#DESC Init - Process initialization
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit
#
#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SELinux is active, so it knows whether to
# activate it.
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };
# for mount points
allow init_t file_t:dir search;
# Use capabilities.
# Every capability except sys_module (the ~ negates the set): init is
# nearly all-powerful here, but cannot load or unload kernel modules itself.
allow init_t self:capability ~sys_module;
# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)
# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)
# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)
# Run init.
can_exec(init_t, init_exec_t)
# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')
# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')
# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)
# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;
# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;
read_locale(init_t)
# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;
# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };
# Allow init to fork.
allow init_t self:process { fork sigchld };
# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };
can_unix_connect(init_t, initrc_t)
# For /var/run/shutdown.pid.
var_run_domain(init)
# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;
# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;
# Kill all processes.
# The target is the domain attribute, i.e. every process type in the
# policy, so init can signal all confined processes during shutdown.
allow init_t domain:process signal_perms;
# Allow all processes to send SIGCHLD to init.
# signull additionally permits existence checks (kill with signal 0),
# which deliver no signal.
allow domain init_t:process { sigchld signull };
# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init.
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
# Only sigchld is granted here (not the full signal_perms), which keeps
# the exception for unlabeled processes as narrow as possible.
allow unlabeled_t init_t:process sigchld;
# for loading policy
allow init_t policy_config_t:file r_file_perms;
# Set booleans.
can_setbool(init_t)
# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;
# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')
# Run /etc/X11/prefdm.
# NOTE(review): this presumably permits init to execute any file labeled
# etc_t, not only prefdm; a dedicated exec type for prefdm would narrow it.
can_exec(init_t,etc_t)
allow init_t lib_t:file { getattr read };
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
allow init_t ramfs_t:sock_file write;
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
# Do not audit access through file descriptors inherited from the rootfs.
# dontaudit only suppresses the denial messages; the access itself is
# still denied.
dontaudit init_t root_t:{ file chr_file } { read write };
ifdef(`targeted_policy', `
# NOTE(review): in the targeted policy init_t runs unconfined, so the
# explicit rules above are then effectively only meaningful in strict
# policy -- confirm against the unconfined_domain macro definition.
unconfined_domain(init_t)
')