#DESC Initrc - System initialization scripts
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: sysvinit policycoreutils
#
# This file is SELinux policy source that is run through m4 before
# checkpolicy sees it.  The ifdef(...) blocks select rules per build
# (distro_debian, distro_redhat, distro_gentoo, targeted_policy,
# unlimitedRC, direct_sysadm_daemon) and the macros used here
# (can_exec, domain_auto_trans, file_type_auto_trans, r_dir_file, ...)
# are defined in other files of the policy tree, not in this one.
#
# Reviewer note: initrc_t is a very broad domain (near-complete
# capability set, execution of any exec_type file without a domain
# transition, signal and stat access to every domain and file type).
# Anything that keeps running in this domain inherits all of that, so
# long-lived services started by init scripts should get their own
# domain; see the comment above the admin_tty_type rule further down.

#################################
#
# Rules for the initrc_t domain.
#
# initrc_t is the domain of the init rc scripts.
# initrc_exec_t is the type of the init program.
#
# Attributes on initrc_t depend on the build:
#  - unlimitedRC adds admin, etc_writer, fs_domain, privmem and auth_write;
#  - privmail is omitted when sendmail.te is part of the build, because
#    adding it there creates a type transition conflict;
#  - distro_debian adds etc_writer.
type initrc_t, ifdef(`unlimitedRC', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;

role system_r types initrc_t;
uses_shlib(initrc_t);
# Full network access for the init scripts (interface and service bring-up).
can_network(initrc_t)
can_ypbind(initrc_t)
type initrc_exec_t, file_type, sysadmfile, exec_type;

# for halt to down interfaces
allow initrc_t self:udp_socket create_socket_perms;

# read files in /etc/init.d (symlinks; the files themselves are covered
# by can_exec(initrc_t, etc_t) below)
allow initrc_t etc_t:lnk_file r_file_perms;

read_locale(initrc_t)

r_dir_file(initrc_t, usr_t)

# Read system information files in /proc.
r_dir_file(initrc_t, { proc_t proc_net_t })
allow initrc_t proc_mdstat_t:file { getattr read };

# Allow IPC with self
allow initrc_t self:unix_dgram_socket create_socket_perms;
allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow initrc_t self:fifo_file rw_file_perms;

# Read the root directory of a usbdevfs filesystem, and
# the devices and drivers files.  Permit stating of the
# device nodes, but nothing else.
allow initrc_t usbdevfs_t:dir r_dir_perms;
allow initrc_t usbdevfs_t:lnk_file r_file_perms;
allow initrc_t usbdevfs_t:file getattr;
allow initrc_t usbfs_t:dir r_dir_perms;
allow initrc_t usbfs_t:file getattr;

# allow initrc to fork and renice itself
allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit getsched };

# Can create ptys for open_init_pty
can_create_pty(initrc)

# Private types for /tmp and /var/run content created by init scripts.
tmp_domain(initrc)

var_run_domain(initrc)
# Cleanup of stale entries in /var/run that carry the generic var_run_t type.
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
allow initrc_t var_run_t:dir { create rmdir };

ifdef(`distro_debian', `
allow initrc_t { etc_t device_t }:dir setattr;

# for storing state under /dev/shm
allow initrc_t tmpfs_t:dir setattr;
file_type_auto_trans(initrc_t, tmpfs_t, initrc_var_run_t, dir)
# Block device nodes created on tmpfs get the fixed-disk type; the
# associate rule below lets both new types live on a tmpfs filesystem.
file_type_auto_trans(initrc_t, tmpfs_t, fixed_disk_device_t, blk_file)
allow { initrc_var_run_t fixed_disk_device_t } tmpfs_t:filesystem associate;
')

allow initrc_t framebuf_device_t:chr_file r_file_perms;

# Use capabilities.
# Negated set: every capability except sys_admin and sys_module.  This is
# the single broadest grant in the file; keep it in mind when reviewing
# what else runs in initrc_t.
allow initrc_t self:capability ~{ sys_admin sys_module };

# Use system operations.
# Wildcard: all permissions of the system class against the kernel.
allow initrc_t kernel_t:system *;

# Set values in /proc/sys.
can_sysctl(initrc_t)

# Run helper programs in the initrc_t domain.
# These can_exec rules run the program in initrc_t itself (no domain
# transition).  The exec_type line covers every executable type in the
# policy, so any entry point not given its own domain_auto_trans stays
# in initrc_t with the capabilities granted above.
allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
allow initrc_t {bin_t sbin_t }:lnk_file read;
can_exec(initrc_t, etc_t)
can_exec(initrc_t, lib_t)
can_exec(initrc_t, bin_t)
can_exec(initrc_t, sbin_t)
can_exec(initrc_t, exec_type)
#
#  These rules are here to allow init scripts to su
#
ifdef(`su.te', `
su_restricted_domain(initrc,system)
role system_r types initrc_su_t;
')
# passwd is a userspace object class; rootok here applies to initrc_t
# checking itself.  Kept as in the original; no further semantics are
# visible from this file.
allow initrc_t self:passwd rootok;

# read /lib/modules
allow initrc_t modules_object_t:dir { search read };

# Read conf.modules.
allow initrc_t modules_conf_t:file r_file_perms;

# Run other rc scripts in the initrc_t domain.
can_exec(initrc_t, initrc_exec_t)

# Run init (telinit) in the initrc_t domain.
can_exec(initrc_t, init_exec_t)

# Communicate with the init process.
allow initrc_t initctl_t:fifo_file rw_file_perms;

# Read /proc/PID directories for all domains.
r_dir_file(initrc_t, domain)
allow initrc_t domain:process { getattr getsession };

# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
allow initrc_t { file_t default_t }:dir { read search getattr mounton };

# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)

# Update /etc/ld.so.cache.
allow initrc_t ld_so_cache_t:file rw_file_perms;

# Update /var/log/wtmp and /var/log/dmesg.
allow initrc_t wtmp_t:file { setattr rw_file_perms };
allow initrc_t var_log_t:dir rw_dir_perms;
allow initrc_t var_log_t:file { setattr rw_file_perms };
allow initrc_t lastlog_t:file { setattr rw_file_perms };
# Other log types: append only, no rewrite of existing content.
allow initrc_t logfile:file { read append };

# remove old locks
allow initrc_t lockfile:dir rw_dir_perms;
allow initrc_t lockfile:file { getattr unlink };

# Access /var/lib/random-seed.
allow initrc_t var_lib_t:file rw_file_perms;
allow initrc_t var_lib_t:file unlink;

# Create lock file.
allow initrc_t var_lock_t:dir create_dir_perms;
allow initrc_t var_lock_t:file create_file_perms;

# Set the clock.
allow initrc_t clock_device_t:devfile_class_set rw_file_perms;

# Kill all processes.
# signal_perms against every domain, for shutdown.
allow initrc_t domain:process signal_perms;

# Read and unlink /var/run/*.pid files.
allow initrc_t pidfile:file { getattr read unlink };

# Write to /dev/urandom.
allow initrc_t { random_device_t urandom_device_t }:chr_file rw_file_perms;

# for cryptsetup
allow initrc_t fixed_disk_device_t:blk_file getattr;

# Set device ownerships/modes.
allow initrc_t framebuf_device_t:chr_file setattr;
allow initrc_t misc_device_t:devfile_class_set setattr;
allow initrc_t device_t:devfile_class_set setattr;
allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
allow initrc_t removable_device_t:devfile_class_set setattr;
allow initrc_t device_t:lnk_file read;
allow initrc_t xconsole_device_t:fifo_file setattr;

# Stat any file.
# getattr and search on every file_type; no read access is implied here.
allow initrc_t file_type:notdevfile_class_set getattr;
allow initrc_t file_type:dir { search getattr };

# Read and write console and ttys.
allow initrc_t devtty_t:chr_file rw_file_perms;
allow initrc_t console_device_t:chr_file rw_file_perms;
allow initrc_t tty_device_t:chr_file rw_file_perms;
allow initrc_t ttyfile:chr_file rw_file_perms;
allow initrc_t ptyfile:chr_file rw_file_perms;

# Reset tty labels.
allow initrc_t ttyfile:chr_file relabelfrom;
allow initrc_t tty_device_t:chr_file relabelto;

ifdef(`distro_redhat', `
# Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time.
allow initrc_t boot_t:lnk_file rw_file_perms;
file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)

allow initrc_t tmpfs_t:chr_file rw_file_perms;
allow initrc_t tmpfs_t:dir r_dir_perms;

# This inner ifdef tests the same symbol as the enclosing block, so it
# is always true here; it is harmless but could be folded into the
# outer block.
ifdef(`distro_redhat', ` 
# Allow initrc domain to set the enforcing flag.
# This lets init scripts switch enforcing mode; it is only granted on
# Red Hat builds.
can_setenforce(initrc_t)
')

#
# readahead asks for these
#
allow initrc_t etc_aliases_t:file { getattr read };
allow initrc_t var_lib_nfs_t:file { getattr read };

# for /halt /.autofsck and other flag files
# Note that sysadm_t is given the same transition here, not only initrc_t.
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)

')dnl end distro_redhat

allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
allow initrc_t var_spool_t:file rw_file_perms;

# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
allow initrc_t admin_tty_type:chr_file rw_file_perms;

# Access sound device and files.
allow initrc_t sound_device_t:chr_file { setattr ioctl read write };

# Read user home directories.
allow initrc_t { home_root_t home_type }:dir r_dir_perms;
allow initrc_t home_type:file r_file_perms;

# for system start scripts
allow initrc_t pidfile:dir rw_dir_perms;
allow initrc_t pidfile:sock_file unlink;
rw_dir_create_file(initrc_t, var_lib_t)

# allow start scripts to clean /tmp
# unlabeled_t is included so that leftovers without a valid label can be
# removed as well; this is delete/stat only, not read.
allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };

# for lsof which is used by alsa shutdown
# dontaudit only silences the denial; the access is still refused.
dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
dontaudit initrc_t proc_kmsg_t:file getattr;

#################################
#
# Rules for the run_init_t domain.
#
# targeted_policy: unconfined_t enters initrc_t automatically when it
# executes an initrc_exec_t file, the two domains may exchange dbus
# messages, and a transition from initrc_t back to unconfined_t via
# shell_exec_t is permitted.  That last rule uses domain_trans rather
# than domain_auto_trans, so presumably it allows rather than forces the
# transition; confirm against the macro definition.
# Otherwise (strict policy): sysadm_t reaches initrc_t through run_init.
ifdef(`targeted_policy', `
type run_init_exec_t, file_type, sysadmfile, exec_type;
type run_init_t, domain;
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
allow initrc_t privfd:fd use;

# Transition to system_r:initrc_t upon executing init scripts.
# Only when direct_sysadm_daemon is set; the default path goes through
# run_init above.
ifdef(`direct_sysadm_daemon', `
role_transition sysadm_r initrc_exec_t system_r;
domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
')

#
# Shutting down xinet causes these
#
# Fam
dontaudit initrc_t device_t:dir { read write };
# Rsync
dontaudit initrc_t mail_spool_t:lnk_file read;

# sysfs and binfmt_misc: note that write access to sysfs_t and
# binfmt_misc_fs_t files is granted, not just read.
allow initrc_t sysfs_t:dir { getattr read search };
allow initrc_t sysfs_t:file { getattr read write };
allow initrc_t sysfs_t:lnk_file { getattr read };
allow initrc_t udev_runtime_t:file rw_file_perms;
# setattr on every device_type character device (ownership/mode fixups).
allow initrc_t device_type:chr_file setattr;
allow initrc_t binfmt_misc_fs_t:dir { getattr search };
allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };

# for lsof in shutdown scripts
can_kerberos(initrc_t)

#
# Wants to remove udev.tbl
#
allow initrc_t device_t:dir rw_dir_perms;
allow initrc_t device_t:lnk_file unlink;

r_dir_file(initrc_t,selinux_config_t)

# Empty on purpose: the only rule in this block is commented out.
ifdef(`distro_redhat', `
#allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
')

# unlimitedRC builds make initrc_t unconfined; every restriction in this
# file is then moot for that build.
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t) 
')
#
# initrc script does a cat /selinux/enforce
#
allow initrc_t security_t:dir { getattr search };
allow initrc_t security_t:file { getattr read };

# init script state
type initrc_state_t, file_type, sysadmfile;
create_dir_file(initrc_t,initrc_state_t)

ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
')
# Read-only routing netlink access (interface and route queries).
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;