diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index a414ffe..6bb4ff9 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -225,14 +225,17 @@ devices_read_sound_mixer_levels(initrc_t) devices_write_sound_mixer_levels(initrc_t) devices_set_all_character_device_attributes(initrc_t) +storage_get_fixed_disk_attributes(initrc_t) storage_set_fixed_disk_attributes(initrc_t) storage_set_removable_device_attributes(initrc_t) terminal_use_all_terminals(initrc_t) -terminal_reset_labels(initrc_t) +terminal_reset_physical_terminal_labels(initrc_t) bootloader_read_kernel_symbol_table(initrc_t) +domain_use_widely_inheritable_file_descriptors(initrc_t) + libraries_modify_dynamic_loader_cache(initrc_t) libraries_use_dynamic_loader(initrc_t) libraries_read_shared_libraries(initrc_t) @@ -256,7 +259,6 @@ corecommands_execute_shell(initrc_t) logging_send_system_log_message(initrc_t) selinux_read_config(initrc_t) -selinux_read_default_contexts(run_init_t) sysnetwork_read_network_config(initrc_t) @@ -271,6 +273,10 @@ logging_modify_system_logs(initrc_t) logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) +optional_policy(`consoletype.te',` +consoletype_transition(initrc_t) +') + ifdef(`distro_redhat',` kernel_set_selinux_enforcement_mode(initrc_t) @@ -287,11 +293,6 @@ allow initrc_t { file_t default_t }:dir { read search getattr mounton }; allow initrc_t var_spool_t:file rw_file_perms; -allow initrc_t privfd:fd use; - -# for cryptsetup -allow initrc_t fixed_disk_device_t:blk_file getattr; - # Set device ownerships/modes. allow initrc_t xconsole_device_t:fifo_file setattr; @@ -307,7 +308,14 @@ allow initrc_t home_type:file r_file_perms; allow initrc_t udev_runtime_t:file rw_file_perms; # for lsof in shutdown scripts -can_kerberos(initrc_t) +ifdef(`kerberos.te',` +if (allow_kerberos) { +can_network_client(initrc_t, `kerberos_port_t') +can_resolve(initrc_t) +} +') dnl kerberos.te +dontaudit initrc_t krb5_conf_t:file write; +allow initrc_t krb5_conf_t:file { getattr read }; # # Wants to remove udev.tbl @@ -381,6 +389,7 @@ libraries_use_dynamic_loader(run_init_t) libraries_read_shared_libraries(run_init_t) selinux_read_config(run_init_t) +selinux_read_default_contexts(run_init_t) authlogin_ignore_read_shadow_passwords(run_init_t) @@ -406,6 +415,12 @@ dontaudit run_init_t self:capability { dac_override dac_read_search }; devices_ignore_list_device_nodes(run_init_t) terminal_ignore_list_pseudoterminals(run_init_t) + +# often the administrator runs such programs from a directory that is owned +# by a different user or has restrictive SE permissions, do not want to audit +# the failed access to the current directory +files_ignore_search_all_directories(run_init_t) + ') dnl end ifdef targeted policy @@ -428,11 +443,6 @@ allow run_init_t admin_tty_type:chr_file rw_file_perms; allow run_init_t privfd:fd use; allow run_init_t lib_t:file { getattr read }; -# often the administrator runs such programs from a directory that is owned -# by a different user or has restrictive SE permissions, do not want to audit -# the failed access to the current directory -dontaudit run_init_t file_type:dir search; - ') dnl endif targeted policy ifdef(`distro_gentoo', `