2017-02-06 05:13:15

by Russell Coker

Subject: [refpolicy] [PATCH] mon policy again

Here is another version of the mon policy including requested changes.


diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
--- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
+++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
@@ -38,6 +38,7 @@

dev_list_all_dev_nodes($1)
allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')

########################################
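Review bot: The added `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` widens what this interface grants beyond the sock_file the line above it covers, but nothing in the hunk records why gpmctl may be a fifo; a one-line comment on the new rule, e.g. `# gpmctl is a fifo_file rather than a sock_file on some gpm builds -- TODO confirm which`, would keep the next reader from removing it as redundant. The interface's `<summary>` block sits above the hunk and is not shown, so if it only mentions the socket it should be updated to say the fifo is covered as well. The enclosing interface starts outside the hunk; the only caller visible in this patch is `gpm_getattr_gpmctl(mon_local_test_t)` in mon.te.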
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1,11 @@
+
+/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
@@ -0,0 +1,213 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+ mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+fs_getattr_xattr_fs(mon_net_test_t)
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+sysnet_read_config(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+files_read_usr_files(mon_net_test_t)
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+netutils_domtrans_ping(mon_net_test_t)
+
+optional_policy(`
+ bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+auth_use_nsswitch(mon_local_test_t)
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+domain_read_all_domains_state(mon_local_test_t)
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+fs_search_auto_mountpoints(mon_local_test_t)
+getattr_init_fifo(mon_local_test_t)
+logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_localization(mon_local_test_t)
+rpc_read_nfs_content(mon_local_test_t)
+sysnet_read_config(mon_local_test_t)
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+optional_policy(`
+ files_list_boot(mon_local_test_t)
+')
+
+optional_policy(`
+ sudo_role_template(system, system_r, mon_local_test_t)
+ corecmd_bin_entry_type(mon_local_test_t)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+ postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+ xserver_rw_console(mon_local_test_t)
+')
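Review bot: `allow mon_local_test_t self:capability sys_admin;` at the head of the mon_local_test_t section grants a capability that covers a very wide range of privileged kernel operations, and the only justification is the banner saying the domain "has much more access"; it needs a comment naming the test script and operation that needs it, e.g. `# sys_admin: required by <TEST-SCRIPT> for <OPERATION> -- TODO confirm`, and the same applies to the `sudo_role_template(system, system_r, mon_local_test_t)` block, which turns a monitoring test domain into a sudo-capable one. The rules `allow mon_net_test_t self:fifo_file rw_file_perms;` and `allow mon_local_test_t self:fifo_file rw_file_perms;` use the plain file permission set where the mon_t rule above uses `rw_fifo_file_perms`; the fifo set is the refpolicy idiom for fifo_file and keeps the three domains consistent. `policy_module(mon, 1.12.0)` is a module new to this tree, so by refpolicy convention it should start at `1.0.0`, and the `typealias ... alias mon_test_t` / `mon_test_exec_t` lines only earn their place if an existing deployed policy uses those names, which a comment should state. mon.fc labels the whole `/var/run/mon(/.*)?` tree `mon_var_run_t`, yet mon_t only receives `manage_files_pattern` plus a `file` filetrans on it, so if the daemon creates that directory itself (rather than packaging or tmpfiles doing it) it will also need `manage_dirs_pattern(mon_t, mon_var_run_t, mon_var_run_t)` and a `dir` filetrans.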
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
+++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
@@ -176,6 +176,7 @@
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(milter) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
network_port(monit, tcp,2812,s0)
network_port(monopd, tcp,1234,s0)
network_port(mountd, tcp,20048,s0, udp,20048,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
--- /home/rjc/src/pol-git/policy/modules/system/init.if 2016-12-04 23:04:21.264949806 +1100
+++ /tmp/pol-git/policy/modules/system/init.if 2017-02-06 16:11:04.966188329 +1100
@@ -2504,3 +2504,22 @@

allow $1 systemdunit:service reload;
')
+
+########################################
+## <summary>
+## stat /run/systemd/initctl/fifo
+## </summary>
+## <param name="domain">
+## <summary>
+## domain
+## </summary>
+## </param>
+#
+interface(`getattr_init_fifo',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ allow $1 init_var_run_t:fifo_file getattr;
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
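Review bot: The new interface is named `getattr_init_fifo`, while every other interface in init.if carries the `init_` module prefix (the sibling `init_getattr_initctl` is the closest analogue); refpolicy readers and tooling rely on that prefix, so it should become `init_getattr_fifo` or similar, with the call in mon.te updated to match. The `<summary>` says `stat /run/systemd/initctl/fifo`, but the body also grants `list_dir_perms` on `init_var_run_t:dir`, so the summary should mention the directory listing, and the parameter summary should follow the file's convention `Domain allowed access.` instead of the bare word `domain`. Because that fifo only exists under systemd, the two allow rules may belong inside an `ifdef` on `init_systemd` like the other systemd-only rules in this file, depending on whether the directory listing is also wanted on sysvinit. Separately, the patch goes on to add a 2506-line `init.if.orig` (the file section that begins right after this hunk), which looks like a leftover backup from patch/merge and should be dropped before the patch is applied.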
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
--- /home/rjc/src/pol-git/policy/modules/system/init.if.orig 1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/system/init.if.orig 2016-12-04 23:04:21.264949806 +1100
@@ -0,0 +1,2506 @@
+## <summary>System initialization programs (init and init scripts).</summary>
+
+########################################
+## <summary>
+## Create a file type used for init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a file type used for init scripts. It can not be
+## used in conjunction with init_script_domain(). These
+## script files are typically stored in the /etc/init.d directory.
+## </p>
+## <p>
+## Typically this is used to constrain what services an
+## admin can start/stop. For example, a policy writer may want
+## to constrain a web administrator to only being able to
+## restart the web server, not other services. This special type
+## will help address that goal.
+## </p>
+## <p>
+## This also makes the type usable for files; thus an
+## explicit call to files_type() is redundant.
+## </p>
+## </desc>
+## <param name="script_file">
+## <summary>
+## Type to be used for a script file.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_script_file',`
+ gen_require(`
+ type initrc_t;
+ attribute init_script_file_type, init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_file_type;
+
+ domain_entry_file(initrc_t, $1)
+
+ domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+## <summary>
+## Make the specified type usable for
+## systemd unit files.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for systemd unit files.
+## </summary>
+## </param>
+#
+interface(`init_unit_file',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ files_type($1)
+ typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
+## Create a domain used for init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain used for init scripts.
+## Can not be used in conjunction with
+## init_script_file().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as an init script domain.
+## </summary>
+## </param>
+## <param name="script_file">
+## <summary>
+## Type of the script file used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_script_domain',`
+ gen_require(`
+ attribute init_script_domain_type, init_script_file_type;
+ attribute init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_domain_type;
+ typeattribute $2 init_script_file_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
+########################################
+## <summary>
+## Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+#
+interface(`init_domain',`
+ gen_require(`
+ type init_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain which can be started by init,
+## with a range transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+#
+interface(`init_ranged_domain',`
+ gen_require(`
+ type init_t;
+ ')
+
+ init_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition init_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition init_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts. Short running processes
+## should use the init_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_daemon_domain() should be used instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ role system_r;
+ attribute daemon;
+ ')
+
+ typeattribute $1 daemon;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ # daemons started from init will
+ # inherit fds from init for the console
+ init_dontaudit_use_fds($1)
+ term_dontaudit_use_console($1)
+
+ # init script ptys are the stdin/out/err
+ # when using run_init
+ init_use_script_ptys($1)
+
+ ifdef(`direct_sysadm_daemon',`
+ userdom_dontaudit_use_user_terminals($1)
+ ')
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ # this may be because of late labelling
+ kernel_dgram_send($1)
+ ')
+
+ optional_policy(`
+ nscd_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for long running processes
+## (daemons/services) which are started by init scripts,
+## running at a specified MLS/MCS range.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts, running at a specified
+## MLS/MCS range. Short running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_daemon_domain().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## MLS/MCS range for the domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_daemon_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_daemon_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+')
+
+#########################################
+## <summary>
+## Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ ')
+')
+
+#########################################
+## <summary>
+## Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+## <param name="sock_file">
+## <summary>
+## The domain socket file type.
+## </summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_dgram_socket create_socket_perms;
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $2:dir manage_dir_perms;
+ allow init_t $2:fifo_file manage_fifo_file_perms;
+ allow init_t $2:sock_file manage_sock_file_perms;
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for short running processes
+## which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for short running processes
+## which are started by init scripts. These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes, such as daemons/services
+## should use the init_daemon_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_system_domain() should be used instead.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a system domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_system_domain',`
+ gen_require(`
+ type initrc_t;
+ role system_r;
+ ')
+
+ application_domain($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(initrc_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Create a domain for short running processes
+## which are started by init scripts.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts.
+## These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## <p>
+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_system_domain().
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used as a system domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="range">
+## <summary>
+## Range for the domain.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_system_domain',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_system_domain($1, $2)
+
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon pid file
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which the type is applied
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the file that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+ gen_require(`
+ attribute daemonpidfile;
+ type initrc_t;
+ ')
+
+ typeattribute $1 daemonpidfile;
+
+ files_pid_file($1)
+ files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+## </summary>
+## <param name="filetype">
+## <summary>
+## Type to mark as a daemon run dir
+## </summary>
+## </param>
+## <param name="filename">
+## <summary>
+## Filename of the directory that the init script creates
+## </summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+ gen_require(`
+ attribute daemonrundir;
+ type initrc_t;
+ ')
+
+ refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
+ init_daemon_pid_file($1, dir, $2)
+')
+
+########################################
+## <summary>
+## Execute init (/sbin/init) with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_domtrans',`
+ gen_require(`
+ type init_t, init_exec_t;
+ ')
+
+ domtrans_pattern($1, init_exec_t, init_t)
+')
+
+########################################
+## <summary>
+## Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_exec',`
+ gen_require(`
+ type init_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, init_exec_t)
+')
+
+########################################
+## <summary>
+## Execute the rc application in the caller domain.
+## </summary>
+## <desc>
+## <p>
+## This is only applicable to Gentoo or distributions that use the OpenRC
+## init system.
+## </p>
+## <p>
+## The OpenRC /sbin/rc binary is used for both init scripts as well as
+## management applications and tools. When used for management purposes,
+## calling /sbin/rc should never cause a transition to initrc_t.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_rc',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
+## Get the process group of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getpgid',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send init a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signull',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process signull;
+')
+
+########################################
+## <summary>
+## Send init a SIGCHLD signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_sigchld',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_connect',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from init.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to inherit file
+## descriptors from the init program (process ID 1).
+## Typically the only file descriptors to be
+## inherited from init are for the console.
+## This does not allow the domain any access to
+## the object to which the file descriptors references.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>init_dontaudit_use_fds()</li>
+## <li>term_dontaudit_use_console()</li>
+## <li>term_use_console()</li>
+## </ul>
+## <p>
+## Example usage:
+## </p>
+## <p>
+## init_use_fds(mydomain_t)
+## term_use_console(mydomain_t)
+## </p>
+## <p>
+## Normally, processes that can inherit these file
+## descriptors (usually services) write messages to the
+## system log instead of writing to the console.
+## Therefore, in many cases, this access should
+## dontaudited instead.
+## </p>
+## <p>
+## Example dontaudit usage:
+## </p>
+## <p>
+## init_dontaudit_use_fds(mydomain_t)
+## term_dontaudit_use_console(mydomain_t)
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`init_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit file
+## descriptors from init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_fds',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+## Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init with unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to init. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_send',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Get all service status (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_system_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+## Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_enable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+## Disable all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_disable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+## Reload all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+## Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reboot_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+## Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+ gen_require(`
+ type init_t;
+ class service status;
+ ')
+
+ allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+ gen_require(`
+ type init_t;
+ class service start;
+ ')
+
+ allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+ gen_require(`
+ type init_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 init_t:dbus send_msg;
+ allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create files in /var/lib/systemd
+## with an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="type">
+## <summary>
+## The type of object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Get the attributes of initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the
+## attributes of initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+## Write to initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Use telinit (Read and write initctl).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_telinit',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+ init_exec($1)
+
+ tunable_policy(`init_upstart',`
+ gen_require(`
+ type init_t;
+ ')
+
+ # upstart uses a datagram socket instead of initctl pipe
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 init_t:unix_dgram_socket sendto;
+ ')
+')
+
+########################################
+## <summary>
+## Read and write initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write initctl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_initctl',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Make init scripts an entry point for
+## the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ domain_entry_file($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute init scripts with a specified domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_spec_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`distro_gentoo',`
+ gen_require(`
+ type rc_exec_t;
+ ')
+
+ domtrans_pattern($1, rc_exec_t, initrc_t)
+ ')
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_domtrans_script',`
+ gen_require(`
+ type initrc_t, initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+ ifdef(`enable_mcs',`
+ range_transition $1 initrc_exec_t:process s0;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ ')
+')
+
+########################################
+## <summary>
+## Execute a init script in a specified domain.
+## </summary>
+## <desc>
+## <p>
+## Execute a init script in a specified domain.
+## </p>
+## <p>
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+## </p>
+## </desc>
+## <param name="source_domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ domain_auto_transition_pattern($1, initrc_exec_t, $2)
+')
+
+########################################
+## <summary>
+## Transition to the init script domain
+## on a specified labeled init script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+')
+
+#########################################
+## <summary>
+## Transition to the init script domain
+## for all labeled init script types
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`init_all_labeled_script_domtrans',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ init_labeled_script_domtrans($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+## <param name="unit" optional="true">
+## <summary>
+## Systemd unit file type.
+## </summary>
+## </param>
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ ifdef(`distro_gentoo',`
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Start and stop daemon programs directly.
+## </summary>
+## <desc>
+## <p>
+## Start and stop daemon programs directly
+## in the traditional "/etc/init.d/daemon start"
+## style, and do not require run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+#
+interface(`init_run_daemon',`
+ gen_require(`
+ attribute init_script_file_type;
+ role system_r;
+ ')
+
+ allow $2 system_r;
+
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:dir search_dir_perms;
+ allow $1 init_t:file read_file_perms;
+ allow $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Ptrace init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+## Write an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+## <summary>
+## Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Get the attribute of all init script entrypoint files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+## <summary>
+## Read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_search_etc($1)
+ allow $1 init_script_file_type:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Dontaudit read all init script files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Execute all init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_exec_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+## Read the process state (/proc/pid) of the init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_state',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ kernel_search_proc($1)
+ read_files_pattern($1, initrc_t, initrc_t)
+ read_lnk_files_pattern($1, initrc_t, initrc_t)
+ list_dirs_pattern($1, initrc_t, initrc_t)
+
+ # should move this to separate interface
+ allow $1 initrc_t:process getattr;
+')
+
+########################################
+## <summary>
+## Inherit and use init script file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to inherit
+## init script file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_fds',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+## Search init script keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_script_keys',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:key search;
+')
+
+########################################
+## <summary>
+## Get the process group ID of init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getpgid_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process getpgid;
+')
+
+########################################
+## <summary>
+## Send SIGCHLD signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_sigchld_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send generic signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signal_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send null signals to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_signull_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process signull;
+')
+
+########################################
+## <summary>
+## Read and write init script unnamed pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_pipes',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to init scripts. (Deprecated)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_send_script',`
+ refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## init scripts with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_stream_sockets',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Dont audit the specified domain connecting to
+## init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+########################################
+## <summary>
+## Send messages to init scripts over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_send_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## init scripts over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat_script',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
+ allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write the init script pty.
+## </summary>
+## <desc>
+## <p>
+## Read and write the init script pty. This
+## pty is generally opened by the open_init_pty
+## portion of the run_init program so that the
+## daemon does not require direct access to
+## the administrator terminal.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Read and write inherited init script ptys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_inherited_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ term_list_ptys($1)
+ allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+ init_use_fds($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and
+## write the init script pty.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_ptys',`
+ gen_require(`
+ type initrc_devpts_t;
+ ')
+
+ dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+## Get the attributes of init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read init script
+## status files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ dontaudit $1 initrc_state_t:dir search_dir_perms;
+ dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+## Search the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_run',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write init script temporary data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_script_tmp_files',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+## Create files in a init script
+## temporary data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_script_tmp_filetrans',`
+ gen_require(`
+ type initrc_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Get the attributes of init script process id files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_getattr_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_read_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+## <summary>
+## Write to utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_write_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file { getattr open write };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to lock
+## init script pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_lock_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+## <summary>
+## Read and write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read and write utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_rw_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 initrc_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /var/run with the
+## utmp file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+')
+
+######################################
+## <summary>
+## Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_units',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+ files_search_etc($1)
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+## Start generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+## Stop generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+## Reload generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+## Get status of all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+ gen_require(`
+ attribute systemdunit;
+ class service status;
+ ')
+
+ allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+## Start all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service start;
+ ')
+
+ allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+## Stop all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service stop;
+ ')
+
+ allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+## Reload all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service reload;
+ ')
+
+ allow $1 systemdunit:service reload;
+')


2017-02-08 00:02:43

by Chris PeBenito

Subject: [refpolicy] [PATCH] mon policy again

On 02/06/17 00:13, Russell Coker via refpolicy wrote:
> Here is another version of the mon policy including requested changes.

Did you include the wrong patch? I didn't do a side-by-side comparison,
but it doesn't look any different than the one from Dec. 21, including
the extra .orig files in the patch.


> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
> dev_list_all_dev_nodes($1)
> allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
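Review bot: The new `fifo_file` rule widens this interface beyond the socket access its existing rule grants, but the interface's summary and `gen_require` sit outside the hunk, so the documentation presumably still describes only the gpmctl socket. The `<summary>` should be updated to say the interface also gets attributes of gpmctl when it is a fifo, and a short why-comment above the added line, e.g. `# gpmctl may be created as a fifo rather than a socket`, would record the reason the rule exists — I cannot confirm from the hunk which gpm versions do this, so the comment should state whatever the submitter observed. Since the enclosing interface starts before the hunk, its name is not visible here.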
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> + mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> + bind_read_zone(mon_net_test_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> + files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + sudo_role_template(system, system_r, mon_local_test_t)
> + corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + xserver_rw_console(mon_local_test_t)
> +')
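Review bot: `allow mon_local_test_t self:capability sys_admin;` at the top of the mon_local_test_t section is granted with no comment naming the test that needs it, and combined with `application_exec_all`, `corecmd_exec_shell`, `domain_read_all_domains_state` and the `sudo_role_template(system, system_r, mon_local_test_t)` block it makes every script dropped into mon-local.d close to unconfined; either annotate it (`# sys_admin: needed by <test> for <syscall>`) or put it behind a tunable so sites that do not run that test can keep it off, and note that the `system` prefix passed to the sudo template presumably yields a `system_sudo_t` domain whose name does not identify mon. The section header says `# try not to use dontaudit rules for this` yet the same section calls `files_dontaudit_getattr_tmpfs_file`, `kernel_dontaudit_getattr_core_if` and `dev_dontaudit_getattr_all_chr_files`, so the comment should be dropped or explain why those three are acceptable. Both test domains use `self:fifo_file rw_file_perms` where mon_t uses the idiomatic `rw_fifo_file_perms`; the two lines should match. All three domains `manage_files_pattern` on mon_var_lib_t but none calls `files_search_var_lib()`, so reaching /var/lib/mon is likely denied unless another interface grants search on var_lib_t, and `corenet_udp_bind_mon_port(mon_t)` has no matching `allow mon_t self:udp_socket create_socket_perms`, so it is either dead or incomplete. A brand-new module would normally start at `policy_module(mon, 1.0.0)` rather than 1.12.0, and the mon_test_t/mon_test_exec_t typealiases appear to preserve compatibility with a policy refpolicy itself never shipped, so they deserve a comment or removal.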
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
> network_port(memcache, tcp,11211,s0, udp,11211,s0)
> network_port(milter) # no defined portcon
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
> network_port(monit, tcp,2812,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(mountd, tcp,20048,s0, udp,20048,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
> --- /home/rjc/src/pol-git/policy/modules/system/init.if 2016-12-04 23:04:21.264949806 +1100
> +++ /tmp/pol-git/policy/modules/system/init.if 2017-02-06 16:11:04.966188329 +1100
> @@ -2504,3 +2504,22 @@
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## stat /run/systemd/initctl/fifo
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain
> +## </summary>
> +## </param>
> +#
> +interface(`getattr_init_fifo',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + allow $1 init_var_run_t:fifo_file getattr;
> + allow $1 init_var_run_t:dir list_dir_perms;
> +')
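Review bot: The new interface is named `getattr_init_fifo` without the `init_` module prefix that every other interface in this file carries (`init_reload_all_units` directly above it), which breaks the refpolicy naming convention; rename it to `init_getattr_fifo` and update the call in mon.te. The summary says `stat /run/systemd/initctl/fifo` but the rules grant getattr on every fifo_file of type init_var_run_t plus `list_dir_perms` on every init_var_run_t directory, so either widen the summary to what is actually allowed or reduce the directory rule to `search_dir_perms` if listing is not needed. Sibling interfaces such as `init_stream_connect` and `init_dgram_send` also call `files_search_pids($1)` so the caller can reach /run at all; this one should do the same unless every caller is known to have it already.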
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
> --- /home/rjc/src/pol-git/policy/modules/system/init.if.orig 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/system/init.if.orig 2016-12-04 23:04:21.264949806 +1100
> @@ -0,0 +1,2506 @@
> +## <summary>System initialization programs (init and init scripts).</summary>
> +
> +########################################
> +## <summary>
> +## Create a file type used for init scripts.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a file type used for init scripts. It can not be
> +## used in conjunction with init_script_domain(). These
> +## script files are typically stored in the /etc/init.d directory.
> +## </p>
> +## <p>
> +## Typically this is used to constrain what services an
> +## admin can start/stop. For example, a policy writer may want
> +## to constrain a web administrator to only being able to
> +## restart the web server, not other services. This special type
> +## will help address that goal.
> +## </p>
> +## <p>
> +## This also makes the type usable for files; thus an
> +## explicit call to files_type() is redundant.
> +## </p>
> +## </desc>
> +## <param name="script_file">
> +## <summary>
> +## Type to be used for a script file.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`init_script_file',`
> + gen_require(`
> + type initrc_t;
> + attribute init_script_file_type, init_run_all_scripts_domain;
> + ')
> +
> + typeattribute $1 init_script_file_type;
> +
> + domain_entry_file(initrc_t, $1)
> +
> + domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Make the specified type usable for
> +## systemd unit files.
> +## </summary>
> +## <param name="type">
> +## <summary>
> +## Type to be used for systemd unit files.
> +## </summary>
> +## </param>
> +#
> +interface(`init_unit_file',`
> + gen_require(`
> + attribute systemdunit;
> + ')
> +
> + files_type($1)
> + typeattribute $1 systemdunit;
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain used for init scripts.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain used for init scripts.
> +## Can not be used in conjunction with
> +## init_script_file().
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as an init script domain.
> +## </summary>
> +## </param>
> +## <param name="script_file">
> +## <summary>
> +## Type of the script file used as an entry point to this domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_script_domain',`
> + gen_require(`
> + attribute init_script_domain_type, init_script_file_type;
> + attribute init_run_all_scripts_domain;
> + ')
> +
> + typeattribute $1 init_script_domain_type;
> + typeattribute $2 init_script_file_type;
> +
> + domain_type($1)
> + domain_entry_file($1, $2)
> +
> + role system_r types $1;
> +
> + domtrans_pattern(init_run_all_scripts_domain, $2, $1)
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain which can be started by init.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_domain',`
> + gen_require(`
> + type init_t;
> + role system_r;
> + ')
> +
> + domain_type($1)
> + domain_entry_file($1, $2)
> +
> + role system_r types $1;
> +
> + domtrans_pattern(init_t, $2, $1)
> +
> + ifdef(`init_systemd',`
> + allow $1 init_t:unix_stream_socket { getattr read write ioctl };
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain which can be started by init,
> +## with a range transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <param name="range">
> +## <summary>
> +## Range for the domain.
> +## </summary>
> +## </param>
> +#
> +interface(`init_ranged_domain',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + init_domain($1, $2)
> +
> + ifdef(`enable_mcs',`
> + range_transition init_t $2:process $3;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition init_t $2:process $3;
> + mls_rangetrans_target($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain for long running processes
> +## (daemons/services) which are started by init scripts.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain for long running processes (daemons/services)
> +## which are started by init scripts. Short running processes
> +## should use the init_system_domain() interface instead.
> +## Typically all long running processes started by an init
> +## script (usually in /etc/init.d) will need to use this
> +## interface.
> +## </p>
> +## <p>
> +## The types will be made usable as a domain and file, making
> +## calls to domain_type() and files_type() redundant.
> +## </p>
> +## <p>
> +## If the process must also run in a specific MLS/MCS level,
> +## the init_ranged_daemon_domain() should be used instead.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a daemon domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_daemon_domain',`
> + gen_require(`
> + type initrc_t;
> + role system_r;
> + attribute daemon;
> + ')
> +
> + typeattribute $1 daemon;
> +
> + domain_type($1)
> + domain_entry_file($1, $2)
> +
> + role system_r types $1;
> +
> + domtrans_pattern(initrc_t, $2, $1)
> +
> + # daemons started from init will
> + # inherit fds from init for the console
> + init_dontaudit_use_fds($1)
> + term_dontaudit_use_console($1)
> +
> + # init script ptys are the stdin/out/err
> + # when using run_init
> + init_use_script_ptys($1)
> +
> + ifdef(`direct_sysadm_daemon',`
> + userdom_dontaudit_use_user_terminals($1)
> + ')
> +
> + ifdef(`init_systemd',`
> + init_domain($1, $2)
> + # this may be because of late labelling
> + kernel_dgram_send($1)
> + ')
> +
> + optional_policy(`
> + nscd_use($1)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain for long running processes
> +## (daemons/services) which are started by init scripts,
> +## running at a specified MLS/MCS range.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain for long running processes (daemons/services)
> +## which are started by init scripts, running at a specified
> +## MLS/MCS range. Short running processes
> +## should use the init_ranged_system_domain() interface instead.
> +## Typically all long running processes started by an init
> +## script (usually in /etc/init.d) will need to use this
> +## interface if they need to run in a specific MLS/MCS range.
> +## </p>
> +## <p>
> +## The types will be made usable as a domain and file, making
> +## calls to domain_type() and files_type() redundant.
> +## </p>
> +## <p>
> +## If the policy build option TYPE is standard (MLS and MCS disabled),
> +## this interface has the same behavior as init_daemon_domain().
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a daemon domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <param name="range">
> +## <summary>
> +## MLS/MCS range for the domain.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_ranged_daemon_domain',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + ifdef(`init_systemd',`
> + init_ranged_domain($1, $2, $3)
> + ',`
> + init_daemon_domain($1, $2)
> +
> + ifdef(`enable_mcs',`
> + range_transition initrc_t $2:process $3;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition initrc_t $2:process $3;
> + mls_rangetrans_target($1)
> + ')
> + ')
> +')
> +
> +#########################################
> +## <summary>
> +## Abstract socket service activation (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The domain to be started by systemd socket activation.
> +## </summary>
> +## </param>
> +#
> +interface(`init_abstract_socket_activation',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> + ')
> +')
> +
> +#########################################
> +## <summary>
> +## Named socket service activation (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The domain to be started by systemd socket activation.
> +## </summary>
> +## </param>
> +## <param name="sock_file">
> +## <summary>
> +## The domain socket file type.
> +## </summary>
> +## </param>
> +#
> +interface(`init_named_socket_activation',`
> + ifdef(`init_systemd',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow init_t $1:unix_dgram_socket create_socket_perms;
> + allow init_t $1:unix_stream_socket create_stream_socket_perms;
> + allow init_t $2:dir manage_dir_perms;
> + allow init_t $2:fifo_file manage_fifo_file_perms;
> + allow init_t $2:sock_file manage_sock_file_perms;
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain for short running processes
> +## which are started by init scripts.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain for short running processes
> +## which are started by init scripts. These are generally applications that
> +## are used to initialize the system during boot.
> +## Long running processes, such as daemons/services
> +## should use the init_daemon_domain() interface instead.
> +## Typically all short running processes started by an init
> +## script (usually in /etc/init.d) will need to use this
> +## interface.
> +## </p>
> +## <p>
> +## The types will be made usable as a domain and file, making
> +## calls to domain_type() and files_type() redundant.
> +## </p>
> +## <p>
> +## If the process must also run in a specific MLS/MCS level,
> +## the init_ranged_system_domain() should be used instead.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a system domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_system_domain',`
> + gen_require(`
> + type initrc_t;
> + role system_r;
> + ')
> +
> + application_domain($1, $2)
> +
> + role system_r types $1;
> +
> + domtrans_pattern(initrc_t, $2, $1)
> +
> + ifdef(`init_systemd',`
> + init_domain($1, $2)
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain for short running processes
> +## which are started by init scripts.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain for long running processes (daemons/services)
> +## which are started by init scripts.
> +## These are generally applications that
> +## are used to initialize the system during boot.
> +## Long running processes
> +## should use the init_ranged_system_domain() interface instead.
> +## Typically all short running processes started by an init
> +## script (usually in /etc/init.d) will need to use this
> +## interface if they need to run in a specific MLS/MCS range.
> +## </p>
> +## <p>
> +## The types will be made usable as a domain and file, making
> +## calls to domain_type() and files_type() redundant.
> +## </p>
> +## <p>
> +## If the policy build option TYPE is standard (MLS and MCS disabled),
> +## this interface has the same behavior as init_system_domain().
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a system domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <param name="range">
> +## <summary>
> +## Range for the domain.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_ranged_system_domain',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + ifdef(`init_systemd',`
> + init_ranged_domain($1, $2, $3)
> + ',`
> + init_system_domain($1, $2)
> +
> + ifdef(`enable_mcs',`
> + range_transition initrc_t $2:process $3;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition initrc_t $2:process $3;
> + mls_rangetrans_target($1)
> + ')
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Mark the file type as a daemon pid file, allowing initrc_t
> +## to create it
> +## </summary>
> +## <param name="filetype">
> +## <summary>
> +## Type to mark as a daemon pid file
> +## </summary>
> +## </param>
> +## <param name="class">
> +## <summary>
> +## Class on which the type is applied
> +## </summary>
> +## </param>
> +## <param name="filename">
> +## <summary>
> +## Filename of the file that the init script creates
> +## </summary>
> +## </param>
> +#
> +interface(`init_daemon_pid_file',`
> + gen_require(`
> + attribute daemonpidfile;
> + type initrc_t;
> + ')
> +
> + typeattribute $1 daemonpidfile;
> +
> + files_pid_file($1)
> + files_pid_filetrans(initrc_t, $1, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Mark the file type as a daemon run dir, allowing initrc_t
> +## to create it
> +## </summary>
> +## <param name="filetype">
> +## <summary>
> +## Type to mark as a daemon run dir
> +## </summary>
> +## </param>
> +## <param name="filename">
> +## <summary>
> +## Filename of the directory that the init script creates
> +## </summary>
> +## </param>
> +#
> +interface(`init_daemon_run_dir',`
> + gen_require(`
> + attribute daemonrundir;
> + type initrc_t;
> + ')
> +
> + refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
> + init_daemon_pid_file($1, dir, $2)
> +')
> +
> +########################################
> +## <summary>
> +## Execute init (/sbin/init) with a domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_domtrans',`
> + gen_require(`
> + type init_t, init_exec_t;
> + ')
> +
> + domtrans_pattern($1, init_exec_t, init_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute the init program in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_exec',`
> + gen_require(`
> + type init_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, init_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute the rc application in the caller domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## This is only applicable to Gentoo or distributions that use the OpenRC
> +## init system.
> +## </p>
> +## <p>
> +## The OpenRC /sbin/rc binary is used for both init scripts as well as
> +## management applications and tools. When used for management purposes,
> +## calling /sbin/rc should never cause a transition to initrc_t.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_exec_rc',`
> + gen_require(`
> + type rc_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, rc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Get the process group of init.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getpgid',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process getpgid;
> +')
> +
> +########################################
> +## <summary>
> +## Send init a null signal.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_signull',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process signull;
> +')
> +
> +########################################
> +## <summary>
> +## Send init a SIGCHLD signal.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_sigchld',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +## Connect to init with a unix socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stream_connect',`
> + gen_require(`
> + type init_t, init_var_run_t;
> + ')
> +
> + stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
> + files_search_pids($1)
> +')
> +
> +########################################
> +## <summary>
> +## Inherit and use file descriptors from init.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to inherit file
> +## descriptors from the init program (process ID 1).
> +## Typically the only file descriptors to be
> +## inherited from init are for the console.
> +## This does not allow the domain any access to
> +## the object to which the file descriptors references.
> +## </p>
> +## <p>
> +## Related interfaces:
> +## </p>
> +## <ul>
> +## <li>init_dontaudit_use_fds()</li>
> +## <li>term_dontaudit_use_console()</li>
> +## <li>term_use_console()</li>
> +## </ul>
> +## <p>
> +## Example usage:
> +## </p>
> +## <p>
> +## init_use_fds(mydomain_t)
> +## term_use_console(mydomain_t)
> +## </p>
> +## <p>
> +## Normally, processes that can inherit these file
> +## descriptors (usually services) write messages to the
> +## system log instead of writing to the console.
> +## Therefore, in many cases, this access should
> +## dontaudited instead.
> +## </p>
> +## <p>
> +## Example dontaudit usage:
> +## </p>
> +## <p>
> +## init_dontaudit_use_fds(mydomain_t)
> +## term_dontaudit_use_console(mydomain_t)
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="1"/>
> +#
> +interface(`init_use_fds',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to inherit file
> +## descriptors from init.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_fds',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + dontaudit $1 init_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Send messages to init unix datagram sockets.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_dgram_send',`
> + gen_require(`
> + type init_t, init_var_run_t;
> + ')
> +
> + dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
> + files_search_pids($1)
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to read/write to
> +## init with unix domain stream sockets.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_stream_sockets',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Send UDP network traffic to init. (Deprecated)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_udp_send',`
> + refpolicywarn(`$0($*) has been deprecated.')
> +')
> +
> +########################################
> +## <summary>
> +## Get all service status (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_get_system_status',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system status;
> +')
> +
> +########################################
> +## <summary>
> +## Enable all systemd services (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_enable',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system enable;
> +')
> +
> +########################################
> +## <summary>
> +## Disable all services (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_disable',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system disable;
> +')
> +
> +########################################
> +## <summary>
> +## Reload all services (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_reload',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system reload;
> +')
> +
> +########################################
> +## <summary>
> +## Reboot the system (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_reboot_system',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system reboot;
> +')
> +
> +########################################
> +## <summary>
> +## Shutdown (halt) the system (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_shutdown_system',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system halt;
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to get init status
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_service_status',`
> + gen_require(`
> + type init_t;
> + class service status;
> + ')
> +
> + allow $1 init_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to get init start
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_service_start',`
> + gen_require(`
> + type init_t;
> + class service start;
> + ')
> +
> + allow $1 init_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## systemd over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dbus_chat',`
> + gen_require(`
> + type init_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 init_t:dbus send_msg;
> + allow init_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Manage files in /var/lib/systemd/.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_manage_var_lib_files',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create files in /var/lib/systemd
> +## with an automatic type transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="type">
> +## <summary>
> +## The type of object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_var_lib_filetrans',`
> + gen_require(`
> + type init_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +## Create files in an init PID directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_pid_filetrans',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + filetrans_pattern($1, init_var_run_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of initctl.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + allow $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to get the
> +## attributes of initctl.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_getattr_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dontaudit $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Write to initctl.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_write_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file write;
> +')
> +
> +########################################
> +## <summary>
> +## Use telinit (Read and write initctl).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_telinit',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +
> + init_exec($1)
> +
> + tunable_policy(`init_upstart',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + # upstart uses a datagram socket instead of initctl pipe
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 init_t:unix_dgram_socket sendto;
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Read and write initctl.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dev_list_all_dev_nodes($1)
> + allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and
> +## write initctl.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_rw_initctl',`
> + gen_require(`
> + type initctl_t;
> + ')
> +
> + dontaudit $1 initctl_t:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +## Make init scripts an entry point for
> +## the specified domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_entry_type',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + domain_entry_file($1, initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute init scripts with a specified domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_spec_domtrans_script',`
> + gen_require(`
> + type initrc_t, initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> + ifdef(`distro_gentoo',`
> + gen_require(`
> + type rc_exec_t;
> + ')
> +
> + domtrans_pattern($1, rc_exec_t, initrc_t)
> + ')
> +
> + ifdef(`enable_mcs',`
> + range_transition $1 initrc_exec_t:process s0;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Execute init scripts with an automatic domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_domtrans_script',`
> + gen_require(`
> + type initrc_t, initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> + ifdef(`enable_mcs',`
> + range_transition $1 initrc_exec_t:process s0;
> + ')
> +
> + ifdef(`enable_mls',`
> + range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Execute a init script in a specified domain.
> +## </summary>
> +## <desc>
> +## <p>
> +## Execute a init script in a specified domain.
> +## </p>
> +## <p>
> +## No interprocess communication (signals, pipes,
> +## etc.) is provided by this interface since
> +## the domains are not owned by this module.
> +## </p>
> +## </desc>
> +## <param name="source_domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="target_domain">
> +## <summary>
> +## Domain to transition to.
> +## </summary>
> +## </param>
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_domtrans',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + domain_auto_transition_pattern($1, initrc_exec_t, $2)
> +')
> +
> +########################################
> +## <summary>
> +## Transition to the init script domain
> +## on a specified labeled init script.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="init_script_file">
> +## <summary>
> +## Labeled init script file.
> +## </summary>
> +## </param>
> +#
> +interface(`init_labeled_script_domtrans',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + domtrans_pattern($1, $2, initrc_t)
> + files_search_etc($1)
> +')
> +
> +#########################################
> +## <summary>
> +## Transition to the init script domain
> +## for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`init_all_labeled_script_domtrans',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +########################################
> +## <summary>
> +## Allow the role to start and stop
> +## labeled services.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be performing this action.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a daemon domain.
> +## </summary>
> +## </param>
> +## <param name="init_script_file">
> +## <summary>
> +## Labeled init script file.
> +## </summary>
> +## </param>
> +## <param name="unit" optional="true">
> +## <summary>
> +## Systemd unit file type.
> +## </summary>
> +## </param>
> +#
> +interface(`init_startstop_service',`
> + gen_require(`
> + role system_r;
> + ')
> +
> + ifndef(`direct_sysadm_daemon',`
> + ifdef(`distro_gentoo',`
> + # for OpenRC
> + seutil_labeled_init_script_run_runinit($1, $2, $4)
> + ',`
> + # rules for sysvinit / upstart
> + init_labeled_script_domtrans($1, $4)
> + domain_system_change_exemption($1)
> + role_transition $2 $4 system_r;
> + allow $2 system_r;
> + ')
> +
> + ifdef(`init_systemd',`
> + # This ifelse condition is temporary, until
> + # all callers are updated to provide unit files.
> + ifelse(`$5',`',`',`
> + gen_require(`
> + class service { start stop };
> + ')
> +
> + allow $1 $5:service { start stop };
> + ')
> + ')
> + ')
> +')
> +
> +########################################
> +## <summary>
> +## Start and stop daemon programs directly.
> +## </summary>
> +## <desc>
> +## <p>
> +## Start and stop daemon programs directly
> +## in the traditional "/etc/init.d/daemon start"
> +## style, and do not require run_init.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`init_run_daemon',`
> + gen_require(`
> + attribute init_script_file_type;
> + role system_r;
> + ')
> +
> + allow $2 system_r;
> +
> + init_all_labeled_script_domtrans($1)
> + role_transition $2 init_script_file_type system_r;
> +')
> +
> +########################################
> +## <summary>
> +## Read the process state (/proc/pid) of init.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_state',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:dir search_dir_perms;
> + allow $1 init_t:file read_file_perms;
> + allow $1 init_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Ptrace init
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_ptrace',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:process ptrace;
> +')
> +
> +########################################
> +## <summary>
> +## Write an init script unnamed pipe.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_write_script_pipes',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fifo_file write;
> +')
> +
> +########################################
> +## <summary>
> +## Get the attribute of init script entrypoint files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + allow $1 initrc_exec_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Read init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 initrc_exec_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Execute init scripts in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_exec_script_files',`
> + gen_require(`
> + type initrc_exec_t;
> + ')
> +
> + files_list_etc($1)
> + can_exec($1, initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Get the attribute of all init script entrypoint files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_list_etc($1)
> + allow $1 init_script_file_type:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Read all init script files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_search_etc($1)
> + allow $1 init_script_file_type:file read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
> +## Dontaudit read all init script files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_read_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + dontaudit $1 init_script_file_type:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Execute all init scripts in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_exec_all_script_files',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + files_list_etc($1)
> + can_exec($1, init_script_file_type)
> +')
> +
> +########################################
> +## <summary>
> +## Read the process state (/proc/pid) of the init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_script_state',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + kernel_search_proc($1)
> + read_files_pattern($1, initrc_t, initrc_t)
> + read_lnk_files_pattern($1, initrc_t, initrc_t)
> + list_dirs_pattern($1, initrc_t, initrc_t)
> +
> + # should move this to separate interface
> + allow $1 initrc_t:process getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Inherit and use init script file descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_use_script_fds',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to inherit
> +## init script file descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_script_fds',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + dontaudit $1 initrc_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +## Search init script keys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_search_script_keys',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:key search;
> +')
> +
> +########################################
> +## <summary>
> +## Get the process group ID of init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getpgid_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process getpgid;
> +')
> +
> +########################################
> +## <summary>
> +## Send SIGCHLD signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_sigchld_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +## Send generic signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_signal_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process signal;
> +')
> +
> +########################################
> +## <summary>
> +## Send null signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_signull_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:process signull;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write init script unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_script_pipes',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +## Send UDP network traffic to init scripts. (Deprecated)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_udp_send_script',`
> + refpolicywarn(`$0($*) has been deprecated.')
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to connect to
> +## init scripts with a unix socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stream_connect_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to read/write to
> +## init scripts with a unix domain stream sockets.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_script_stream_sockets',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + allow $1 initrc_t:unix_stream_socket rw_socket_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Dont audit the specified domain connecting to
> +## init scripts with a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_stream_connect_script',`
> + gen_require(`
> + type initrc_t;
> + ')
> +
> + dontaudit $1 initrc_t:unix_stream_socket connectto;
> +')
> +########################################
> +## <summary>
> +## Send messages to init scripts over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dbus_send_script',`
> + gen_require(`
> + type initrc_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 initrc_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## init scripts over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dbus_chat_script',`
> + gen_require(`
> + type initrc_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 initrc_t:dbus send_msg;
> + allow initrc_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write the init script pty.
> +## </summary>
> +## <desc>
> +## <p>
> +## Read and write the init script pty. This
> +## pty is generally opened by the open_init_pty
> +## portion of the run_init program so that the
> +## daemon does not require direct access to
> +## the administrator terminal.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_use_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + term_list_ptys($1)
> + allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +## <summary>
> +## Read and write inherited init script ptys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_use_inherited_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + term_list_ptys($1)
> + allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
> +
> + init_use_fds($1)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and
> +## write the init script pty.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_script_ptys',`
> + gen_require(`
> + type initrc_devpts_t;
> + ')
> +
> + dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of init script
> +## status files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_script_status_files',`
> + gen_require(`
> + type initrc_state_t;
> + ')
> +
> + getattr_files_pattern($1, initrc_state_t, initrc_state_t)
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read init script
> +## status files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_read_script_status_files',`
> + gen_require(`
> + type initrc_state_t;
> + ')
> +
> + dontaudit $1 initrc_state_t:dir search_dir_perms;
> + dontaudit $1 initrc_state_t:file read_file_perms;
> +')
> +
> +######################################
> +## <summary>
> +## Search the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_search_run',`
> + gen_require(`
> + type init_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 init_var_run_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Read init script temporary data.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_script_tmp_files',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read and write init script temporary data.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_script_tmp_files',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create files in a init script
> +## temporary data directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="file_type">
> +## <summary>
> +## The type of the object to be created
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## The object class.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`init_script_tmp_filetrans',`
> + gen_require(`
> + type initrc_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +## Get the attributes of init script process id files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_getattr_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + allow $1 initrc_var_run_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +## Read utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to write utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_write_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file { write lock };
> +')
> +
> +########################################
> +## <summary>
> +## Write to utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_write_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file { getattr open write };
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to lock
> +## init script pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_lock_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file lock;
> +')
> +
> +########################################
> +## <summary>
> +## Read and write utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_rw_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_list_pids($1)
> + allow $1 initrc_var_run_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to read and write utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_dontaudit_rw_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete utmp.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_manage_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 initrc_var_run_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create files in /var/run with the
> +## utmp file type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_pid_filetrans_utmp',`
> + gen_require(`
> + type initrc_var_run_t;
> + ')
> +
> + files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to connect to daemon with a tcp socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_tcp_recvfrom_all_daemons',`
> + gen_require(`
> + attribute daemon;
> + ')
> +
> + corenet_tcp_recvfrom_labeled($1, daemon)
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to connect to daemon with a udp socket
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_udp_recvfrom_all_daemons',`
> + gen_require(`
> + attribute daemon;
> + ')
> + corenet_udp_recvfrom_labeled($1, daemon)
> +')
> +
> +######################################
> +## <summary>
> +## Search systemd unit dirs.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_search_units',`
> + gen_require(`
> + type init_var_run_t, systemd_unit_t;
> + ')
> +
> + search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
> +
> + # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
> + files_search_etc($1)
> + files_search_usr($1)
> + libs_search_lib($1)
> +
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> +## Get status of generic systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_get_generic_units_status',`
> + gen_require(`
> + type systemd_unit_t;
> + class service status;
> + ')
> +
> + allow $1 systemd_unit_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## Start generic systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_start_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service start;
> + ')
> +
> + allow $1 systemd_unit_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +## Stop generic systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stop_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service stop;
> + ')
> +
> + allow $1 systemd_unit_t:service stop;
> +')
> +
> +#######################################
> +## <summary>
> +## Reload generic systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_reload_generic_units',`
> + gen_require(`
> + type systemd_unit_t;
> + class service reload;
> + ')
> +
> + allow $1 systemd_unit_t:service reload;
> +')
> +
> +########################################
> +## <summary>
> +## Get status of all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_get_all_units_status',`
> + gen_require(`
> + attribute systemdunit;
> + class service status;
> + ')
> +
> + allow $1 systemdunit:service status;
> +')
> +
> +########################################
> +## <summary>
> +## Start all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_start_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service start;
> + ')
> +
> + allow $1 systemdunit:service start;
> +')
> +
> +########################################
> +## <summary>
> +## Stop all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stop_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service stop;
> + ')
> +
> + allow $1 systemdunit:service stop;
> +')
> +
> +#######################################
> +## <summary>
> +## Reload all systemd units.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_reload_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + class service reload;
> + ')
> +
> + allow $1 systemdunit:service reload;
> +')
>


--
Chris PeBenito

2017-02-08 02:01:46

by Russell Coker

Subject: [refpolicy] [PATCH] mon policy again

On Tuesday, 7 February 2017 7:02:43 PM AEDT Chris PeBenito via refpolicy
wrote:
> Did you include the wrong patch? I didn't do a side-by-side comparison,
> but it doesn't look any different than the one from Dec. 21, including
> the extra .orig files in the patch.

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide

Sorry about the .orig files. I changed the order of rules according to the
style guide. What else did you want me to do?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-02-08 22:18:20

by Chris PeBenito

Subject: [refpolicy] [PATCH] mon policy again

On 02/06/17 00:13, Russell Coker via refpolicy wrote:
> Here is another version of the mon policy including requested changes.

I've merged this but made some changes:

* Adjusted to fit style
* Moved the init fifo part to init_getattr_initctl, adjusting that
interface implementation accordingly
* Dropped the sudo for the time being (I realize it likely breaks
things) as the user role template isn't intended to be called like that.
A specific sudo for system use should be created in the sudo module
(not calling the role template there either). It's probably a good
place to use attributes to simplify the implementation across the system
instance and user template. Something like this should probably exist
for su too.
* Dropped one files_* call which didn't exist upstream (I don't remember
the name)
* Removed aliases, as the original types never existed upstream.

> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if 2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if 2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
> dev_list_all_dev_nodes($1)
> allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
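Review bot: The new `allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;` widens this interface to a second object class, but the interface's XML summary (above the hunk) presumably still describes only the socket node, so callers reading the generated docs would not know a fifo is covered. Update the summary to say that the gpmctl node may be either a socket or a fifo and that both are covered by getattr, e.g. `## Get the attributes of the GPM control socket or fifo.`. The enclosing interface starts outside the hunk.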
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon -- gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)? gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)? gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)? gen_context(system_u:object_r:mon_var_log_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if 2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te 1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te 2017-02-06 16:11:04.966188329 +1100
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> + mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> + bind_read_zone(mon_net_test_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> + files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + sudo_role_template(system, system_r, mon_local_test_t)
> + corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> + xserver_rw_console(mon_local_test_t)
> +')
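Review bot: `allow mon_local_test_t self:capability sys_admin;` grants the broadest Linux capability to the local test domain with no comment saying which monitor script needs it, so a later reviewer cannot judge whether it can be narrowed or dropped; add a why-comment above it such as `# sys_admin: required by <local test script> -- TODO confirm and narrow if possible` (placeholder for the actual script name). The fifo rules for both test domains use `rw_file_perms` while mon_t uses the class-specific set; `allow mon_net_test_t self:fifo_file rw_fifo_file_perms;` and `allow mon_local_test_t self:fifo_file rw_fifo_file_perms;` keep the permission set consistent with the fifo_file class. The header comment `# try not to use dontaudit rules for this` is immediately contradicted by files_dontaudit_getattr_tmpfs_file, kernel_dontaudit_getattr_core_if and dev_dontaudit_getattr_all_chr_files in the same section, so either the comment should explain why those three are acceptable or the rules should be reconsidered. `corenet_tcp_connect_all_ports(mon_net_test_t)` is the rule that defines that domain's reach and likewise deserves a one-line comment stating that the network tests are expected to probe arbitrary services.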
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in 2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
> network_port(memcache, tcp,11211,s0, udp,11211,s0)
> network_port(milter) # no defined portcon
> network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
> network_port(monit, tcp,2812,s0)
> network_port(monopd, tcp,1234,s0)
> network_port(mountd, tcp,20048,s0, udp,20048,s0)


--
Chris PeBenito

2017-02-09 01:21:03

by Russell Coker

Subject: [refpolicy] [PATCH] mon policy again

On Wednesday, 8 February 2017 5:18:20 PM AEDT Chris PeBenito wrote:
> * Dropped the sudo for the time being (I realize it likely breaks
> things) as the user role template isn't intended to be called like that.
> A specific sudo for system use should be created in the sudo module

Actually it's better not to use sudo in monitors; they have a standard method
of using setuid wrappers. I have to support this in Debian/Stretch because
it's too late to change some mon scripts, but for the next version I won't.

Thanks for merging it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/