File: //usr/share/selinux/devel/include/system/init.if
## <summary>System initialization programs (init and init scripts).</summary>
######################################
## <summary>
## Make the specified type usable as a mountpoint.
## </summary>
## <desc>
## Make the specified type usable as a mountpoint.
## This is normally used for systemd BindPaths options.
## </desc>
## <param name="file_type">
## <summary>
## Type to be used as a mountpoint.
## </summary>
## </param>
#
interface(`init_mountpoint',`
gen_require(`
attribute init_mountpoint_type;
')
typeattribute $1 init_mountpoint_type;
')
########################################
## <summary>
## Create a file type monitored by a systemd path unit.
## </summary>
## <param name="script_file">
## <summary>
## Type to be used for a path unit monitored location.
## </summary>
## </param>
#
interface(`init_path_unit_location_file',`
gen_require(`
attribute init_path_unit_loc_type;
')
typeattribute $1 init_path_unit_loc_type;
files_type($1)
')
########################################
## <summary>
## Create a file type used for init scripts.
## </summary>
## <desc>
## <p>
## Create a file type used for init scripts. It can not be
## used in conjunction with init_script_domain(). These
## script files are typically stored in the /etc/init.d directory.
## </p>
## <p>
## Typically this is used to constrain what services an
## admin can start/stop. For example, a policy writer may want
## to constrain a web administrator to only being able to
## restart the web server, not other services. This special type
## will help address that goal.
## </p>
## <p>
## This also makes the type usable for files; thus an
## explicit call to files_type() is redundant.
## </p>
## </desc>
## <param name="script_file">
## <summary>
## Type to be used for a script file.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`init_script_file',`
gen_require(`
type initrc_t;
attribute init_script_file_type, init_run_all_scripts_domain;
')
typeattribute $1 init_script_file_type;
domain_entry_file(initrc_t, $1)
domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
')
########################################
## <summary>
## Make the specified type usable for
## systemd unit files.
## </summary>
## <param name="type">
## <summary>
## Type to be used for systemd unit files.
## </summary>
## </param>
#
interface(`init_unit_file',`
gen_require(`
attribute systemdunit;
')
files_type($1)
typeattribute $1 systemdunit;
')
########################################
## <summary>
## Create a domain used for init scripts.
## </summary>
## <desc>
## <p>
## Create a domain used for init scripts.
## Can not be used in conjunction with
## init_script_file().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as an init script domain.
## </summary>
## </param>
## <param name="script_file">
## <summary>
## Type of the script file used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_script_domain',`
gen_require(`
attribute init_script_domain_type, init_script_file_type;
attribute init_run_all_scripts_domain;
')
typeattribute $1 init_script_domain_type;
typeattribute $2 init_script_file_type;
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
ifdef(`init_systemd',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
')
########################################
## <summary>
## Create a domain which can be started by init.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
interface(`init_domain',`
gen_require(`
type init_t;
role system_r;
')
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
ifdef(`init_systemd', `
domtrans_pattern(init_t, $2, $1)
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
')
allow init_t $1:process rlimitinh;
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
')
########################################
## <summary>
## Create a domain which can be started by init,
## with a range transition.
## </summary>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
#
interface(`init_ranged_domain',`
gen_require(`
type init_t;
')
init_domain($1, $2)
ifdef(`enable_mcs',`
range_transition init_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition init_t $2:process $3;
mls_rangetrans_target($1)
')
')
########################################
## <summary>
## Setup a domain which can be manually transitioned to from init.
## </summary>
## <desc>
## <p>
## Create a domain used for systemd services where the SELinuxContext
## option is specified in the .service file. This allows for the
## manual transition from systemd into the new domain. This is used
## when automatic transitions won't work. Used for the case where the
## same binary is used for multiple target domains.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program being executed when starting this domain.
## </summary>
## </param>
#
interface(`init_spec_daemon_domain',`
gen_require(`
type init_t;
role system_r;
attribute daemon;
')
typeattribute $1 daemon;
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
spec_domtrans_pattern(init_t, $2, $1)
allow init_t $1:process rlimitinh;
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
allow init_t $1:process2 { nnp_transition nosuid_transition };
')
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_user_terminals($1)
')
')
########################################
## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts.
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts. Short running processes
## should use the init_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_daemon_domain() should be used instead.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_daemon_domain',`
gen_require(`
type init_t, initrc_t;
role system_r;
attribute daemon;
')
typeattribute $1 daemon;
domain_type($1)
domain_entry_file($1, $2)
role system_r types $1;
domtrans_pattern(initrc_t, $2, $1)
# daemons started from init will
# inherit fds from init for the console
init_dontaudit_use_fds($1)
term_dontaudit_use_console($1)
# init script ptys are the stdin/out/err
# when using run_init
init_use_script_ptys($1)
allow init_t $1:process rlimitinh;
ifdef(`direct_sysadm_daemon',`
userdom_dontaudit_use_user_terminals($1)
')
ifdef(`init_systemd',`
init_domain($1, $2)
allow $1 init_t:unix_dgram_socket sendto;
optional_policy(`
systemd_stream_connect_socket_proxyd($1)
')
')
optional_policy(`
nscd_use($1)
')
')
########################################
## <summary>
## Create a domain for long running processes
## (daemons/services) which are started by init scripts,
## running at a specified MLS/MCS range.
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts, running at a specified
## MLS/MCS range. Short running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_daemon_domain().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## MLS/MCS range for the domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_ranged_daemon_domain',`
gen_require(`
type initrc_t;
')
ifdef(`init_systemd',`
init_ranged_domain($1, $2, $3)
',`
init_daemon_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
')
#########################################
## <summary>
## Abstract socket service activation (systemd).
## </summary>
## <param name="domain">
## <summary>
## The domain to be started by systemd socket activation.
## </summary>
## </param>
#
interface(`init_abstract_socket_activation',`
ifdef(`init_systemd',`
gen_require(`
type init_t;
')
allow init_t $1:unix_stream_socket create_stream_socket_perms;
')
')
#########################################
## <summary>
## Named socket service activation (systemd).
## </summary>
## <param name="domain">
## <summary>
## The domain to be started by systemd socket activation.
## </summary>
## </param>
## <param name="sock_file">
## <summary>
## The domain socket file type.
## </summary>
## </param>
#
interface(`init_named_socket_activation',`
ifdef(`init_systemd',`
gen_require(`
type init_t;
')
allow init_t $1:unix_dgram_socket create_socket_perms;
allow init_t $1:unix_stream_socket create_stream_socket_perms;
allow init_t $2:dir manage_dir_perms;
allow init_t $2:fifo_file manage_fifo_file_perms;
allow init_t $2:sock_file manage_sock_file_perms;
')
')
########################################
## <summary>
## Create a domain for short running processes
## which are started by init scripts.
## </summary>
## <desc>
## <p>
## Create a domain for short running processes
## which are started by init scripts. These are generally applications that
## are used to initialize the system during boot.
## Long running processes, such as daemons/services
## should use the init_daemon_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_system_domain() should be used instead.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a system domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_system_domain',`
gen_require(`
type initrc_t;
role system_r;
attribute systemprocess;
')
typeattribute $1 systemprocess;
application_domain($1, $2)
role system_r types $1;
domtrans_pattern(initrc_t, $2, $1)
ifdef(`init_systemd',`
init_domain($1, $2)
')
')
########################################
## <summary>
## Create a domain for short running processes
## which are started by init scripts.
## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts.
## These are generally applications that
## are used to initialize the system during boot.
## Long running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_system_domain().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Type to be used as a system domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
## Range for the domain.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
')
ifdef(`init_systemd',`
init_ranged_domain($1, $2, $3)
',`
init_system_domain($1, $2)
ifdef(`enable_mcs',`
range_transition initrc_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition initrc_t $2:process $3;
mls_rangetrans_target($1)
')
')
')
######################################
## <summary>
## Allow domain dyntransition to init_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_dyntrans',`
gen_require(`
type init_t;
')
dyntrans_pattern($1, init_t)
')
########################################
## <summary>
## Mark the file type as a daemon pid file, allowing initrc_t
## to create it (Deprecated)
## </summary>
## <param name="filetype">
## <summary>
## Type to mark as a daemon pid file
## </summary>
## </param>
## <param name="class">
## <summary>
## Class on which the type is applied
## </summary>
## </param>
## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>
#
interface(`init_daemon_pid_file',`
refpolicywarn(`$0($*) has been deprecated, please use init_daemon_runtime_file() instead.')
init_daemon_runtime_file($1, $2, $3)
')
########################################
## <summary>
## Mark the file type as a daemon runtime file, allowing initrc_t
## to create it
## </summary>
## <param name="filetype">
## <summary>
## Type to mark as a daemon pid file
## </summary>
## </param>
## <param name="class">
## <summary>
## Class on which the type is applied
## </summary>
## </param>
## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>
#
interface(`init_daemon_runtime_file',`
gen_require(`
attribute daemonpidfile;
type initrc_t;
')
typeattribute $1 daemonpidfile;
files_runtime_file($1)
files_runtime_filetrans(initrc_t, $1, $2, $3)
')
########################################
## <summary>
## Mark the file type as a daemon lock file, allowing initrc_t
## to create it
## </summary>
## <param name="filetype">
## <summary>
## Type to mark as a daemon lock file
## </summary>
## </param>
## <param name="class">
## <summary>
## Class on which the type is applied
## </summary>
## </param>
## <param name="filename">
## <summary>
## Filename of the file that the init script creates
## </summary>
## </param>
#
interface(`init_daemon_lock_file',`
gen_require(`
type initrc_t;
')
files_lock_file($1)
files_lock_filetrans(initrc_t, $1, $2, $3)
allow initrc_t $1:dir manage_dir_perms;
allow initrc_t $1:file manage_file_perms;
')
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_domtrans',`
gen_require(`
type init_t, init_exec_t;
')
domtrans_pattern($1, init_exec_t, init_t)
')
########################################
## <summary>
## Execute init (/sbin/init) with a domain transition
## to the provided domain.
## </summary>
## <desc>
## Execute init (/sbin/init) with a domain transition
## to the provided domain. This is used by systemd
## to execute the systemd user session.
## </desc>
## <param name="domain">
## <summary>
## The type to be used as a systemd --user domain.
## </summary>
## </param>
#
interface(`init_pgm_spec_user_daemon_domain',`
gen_require(`
type init_t, init_exec_t;
')
domain_type($1)
domain_entry_file($1, init_exec_t)
spec_domtrans_pattern(init_t, init_exec_t, $1)
allow init_t $1:process { setsched rlimitinh noatsecure };
ifdef(`init_systemd',`
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
')
')
########################################
## <summary>
## Execute the init program in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_exec',`
gen_require(`
type init_exec_t;
')
corecmd_search_bin($1)
can_exec($1, init_exec_t)
')
########################################
## <summary>
## Allow the init program to be an entrypoint
## for the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_pgm_entrypoint',`
gen_require(`
type init_exec_t;
')
allow $1 init_exec_t:file entrypoint;
')
########################################
## <summary>
## Execute the rc application in the caller domain.
## </summary>
## <desc>
## <p>
## This is only applicable to Gentoo or distributions that use the OpenRC
## init system.
## </p>
## <p>
## The OpenRC /sbin/rc binary is used for both init scripts as well as
## management applications and tools. When used for management purposes,
## calling /sbin/rc should never cause a transition to initrc_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_rc',`
gen_require(`
type rc_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rc_exec_t)
')
########################################
## <summary>
## Get the process group of init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getpgid',`
gen_require(`
type init_t;
')
allow $1 init_t:process getpgid;
')
########################################
## <summary>
## Send init a generic signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signal',`
gen_require(`
type init_t;
')
allow $1 init_t:process signal;
')
########################################
## <summary>
## Send init a null signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signull',`
gen_require(`
type init_t;
')
allow $1 init_t:process signull;
')
########################################
## <summary>
## Send init a SIGCHLD signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_sigchld',`
gen_require(`
type init_t;
')
allow $1 init_t:process sigchld;
')
########################################
## <summary>
## Connect to init with a unix socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stream_connect',`
gen_require(`
type init_t, init_runtime_t;
')
stream_connect_pattern($1, init_runtime_t, init_runtime_t, init_t)
files_search_runtime($1)
allow $1 init_t:unix_stream_socket getattr;
')
########################################
## <summary>
## Connect to init with a unix socket.
## Without any additional permissions.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_unix_stream_socket_connectto',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Inherit and use file descriptors from init.
## </summary>
## <desc>
## <p>
## Allow the specified domain to inherit file
## descriptors from the init program (process ID 1).
## Typically the only file descriptors to be
## inherited from init are for the console.
## This does not allow the domain any access to
## the object to which the file descriptors references.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>init_dontaudit_use_fds()</li>
## <li>term_dontaudit_use_console()</li>
## <li>term_use_console()</li>
## </ul>
## <p>
## Example usage:
## </p>
## <p>
## init_use_fds(mydomain_t)
## term_use_console(mydomain_t)
## </p>
## <p>
## Normally, processes that can inherit these file
## descriptors (usually services) write messages to the
## system log instead of writing to the console.
## Therefore, in many cases, this access should
## dontaudited instead.
## </p>
## <p>
## Example dontaudit usage:
## </p>
## <p>
## init_dontaudit_use_fds(mydomain_t)
## term_dontaudit_use_console(mydomain_t)
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="1"/>
#
interface(`init_use_fds',`
gen_require(`
type init_t;
')
allow $1 init_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit file
## descriptors from init.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_fds',`
gen_require(`
type init_t;
')
dontaudit $1 init_t:fd use;
')
########################################
## <summary>
## Send messages to init unix datagram sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_dgram_send',`
gen_require(`
type init_t, init_runtime_t;
')
dgram_send_pattern($1, init_runtime_t, init_runtime_t, init_t)
files_search_runtime($1)
allow $1 init_t:unix_stream_socket getattr;
')
########################################
## <summary>
## Read and write to inherited init unix streams.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_inherited_stream_socket',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
')
########################################
## <summary>
## Allow the specified domain to read/write to
## init with unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_stream_sockets',`
gen_require(`
type init_t;
')
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')
########################################
## <summary>
## start service (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system start;
')
########################################
## <summary>
## stop service (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stop_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system stop;
')
########################################
## <summary>
## Get all service status (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_system_status',`
gen_require(`
type init_t;
')
allow $1 init_t:system status;
')
########################################
## <summary>
## Enable all systemd services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_enable',`
gen_require(`
type init_t;
')
allow $1 init_t:system enable;
')
########################################
## <summary>
## Disable all services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_disable',`
gen_require(`
type init_t;
')
allow $1 init_t:system disable;
')
########################################
## <summary>
## Reload all services (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload',`
gen_require(`
type init_t;
')
allow $1 init_t:system reload;
')
########################################
## <summary>
## Reboot the system (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reboot_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system reboot;
')
########################################
## <summary>
## Shutdown (halt) the system (systemd).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_shutdown_system',`
gen_require(`
type init_t;
')
allow $1 init_t:system halt;
')
########################################
## <summary>
## Allow specified domain to get init status
## </summary>
## <param name="domain">
## <summary>
## Domain to allow access.
## </summary>
## </param>
#
interface(`init_service_status',`
gen_require(`
type init_t;
class service status;
')
allow $1 init_t:service status;
')
########################################
## <summary>
## Allow specified domain to get init start
## </summary>
## <param name="domain">
## <summary>
## Domain to allow access.
## </summary>
## </param>
#
interface(`init_service_start',`
gen_require(`
type init_t;
class service start;
')
allow $1 init_t:service start;
')
########################################
## <summary>
## Send and receive messages from
## systemd over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_dbus_chat',`
gen_require(`
type init_t;
class dbus send_msg;
')
allow $1 init_t:dbus send_msg;
allow init_t $1:dbus send_msg;
')
########################################
## <summary>
## read/follow symlinks under /var/lib/systemd/
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_var_lib_links',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir list_dir_perms;
allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## List /var/lib/systemd/ dir
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_var_lib_dirs',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir list_dir_perms;
')
########################################
## <summary>
## Relabel dirs in /var/lib/systemd/.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_relabel_var_lib_dirs',`
gen_require(`
type init_var_lib_t;
')
allow $1 init_var_lib_t:dir relabel_dir_perms;
')
########################################
## <summary>
## Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_var_lib_files',`
gen_require(`
type init_var_lib_t;
')
manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Create files in /var/lib/systemd
## with an automatic type transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="type">
## <summary>
## The type of object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_var_lib_filetrans',`
gen_require(`
type init_var_lib_t;
')
files_search_var_lib($1)
filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
')
######################################
## <summary>
## Allow search directory in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_pids',`
refpolicywarn(`$0($*) has been deprecated, please use init_search_runtime() instead.')
init_search_runtime($1)
')
######################################
## <summary>
## Allow listing of the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_pids',`
refpolicywarn(`$0($*) has been deprecated, please use init_list_runtime() instead.')
init_list_runtime($1)
')
######################################
## <summary>
## Create symbolic links in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_pid_symlinks', `
refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_symlinks() instead.')
init_manage_runtime_symlinks($1)
')
######################################
## <summary>
## Create files in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_pid_files', `
refpolicywarn(`$0($*) has been deprecated, please use init_create_runtime_files() instead.')
init_create_runtime_files($1)
')
######################################
## <summary>
## Write files in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_pid_files', `
refpolicywarn(`$0($*) has been deprecated, please use init_write_runtime_files() instead.')
init_write_runtime_files($1)
')
######################################
## <summary>
## Create, read, write, and delete
## directories in the /run/systemd directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_pid_dirs', `
refpolicywarn(`$0($*) has been deprecated, please use init_manage_runtime_dirs() instead.')
init_manage_runtime_dirs($1)
')
########################################
## <summary>
## Create files in an init PID directory. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_pid_filetrans',`
refpolicywarn(`$0($*) has been deprecated, please use init_runtime_filetrans() instead.')
init_runtime_filetrans($*)
')
######################################
## <summary>
## Search init runtime directories, e.g. /run/systemd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_runtime',`
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:dir search_dir_perms;
')
######################################
## <summary>
## List init runtime directories, e.g. /run/systemd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_runtime',`
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:dir list_dir_perms;
files_search_runtime($1)
')
######################################
## <summary>
## Create, read, write, and delete
## directories in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_runtime_dirs', `
gen_require(`
type init_runtime_t;
')
manage_dirs_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Create files in an init runtime directory with a private type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_runtime_filetrans',`
gen_require(`
type init_runtime_t;
')
files_search_runtime($1)
filetrans_pattern($1, init_runtime_t, $2, $3, $4)
')
######################################
## <summary>
## Write init runtime files, e.g. in /run/systemd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_runtime_files', `
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:file write_file_perms;
')
######################################
## <summary>
## Create init runtime files, e.g. in /run/systemd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_runtime_files', `
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:file create_file_perms;
')
######################################
## <summary>
## Create init runtime symbolic links, e.g. in /run/systemd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_runtime_symlinks', `
gen_require(`
type init_runtime_t;
')
manage_lnk_files_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Get the attributes of initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_initctl',`
gen_require(`
type initctl_t;
')
files_search_runtime($1)
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the
## attributes of initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_getattr_initctl',`
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file getattr;
')
########################################
## <summary>
## Write to initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_initctl',`
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
files_search_runtime($1)
allow $1 initctl_t:fifo_file write;
')
########################################
## <summary>
## Use telinit (Read and write initctl).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_telinit',`
gen_require(`
type initctl_t, init_t;
')
ps_process_pattern($1, init_t)
allow $1 init_t:process signal;
# upstart uses a datagram socket instead of initctl pipe
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 init_t:unix_dgram_socket sendto;
#576913
allow $1 init_t:unix_stream_socket connectto;
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
corecmd_exec_bin($1)
dev_list_all_dev_nodes($1)
files_search_runtime($1)
init_exec($1)
')
########################################
## <summary>
## Read and write initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_initctl',`
gen_require(`
type initctl_t;
')
dev_list_all_dev_nodes($1)
files_search_runtime($1)
allow $1 initctl_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and
## write initctl.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_rw_initctl',`
gen_require(`
type initctl_t;
')
dontaudit $1 initctl_t:fifo_file { read write };
')
########################################
## <summary>
## Make init scripts an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_entry_type',`
gen_require(`
type initrc_exec_t;
')
domain_entry_file($1, initrc_exec_t)
')
########################################
## <summary>
## Execute init scripts with a specified domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_spec_domtrans_script',`
gen_require(`
type initrc_t, initrc_exec_t;
')
files_list_etc($1)
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
ifdef(`distro_gentoo',`
gen_require(`
type rc_exec_t;
')
domtrans_pattern($1, rc_exec_t, initrc_t)
')
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
## Execute init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_domtrans_script',`
gen_require(`
type initrc_t, initrc_exec_t;
')
files_list_etc($1)
domtrans_pattern($1, initrc_exec_t, initrc_t)
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
ifdef(`enable_mls',`
range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
## Execute labelled init scripts with an automatic domain transition.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_domtrans_labeled_script',`
gen_require(`
type initrc_t;
attribute init_script_file_type;
attribute initrc_transition_domain;
')
typeattribute $1 initrc_transition_domain;
files_list_etc($1)
domtrans_pattern($1, init_script_file_type, initrc_t)
ifdef(`enable_mcs',`
range_transition $1 init_script_file_type:process s0;
')
ifdef(`enable_mls',`
range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
')
')
########################################
## <summary>
## Execute a init script in a specified domain.
## </summary>
## <desc>
## <p>
## Execute a init script in a specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="source_domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
# cjp: added for gentoo integrated run_init
interface(`init_script_file_domtrans',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
domain_auto_transition_pattern($1, initrc_exec_t, $2)
')
########################################
## <summary>
## Send a kill signal to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_kill_scripts',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigkill;
')
########################################
## <summary>
## Allow manage service for initrc_exec_t scripts
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_manage_script_service',`
gen_require(`
type initrc_exec_t;
class service { status start stop };
')
allow $1 initrc_exec_t:service { start stop status };
')
########################################
## <summary>
## Transition to the init script domain
## on a specified labeled init script.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="init_script_file">
## <summary>
## Labeled init script file.
## </summary>
## </param>
#
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
attribute initrc_transition_domain;
')
typeattribute $1 initrc_transition_domain;
domtrans_pattern($1, $2, initrc_t)
files_search_etc($1)
')
#########################################
## <summary>
## Transition to the init script domain
## for all labeled init script types
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`init_all_labeled_script_domtrans',`
gen_require(`
attribute init_script_file_type;
')
init_labeled_script_domtrans($1, init_script_file_type)
')
########################################
## <summary>
## Allow getting service status of initrc_exec_t scripts
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_get_script_status',`
gen_require(`
type initrc_exec_t;
class service status;
')
allow $1 initrc_exec_t:service status;
')
########################################
## <summary>
## Allow the role to start and stop
## labeled services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be performing this action.
## </summary>
## </param>
## <param name="domain">
## <summary>
## Type to be used as a daemon domain.
## </summary>
## </param>
## <param name="init_script_file">
## <summary>
## Labeled init script file.
## </summary>
## </param>
## <param name="unit" optional="true">
## <summary>
## Systemd unit file type.
## </summary>
## </param>
#
interface(`init_startstop_service',`
ifelse(`init_systemd',`true',`
# This ifelse condition is temporary, until
# all callers are updated to provide unit files.
ifelse(`$5',`',`',`
gen_require(`
class service { start status stop };
')
allow $1 $5:service { start status stop };
')
',`distro_gentoo',`true',`
# for OpenRC
seutil_labeled_init_script_run_runinit($1, $2, $4)
',`direct_sysadm_daemon',`true',`
gen_require(`
role system_r;
')
# rules for sysvinit / upstart
init_labeled_script_domtrans($1, $4)
domain_system_change_exemption($1)
role_transition $2 $4 system_r;
allow $2 system_r;
',` dnl else
optional_policy(`
seutil_run_runinit($1, $2)
')
')
')
########################################
## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
## <p>
## Start and stop daemon programs directly
## in the traditional "/etc/init.d/daemon start"
## style, and do not require run_init.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be performing this action.
## </summary>
## </param>
#
interface(`init_run_daemon',`
gen_require(`
attribute init_script_file_type;
role system_r;
')
allow $2 system_r;
init_all_labeled_script_domtrans($1)
role_transition $2 init_script_file_type system_r;
')
########################################
## <summary>
## Start and stop init_script_file_type services
## </summary>
## <param name="domain">
## <summary>
## domain that can start and stop the services
## </summary>
## </param>
#
interface(`init_startstop_all_script_services',`
gen_require(`
attribute init_script_file_type;
class service { start status stop };
')
allow $1 init_script_file_type:service { start status stop };
')
########################################
## <summary>
## Read the process state (/proc/pid) of init.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_state',`
gen_require(`
type init_t;
')
allow $1 init_t:dir search_dir_perms;
allow $1 init_t:file read_file_perms;
allow $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Dontaudit read the process state (/proc/pid) of init.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_read_state',`
gen_require(`
type init_t;
')
dontaudit $1 init_t:dir search_dir_perms;
dontaudit $1 init_t:file read_file_perms;
dontaudit $1 init_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Ptrace init
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_ptrace',`
gen_require(`
type init_t;
')
allow $1 init_t:process ptrace;
')
########################################
## <summary>
## get init process stats
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`init_getattr',`
gen_require(`
type init_t;
')
allow $1 init_t:process getattr;
')
########################################
## <summary>
## Write an init script unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_script_pipes',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file write;
')
########################################
## <summary>
## Get the attribute of init script entrypoint files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_script_files',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
allow $1 initrc_exec_t:file getattr;
')
########################################
## <summary>
## Read init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_files',`
gen_require(`
type initrc_exec_t;
')
files_search_etc($1)
allow $1 initrc_exec_t:file read_file_perms;
')
########################################
## <summary>
## Execute init scripts in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_script_files',`
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
can_exec($1, initrc_exec_t)
')
########################################
## <summary>
## Get the attribute of all init script entrypoint files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
allow $1 init_script_file_type:file getattr;
')
########################################
## <summary>
## Read all init script files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_search_etc($1)
allow $1 init_script_file_type:file read_file_perms;
')
#######################################
## <summary>
## Dontaudit read all init script files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_read_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
dontaudit $1 init_script_file_type:file read_file_perms;
')
########################################
## <summary>
## Execute all init scripts in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_exec_all_script_files',`
gen_require(`
attribute init_script_file_type;
')
files_list_etc($1)
can_exec($1, init_script_file_type)
')
########################################
## <summary>
## Read the process state (/proc/pid) of the init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_state',`
gen_require(`
type initrc_t;
')
kernel_search_proc($1)
ps_process_pattern($1, initrc_t)
')
########################################
## <summary>
## Inherit and use init script file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_script_fds',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit
## init script file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_script_fds',`
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:fd use;
')
########################################
## <summary>
## Search init script keys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_script_keys',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:key search;
')
########################################
## <summary>
## Get the process group ID of init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getpgid_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process getpgid;
')
########################################
## <summary>
## Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_sigchld_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process sigchld;
')
########################################
## <summary>
## Send generic signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signal_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signal;
')
########################################
## <summary>
## Send null signals to init scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_signull_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:process signull;
')
########################################
## <summary>
## Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_pipes',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Allow the specified domain to connect to
## init scripts with a unix socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stream_connect_script',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Allow the specified domain to read/write to
## init scripts with a unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_stream_sockets',`
gen_require(`
type initrc_t;
')
allow $1 initrc_t:unix_stream_socket rw_socket_perms;
')
########################################
## <summary>
## Dont audit the specified domain connecting to
## init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_stream_connect_script',`
gen_require(`
type initrc_t;
')
dontaudit $1 initrc_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Send messages to init scripts over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_dbus_send_script',`
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## init scripts over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_dbus_chat_script',`
gen_require(`
type initrc_t;
class dbus send_msg;
')
allow $1 initrc_t:dbus send_msg;
allow initrc_t $1:dbus send_msg;
')
########################################
## <summary>
## Read and write the init script pty.
## </summary>
## <desc>
## <p>
## Read and write the init script pty. This
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
## the administrator terminal.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_script_ptys',`
gen_require(`
type initrc_devpts_t;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file rw_chr_file_perms;
')
########################################
## <summary>
## Read and write inherited init script ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_use_inherited_script_ptys',`
gen_require(`
type initrc_devpts_t;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file rw_inherited_term_perms;
init_use_fds($1)
')
########################################
## <summary>
## Do not audit attempts to read and
## write the init script pty.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_use_script_ptys',`
gen_require(`
type initrc_devpts_t;
')
dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
')
########################################
## <summary>
## Get the attributes of init script
## status files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_script_status_files',`
gen_require(`
type initrc_state_t;
')
getattr_files_pattern($1, initrc_state_t, initrc_state_t)
')
########################################
## <summary>
## Do not audit attempts to read init script
## status files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_read_script_status_files',`
gen_require(`
type initrc_state_t;
')
dontaudit $1 initrc_state_t:dir search_dir_perms;
dontaudit $1 initrc_state_t:file read_file_perms;
')
######################################
## <summary>
## Search the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_run',`
gen_require(`
type init_runtime_t;
')
files_search_runtime($1)
allow $1 init_runtime_t:dir search_dir_perms;
')
########################################
## <summary>
## Read init script temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_script_tmp_files',`
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
########################################
## <summary>
## Read and write init script inherited temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_inherited_script_tmp_files',`
gen_require(`
type initrc_tmp_t;
')
allow $1 initrc_tmp_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Read and write init script temporary data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_script_tmp_files',`
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
')
########################################
## <summary>
## Create files in a init script
## temporary data directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`init_script_tmp_filetrans',`
gen_require(`
type initrc_tmp_t;
')
files_search_tmp($1)
filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
')
########################################
## <summary>
## Get the attributes of init script process id files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_utmp',`
gen_require(`
type initrc_runtime_t;
')
allow $1 initrc_runtime_t:file getattr;
')
########################################
## <summary>
## Read utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_utmp',`
gen_require(`
type initrc_runtime_t;
')
files_list_runtime($1)
allow $1 initrc_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_write_utmp',`
gen_require(`
type initrc_runtime_t;
')
dontaudit $1 initrc_runtime_t:file { write lock };
')
########################################
## <summary>
## Write to utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_utmp',`
gen_require(`
type initrc_runtime_t;
')
files_list_runtime($1)
allow $1 initrc_runtime_t:file write_file_perms;
')
########################################
## <summary>
## Do not audit attempts to lock
## init script pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_lock_utmp',`
gen_require(`
type initrc_runtime_t;
')
dontaudit $1 initrc_runtime_t:file lock;
')
########################################
## <summary>
## Read and write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_rw_utmp',`
gen_require(`
type initrc_runtime_t;
')
files_list_runtime($1)
allow $1 initrc_runtime_t:file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_dontaudit_rw_utmp',`
gen_require(`
type initrc_runtime_t;
')
dontaudit $1 initrc_runtime_t:file rw_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_utmp',`
gen_require(`
type initrc_runtime_t;
')
files_search_runtime($1)
allow $1 initrc_runtime_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_relabel_utmp',`
gen_require(`
type initrc_runtime_t;
')
allow $1 initrc_runtime_t:file relabel_file_perms;
')
########################################
## <summary>
## Watch utmp.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_watch_utmp',`
gen_require(`
type initrc_runtime_t;
')
allow $1 initrc_runtime_t:file watch;
')
########################################
## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_runtime_filetrans_utmp',`
gen_require(`
type initrc_runtime_t;
')
files_runtime_filetrans($1, initrc_runtime_t, file, "utmp")
')
#######################################
## <summary>
## Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_create_runtime_dirs',`
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:dir list_dir_perms;
create_dirs_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Read init_runtime_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_read_runtime_files',`
gen_require(`
type init_runtime_t;
')
read_files_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Rename init_runtime_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_rename_runtime_files',`
gen_require(`
type init_runtime_t;
')
rename_files_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Setattr init_runtime_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_setattr_runtime_files',`
gen_require(`
type init_runtime_t;
')
setattr_files_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Delete init_runtime_t files
## </summary>
## <param name="domain">
## <summary>
## domain
## </summary>
## </param>
#
interface(`init_delete_runtime_files',`
gen_require(`
type init_runtime_t;
')
delete_files_pattern($1, init_runtime_t, init_runtime_t)
')
#######################################
## <summary>
## Allow the specified domain to write to
## init sock file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_write_runtime_socket',`
gen_require(`
type init_runtime_t;
')
allow $1 init_runtime_t:sock_file write;
')
########################################
## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_pipes',`
gen_require(`
type init_runtime_t;
')
read_fifo_files_pattern($1, init_runtime_t, init_runtime_t)
')
######################################
## <summary>
## read systemd unit symlinks (usually under /run/systemd/units/)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_runtime_symlinks',`
gen_require(`
type init_runtime_t;
')
read_lnk_files_pattern($1, init_runtime_t, init_runtime_t)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a tcp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_tcp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_tcp_recvfrom_labeled($1, daemon)
')
########################################
## <summary>
## Allow the specified domain to connect to daemon with a udp socket
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_udp_recvfrom_all_daemons',`
gen_require(`
attribute daemon;
')
corenet_udp_recvfrom_labeled($1, daemon)
')
######################################
## <summary>
## Search systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_search_units',`
gen_require(`
type init_runtime_t, systemd_unit_t;
')
search_dirs_pattern($1, init_runtime_t, systemd_unit_t)
# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
files_search_etc($1)
files_search_usr($1)
libs_search_lib($1)
fs_search_tmpfs($1)
')
######################################
## <summary>
## List systemd unit dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_list_unit_dirs',`
gen_require(`
type systemd_unit_t;
')
allow $1 systemd_unit_t:dir list_dir_perms;
init_search_units($1)
')
######################################
## <summary>
## restart systemd units, for /run/systemd/transient/*
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_restart_units',`
gen_require(`
type init_var_run_t;
')
allow $1 init_var_run_t:service { start status stop };
')
########################################
## <summary>
## Read systemd unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_generic_units_files',`
gen_require(`
type systemd_unit_t;
')
allow $1 systemd_unit_t:file read_file_perms;
')
########################################
## <summary>
## Read systemd unit links
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_generic_units_symlinks',`
gen_require(`
type systemd_unit_t;
')
allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Get status of generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_generic_units_status',`
gen_require(`
type systemd_unit_t;
class service status;
')
allow $1 systemd_unit_t:service status;
')
########################################
## <summary>
## Start generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_generic_units',`
gen_require(`
type systemd_unit_t;
class service start;
')
allow $1 systemd_unit_t:service start;
')
########################################
## <summary>
## Stop generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_stop_generic_units',`
gen_require(`
type systemd_unit_t;
class service stop;
')
allow $1 systemd_unit_t:service stop;
')
#######################################
## <summary>
## Reload generic systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_generic_units',`
gen_require(`
type systemd_unit_t;
class service reload;
')
allow $1 systemd_unit_t:service reload;
')
########################################
## <summary>
## Get status of all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_all_units_status',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service status;
')
allow $1 { init_script_file_type systemdunit }:service status;
')
#######################################
## <summary>
## All perms on all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_all_units',`
gen_require(`
attribute systemdunit;
class service all_service_perms;
')
allow $1 systemdunit:service all_service_perms;
allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Start all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service start;
')
allow $1 { init_script_file_type systemdunit }:service start;
')
########################################
## <summary>
## Stop all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`init_stop_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service stop;
')
allow $1 { init_script_file_type systemdunit }:service stop;
')
#######################################
## <summary>
## Reload all systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_reload_all_units',`
gen_require(`
attribute init_script_file_type, systemdunit;
class service reload;
')
allow $1 { init_script_file_type systemdunit }:service reload;
')
#######################################
## <summary>
## getattr all systemd unit files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_all_units',`
gen_require(`
attribute systemdunit;
')
allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Manage systemd unit dirs and the files in them
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_manage_all_unit_files',`
gen_require(`
attribute systemdunit;
')
manage_dirs_pattern($1, systemdunit, systemdunit)
manage_files_pattern($1, systemdunit, systemdunit)
manage_lnk_files_pattern($1, systemdunit, systemdunit)
')
#########################################
## <summary>
## Associate the specified domain to be a domain whose
## keyring init should be allowed to link.
## </summary>
## <param name="domain">
## <summary>
## Domain whose keyring init should be allowed to link.
## </summary>
## </param>
#
interface(`init_linkable_keyring',`
gen_require(`
attribute init_linkable_keyring_type;
')
typeattribute $1 init_linkable_keyring_type;
')
########################################
## <summary>
## stat systemd unit files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_getattr_all_unit_files',`
gen_require(`
attribute systemdunit;
')
allow $1 systemdunit:file getattr;
')
########################################
## <summary>
## Allow unconfined access to send instructions to init
## </summary>
## <param name="domain">
## <summary>
## Target domain
## </summary>
## </param>
#
interface(`init_admin',`
dev_manage_null_service($1)
init_disable($1)
init_enable($1)
init_get_all_units_status($1)
init_get_generic_units_status($1)
init_get_system_status($1)
init_manage_all_units($1)
init_manage_script_service($1)
init_reboot_system($1)
init_reload($1)
init_reload_all_units($1)
init_shutdown_system($1)
init_start_system($1)
init_start_all_units($1)
init_start_generic_units($1)
init_stop_all_units($1)
init_stop_generic_units($1)
init_stop_system($1)
init_telinit($1)
')
########################################
## <summary>
## Allow getting init_t rlimit
## </summary>
## <param name="domain">
## <summary>
## Source domain
## </summary>
## </param>
#
interface(`init_getrlimit',`
gen_require(`
type init_t;
')
allow $1 init_t:process getrlimit;
')
########################################
## <summary>
## Allow searching init_t keys
## </summary>
## <param name="domain">
## <summary>
## Source domain
## </summary>
## </param>
#
interface(`init_search_keys',`
gen_require(`
type init_t;
')
allow $1 init_t:key search;
')