From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 7 Feb 2017 19:02:43 -0500 Subject: [refpolicy] [PATCH] mon policy again In-Reply-To: <20170206051315.byxad4lugupfwykp@athena.coker.com.au> References: <20170206051315.byxad4lugupfwykp@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/06/17 00:13, Russell Coker via refpolicy wrote: > Here is another version of the mon policy including requested changes. Did you include the wrong patch? I didn't do a side-by-side comparison, but it doesn't look any different than the one from Dec. 21, including the extra .orig files in the patch.
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
> dev_list_all_dev_nodes($1)
> allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
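Review bot: `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` is added next to a rule that treats gpmctl as a sock_file, and nothing in the hunk records why a gpmctl_t object can be a FIFO; a one-line `#` comment above the new rule naming the gpm version or distribution that creates /dev/gpmctl as a FIFO would stop the next reader from dropping it as dead policy. The interface's summary sits above the hunk, outside this view, and presumably still describes a socket only; it should be updated in the same patch.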
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## mon network monitoring daemon.
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
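Review bot: `/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)` labels the directory and everything under it, but the mon.te hunk below only gives mon_t `manage_files_pattern` on mon_var_run_t and `files_pid_filetrans(mon_t, mon_var_run_t, file)`, so the daemon can neither create /var/run/mon nor manage the directory if it is created for it; if mon creates that directory itself (I cannot tell from the patch), a `manage_dirs_pattern(mon_t, mon_var_run_t, mon_var_run_t)` and a `dir` class in the filetrans are missing. As a point of style, the hunk's first added line is an empty line at the very top of mon.fc; drop it so the file opens with the `/usr/sbin/mon` entry like the other .fc files.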
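Review bot: mon.if adds only the summary line `## mon network monitoring daemon.` and no interfaces, so no other module can be granted a transition to mon_t or access to mon_var_log_t, mon_var_run_t or mon_var_lib_t without a gen_require of private types, and in particular there is no `mon_admin()` for the administrative roles to manage the daemon's files and signal it. Contrib modules in this tree are expected to ship at least the admin interface; a `mon_admin` built from `admin_pattern` over the mon_* file types plus the usual `allow $1 mon_t:process { ptrace signal_perms };` is the customary minimum, and if the daemon is reachable on the mon port a `mon_tcp_connect`-style helper would let monitored hosts be confined too. The summary line itself is presumably wrapped in the `<summary>` tags that this rendering strips.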
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
>
+domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> + mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> + bind_read_zone(mon_net_test_t)
>
+')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> + files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +
sudo_role_template(system, system_r, mon_local_test_t)
> + corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + xserver_rw_console(mon_local_test_t)
> +')
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
> network_port(memcache, tcp,11211,s0, udp,11211,s0)
> network_port(milter) # no defined portcon
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
> network_port(monit, tcp,2812,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(mountd, tcp,20048,s0, udp,20048,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
> --- /home/rjc/src/pol-git/policy/modules/system/init.if 2016-12-04 23:04:21.264949806 +1100
> +++ /tmp/pol-git/policy/modules/system/init.if 2017-02-06 16:11:04.966188329 +1100
> @@ -2504,3 +2504,22 @@
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +##
> +## stat /run/systemd/initctl/fifo
> +##
> +##
> +##
> +## domain
> +##
> +##
> +#
> +interface(`getattr_init_fifo',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:fifo_file getattr;
> + allow $1 init_var_run_t:dir list_dir_perms;
> +')
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
> --- /home/rjc/src/pol-git/policy/modules/system/init.if.orig 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/system/init.if.orig 2016-12-04 23:04:21.264949806 +1100
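Review bot: `allow mon_local_test_t self:capability sys_admin;` hands the widest capability in the kernel to a domain that the same section also gives `application_exec_all`, `domain_read_all_domains_state`, a sudo domain through `sudo_role_template(system, system_r, mon_local_test_t)` and `corecmd_bin_entry_type(mon_local_test_t)`, and nothing in the hunk says which local monitor needs any of it; a comment on the capability rule naming the test and the operation (or the narrower permission the denial actually asked for) is the usual price of sys_admin here, and the entry-type rule deserves the same justification since it makes every bin_t program a valid entry point into this domain. `allow mon_net_test_t self:fifo_file rw_file_perms;` and the identical mon_local_test_t rule use the file permission set where mon_t above uses `rw_fifo_file_perms`; the fifo set is the conventional one. On style, the mon_t section opens with corenet_* calls before the `self:tcp_socket` rule and ends with `corecmd_exec_shell` after the userdom_* calls, which inverts the usual self-rules-first, interfaces-by-layer ordering, and `files_list_boot` is wrapped in optional_policy although the files module is a kernel-layer module that is always present. A module entering the tree for the first time is normally `policy_module(mon, 1.0.0)`, and the `mon_test_t`/`mon_test_exec_t` aliases look like compatibility with an out-of-tree version that the tree itself does not need.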
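Review bot: `interface(`getattr_init_fifo',`` lacks the `init_` prefix that every other interface in init.if carries (the quoted init.if.orig below shows `init_getattr_initctl`, `init_pid_filetrans` and so on); rename it, for example `init_getattr_initctl_fifo`, and change the `getattr_init_fifo(mon_local_test_t)` call in mon.te to match. `allow $1 init_var_run_t:dir list_dir_perms;` is wider than the summary "stat /run/systemd/initctl/fifo" requires: reaching a file through a directory needs only `search_dir_perms`, unless the caller really enumerates /run/systemd, in which case the summary should say so. The other init_var_run_t interfaces in this file, `init_stream_connect` and `init_pid_filetrans`, also call `files_search_pids($1)` so the caller can traverse /run at all; this one should do the same, otherwise a domain that has no other reason to search var_run_t still fails before it reaches the fifo.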
> @@ -0,0 +1,2506 @@ > +## System initialization programs (init and init scripts). > + > +######################################## > +## > +## Create a file type used for init scripts. > +## > +## > +##

> +## Create a file type used for init scripts. It can not be > +## used in conjunction with init_script_domain(). These > +## script files are typically stored in the /etc/init.d directory. > +##

> +##

> +## Typically this is used to constrain what services an > +## admin can start/stop. For example, a policy writer may want > +## to constrain a web administrator to only being able to > +## restart the web server, not other services. This special type > +## will help address that goal. > +##

> +##

> +## This also makes the type usable for files; thus an > +## explicit call to files_type() is redundant. > +##

> +##
> +## > +## > +## Type to be used for a script file. > +## > +## > +## > +# > +interface(`init_script_file',` > + gen_require(` > + type initrc_t; > + attribute init_script_file_type, init_run_all_scripts_domain; > + ') > + > + typeattribute $1 init_script_file_type; > + > + domain_entry_file(initrc_t, $1) > + > + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t) > +') > + > +######################################## > +## > +## Make the specified type usable for > +## systemd unit files. > +## > +## > +## > +## Type to be used for systemd unit files. > +## > +## > +# > +interface(`init_unit_file',` > + gen_require(` > + attribute systemdunit; > + ') > + > + files_type($1) > + typeattribute $1 systemdunit; > +') > + > +######################################## > +## > +## Create a domain used for init scripts. > +## > +## > +##

> +## Create a domain used for init scripts. > +## Can not be used in conjunction with > +## init_script_file(). > +##

> +##
> +## > +## > +## Type to be used as an init script domain. > +## > +## > +## > +## > +## Type of the script file used as an entry point to this domain. > +## > +## > +# > +interface(`init_script_domain',` > + gen_require(` > + attribute init_script_domain_type, init_script_file_type; > + attribute init_run_all_scripts_domain; > + ') > + > + typeattribute $1 init_script_domain_type; > + typeattribute $2 init_script_file_type; > + > + domain_type($1) > + domain_entry_file($1, $2) > + > + role system_r types $1; > + > + domtrans_pattern(init_run_all_scripts_domain, $2, $1) > +') > + > +######################################## > +## > +## Create a domain which can be started by init. > +## > +## > +## > +## Type to be used as a domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +# > +interface(`init_domain',` > + gen_require(` > + type init_t; > + role system_r; > + ') > + > + domain_type($1) > + domain_entry_file($1, $2) > + > + role system_r types $1; > + > + domtrans_pattern(init_t, $2, $1) > + > + ifdef(`init_systemd',` > + allow $1 init_t:unix_stream_socket { getattr read write ioctl }; > + ') > +') > + > +######################################## > +## > +## Create a domain which can be started by init, > +## with a range transition. > +## > +## > +## > +## Type to be used as a domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +## > +## Range for the domain. 
> +## > +## > +# > +interface(`init_ranged_domain',` > + gen_require(` > + type init_t; > + ') > + > + init_domain($1, $2) > + > + ifdef(`enable_mcs',` > + range_transition init_t $2:process $3; > + ') > + > + ifdef(`enable_mls',` > + range_transition init_t $2:process $3; > + mls_rangetrans_target($1) > + ') > +') > + > +######################################## > +## > +## Create a domain for long running processes > +## (daemons/services) which are started by init scripts. > +## > +## > +##

> +## Create a domain for long running processes (daemons/services) > +## which are started by init scripts. Short running processes > +## should use the init_system_domain() interface instead. > +## Typically all long running processes started by an init > +## script (usually in /etc/init.d) will need to use this > +## interface. > +##

> +##

> +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +##

> +##

> +## If the process must also run in a specific MLS/MCS level, > +## the init_ranged_daemon_domain() should be used instead. > +##

> +##
> +## > +## > +## Type to be used as a daemon domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +# > +interface(`init_daemon_domain',` > + gen_require(` > + type initrc_t; > + role system_r; > + attribute daemon; > + ') > + > + typeattribute $1 daemon; > + > + domain_type($1) > + domain_entry_file($1, $2) > + > + role system_r types $1; > + > + domtrans_pattern(initrc_t, $2, $1) > + > + # daemons started from init will > + # inherit fds from init for the console > + init_dontaudit_use_fds($1) > + term_dontaudit_use_console($1) > + > + # init script ptys are the stdin/out/err > + # when using run_init > + init_use_script_ptys($1) > + > + ifdef(`direct_sysadm_daemon',` > + userdom_dontaudit_use_user_terminals($1) > + ') > + > + ifdef(`init_systemd',` > + init_domain($1, $2) > + # this may be because of late labelling > + kernel_dgram_send($1) > + ') > + > + optional_policy(` > + nscd_use($1) > + ') > +') > + > +######################################## > +## > +## Create a domain for long running processes > +## (daemons/services) which are started by init scripts, > +## running at a specified MLS/MCS range. > +## > +## > +##

> +## Create a domain for long running processes (daemons/services) > +## which are started by init scripts, running at a specified > +## MLS/MCS range. Short running processes > +## should use the init_ranged_system_domain() interface instead. > +## Typically all long running processes started by an init > +## script (usually in /etc/init.d) will need to use this > +## interface if they need to run in a specific MLS/MCS range. > +##

> +##

> +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +##

> +##

> +## If the policy build option TYPE is standard (MLS and MCS disabled), > +## this interface has the same behavior as init_daemon_domain(). > +##

> +##
> +## > +## > +## Type to be used as a daemon domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +## > +## MLS/MCS range for the domain. > +## > +## > +## > +# > +interface(`init_ranged_daemon_domain',` > + gen_require(` > + type initrc_t; > + ') > + > + ifdef(`init_systemd',` > + init_ranged_domain($1, $2, $3) > + ',` > + init_daemon_domain($1, $2) > + > + ifdef(`enable_mcs',` > + range_transition initrc_t $2:process $3; > + ') > + > + ifdef(`enable_mls',` > + range_transition initrc_t $2:process $3; > + mls_rangetrans_target($1) > + ') > + ') > +') > + > +######################################### > +## > +## Abstract socket service activation (systemd). > +## > +## > +## > +## The domain to be started by systemd socket activation. > +## > +## > +# > +interface(`init_abstract_socket_activation',` > + ifdef(`init_systemd',` > + gen_require(` > + type init_t; > + ') > + > + allow init_t $1:unix_stream_socket create_stream_socket_perms; > + ') > +') > + > +######################################### > +## > +## Named socket service activation (systemd). > +## > +## > +## > +## The domain to be started by systemd socket activation. > +## > +## > +## > +## > +## The domain socket file type. > +## > +## > +# > +interface(`init_named_socket_activation',` > + ifdef(`init_systemd',` > + gen_require(` > + type init_t; > + ') > + > + allow init_t $1:unix_dgram_socket create_socket_perms; > + allow init_t $1:unix_stream_socket create_stream_socket_perms; > + allow init_t $2:dir manage_dir_perms; > + allow init_t $2:fifo_file manage_fifo_file_perms; > + allow init_t $2:sock_file manage_sock_file_perms; > + ') > +') > + > +######################################## > +## > +## Create a domain for short running processes > +## which are started by init scripts. > +## > +## > +##

> +## Create a domain for short running processes > +## which are started by init scripts. These are generally applications that > +## are used to initialize the system during boot. > +## Long running processes, such as daemons/services > +## should use the init_daemon_domain() interface instead. > +## Typically all short running processes started by an init > +## script (usually in /etc/init.d) will need to use this > +## interface. > +##

> +##

> +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +##

> +##

> +## If the process must also run in a specific MLS/MCS level, > +## the init_ranged_system_domain() should be used instead. > +##

> +##
> +## > +## > +## Type to be used as a system domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +# > +interface(`init_system_domain',` > + gen_require(` > + type initrc_t; > + role system_r; > + ') > + > + application_domain($1, $2) > + > + role system_r types $1; > + > + domtrans_pattern(initrc_t, $2, $1) > + > + ifdef(`init_systemd',` > + init_domain($1, $2) > + ') > +') > + > +######################################## > +## > +## Create a domain for short running processes > +## which are started by init scripts. > +## > +## > +##

> +## Create a domain for long running processes (daemons/services) > +## which are started by init scripts. > +## These are generally applications that > +## are used to initialize the system during boot. > +## Long running processes > +## should use the init_ranged_system_domain() interface instead. > +## Typically all short running processes started by an init > +## script (usually in /etc/init.d) will need to use this > +## interface if they need to run in a specific MLS/MCS range. > +##

> +##

> +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +##

> +##

> +## If the policy build option TYPE is standard (MLS and MCS disabled), > +## this interface has the same behavior as init_system_domain(). > +##

> +##
> +## > +## > +## Type to be used as a system domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +## > +## Range for the domain. > +## > +## > +## > +# > +interface(`init_ranged_system_domain',` > + gen_require(` > + type initrc_t; > + ') > + > + ifdef(`init_systemd',` > + init_ranged_domain($1, $2, $3) > + ',` > + init_system_domain($1, $2) > + > + ifdef(`enable_mcs',` > + range_transition initrc_t $2:process $3; > + ') > + > + ifdef(`enable_mls',` > + range_transition initrc_t $2:process $3; > + mls_rangetrans_target($1) > + ') > + ') > +') > + > +######################################## > +## > +## Mark the file type as a daemon pid file, allowing initrc_t > +## to create it > +## > +## > +## > +## Type to mark as a daemon pid file > +## > +## > +## > +## > +## Class on which the type is applied > +## > +## > +## > +## > +## Filename of the file that the init script creates > +## > +## > +# > +interface(`init_daemon_pid_file',` > + gen_require(` > + attribute daemonpidfile; > + type initrc_t; > + ') > + > + typeattribute $1 daemonpidfile; > + > + files_pid_file($1) > + files_pid_filetrans(initrc_t, $1, $2, $3) > +') > + > +######################################## > +## > +## Mark the file type as a daemon run dir, allowing initrc_t > +## to create it > +## > +## > +## > +## Type to mark as a daemon run dir > +## > +## > +## > +## > +## Filename of the directory that the init script creates > +## > +## > +# > +interface(`init_daemon_run_dir',` > + gen_require(` > + attribute daemonrundir; > + type initrc_t; > + ') > + > + refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.') > + init_daemon_pid_file($1, dir, $2) > +') > + > +######################################## > +## > +## Execute init (/sbin/init) with a domain transition. > +## > +## > +## > +## Domain allowed to transition. 
> +## > +## > +# > +interface(`init_domtrans',` > + gen_require(` > + type init_t, init_exec_t; > + ') > + > + domtrans_pattern($1, init_exec_t, init_t) > +') > + > +######################################## > +## > +## Execute the init program in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`init_exec',` > + gen_require(` > + type init_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, init_exec_t) > +') > + > +######################################## > +## > +## Execute the rc application in the caller domain. > +## > +## > +##

> +## This is only applicable to Gentoo or distributions that use the OpenRC > +## init system. > +##

> +##

> +## The OpenRC /sbin/rc binary is used for both init scripts as well as > +## management applications and tools. When used for management purposes, > +## calling /sbin/rc should never cause a transition to initrc_t. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_exec_rc',` > + gen_require(` > + type rc_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, rc_exec_t) > +') > + > +######################################## > +## > +## Get the process group of init. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_getpgid',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:process getpgid; > +') > + > +######################################## > +## > +## Send init a null signal. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_signull',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:process signull; > +') > + > +######################################## > +## > +## Send init a SIGCHLD signal. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_sigchld',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:process sigchld; > +') > + > +######################################## > +## > +## Connect to init with a unix socket. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_stream_connect',` > + gen_require(` > + type init_t, init_var_run_t; > + ') > + > + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) > + files_search_pids($1) > +') > + > +######################################## > +## > +## Inherit and use file descriptors from init. > +## > +## > +##

> +## Allow the specified domain to inherit file > +## descriptors from the init program (process ID 1). > +## Typically the only file descriptors to be > +## inherited from init are for the console. > +## This does not allow the domain any access to > +## the object to which the file descriptors references. > +##

> +##

> +## Related interfaces: > +##

> +##
    > +##
  • init_dontaudit_use_fds()
  • > +##
  • term_dontaudit_use_console()
  • > +##
  • term_use_console()
  • > +##
> +##

> +## Example usage: > +##

> +##

> +## init_use_fds(mydomain_t) > +## term_use_console(mydomain_t) > +##

> +##

> +## Normally, processes that can inherit these file > +## descriptors (usually services) write messages to the > +## system log instead of writing to the console. > +## Therefore, in many cases, this access should > +## dontaudited instead. > +##

> +##

> +## Example dontaudit usage: > +##

> +##

> +## init_dontaudit_use_fds(mydomain_t) > +## term_dontaudit_use_console(mydomain_t) > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`init_use_fds',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:fd use; > +') > + > +######################################## > +## > +## Do not audit attempts to inherit file > +## descriptors from init. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`init_dontaudit_use_fds',` > + gen_require(` > + type init_t; > + ') > + > + dontaudit $1 init_t:fd use; > +') > + > +######################################## > +## > +## Send messages to init unix datagram sockets. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`init_dgram_send',` > + gen_require(` > + type init_t, init_var_run_t; > + ') > + > + dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t) > + files_search_pids($1) > +') > + > +######################################## > +## > +## Allow the specified domain to read/write to > +## init with unix domain stream sockets. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_rw_stream_sockets',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; > +') > + > +######################################## > +## > +## Send UDP network traffic to init. (Deprecated) > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_udp_send',` > + refpolicywarn(`$0($*) has been deprecated.') > +') > + > +######################################## > +## > +## Get all service status (systemd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_get_system_status',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system status; > +') > + > +######################################## > +## > +## Enable all systemd services (systemd). > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`init_enable',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system enable; > +') > + > +######################################## > +## > +## Disable all services (systemd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_disable',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system disable; > +') > + > +######################################## > +## > +## Reload all services (systemd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_reload',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system reload; > +') > + > +######################################## > +## > +## Reboot the system (systemd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_reboot_system',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system reboot; > +') > + > +######################################## > +## > +## Shutdown (halt) the system (systemd). > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_shutdown_system',` > + gen_require(` > + type init_t; > + ') > + > + allow $1 init_t:system halt; > +') > + > +######################################## > +## > +## Allow specified domain to get init status > +## > +## > +## > +## Domain to allow access. > +## > +## > +# > +interface(`init_service_status',` > + gen_require(` > + type init_t; > + class service status; > + ') > + > + allow $1 init_t:service status; > +') > + > +######################################## > +## > +## Allow specified domain to get init start > +## > +## > +## > +## Domain to allow access. > +## > +## > +# > +interface(`init_service_start',` > + gen_require(` > + type init_t; > + class service start; > + ') > + > + allow $1 init_t:service start; > +') > + > +######################################## > +## > +## Send and receive messages from > +## systemd over dbus. 
> +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_dbus_chat',` > + gen_require(` > + type init_t; > + class dbus send_msg; > + ') > + > + allow $1 init_t:dbus send_msg; > + allow init_t $1:dbus send_msg; > +') > + > +######################################## > +## > +## Manage files in /var/lib/systemd/. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`init_manage_var_lib_files',` > + gen_require(` > + type init_var_lib_t; > + ') > + > + manage_files_pattern($1, init_var_lib_t, init_var_lib_t) > + files_search_var_lib($1) > +') > + > +######################################## > +## > +## Create files in /var/lib/systemd > +## with an automatic type transition. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`init_var_lib_filetrans',` > + gen_require(` > + type init_var_lib_t; > + ') > + > + files_search_var_lib($1) > + filetrans_pattern($1, init_var_lib_t, $2, $3, $4) > +') > + > +######################################## > +## > +## Create files in an init PID directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The type of the object to be created > +## > +## > +## > +## > +## The object class. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`init_pid_filetrans',` > + gen_require(` > + type init_var_run_t; > + ') > + > + files_search_pids($1) > + filetrans_pattern($1, init_var_run_t, $2, $3, $4) > +') > + > +######################################## > +## > +## Get the attributes of initctl. > +## > +## > +## > +## Domain allowed access. 
> +##
> +##
> +#
> +interface(`init_getattr_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + allow $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to get the
> +## attributes of initctl.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_getattr_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dontaudit $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +##
> +## Write to initctl.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_write_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file write;
> +')
> +
> +########################################
> +##
> +## Use telinit (Read and write initctl).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`init_telinit',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +
> + init_exec($1)
> +
> + tunable_policy(`init_upstart',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + # upstart uses a datagram socket instead of initctl pipe
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> + ')
> +')
> +
> +########################################
> +##
> +## Read and write initctl.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_rw_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to read and
> +## write initctl.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_rw_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dontaudit $1 initctl_t:fifo_file { read write };
> +')
> +
> +########################################
> +##
> +## Make init scripts an entry point for
> +## the specified domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_entry_type',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + domain_entry_file($1, initrc_exec_t)
> +')
> +
> +########################################
> +##
> +## Execute init scripts with a specified domain transition.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`init_spec_domtrans_script',`
> + gen_require(`
> + type initrc_t, initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> + ifdef(`distro_gentoo',`
> + gen_require(`
> + type rc_exec_t;
> + ')
> +
> + domtrans_pattern($1, rc_exec_t, initrc_t)
> + ')
> +
> + ifdef(`enable_mcs',`
> + range_transition $1 initrc_exec_t:process s0;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> + ')
> +')
> +
> +########################################
> +##
> +## Execute init scripts with an automatic domain transition.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`init_domtrans_script',`
> + gen_require(`
> + type initrc_t, initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> + ifdef(`enable_mcs',`
> + range_transition $1 initrc_exec_t:process s0;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> + ')
> +')
> +
> +########################################
> +##
> +## Execute a init script in a specified domain.
> +##
> +##
> +##

> +## Execute a init script in a specified domain.
> +##

> +##

> +## No interprocess communication (signals, pipes,
> +## etc.) is provided by this interface since
> +## the domains are not owned by this module.
> +##

> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Domain to transition to.
> +##
> +##
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_domtrans',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + domain_auto_transition_pattern($1, initrc_exec_t, $2)
> +')
> +
> +########################################
> +##
> +## Transition to the init script domain
> +## on a specified labeled init script.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## Labeled init script file.
> +##
> +##
> +#
> +interface(`init_labeled_script_domtrans',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + domtrans_pattern($1, $2, initrc_t)
> + files_search_etc($1)
> +')
> +
> +#########################################
> +##
> +## Transition to the init script domain
> +## for all labeled init script types
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +########################################
> +##
> +## Allow the role to start and stop
> +## labeled services.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## The role to be performing this action.
> +##
> +##
> +##
> +##
> +## Type to be used as a daemon domain.
> +##
> +##
> +##
> +##
> +## Labeled init script file.
> +##
> +##
> +##
> +##
> +## Systemd unit file type.
> +##
> +##
> +#
> +interface(`init_startstop_service',`
> + gen_require(`
> + role system_r;
> + ')
> +
> + ifndef(`direct_sysadm_daemon',`
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> +
> + ifdef(`init_systemd',`
> + # This ifelse condition is temporary, until
> + # all callers are updated to provide unit files.
> + ifelse(`$5',`',`',`
> + gen_require(`
> + class service { start stop };
> + ')
> +
> + allow $1 $5:service { start stop };
> + ')
> + ')
> + ')
> +')
> +
> +########################################
> +##
> +## Start and stop daemon programs directly.
> +##
> +##
> +##

> +## Start and stop daemon programs directly
> +## in the traditional "/etc/init.d/daemon start"
> +## style, and do not require run_init.
> +##

> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The role to be performing this action.
> +##
> +##
> +#
> +interface(`init_run_daemon',`
> + gen_require(`
> + attribute init_script_file_type;
> + role system_r;
> + ')
> +
> + allow $2 system_r;
> +
> + init_all_labeled_script_domtrans($1)
> + role_transition $2 init_script_file_type system_r;
> +')
> +
> +########################################
> +##
> +## Read the process state (/proc/pid) of init.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_state',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:dir search_dir_perms;
> + allow $1 init_t:file read_file_perms;
> + allow $1 init_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +##
> +## Ptrace init
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`init_ptrace',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process ptrace;
> +')
> +
> +########################################
> +##
> +## Write an init script unnamed pipe.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_write_script_pipes',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fifo_file write;
> +')
> +
> +########################################
> +##
> +## Get the attribute of init script entrypoint files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getattr_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + allow $1 initrc_exec_t:file getattr;
> +')
> +
> +########################################
> +##
> +## Read init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 initrc_exec_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> +## Execute init scripts in the caller domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_exec_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + can_exec($1, initrc_exec_t)
> +')
> +
> +########################################
> +##
> +## Get the attribute of all init script entrypoint files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getattr_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_list_etc($1)
> + allow $1 init_script_file_type:file getattr;
> +')
> +
> +########################################
> +##
> +## Read all init script files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_search_etc($1)
> + allow $1 init_script_file_type:file read_file_perms;
> +')
> +
> +#######################################
> +##
> +## Dontaudit read all init script files.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_read_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + dontaudit $1 init_script_file_type:file read_file_perms;
> +')
> +
> +########################################
> +##
> +## Execute all init scripts in the caller domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_exec_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_list_etc($1)
> + can_exec($1, init_script_file_type)
> +')
> +
> +########################################
> +##
> +## Read the process state (/proc/pid) of the init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_script_state',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + kernel_search_proc($1)
> + read_files_pattern($1, initrc_t, initrc_t)
> + read_lnk_files_pattern($1, initrc_t, initrc_t)
> + list_dirs_pattern($1, initrc_t, initrc_t)
> +
> + # should move this to separate interface
> + allow $1 initrc_t:process getattr;
> +')
> +
> +########################################
> +##
> +## Inherit and use init script file descriptors.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_use_script_fds',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fd use;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to inherit
> +## init script file descriptors.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_use_script_fds',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + dontaudit $1 initrc_t:fd use;
> +')
> +
> +########################################
> +##
> +## Search init script keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_search_script_keys',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:key search;
> +')
> +
> +########################################
> +##
> +## Get the process group ID of init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getpgid_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process getpgid;
> +')
> +
> +########################################
> +##
> +## Send SIGCHLD signals to init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_sigchld_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process sigchld;
> +')
> +
> +########################################
> +##
> +## Send generic signals to init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_signal_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process signal;
> +')
> +
> +########################################
> +##
> +## Send null signals to init scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_signull_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process signull;
> +')
> +
> +########################################
> +##
> +## Read and write init script unnamed pipes.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_rw_script_pipes',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fifo_file { read write };
> +')
> +
> +########################################
> +##
> +## Send UDP network traffic to init scripts. (Deprecated)
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_udp_send_script',`
> + refpolicywarn(`$0($*) has been deprecated.')
> +')
> +
> +########################################
> +##
> +## Allow the specified domain to connect to
> +## init scripts with a unix socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_stream_connect_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +##
> +## Allow the specified domain to read/write to
> +## init scripts with a unix domain stream sockets.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_rw_script_stream_sockets',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:unix_stream_socket rw_socket_perms;
> +')
> +
> +########################################
> +##
> +## Dont audit the specified domain connecting to
> +## init scripts with a unix domain stream socket.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_stream_connect_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + dontaudit $1 initrc_t:unix_stream_socket connectto;
> +')
> +########################################
> +##
> +## Send messages to init scripts over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_dbus_send_script',`
> + gen_require(`
> + type initrc_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 initrc_t:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## init scripts over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_dbus_chat_script',`
> + gen_require(`
> + type initrc_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 initrc_t:dbus send_msg;
> + allow initrc_t $1:dbus send_msg;
> +')
> +
> +########################################
> +##
> +## Read and write the init script pty.
> +##
> +##
> +##

> +## Read and write the init script pty. This
> +## pty is generally opened by the open_init_pty
> +## portion of the run_init program so that the
> +## daemon does not require direct access to
> +## the administrator terminal.
> +##

> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_use_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + term_list_ptys($1)
> + allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +##
> +## Read and write inherited init script ptys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_use_inherited_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + term_list_ptys($1)
> + allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
> +
> + init_use_fds($1)
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to read and
> +## write the init script pty.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_use_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +##
> +## Get the attributes of init script
> +## status files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getattr_script_status_files',`
> + gen_require(`
> + type initrc_state_t;
> + ')
> +
> + getattr_files_pattern($1, initrc_state_t, initrc_state_t)
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to read init script
> +## status files.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_read_script_status_files',`
> + gen_require(`
> + type initrc_state_t;
> + ')
> +
> + dontaudit $1 initrc_state_t:dir search_dir_perms;
> + dontaudit $1 initrc_state_t:file read_file_perms;
> +')
> +
> +######################################
> +##
> +## Search the /run/systemd directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_search_run',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 init_var_run_t:dir search_dir_perms;
> +')
> +
> +########################################
> +##
> +## Read init script temporary data.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_script_tmp_files',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +##
> +## Read and write init script temporary data.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_rw_script_tmp_files',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +##
> +## Create files in a init script
> +## temporary data directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The type of the object to be created
> +##
> +##
> +##
> +##
> +## The object class.
> +##
> +##
> +##
> +##
> +## The name of the object being created.
> +##
> +##
> +#
> +interface(`init_script_tmp_filetrans',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
> +')
> +
> +########################################
> +##
> +## Get the attributes of init script process id files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getattr_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + allow $1 initrc_var_run_t:file getattr;
> +')
> +
> +########################################
> +##
> +## Read utmp.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_read_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to write utmp.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_write_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file { write lock };
> +')
> +
> +########################################
> +##
> +## Write to utmp.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_write_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file { getattr open write };
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to lock
> +## init script pid files.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_lock_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file lock;
> +')
> +
> +########################################
> +##
> +## Read and write utmp.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_rw_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file rw_file_perms;
> +')
> +
> +########################################
> +##
> +## Do not audit attempts to read and write utmp.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_dontaudit_rw_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
> +')
> +
> +########################################
> +##
> +## Create, read, write, and delete utmp.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_manage_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 initrc_var_run_t:file manage_file_perms;
> +')
> +
> +########################################
> +##
> +## Create files in /var/run with the
> +## utmp file type.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_pid_filetrans_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
> +')
> +
> +########################################
> +##
> +## Allow the specified domain to connect to daemon with a tcp socket
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_tcp_recvfrom_all_daemons',`
> + gen_require(`
> + attribute daemon;
> + ')
> +
> + corenet_tcp_recvfrom_labeled($1, daemon)
> +')
> +
> +########################################
> +##
> +## Allow the specified domain to connect to daemon with a udp socket
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_udp_recvfrom_all_daemons',`
> + gen_require(`
> + attribute daemon;
> + ')
> + corenet_udp_recvfrom_labeled($1, daemon)
> +')
> +
> +######################################
> +##
> +## Search systemd unit dirs.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_search_units',`
> + gen_require(`
> + type init_var_run_t, systemd_unit_t;
> + ')
> +
> + search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
> +
> + # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
> + files_search_etc($1)
> + files_search_usr($1)
> + libs_search_lib($1)
> +
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +##
> +## Get status of generic systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_get_generic_units_status',`
> + gen_require(`
> + type systemd_unit_t;
> + class service status;
> + ')
> +
> + allow $1 systemd_unit_t:service status;
> +')
> +
> +########################################
> +##
> +## Start generic systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_start_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service start;
> + ')
> +
> + allow $1 systemd_unit_t:service start;
> +')
> +
> +########################################
> +##
> +## Stop generic systemd units.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_stop_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service stop;
> + ')
> +
> + allow $1 systemd_unit_t:service stop;
> +')
> +
> +#######################################
> +##
> +## Reload generic systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_reload_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service reload;
> + ')
> +
> + allow $1 systemd_unit_t:service reload;
> +')
> +
> +########################################
> +##
> +## Get status of all systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_get_all_units_status',`
> + gen_require(`
> + attribute systemdunit;
> + class service status;
> + ')
> +
> + allow $1 systemdunit:service status;
> +')
> +
> +########################################
> +##
> +## Start all systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_start_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service start;
> + ')
> +
> + allow $1 systemdunit:service start;
> +')
> +
> +########################################
> +##
> +## Stop all systemd units.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +#
> +interface(`init_stop_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service stop;
> + ')
> +
> + allow $1 systemdunit:service stop;
> +')
> +
> +#######################################
> +##
> +## Reload all systemd units.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_reload_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service reload;
> + ')
> +
> + allow $1 systemdunit:service reload;
> +') > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito