Blob Blame History Raw
#DESC Init - Process initialization
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: sysvinit
#

#################################
#
# Rules for the init_t domain.
#
# init_t is the domain of the init process.
# init_exec_t is the type of the init program.
# initctl_t is the type of the named pipe created 
# by init during initialization.  This pipe is used
# to communicate with init.
#
type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
type initctl_t, file_type, sysadmfile, dev_fs;

# for init to determine whether SE Linux is active so it can know whether to
# activate it
allow init_t security_t:dir search;
allow init_t security_t:file { getattr read };

# for mount points
allow init_t file_t:dir search;

# Use capabilities.
allow init_t self:capability ~sys_module;

# Run /etc/rc.sysinit, /etc/rc, /etc/rc.local in the initrc_t domain.
domain_auto_trans(init_t, initrc_exec_t, initrc_t)

# Run the shell in the sysadm_t domain for single-user mode.
domain_auto_trans(init_t, shell_exec_t, sysadm_t)

# Run /sbin/update in the init_t domain.
can_exec(init_t, sbin_t)

# Run init.
can_exec(init_t, init_exec_t)

# Run chroot from initrd scripts.
ifdef(`chroot.te', `
can_exec(init_t, chroot_exec_t)
')

# Create /dev/initctl.
file_type_auto_trans(init_t, device_t, initctl_t, fifo_file)
ifdef(`distro_redhat', `
file_type_auto_trans(init_t, tmpfs_t, initctl_t, fifo_file)
')

# Create ioctl.save.
file_type_auto_trans(init_t, etc_t, etc_runtime_t, file)

# Update /etc/ld.so.cache
allow init_t ld_so_cache_t:file rw_file_perms;

# Allow access to log files
allow init_t var_t:dir search;
allow init_t var_log_t:dir search;
allow init_t var_log_t:file rw_file_perms;

read_locale(init_t)

# Create unix sockets
allow init_t self:unix_dgram_socket create_socket_perms;
allow init_t self:unix_stream_socket create_socket_perms;
allow init_t self:fifo_file rw_file_perms;

# Permissions required for system startup
allow init_t { bin_t sbin_t }:dir r_dir_perms;
allow init_t { bin_t sbin_t }:{ file lnk_file } { read getattr lock ioctl };

# allow init to fork
allow init_t self:process { fork sigchld };

# Modify utmp.
allow init_t var_run_t:file rw_file_perms;
allow init_t initrc_var_run_t:file { setattr rw_file_perms };

# For /var/run/shutdown.pid.
var_run_domain(init)

# Shutdown permissions
r_dir_file(init_t, proc_t)
r_dir_file(init_t, self)
allow init_t devpts_t:dir r_dir_perms;

# Modify wtmp.
allow init_t wtmp_t:file rw_file_perms;

# Kill all processes.
allow init_t domain:process signal_perms;

# Allow all processes to send SIGCHLD to init.
allow domain init_t:process { sigchld signull };

# If you load a new policy that removes active domains, processes can
# get stuck if you do not allow unlabeled processes to signal init
# If you load an incompatible policy, you should probably reboot,
# since you may have compromised system security.
allow unlabeled_t init_t:process sigchld;

# for loading policy
allow init_t policy_config_t:file r_file_perms;

# Set booleans.
can_setbool(init_t)

# Read and write the console and ttys.
allow init_t { tty_device_t console_device_t } :chr_file rw_file_perms;
ifdef(`distro_redhat', `
allow init_t tmpfs_t:chr_file rw_file_perms;
')
allow init_t ttyfile:chr_file rw_file_perms;
allow init_t ptyfile:chr_file rw_file_perms;

# Run system executables.
can_exec(init_t,bin_t)
ifdef(`consoletype.te', `
can_exec(init_t, consoletype_exec_t)
')

# Run /etc/X11/prefdm.
can_exec(init_t,etc_t)

allow init_t lib_t:file { getattr read };

ifdef(`rhgb.te', `
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
')
r_dir_file(init_t, sysfs_t)

r_dir_file(init_t, selinux_config_t)

# file descriptors inherited from the rootfs.
dontaudit init_t root_t:{ file chr_file } { read write }; 
ifdef(`targeted_policy', `
typeattribute init_t unrestricted;
')