domain. +## +## +##

+## Execute a init script in a specified domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domain_auto_transition_pattern($1, initrc_exec_t, $2)
+')
+
+########################################
+##
+## Transition to the init script domain
+## on a specified labeled init script.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Labeled init script file.
+##
+##
+#
+interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+')
+
+#########################################
+##
+## Transition to the init script domain
+## for all labeled init script types
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
+########################################
+##
+## Allow the role to start and stop
+## labeled services.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be performing this action.
+##
+##
+##
+##
+## Type to be used as a daemon domain.
+##
+##
+##
+##
+## Labeled init script file.
+##
+##
+##
+##
+## Systemd unit file type.
+##
+##
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
+ ')
+')
+
+########################################
+##
+## Start and stop daemon programs directly.
+##
+##
+##

+## Start and stop daemon programs directly
+## in the traditional "/etc/init.d/daemon start"
+## style, and do not require run_init.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be performing this action.
+##
+##
+#
+interface(`init_run_daemon',`
+ gen_require(`
+ attribute init_script_file_type;
+ role system_r;
+ ')
+
+ allow $2 system_r;
+
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
+')
+
+########################################
+##
+## Read the process state (/proc/pid) of init.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+##
+## Ptrace init
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`init_ptrace',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+##
+## Write an init script unnamed pipe.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_write_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+##
+## Get the attribute of init script entrypoint files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+##
+## Read init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+##
+## Execute init scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, initrc_exec_t)
+')
+
+########################################
+##
+## Get the attribute of all init script entrypoint files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+##
+## Read all init script files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_search_etc($1)
+ allow $1 init_script_file_type:file read_file_perms;
+')
+
+#######################################
+##
+## Dontaudit read all init script files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+##
+## Execute all init scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, init_script_file_type)
+')
+
+########################################
+##
+## Read the process state (/proc/pid) of the init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_state',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ kernel_search_proc($1)
+ read_files_pattern($1, initrc_t, initrc_t)
+ read_lnk_files_pattern($1, initrc_t, initrc_t)
+ list_dirs_pattern($1, initrc_t, initrc_t)
+
+ # should move this to separate interface
+ allow $1 initrc_t:process getattr;
+')
+
+########################################
+##
+## Inherit and use init script file descriptors.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to inherit
+## init script file descriptors.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+##
+## Search init script keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_script_keys',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+##
+## Get the process group ID of init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getpgid_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process getpgid;
+')
+
+########################################
+##
+## Send SIGCHLD signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_sigchld_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigchld;
+')
+
+########################################
+##
+## Send generic signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_signal_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signal;
+')
+
+########################################
+##
+## Send null signals to init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_signull_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signull;
+')
+
+########################################
+##
+## Read and write init script unnamed pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+##
+## Send UDP network traffic to init scripts. (Deprecated)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_send_script',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+##
+## Allow the specified domain to connect to
+## init scripts with a unix socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+##
+## Allow the specified domain to read/write to
+## init scripts with a unix domain stream sockets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_stream_sockets',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+##
+## Dont audit the specified domain connecting to
+## init scripts with a unix domain stream socket.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+########################################
+##
+## Send messages to init scripts over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+')
+
+########################################
+##
+## Send and receive messages from
+## init scripts over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dbus_chat_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+ allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+##
+## Read and write the init script pty.
+##
+##
+##

+## Read and write the init script pty. This
+## pty is generally opened by the open_init_pty
+## portion of the run_init program so that the
+## daemon does not require direct access to
+## the administrator terminal.
+##

+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+##
+## Read and write inherited init script ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_use_inherited_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+ init_use_fds($1)
+')
+
+########################################
+##
+## Do not audit attempts to read and
+## write the init script pty.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+##
+## Get the attributes of init script
+## status files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+##
+## Do not audit attempts to read init script
+## status files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_read_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ dontaudit $1 initrc_state_t:dir search_dir_perms;
+ dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+######################################
+##
+## Search the /run/systemd directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_run',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Read init script temporary data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+##
+## Read and write init script temporary data.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+##
+## Create files in a init script
+## temporary data directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The type of the object to be created
+##
+##
+##
+##
+## The object class.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`init_script_tmp_filetrans',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
+')
+
+########################################
+##
+## Get the attributes of init script process id files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+##
+## Read utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to write utmp.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+##
+## Write to utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file { getattr open write };
+')
+
+########################################
+##
+## Do not audit attempts to lock
+## init script pid files.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_lock_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+##
+## Read and write utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write utmp.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_dontaudit_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+')
+
+########################################
+##
+## Create, read, write, and delete utmp.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_manage_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file manage_file_perms;
+')
+
+########################################
+##
+## Create files in /var/run with the
+## utmp file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_pid_filetrans_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a tcp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a udp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+')
+
+######################################
+##
+## Search systemd unit dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_search_units',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+ files_search_etc($1)
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Get status of generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_generic_units_status',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:service status;
+')
+
+########################################
+##
+## Start generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_unit_t:service start;
+')
+
+########################################
+##
+## Stop generic systemd units.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_stop_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+##
+## Reload generic systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+##
+## Get status of all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_get_all_units_status',`
+ gen_require(`
+ attribute systemdunit;
+ class service status;
+ ')
+
+ allow $1 systemdunit:service status;
+')
+
+########################################
+##
+## Start all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_start_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service start;
+ ')
+
+ allow $1 systemdunit:service start;
+')
+
+########################################
+##
+## Stop all systemd units.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`init_stop_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service stop;
+ ')
+
+ allow $1 systemdunit:service stop;
+')
+
+#######################################
+##
+## Reload all systemd units.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_reload_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service reload;
+ ')
+
+ allow $1 systemdunit:service reload;
+')