diff --git a/Changelog b/Changelog
index 382ac7a..9497a31 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Init script file and domain support.
- Glibc 2.7 fix from Vaclav Ovsik.
- Samba/winbind update from Mike Edenfield.
- Policy size optimization with a non-security file attribute from James
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index c923e6f..3cdd56a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2,6 +2,73 @@
########################################
##
+## Create a file type used for init scripts.
+##
+##
+##
+## Create a file type used for init scripts.
+## Can not be used in conjunction with
+## init_script_domain().
+##
+##
+##
+##
+## Type of the script file used as an entry point to this domain.
+##
+##
+#
+interface(`init_script_file',`
+ gen_require(`
+ type initrc_t;
+ attribute init_script_file_type, init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_file_type;
+
+ domain_entry_file(initrc_t, $1)
+
+ domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+##
+## Create a domain used for init scripts.
+##
+##
+##
+## Create a domain used for init scripts.
+## Can not be used in conjunction with
+## init_script_file().
+##
+##
+##
+##
+## Type to be used as an init script domain.
+##
+##
+##
+##
+## Type of the script file used as an entry point to this domain.
+##
+##
+#
+interface(`init_script_domain',`
+ gen_require(`
+ attribute init_script_domain_type, init_script_file_type;
+ attribute init_run_all_scripts_domain;
+ ')
+
+ typeattribute $1 init_script_domain_type;
+ typeattribute $2 init_script_file_type;
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
+########################################
+##
## Create a domain which can be started by init.
##
##
@@ -703,6 +770,25 @@ interface(`init_getattr_script_files',`
########################################
##
+## Read init scripts.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_script_files',`
+ gen_require(`
+ type initrc_exec_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+##
## Execute init scripts in the caller domain.
##
##
@@ -722,6 +808,63 @@ interface(`init_exec_script_files',`
########################################
##
+## Get the attribute of all init script entrypoint files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_getattr_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+##
+## Read all init script files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_read_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_search_etc($1)
+ allow $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+##
+## Execute all init scripts in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_exec_all_script_files',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ files_list_etc($1)
+ can_exec($1, init_script_file_type)
+')
+
+########################################
+##
## Read the process state (/proc/pid) of the init scripts.
##
##
@@ -1030,25 +1173,6 @@ interface(`init_dontaudit_use_script_ptys',`
########################################
##
-## Read init scripts.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`init_read_script_files',`
- gen_require(`
- type initrc_exec_t;
- ')
-
- files_search_etc($1)
- allow $1 initrc_exec_t:file read_file_perms;
-')
-
-########################################
-##
## Get the attributes of init script
## status files.
##
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 51b714c..ebc586d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -23,6 +23,10 @@ attribute direct_run_init;
attribute direct_init;
attribute direct_init_entry;
+attribute init_script_domain_type;
+attribute init_script_file_type;
+attribute init_run_all_scripts_domain;
+
# Mark process types as daemons
attribute daemon;
@@ -51,8 +55,8 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
-type initrc_t;
-type initrc_exec_t;
+type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
+type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t,initrc_exec_t)
role system_r types initrc_t;
@@ -217,7 +221,9 @@ term_create_pty(initrc_t,initrc_devpts_t)
# Going to single user mode
init_exec(initrc_t)
-can_exec(initrc_t,initrc_exec_t)
+can_exec(initrc_t, init_script_file_type)
+
+domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)