author | 2017-10-12 17:42:23 -0400 | |
committer | 2017-10-29 20:59:08 +0800 | |
commit | ef14bcd0189098ada222dd638183eb44073de691 (patch) | |
tree | 475085e00e001c8d1980864a7dc2bf8da92d0fcf /policy/modules/system/init.te | |
parent | ipsec: Module version bump. (diff) | |
init: Clean up line placement in init_systemd blocks.
No rule changes.
Diffstat (limited to 'policy/modules/system/init.te')
-rw-r--r-- | policy/modules/system/init.te | 196 |
1 files changed, 102 insertions, 94 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 90291d34..75da7a62 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -216,11 +216,23 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap getsched setsched };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:system { status reboot halt reload };
+	# Until systemd is fixed
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow init_t self:capability2 audit_read;
+
 	# for /run/systemd/inaccessible/{chr,blk}
 	allow init_t init_var_run_t:blk_file { create getattr };
 	allow init_t init_var_run_t:chr_file { create getattr };
-
 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
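Review bot: The carried-over comment `# Until systemd is fixed` now covers only `allow init_t self:udp_socket create_socket_perms;` and the two lines below it, and the same bare wording reappears over the `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` rule in the hunk at line 1416; neither says which systemd behaviour is being worked around, so nobody can tell when these grants can be retired. Suggest pinning it, e.g. `# Until systemd is fixed (<upstream issue or behaviour — TODO fill in>); drop these rules once resolved`, and for the daemon-side rule adding that it lets every domain carrying the daemon attribute read and write init_t's sockets. While touching these lines, the two `allow init_t self:process { ... };` rules would read better merged into one. The enclosing ifdef(`init_systemd') block starts before and ends after this hunk.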
@@ -257,18 +269,47 @@ ifdef(`init_systemd',`
 	kernel_dyntrans_to(init_t)
 	kernel_read_network_state(init_t)
-	kernel_read_kernel_sysctls(init_t)
-	kernel_read_vm_sysctls(init_t)
 	kernel_dgram_send(init_t)
 	kernel_stream_connect(init_t)
 	kernel_getattr_proc(init_t)
 	kernel_read_fs_sysctls(init_t)
+	kernel_list_unlabeled(init_t)
+	kernel_load_module(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+	kernel_rw_unix_sysctls(init_t)
+
+	# run systemd misc initializations
+	# in the initrc_t domain, as would be
+	# done in traditional sysvinit/upstart.
+	corecmd_bin_domtrans(init_t, initrc_t)
+	corecmd_shell_domtrans(init_t, initrc_t)
-	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_sysfs(init_t)
 	dev_relabel_generic_symlinks(init_t)
 	dev_read_urand(init_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	dev_read_usbfs(initrc_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
 	domain_read_all_domains_state(init_t)
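Review bot: `dev_manage_null_service(initrc_t)` and `dev_read_usbfs(initrc_t)` are placed in the middle of the init_t rule block here even though they grant to initrc_t, and `files_read_boot_files(initrc_t)` does the same in the hunk at line 283; since this commit is about line placement, they belong in the initrc_t block (the hunk at line 890) next to `dev_create_generic_dirs(initrc_t)` and `files_get_etc_unit_status(initrc_t)`. A block that mixes subject domains is easy to misread during an audit as granting everything in it to init_t. The enclosing ifdef(`init_systemd') block starts before and ends after this hunk.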
@@ -283,21 +324,47 @@ ifdef(`init_systemd',`
 	files_relabelto_etc_runtime_files(init_t)
 	files_read_all_locks(init_t)
 	files_search_kernel_modules(init_t)
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
+	files_unmount_all_file_type_fs(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
 	# for ProtectSystem
 	files_mounton_etc_dirs(init_t)
 	fs_relabel_cgroup_dirs(init_t)
-	fs_rw_cgroup_files(init_t)
 	fs_list_auto_mountpoints(init_t)
 	fs_mount_autofs(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_getattr_tmpfs(init_t)
 	fs_read_tmpfs_files(init_t)
-	fs_read_cgroup_files(init_t)
 	fs_relabel_pstore_dirs(init_t)
 	fs_dontaudit_getattr_xattr_fs(init_t)
+	fs_create_cgroup_links(init_t)
+	fs_getattr_all_fs(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_relabelfrom_tmpfs_symlinks(init_t)
+	fs_unmount_all_fs(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
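Review bot: `fs_rw_cgroup_files(init_t)` and `fs_read_cgroup_files(init_t)` are deleted in this hunk without being re-added anywhere in the diff, and the same is true of `kernel_read_kernel_sysctls(init_t)`, `kernel_read_vm_sysctls(init_t)` and `dev_create_generic_dirs(init_t)` in the hunk at line 257, while the commit message says "No rule changes". Presumably each is subsumed by a broader call now adjacent to it (`fs_manage_cgroup_files`, `kernel_rw_kernel_sysctl`, `kernel_read_all_sysctls`, `dev_manage_generic_dirs`), but that is an inference from the interface names; the message should state that these were dropped as redundant so a later reader does not take them for accidental loss of access. The enclosing ifdef(`init_systemd') block starts before and ends after this hunk.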
@@ -308,20 +375,32 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
-	# need write to /var/run/systemd/notify
-	init_write_pid_socket(daemon)
+	init_read_script_state(init_t)
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	selinux_compute_create_context(init_t)
 	selinux_compute_access_vector(init_t)
+	storage_getattr_removable_dev(init_t)
+
+	term_relabel_pty_dirs(init_t)
+
+	auth_manage_var_auth(init_t)
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
+
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
 	logging_relabel_generic_log_dirs(init_t)
+	# lvm2-activation-generator checks file labels
+	seutil_read_file_contexts(init_t)
+
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
@@ -329,6 +408,7 @@ ifdef(`init_systemd',`
 	systemd_relabelto_tmpfiles_conf_files(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)
+	systemd_manage_all_units(init_t)
 	term_create_devpts_dirs(init_t)
@@ -853,21 +933,8 @@ ifdef(`enabled_mls',`
 ')
 ifdef(`init_systemd',`
-	allow init_t self:system { status reboot halt reload };
-
-	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap getsched setsched };
-	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
-	allow init_t self:netlink_selinux_socket create_socket_perms;
-	# Until systemd is fixed
-	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-	allow init_t self:udp_socket create_socket_perms;
-	allow init_t self:netlink_route_socket create_netlink_socket_perms;
-	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 	allow initrc_t init_t:system { start status reboot halt reload };
-	allow init_t self:capability2 audit_read;
+
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
@@ -890,106 +957,37 @@ ifdef(`init_systemd',`
 	allow initrc_t init_script_file_type:service { stop start status reload };
 	kernel_dgram_send(initrc_t)
-	kernel_list_unlabeled(init_t)
-	kernel_load_module(init_t)
-	kernel_rw_kernel_sysctl(init_t)
-	kernel_rw_net_sysctls(init_t)
-	kernel_read_all_sysctls(init_t)
-	kernel_read_software_raid_state(init_t)
-	kernel_unmount_debugfs(init_t)
-	kernel_setsched(init_t)
-	kernel_rw_unix_sysctls(init_t)
-
-	auth_manage_var_auth(init_t)
-	auth_relabel_login_records(init_t)
-	auth_relabel_pam_console_data_dirs(init_t)
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.
 	corecmd_bin_entry_type(initrc_t)
-	corecmd_bin_domtrans(init_t, initrc_t)
-	corecmd_shell_domtrans(init_t, initrc_t)
 	dev_create_generic_dirs(initrc_t)
-	dev_write_kmsg(init_t)
-	dev_write_urand(init_t)
-	dev_rw_lvm_control(init_t)
-	dev_rw_autofs(init_t)
-	dev_manage_generic_symlinks(init_t)
-	dev_manage_generic_dirs(init_t)
-	dev_manage_generic_files(init_t)
-	dev_manage_null_service(initrc_t)
-	dev_read_generic_chr_files(init_t)
-	dev_relabel_generic_dev_dirs(init_t)
-	dev_relabel_all_dev_nodes(init_t)
-	dev_relabel_all_dev_files(init_t)
-	dev_manage_sysfs_dirs(init_t)
-	dev_relabel_sysfs_dirs(init_t)
-	dev_read_usbfs(initrc_t)
-	# systemd writes to /dev/watchdog on shutdown
-	dev_write_watchdog(init_t)
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
-	files_create_all_pid_pipes(init_t)
-	files_create_all_pid_sockets(init_t)
-	files_create_all_spool_sockets(init_t)
-	files_create_lock_dirs(init_t)
-	files_create_pid_dirs(initrc_t)
-	files_delete_all_pids(init_t)
-	files_delete_all_spool_sockets(init_t)
-	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
-	files_list_locks(init_t)
-	files_list_spool(init_t)
-	files_manage_all_pid_dirs(init_t)
-	files_manage_generic_tmp_dirs(init_t)
-	files_manage_urandom_seed(init_t)
-	files_mounton_all_mountpoints(init_t)
-	files_read_boot_files(initrc_t)
-	files_relabel_all_lock_dirs(init_t)
-	files_relabel_all_pid_dirs(init_t)
-	files_relabel_all_pid_files(init_t)
-	files_search_all(init_t)
+	files_create_pid_dirs(initrc_t)
 	files_setattr_pid_dirs(initrc_t)
-	files_unmount_all_file_type_fs(init_t)
-
-	fs_create_cgroup_links(init_t)
-	fs_getattr_all_fs(init_t)
-	fs_manage_cgroup_dirs(init_t)
-	fs_manage_cgroup_files(init_t)
-	fs_manage_tmpfs_dirs(init_t)
-	fs_mount_all_fs(init_t)
-	fs_remount_all_fs(init_t)
-	fs_relabelfrom_tmpfs_symlinks(init_t)
-	fs_unmount_all_fs(init_t)
-	fs_search_cgroup_dirs(daemon)
 	# for logsave in strict configuration
 	fstools_write_log(initrc_t)
+	selinux_set_enforce_mode(initrc_t)
+
 	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
-	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
-	selinux_set_enforce_mode(initrc_t)
-	selinux_unmount_fs(init_t)
-	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
-	seutil_read_file_contexts(init_t)
-	storage_getattr_removable_dev(init_t)
-	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
-	term_relabel_pty_dirs(init_t)
-
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
@@ -1416,6 +1414,16 @@ init_dontaudit_use_fds(daemon)
 # when using run_init
 init_use_script_ptys(daemon)
+ifdef(`init_systemd',`
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+
+	fs_search_cgroup_dirs(daemon)
+
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+')
+
 tunable_policy(`init_daemons_use_tty',`
 	term_use_unallocated_ttys(daemon)
 	term_use_generic_ptys(daemon)