* [refpolicy]  [PATCH] mon policy again
@ 2017-02-06  5:13 Russell Coker
  2017-02-08  0:02 ` Chris PeBenito
  2017-02-08 22:18 ` Chris PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-06  5:13 UTC (permalink / raw)
  To: refpolicy

Here is another version of the mon policy including requested changes.


diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
--- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if	2016-07-30 08:14:41.105650077 +1000
+++ /tmp/pol-git/policy/modules/contrib/gpm.if	2017-02-06 16:11:04.966188329 +1100
@@ -38,6 +38,7 @@
 
 	dev_list_all_dev_nodes($1)
 	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+	allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 
 ########################################
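Review bot: The added `fifo_file` rule changes what `gpm_getattr_gpmctl` grants, but the interface's header comment starts above this hunk and is not touched, so its summary may now be stale if it describes only the control socket. I would extend that summary to name both object classes and put a one-line comment above the new rule, for example `# gpmctl_t may also label a FIFO: <where it is created>`. That lets a later reader see why a socket-oriented interface also grants getattr on named pipes.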
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc	1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.fc	2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1,11 @@
+
+/usr/sbin/mon		--	gen_context(system_u:object_r:mon_exec_t,s0)
+/usr/lib/mon/mon.d/.*	--	gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon/mon-local.d/.*	--	gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
+/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
+
+/var/run/mon(/.*)?		gen_context(system_u:object_r:mon_var_run_t,s0)
+
+/var/lib/mon(/.*)?		gen_context(system_u:object_r:mon_var_lib_t,s0)
+/var/log/mon(/.*)?		gen_context(system_u:object_r:mon_var_log_t,s0)
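Review bot: The two `mon-contrib` entries separate their fields with single spaces (`/usr/lib/mon-contrib/mon.d/.* -- gen_context(...)`) while every other entry in this new file uses tabs, and the file opens with an empty line. Aligning them with tabs, as in `/usr/lib/mon-contrib/mon.d/.*	--	gen_context(system_u:object_r:mon_net_test_exec_t,s0)`, and dropping the leading blank line would keep the file consistent. A short comment noting that everything under the `mon-local.d` directories becomes an entry point into the more privileged local-test domain would also help whoever packages extra test scripts.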
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.if	1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.if	2017-02-06 16:11:04.962188219 +1100
@@ -0,0 +1 @@
+## <summary>mon network monitoring daemon.</summary>
diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
--- /home/rjc/src/pol-git/policy/modules/contrib/mon.te	1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/contrib/mon.te	2017-02-06 16:11:04.966188329 +1100
@@ -0,0 +1,213 @@
+policy_module(mon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+type mon_t;
+type mon_exec_t;
+init_daemon_domain(mon_t, mon_exec_t)
+
+type mon_net_test_t;
+typealias mon_net_test_t alias mon_test_t;
+type mon_net_test_exec_t;
+typealias mon_net_test_exec_t alias mon_test_exec_t;
+
+domain_type(mon_net_test_t)
+domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
+role system_r types mon_net_test_t;
+domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
+
+type mon_local_test_t;
+type mon_local_test_exec_t;
+
+domain_type(mon_local_test_t)
+domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
+role system_r types mon_local_test_t;
+domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
+
+type mon_var_run_t;
+files_pid_file(mon_var_run_t)
+
+type mon_var_lib_t;
+files_type(mon_var_lib_t)
+
+type mon_var_log_t;
+logging_log_file(mon_var_log_t)
+
+type mon_tmp_t;
+files_tmp_file(mon_tmp_t)
+
+########################################
+#
+# Local policy
+# mon_t is for the main mon process and for sending alerts
+#
+
+corenet_tcp_bind_mon_port(mon_t)
+corenet_udp_bind_mon_port(mon_t)
+corenet_tcp_bind_generic_node(mon_t)
+corenet_udp_bind_generic_node(mon_t)
+allow mon_t self:tcp_socket create_stream_socket_perms;
+
+corenet_tcp_connect_jabber_client_port(mon_t)
+
+allow mon_t self:fifo_file rw_fifo_file_perms;
+
+manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
+files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
+
+manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
+files_pid_filetrans(mon_t, mon_var_run_t, file)
+
+manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
+
+kernel_read_kernel_sysctls(mon_t)
+kernel_read_network_state(mon_t)
+kernel_read_system_state(mon_t)
+
+domain_use_interactive_fds(mon_t)
+
+corecmd_exec_bin(mon_t)
+dev_read_urand(mon_t)
+dev_read_sysfs(mon_t)
+logging_search_logs(mon_t)
+manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
+
+files_read_etc_files(mon_t)
+files_read_etc_runtime_files(mon_t)
+files_read_usr_files(mon_t)
+
+fs_getattr_all_fs(mon_t)
+fs_search_auto_mountpoints(mon_t)
+
+term_dontaudit_search_ptys(mon_t)
+
+application_signull(mon_t)
+
+init_read_utmp(mon_t)
+
+libs_exec_ld_so(mon_t)
+libs_exec_lib_files(mon_t)
+
+logging_send_syslog_msg(mon_t)
+
+miscfiles_read_localization(mon_t)
+
+sysnet_dns_name_resolve(mon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(mon_t)
+userdom_dontaudit_search_user_home_dirs(mon_t)
+
+corecmd_exec_shell(mon_t)
+
+optional_policy(`
+	mta_send_mail(mon_t)
+')
+
+########################################
+#
+# Local policy
+# mon_net_test_t is for running tests that need network access
+#
+
+allow mon_net_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_net_test_t, mon_net_test_exec_t)
+manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
+
+corenet_tcp_connect_all_ports(mon_net_test_t)
+corenet_udp_bind_generic_node(mon_net_test_t)
+fs_getattr_xattr_fs(mon_net_test_t)
+kernel_dontaudit_getattr_core_if(mon_net_test_t)
+kernel_getattr_proc(mon_net_test_t)
+kernel_read_system_state(mon_net_test_t)
+sysnet_read_config(mon_net_test_t)
+
+auth_use_nsswitch(mon_net_test_t)
+corecmd_exec_bin(mon_net_test_t)
+corecmd_exec_shell(mon_net_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
+dev_getattr_sysfs(mon_net_test_t)
+dev_read_sysfs(mon_net_test_t)
+dev_read_urand(mon_net_test_t)
+files_read_usr_files(mon_net_test_t)
+miscfiles_read_certs(mon_net_test_t)
+miscfiles_read_localization(mon_net_test_t)
+netutils_domtrans_ping(mon_net_test_t)
+
+optional_policy(`
+	bind_read_zone(mon_net_test_t)
+')
+
+########################################
+#
+# Local policy
+# mon_local_test_t is for running tests that don't need network access
+# this domain has much more access to the local system!
+#
+# try not to use dontaudit rules for this
+#
+
+allow mon_local_test_t self:capability sys_admin;
+allow mon_local_test_t self:fifo_file rw_file_perms;
+
+can_exec(mon_local_test_t, mon_local_test_exec_t)
+manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
+
+files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
+fs_getattr_nfs(mon_local_test_t)
+fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_hugetlbfs(mon_local_test_t)
+fs_list_tmpfs(mon_local_test_t)
+fs_search_nfs(mon_local_test_t)
+kernel_dontaudit_getattr_core_if(mon_local_test_t)
+kernel_getattr_proc(mon_local_test_t)
+kernel_read_software_raid_state(mon_local_test_t)
+kernel_read_system_state(mon_local_test_t)
+storage_getattr_fixed_disk_dev(mon_local_test_t)
+storage_getattr_removable_dev(mon_local_test_t)
+
+application_exec_all(mon_local_test_t)
+auth_use_nsswitch(mon_local_test_t)
+corecmd_exec_bin(mon_local_test_t)
+corecmd_exec_shell(mon_local_test_t)
+dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
+dev_getattr_sysfs(mon_local_test_t)
+dev_read_urand(mon_local_test_t)
+dev_read_sysfs(mon_local_test_t)
+domain_read_all_domains_state(mon_local_test_t)
+files_read_usr_files(mon_local_test_t)
+files_search_mnt(mon_local_test_t)
+files_search_spool(mon_local_test_t)
+fs_search_auto_mountpoints(mon_local_test_t)
+getattr_init_fifo(mon_local_test_t)
+logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_localization(mon_local_test_t)
+rpc_read_nfs_content(mon_local_test_t)
+sysnet_read_config(mon_local_test_t)
+term_getattr_generic_ptys(mon_local_test_t)
+term_list_ptys(mon_local_test_t)
+
+optional_policy(`
+	files_list_boot(mon_local_test_t)
+')
+
+optional_policy(`
+	sudo_role_template(system, system_r, mon_local_test_t)
+	corecmd_bin_entry_type(mon_local_test_t)
+')
+
+optional_policy(`
+	gpm_getattr_gpmctl(mon_local_test_t)
+')
+
+optional_policy(`
+	postfix_search_spool(mon_local_test_t)
+')
+
+optional_policy(`
+	xserver_rw_console(mon_local_test_t)
+')
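Review bot: `allow mon_local_test_t self:capability sys_admin;` grants a very broad capability with no comment saying which local test needs it, and the same domain also gets `application_exec_all` and, under optional policy, `sudo_role_template(system, system_r, mon_local_test_t)`. A comment above the rule naming the test and the operation that produced the denial, for example `# sys_admin: required by <test> for <operation>`, would let a reviewer judge whether a narrower rule would do. The section header also says to avoid dontaudit rules for this domain, yet three `*_dontaudit_*` calls follow it, so either the header or those calls deserve a word of explanation. Separately, both test domains use `rw_file_perms` on `self:fifo_file` where mon_t uses the class-specific set; `allow mon_net_test_t self:fifo_file rw_fifo_file_perms;` (and the same for mon_local_test_t) would match.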
diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
--- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-05 20:57:06.659564895 +1100
+++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-06 16:11:04.966188329 +1100
@@ -176,6 +176,7 @@
 network_port(memcache, tcp,11211,s0, udp,11211,s0)
 network_port(milter) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
 network_port(monit, tcp,2812,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(mountd, tcp,20048,s0, udp,20048,s0)
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
--- /home/rjc/src/pol-git/policy/modules/system/init.if	2016-12-04 23:04:21.264949806 +1100
+++ /tmp/pol-git/policy/modules/system/init.if	2017-02-06 16:11:04.966188329 +1100
@@ -2504,3 +2504,22 @@
 
 	allow $1 systemdunit:service reload;
 ')
+
+########################################
+## <summary>
+##      stat /run/systemd/initctl/fifo
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`getattr_init_fifo',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:fifo_file getattr;
+	allow $1 init_var_run_t:dir list_dir_perms;
+')
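Review bot: `allow $1 init_var_run_t:dir list_dir_perms;` lets the caller read the contents of directories labelled init_var_run_t, while the documented purpose (stat of the initctl FIFO) only needs to traverse them; `allow $1 init_var_run_t:dir search_dir_perms;` would be the narrower grant. The fifo rule could likewise use `getattr_fifo_file_perms`, as the gpm.if change in this patch does, instead of the bare `getattr`. The name `getattr_init_fifo` lacks the `init_` prefix that the interfaces visible in this patch's copy of init.if all carry, so a prefixed name would fit the file better. The parameter summary `domain` would read more usefully as `Domain allowed access.`, the wording the neighbouring interfaces use.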
diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
--- /home/rjc/src/pol-git/policy/modules/system/init.if.orig	1970-01-01 10:00:00.000000000 +1000
+++ /tmp/pol-git/policy/modules/system/init.if.orig	2016-12-04 23:04:21.264949806 +1100
@@ -0,0 +1,2506 @@
+## <summary>System initialization programs (init and init scripts).</summary>
+
+########################################
+## <summary>
+##	Create a file type used for init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a file type used for init scripts.  It can not be
+##	used in conjunction with init_script_domain(). These
+##	script files are typically stored in the /etc/init.d directory.
+##	</p>
+##	<p>
+##	Typically this is used to constrain what services an
+##	admin can start/stop.  For example, a policy writer may want
+##	to constrain a web administrator to only being able to
+##	restart the web server, not other services.  This special type
+##	will help address that goal.
+##	</p>
+##	<p>
+##	This also makes the type usable for files; thus an
+##	explicit call to files_type() is redundant.
+##	</p>
+## </desc>
+## <param name="script_file">
+##	<summary>
+##	Type to be used for a script file.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`init_script_file',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type, init_run_all_scripts_domain;
+	')
+
+	typeattribute $1 init_script_file_type;
+
+	domain_entry_file(initrc_t, $1)
+
+	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
+')
+
+########################################
+## <summary>
+##   Make the specified type usable for
+##   systemd unit files.
+## </summary>
+## <param name="type">
+##   <summary>
+##   Type to be used for systemd unit files.
+##   </summary>
+## </param>
+#
+interface(`init_unit_file',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	files_type($1)
+	typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
+##	Create a domain used for init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain used for init scripts.
+##	Can not be used in conjunction with
+##	init_script_file().
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as an init script domain.
+##	</summary>
+## </param>
+## <param name="script_file">
+##	<summary>
+##	Type of the script file used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_script_domain',`
+	gen_require(`
+		attribute init_script_domain_type, init_script_file_type;
+		attribute init_run_all_scripts_domain;
+	')
+
+	typeattribute $1 init_script_domain_type;
+	typeattribute $2 init_script_file_type;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+')
+
+########################################
+## <summary>
+##	Create a domain which can be started by init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`init_domain',`
+	gen_require(`
+		type init_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(init_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain which can be started by init,
+##	with a range transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+#
+interface(`init_ranged_domain',`
+	gen_require(`
+		type init_t;
+	')
+
+	init_domain($1, $2)
+
+	ifdef(`enable_mcs',`
+		range_transition init_t $2:process $3;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition init_t $2:process $3;
+		mls_rangetrans_target($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for long running processes
+##	(daemons/services) which are started by init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain for long running processes (daemons/services)
+##	which are started by init scripts. Short running processes
+##	should use the init_system_domain() interface instead.
+##	Typically all long running processes started by an init
+##	script (usually in /etc/init.d) will need to use this
+##	interface.
+##	</p>
+##	<p>
+##	The types will be made usable as a domain and file, making
+##	calls to domain_type() and files_type() redundant.
+##	</p>
+##	<p>
+##	If the process must also run in a specific MLS/MCS level,
+##	the init_ranged_daemon_domain() should be used instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_daemon_domain',`
+	gen_require(`
+		type initrc_t;
+		role system_r;
+		attribute daemon;
+	')
+
+	typeattribute $1 daemon;
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(initrc_t, $2, $1)
+
+	# daemons started from init will
+	# inherit fds from init for the console
+	init_dontaudit_use_fds($1)
+	term_dontaudit_use_console($1)
+
+	# init script ptys are the stdin/out/err
+	# when using run_init
+	init_use_script_ptys($1)
+
+	ifdef(`direct_sysadm_daemon',`
+		userdom_dontaudit_use_user_terminals($1)
+	')
+
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+		# this may be because of late labelling
+		kernel_dgram_send($1)
+	')
+
+	optional_policy(`
+		nscd_use($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for long running processes
+##	(daemons/services) which are started by init scripts,
+##	running at a specified MLS/MCS range.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain for long running processes (daemons/services)
+##	which are started by init scripts, running at a specified
+##	MLS/MCS range. Short running processes
+##	should use the init_ranged_system_domain() interface instead.
+##	Typically all long running processes started by an init
+##	script (usually in /etc/init.d) will need to use this
+##	interface if they need to run in a specific MLS/MCS range.
+##	</p>
+##	<p>
+##	The types will be made usable as a domain and file, making
+##	calls to domain_type() and files_type() redundant.
+##	</p>
+##	<p>
+##	If the policy build option TYPE is standard (MLS and MCS disabled),
+##	this interface has the same behavior as init_daemon_domain().
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	MLS/MCS range for the domain.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_daemon_domain',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_daemon_domain($1, $2)
+
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
+
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
+	')
+')
+
+#########################################
+## <summary>
+##	Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+	')
+')
+
+#########################################
+## <summary>
+##	Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain to be started by systemd socket activation.
+##	</summary>
+## </param>
+## <param name="sock_file">
+##	<summary>
+##	The domain socket file type.
+##	</summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
+
+		allow init_t $1:unix_dgram_socket create_socket_perms;
+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
+		allow init_t $2:dir manage_dir_perms;
+		allow init_t $2:fifo_file manage_fifo_file_perms;
+		allow init_t $2:sock_file manage_sock_file_perms;
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for short running processes
+##	which are started by init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain for short running processes
+##	which are started by init scripts. These are generally applications that
+##	are used to initialize the system during boot.
+##	Long running processes, such as daemons/services
+##	should use the init_daemon_domain() interface instead.
+##	Typically all short running processes started by an init
+##	script (usually in /etc/init.d) will need to use this
+##	interface.
+##	</p>
+##	<p>
+##	The types will be made usable as a domain and file, making
+##	calls to domain_type() and files_type() redundant.
+##	</p>
+##	<p>
+##	If the process must also run in a specific MLS/MCS level,
+##	the init_ranged_system_domain() should be used instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a system domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_system_domain',`
+	gen_require(`
+		type initrc_t;
+		role system_r;
+	')
+
+	application_domain($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(initrc_t, $2, $1)
+
+	ifdef(`init_systemd',`
+		init_domain($1, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Create a domain for short running processes
+##	which are started by init scripts.
+## </summary>
+## <desc>
+##	<p>
+##	Create a domain for long running processes (daemons/services)
+##	which are started by init scripts.
+##	These are generally applications that
+##	are used to initialize the system during boot.
+##	Long running processes
+##	should use the init_ranged_system_domain() interface instead.
+##	Typically all short running processes started by an init
+##	script (usually in /etc/init.d) will need to use this
+##	interface if they need to run in a specific MLS/MCS range.
+##	</p>
+##	<p>
+##	The types will be made usable as a domain and file, making
+##	calls to domain_type() and files_type() redundant.
+##	</p>
+##	<p>
+##	If the policy build option TYPE is standard (MLS and MCS disabled),
+##	this interface has the same behavior as init_system_domain().
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a system domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	Range for the domain.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`init_ranged_system_domain',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	ifdef(`init_systemd',`
+		init_ranged_domain($1, $2, $3)
+	',`
+		init_system_domain($1, $2)
+
+		ifdef(`enable_mcs',`
+			range_transition initrc_t $2:process $3;
+		')
+
+		ifdef(`enable_mls',`
+			range_transition initrc_t $2:process $3;
+			mls_rangetrans_target($1)
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon run dir
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the directory that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+	gen_require(`
+		attribute daemonrundir;
+		type initrc_t;
+	')
+
+	refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
+	init_daemon_pid_file($1, dir, $2)
+')
+
+########################################
+## <summary>
+##	Execute init (/sbin/init) with a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans',`
+	gen_require(`
+		type init_t, init_exec_t;
+	')
+
+	domtrans_pattern($1, init_exec_t, init_t)
+')
+
+########################################
+## <summary>
+##	Execute the init program in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_exec',`
+	gen_require(`
+		type init_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, init_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute the rc application in the caller domain.
+## </summary>
+## <desc>
+## <p>
+##	This is only applicable to Gentoo or distributions that use the OpenRC
+##	init system.
+## </p>
+## <p>
+##	The OpenRC /sbin/rc binary is used for both init scripts as well as
+##	management applications and tools. When used for management purposes,
+##	calling /sbin/rc should never cause a transition to initrc_t.
+## </p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec_rc',`
+	gen_require(`
+		type rc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rc_exec_t)
+')
+
+########################################
+## <summary>
+##	Get the process group of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getpgid',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Send init a null signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signull',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process signull;
+')
+
+########################################
+## <summary>
+##	Send init a SIGCHLD signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_sigchld',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Connect to init with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stream_connect',`
+	gen_require(`
+		type init_t, init_var_run_t;
+	')
+
+	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Inherit and use file descriptors from init.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to inherit file
+##	descriptors from the init program (process ID 1).
+##	Typically the only file descriptors to be
+##	inherited from init are for the console.
+##	This does not allow the domain any access to
+##	the object to which the file descriptors references.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>init_dontaudit_use_fds()</li>
+##		<li>term_dontaudit_use_console()</li>
+##		<li>term_use_console()</li>
+##	</ul>
+##	<p>
+##	Example usage:
+##	</p>
+##	<p>
+##	init_use_fds(mydomain_t)
+##	term_use_console(mydomain_t)
+##	</p>
+##	<p>
+##	Normally, processes that can inherit these file
+##	descriptors (usually services) write messages to the
+##	system log instead of writing to the console.
+##	Therefore, in many cases, this access should
+##	dontaudited instead.
+##	</p>
+##	<p>
+##	Example dontaudit usage:
+##	</p>
+##	<p>
+##	init_dontaudit_use_fds(mydomain_t)
+##	term_dontaudit_use_console(mydomain_t)
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="1"/>
+#
+interface(`init_use_fds',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit file
+##	descriptors from init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_fds',`
+	gen_require(`
+		type init_t;
+	')
+
+	dontaudit $1 init_t:fd use;
+')
+
+########################################
+## <summary>
+##	Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+	gen_require(`
+		type init_t, init_var_run_t;
+	')
+
+	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init with unix domain stream sockets.
+##	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to init.  (Deprecated)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_send',`
+	refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Get all service status (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_system_status',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+##	Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_enable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+##	Disable all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_disable',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+##	Reload all services (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+##	Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reboot_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+##	Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+	gen_require(`
+		type init_t;
+		class service status;
+	')
+
+	allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## 	Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## 	Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+	gen_require(`
+		type init_t;
+		class service start;
+	')
+
+	allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	systemd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+	gen_require(`
+		type init_t;
+		class dbus send_msg;
+	')
+
+	allow $1 init_t:dbus send_msg;
+	allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Create files in /var/lib/systemd
+##	with an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="type">
+##	<summary>
+##	The type of object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Get the attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	allow $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the
+##	attributes of initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_getattr_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file getattr;
+')
+
+########################################
+## <summary>
+##	Write to initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Use telinit (Read and write initctl).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_telinit',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+
+	init_exec($1)
+
+	tunable_policy(`init_upstart',`
+		gen_require(`
+			type init_t;
+		')
+
+		# upstart uses a datagram socket instead of initctl pipe
+		allow $1 self:unix_dgram_socket create_socket_perms;
+		allow $1 init_t:unix_dgram_socket sendto;
+	')
+')
+
+########################################
+## <summary>
+##	Read and write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write initctl.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_rw_initctl',`
+	gen_require(`
+		type initctl_t;
+	')
+
+	dontaudit $1 initctl_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Make init scripts an entry point for
+##	the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_entry_type',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	domain_entry_file($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute init scripts with a specified domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_spec_domtrans_script',`
+	gen_require(`
+		type initrc_t, initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+	ifdef(`distro_gentoo',`
+		gen_require(`
+			type rc_exec_t;
+		')
+
+		domtrans_pattern($1, rc_exec_t, initrc_t)
+	')
+
+	ifdef(`enable_mcs',`
+		range_transition $1 initrc_exec_t:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_script',`
+	gen_require(`
+		type initrc_t, initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domtrans_pattern($1, initrc_exec_t, initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 initrc_exec_t:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Execute a init script in a specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute a init script in a specified domain.
+##	</p>
+##	<p>
+##	No interprocess communication (signals, pipes,
+##	etc.) is provided by this interface since
+##	the domains are not owned by this module.
+##	</p>
+## </desc>
+## <param name="source_domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	Domain to transition to.
+##	</summary>
+## </param>
+# cjp: added for gentoo integrated run_init
+interface(`init_script_file_domtrans',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	domain_auto_transition_pattern($1, initrc_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Transition to the init script domain
+##	on a specified labeled init script.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="init_script_file">
+##	<summary>
+##	Labeled init script file.
+##	</summary>
+## </param>
+#
+interface(`init_labeled_script_domtrans',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	domtrans_pattern($1, $2, initrc_t)
+	files_search_etc($1)
+')
+
+#########################################
+## <summary>
+##	Transition to the init script domain
+## 	for all labeled init script types
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_all_labeled_script_domtrans',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	init_labeled_script_domtrans($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+##	Allow the role to start and stop
+##	labeled services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="init_script_file">
+##	<summary>
+##	Labeled init script file.
+##	</summary>
+## </param>
+## <param name="unit" optional="true">
+##	<summary>
+##	Systemd unit file type.
+##	</summary>
+## </param>
+#
+interface(`init_startstop_service',`
+	gen_require(`
+		role system_r;
+	')
+
+	ifndef(`direct_sysadm_daemon',`
+		ifdef(`distro_gentoo',`
+			# for OpenRC
+			seutil_labeled_init_script_run_runinit($1, $2, $4)
+		',`
+			# rules for sysvinit / upstart
+			init_labeled_script_domtrans($1, $4)
+			domain_system_change_exemption($1)
+			role_transition $2 $4 system_r;
+			allow $2 system_r;
+		')
+
+		ifdef(`init_systemd',`
+			# This ifelse condition is temporary, until
+			# all callers are updated to provide unit files.
+			ifelse(`$5',`',`',`
+				gen_require(`
+					class service { start stop };
+				')
+
+				allow $1 $5:service { start stop };
+			')
+		')
+	')
+')
+
+########################################
+## <summary>
+##	Start and stop daemon programs directly.
+## </summary>
+## <desc>
+##	<p>
+##	Start and stop daemon programs directly
+##	in the traditional "/etc/init.d/daemon start"
+##	style, and do not require run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+#
+interface(`init_run_daemon',`
+	gen_require(`
+                attribute init_script_file_type;
+		role system_r;
+	')
+
+	allow $2 system_r;
+
+        init_all_labeled_script_domtrans($1)
+        role_transition $2 init_script_file_type system_r;
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_state',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:dir search_dir_perms;
+	allow $1 init_t:file read_file_perms;
+	allow $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Ptrace init
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_ptrace',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:process ptrace;
+')
+
+########################################
+## <summary>
+##	Write an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_script_pipes',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file write;
+')
+
+########################################
+## <summary>
+##	Get the attribute of init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	allow $1 initrc_exec_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_search_etc($1)
+	allow $1 initrc_exec_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec_script_files',`
+	gen_require(`
+		type initrc_exec_t;
+	')
+
+	files_list_etc($1)
+	can_exec($1, initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Get the attribute of all init script entrypoint files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_list_etc($1)
+	allow $1 init_script_file_type:file getattr;
+')
+
+########################################
+## <summary>
+##	Read all init script files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_search_etc($1)
+	allow $1 init_script_file_type:file read_file_perms;
+')
+
+#######################################
+## <summary>
+##	Dontaudit read all init script files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	dontaudit $1 init_script_file_type:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Execute all init scripts in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_exec_all_script_files',`
+	gen_require(`
+		attribute init_script_file_type;
+	')
+
+	files_list_etc($1)
+	can_exec($1, init_script_file_type)
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid) of the init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_state',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	kernel_search_proc($1)
+	read_files_pattern($1, initrc_t, initrc_t)
+	read_lnk_files_pattern($1, initrc_t, initrc_t)
+	list_dirs_pattern($1, initrc_t, initrc_t)
+
+	# should move this to separate interface
+	allow $1 initrc_t:process getattr;
+')
+
+########################################
+## <summary>
+##	Inherit and use init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_script_fds',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit
+##	init script file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_fds',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:fd use;
+')
+
+########################################
+## <summary>
+##	Search init script keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_script_keys',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:key search;
+')
+
+########################################
+## <summary>
+##	Get the process group ID of init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getpgid_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process getpgid;
+')
+
+########################################
+## <summary>
+##	Send SIGCHLD signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_sigchld_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send generic signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signal_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send null signals to init scripts.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_signull_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read and write init script unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_pipes',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file { read write };
+')
+
+########################################
+## <summary>
+##	Send UDP network traffic to init scripts.  (Deprecated)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_send_script',`
+	refpolicywarn(`$0($*) has been deprecated.')
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to
+##	init scripts with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stream_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_stream_sockets',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Dont audit the specified domain connecting to
+##	init scripts with a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_stream_connect_script',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	dontaudit $1 initrc_t:unix_stream_socket connectto;
+')
+########################################
+## <summary>
+##	Send messages to init scripts over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_send_script',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 initrc_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	init scripts over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dbus_chat_script',`
+	gen_require(`
+		type initrc_t;
+		class dbus send_msg;
+	')
+
+	allow $1 initrc_t:dbus send_msg;
+	allow initrc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Read and write the init script pty.
+## </summary>
+## <desc>
+##	<p>
+##	Read and write the init script pty.  This
+##	pty is generally opened by the open_init_pty
+##	portion of the run_init program so that the
+##	daemon does not require direct access to
+##	the administrator terminal.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	term_list_ptys($1)
+	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Read and write inherited init script ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_inherited_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	term_list_ptys($1)
+	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+	init_use_fds($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and
+##	write the init script pty.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_use_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
+')
+
+########################################
+## <summary>
+##	Get the attributes of init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	dontaudit $1 initrc_state_t:dir search_dir_perms;
+	dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+##	Search the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_run',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 init_var_run_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read init script temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read and write init script temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create files in a init script
+##	temporary data directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="file_type">
+##	<summary>
+##	The type of the object to be created
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The object class.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`init_script_tmp_filetrans',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	files_search_tmp($1)
+	filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+##	Get the attributes of init script process id files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	allow $1 initrc_var_run_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Read utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_write_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file { write lock };
+')
+
+########################################
+## <summary>
+##	Write to utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_write_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file { getattr open write };
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to lock
+##	init script pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_lock_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file lock;
+')
+
+########################################
+## <summary>
+##	Read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_list_pids($1)
+	allow $1 initrc_var_run_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_rw_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete utmp.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_manage_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 initrc_var_run_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /var/run with the
+##	utmp file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_pid_filetrans_utmp',`
+	gen_require(`
+		type initrc_var_run_t;
+	')
+
+	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a tcp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+
+	corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to daemon with a udp socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_udp_recvfrom_all_daemons',`
+	gen_require(`
+		attribute daemon;
+	')
+	corenet_udp_recvfrom_labeled($1, daemon)
+')
+
+######################################
+## <summary>
+##	Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_units',`
+	gen_require(`
+		type init_var_run_t, systemd_unit_t;
+	')
+
+	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+	# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+	files_search_etc($1)
+	files_search_usr($1)
+	libs_search_lib($1)
+
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+##	Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+	gen_require(`
+		type systemd_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Start generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service start;
+	')
+
+	allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+##	Stop generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service stop;
+	')
+
+	allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload generic systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+	gen_require(`
+		type systemd_unit_t;
+		class service reload;
+	')
+
+	allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+##	Get status of all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+	gen_require(`
+		attribute systemdunit;
+		class service status;
+	')
+
+	allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+##	Start all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service start;
+	')
+
+	allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+##	Stop all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+## 	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service stop;
+	')
+
+	allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+##	Reload all systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+	gen_require(`
+		attribute systemdunit;
+		class service reload;
+	')
+
+	allow $1 systemdunit:service reload;
+')


* [refpolicy] [PATCH] mon policy again
  2017-02-06  5:13 [refpolicy] [PATCH] mon policy again Russell Coker
@ 2017-02-08  0:02 ` Chris PeBenito
  2017-02-08  2:01   ` Russell Coker
  2017-02-08 22:18 ` Chris PeBenito
  1 sibling, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-02-08  0:02 UTC (permalink / raw)
  To: refpolicy

On 02/06/17 00:13, Russell Coker via refpolicy wrote:
> Here is another version of the mon policy including requested changes.

Did you include the wrong patch?  I didn't do a side-by-side comparison, 
but it doesn't look any different than the one from Dec. 21, including 
the extra .orig files in the patch.


> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if	2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if	2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
>  	dev_list_all_dev_nodes($1)
>  	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> +	allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
>  ')
>
>  ########################################
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc	2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon		--	gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.*	--	gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.*	--	gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)?		gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)?		gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)?		gen_context(system_u:object_r:mon_var_log_t,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if	2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te	2017-02-06 16:11:04.966188329 +1100
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> +	mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> +	bind_read_zone(mon_net_test_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> +	files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	sudo_role_template(system, system_r, mon_local_test_t)
> +	corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	xserver_rw_console(mon_local_test_t)
> +')
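Review bot: The self fifo rules for the two test domains pair the fifo_file class with the regular-file permission set: `allow mon_net_test_t self:fifo_file rw_file_perms;` and the matching mon_local_test_t line, whereas the mon_t rule earlier in this file uses `rw_fifo_file_perms`. Both should read `self:fifo_file rw_fifo_file_perms;` so the class and the permission macro agree. Separately, `allow mon_local_test_t self:capability sys_admin;` gives a very broad capability to a domain that also receives `application_exec_all` and `sudo_role_template`, and no comment says which local test needs it. A one-line comment above it, such as `# sys_admin: required by <test name> - confirm`, would let a later reviewer judge whether the grant can be narrowed or dropped.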
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
>  network_port(memcache, tcp,11211,s0, udp,11211,s0)
>  network_port(milter) # no defined portcon
>  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
>  network_port(monit, tcp,2812,s0)
>  network_port(monopd, tcp,1234,s0)
>  network_port(mountd, tcp,20048,s0, udp,20048,s0)
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if /tmp/pol-git/policy/modules/system/init.if
> --- /home/rjc/src/pol-git/policy/modules/system/init.if	2016-12-04 23:04:21.264949806 +1100
> +++ /tmp/pol-git/policy/modules/system/init.if	2017-02-06 16:11:04.966188329 +1100
> @@ -2504,3 +2504,22 @@
>
>  	allow $1 systemdunit:service reload;
>  ')
> +
> +########################################
> +## <summary>
> +##      stat /run/systemd/initctl/fifo
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      domain
> +##      </summary>
> +## </param>
> +#
> +interface(`getattr_init_fifo',`
> +	gen_require(`
> +		type init_var_run_t;
> +	')
> +
> +	allow $1 init_var_run_t:fifo_file getattr;
> +	allow $1 init_var_run_t:dir list_dir_perms;
> +')
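Review bot: The new interface is named `getattr_init_fifo`, without the `init_` module prefix that the other interfaces of this file carry (for example `init_reload_all_units` elsewhere on this page). It should be renamed along the lines of `init_getattr_init_fifo`, and the call in mon.te updated to match. Its summary says only "stat /run/systemd/initctl/fifo", but the body also grants `init_var_run_t:dir list_dir_perms`, and the rule covers every fifo labelled init_var_run_t rather than that one path. The summary should state both accesses, and the param text should read `Domain allowed access.` like the neighbouring interfaces instead of the bare "domain".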
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/init.if.orig /tmp/pol-git/policy/modules/system/init.if.orig
> --- /home/rjc/src/pol-git/policy/modules/system/init.if.orig	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/system/init.if.orig	2016-12-04 23:04:21.264949806 +1100
> @@ -0,0 +1,2506 @@
> +## <summary>System initialization programs (init and init scripts).</summary>
> +
> +########################################
> +## <summary>
> +##	Create a file type used for init scripts.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a file type used for init scripts.  It can not be
> +##	used in conjunction with init_script_domain(). These
> +##	script files are typically stored in the /etc/init.d directory.
> +##	</p>
> +##	<p>
> +##	Typically this is used to constrain what services an
> +##	admin can start/stop.  For example, a policy writer may want
> +##	to constrain a web administrator to only being able to
> +##	restart the web server, not other services.  This special type
> +##	will help address that goal.
> +##	</p>
> +##	<p>
> +##	This also makes the type usable for files; thus an
> +##	explicit call to files_type() is redundant.
> +##	</p>
> +## </desc>
> +## <param name="script_file">
> +##	<summary>
> +##	Type to be used for a script file.
> +##	</summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`init_script_file',`
> +	gen_require(`
> +		type initrc_t;
> +		attribute init_script_file_type, init_run_all_scripts_domain;
> +	')
> +
> +	typeattribute $1 init_script_file_type;
> +
> +	domain_entry_file(initrc_t, $1)
> +
> +	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
> +')
> +
> +########################################
> +## <summary>
> +##   Make the specified type usable for
> +##   systemd unit files.
> +## </summary>
> +## <param name="type">
> +##   <summary>
> +##   Type to be used for systemd unit files.
> +##   </summary>
> +## </param>
> +#
> +interface(`init_unit_file',`
> +	gen_require(`
> +		attribute systemdunit;
> +	')
> +
> +	files_type($1)
> +	typeattribute $1 systemdunit;
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain used for init scripts.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a domain used for init scripts.
> +##	Can not be used in conjunction with
> +##	init_script_file().
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as an init script domain.
> +##	</summary>
> +## </param>
> +## <param name="script_file">
> +##	<summary>
> +##	Type of the script file used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_script_domain',`
> +	gen_require(`
> +		attribute init_script_domain_type, init_script_file_type;
> +		attribute init_run_all_scripts_domain;
> +	')
> +
> +	typeattribute $1 init_script_domain_type;
> +	typeattribute $2 init_script_file_type;
> +
> +	domain_type($1)
> +	domain_entry_file($1, $2)
> +
> +	role system_r types $1;
> +
> +	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain which can be started by init.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_domain',`
> +	gen_require(`
> +		type init_t;
> +		role system_r;
> +	')
> +
> +	domain_type($1)
> +	domain_entry_file($1, $2)
> +
> +	role system_r types $1;
> +
> +	domtrans_pattern(init_t, $2, $1)
> +
> +	ifdef(`init_systemd',`
> +		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain which can be started by init,
> +##	with a range transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +## <param name="range">
> +##	<summary>
> +##	Range for the domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_ranged_domain',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	init_domain($1, $2)
> +
> +	ifdef(`enable_mcs',`
> +		range_transition init_t $2:process $3;
> +	')
> +
> +	ifdef(`enable_mls',`
> +		range_transition init_t $2:process $3;
> +		mls_rangetrans_target($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain for long running processes
> +##	(daemons/services) which are started by init scripts.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a domain for long running processes (daemons/services)
> +##	which are started by init scripts. Short running processes
> +##	should use the init_system_domain() interface instead.
> +##	Typically all long running processes started by an init
> +##	script (usually in /etc/init.d) will need to use this
> +##	interface.
> +##	</p>
> +##	<p>
> +##	The types will be made usable as a domain and file, making
> +##	calls to domain_type() and files_type() redundant.
> +##	</p>
> +##	<p>
> +##	If the process must also run in a specific MLS/MCS level,
> +##	the init_ranged_daemon_domain() should be used instead.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a daemon domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_daemon_domain',`
> +	gen_require(`
> +		type initrc_t;
> +		role system_r;
> +		attribute daemon;
> +	')
> +
> +	typeattribute $1 daemon;
> +
> +	domain_type($1)
> +	domain_entry_file($1, $2)
> +
> +	role system_r types $1;
> +
> +	domtrans_pattern(initrc_t, $2, $1)
> +
> +	# daemons started from init will
> +	# inherit fds from init for the console
> +	init_dontaudit_use_fds($1)
> +	term_dontaudit_use_console($1)
> +
> +	# init script ptys are the stdin/out/err
> +	# when using run_init
> +	init_use_script_ptys($1)
> +
> +	ifdef(`direct_sysadm_daemon',`
> +		userdom_dontaudit_use_user_terminals($1)
> +	')
> +
> +	ifdef(`init_systemd',`
> +		init_domain($1, $2)
> +		# this may be because of late labelling
> +		kernel_dgram_send($1)
> +	')
> +
> +	optional_policy(`
> +		nscd_use($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain for long running processes
> +##	(daemons/services) which are started by init scripts,
> +##	running at a specified MLS/MCS range.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a domain for long running processes (daemons/services)
> +##	which are started by init scripts, running at a specified
> +##	MLS/MCS range. Short running processes
> +##	should use the init_ranged_system_domain() interface instead.
> +##	Typically all long running processes started by an init
> +##	script (usually in /etc/init.d) will need to use this
> +##	interface if they need to run in a specific MLS/MCS range.
> +##	</p>
> +##	<p>
> +##	The types will be made usable as a domain and file, making
> +##	calls to domain_type() and files_type() redundant.
> +##	</p>
> +##	<p>
> +##	If the policy build option TYPE is standard (MLS and MCS disabled),
> +##	this interface has the same behavior as init_daemon_domain().
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a daemon domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +## <param name="range">
> +##	<summary>
> +##	MLS/MCS range for the domain.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_ranged_daemon_domain',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	ifdef(`init_systemd',`
> +		init_ranged_domain($1, $2, $3)
> +	',`
> +		init_daemon_domain($1, $2)
> +
> +		ifdef(`enable_mcs',`
> +			range_transition initrc_t $2:process $3;
> +		')
> +
> +		ifdef(`enable_mls',`
> +			range_transition initrc_t $2:process $3;
> +			mls_rangetrans_target($1)
> +		')
> +	')
> +')
> +
> +#########################################
> +## <summary>
> +##	Abstract socket service activation (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The domain to be started by systemd socket activation.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_abstract_socket_activation',`
> +	ifdef(`init_systemd',`
> +		gen_require(`
> +			type init_t;
> +		')
> +
> +		allow init_t $1:unix_stream_socket create_stream_socket_perms;
> +	')
> +')
> +
> +#########################################
> +## <summary>
> +##	Named socket service activation (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The domain to be started by systemd socket activation.
> +##	</summary>
> +## </param>
> +## <param name="sock_file">
> +##	<summary>
> +##	The domain socket file type.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_named_socket_activation',`
> +	ifdef(`init_systemd',`
> +		gen_require(`
> +			type init_t;
> +		')
> +
> +		allow init_t $1:unix_dgram_socket create_socket_perms;
> +		allow init_t $1:unix_stream_socket create_stream_socket_perms;
> +		allow init_t $2:dir manage_dir_perms;
> +		allow init_t $2:fifo_file manage_fifo_file_perms;
> +		allow init_t $2:sock_file manage_sock_file_perms;
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain for short running processes
> +##	which are started by init scripts.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a domain for short running processes
> +##	which are started by init scripts. These are generally applications that
> +##	are used to initialize the system during boot.
> +##	Long running processes, such as daemons/services
> +##	should use the init_daemon_domain() interface instead.
> +##	Typically all short running processes started by an init
> +##	script (usually in /etc/init.d) will need to use this
> +##	interface.
> +##	</p>
> +##	<p>
> +##	The types will be made usable as a domain and file, making
> +##	calls to domain_type() and files_type() redundant.
> +##	</p>
> +##	<p>
> +##	If the process must also run in a specific MLS/MCS level,
> +##	the init_ranged_system_domain() should be used instead.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a system domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_system_domain',`
> +	gen_require(`
> +		type initrc_t;
> +		role system_r;
> +	')
> +
> +	application_domain($1, $2)
> +
> +	role system_r types $1;
> +
> +	domtrans_pattern(initrc_t, $2, $1)
> +
> +	ifdef(`init_systemd',`
> +		init_domain($1, $2)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Create a domain for short running processes
> +##	which are started by init scripts.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Create a domain for long running processes (daemons/services)
> +##	which are started by init scripts.
> +##	These are generally applications that
> +##	are used to initialize the system during boot.
> +##	Long running processes
> +##	should use the init_ranged_system_domain() interface instead.
> +##	Typically all short running processes started by an init
> +##	script (usually in /etc/init.d) will need to use this
> +##	interface if they need to run in a specific MLS/MCS range.
> +##	</p>
> +##	<p>
> +##	The types will be made usable as a domain and file, making
> +##	calls to domain_type() and files_type() redundant.
> +##	</p>
> +##	<p>
> +##	If the policy build option TYPE is standard (MLS and MCS disabled),
> +##	this interface has the same behavior as init_system_domain().
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a system domain.
> +##	</summary>
> +## </param>
> +## <param name="entry_point">
> +##	<summary>
> +##	Type of the program to be used as an entry point to this domain.
> +##	</summary>
> +## </param>
> +## <param name="range">
> +##	<summary>
> +##	Range for the domain.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`init_ranged_system_domain',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	ifdef(`init_systemd',`
> +		init_ranged_domain($1, $2, $3)
> +	',`
> +		init_system_domain($1, $2)
> +
> +		ifdef(`enable_mcs',`
> +			range_transition initrc_t $2:process $3;
> +		')
> +
> +		ifdef(`enable_mls',`
> +			range_transition initrc_t $2:process $3;
> +			mls_rangetrans_target($1)
> +		')
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Mark the file type as a daemon pid file, allowing initrc_t
> +##	to create it
> +## </summary>
> +## <param name="filetype">
> +##	<summary>
> +##	Type to mark as a daemon pid file
> +##	</summary>
> +## </param>
> +## <param name="class">
> +##	<summary>
> +##	Class on which the type is applied
> +##	</summary>
> +## </param>
> +## <param name="filename">
> +##	<summary>
> +##	Filename of the file that the init script creates
> +##	</summary>
> +## </param>
> +#
> +interface(`init_daemon_pid_file',`
> +	gen_require(`
> +		attribute daemonpidfile;
> +		type initrc_t;
> +	')
> +
> +	typeattribute $1 daemonpidfile;
> +
> +	files_pid_file($1)
> +	files_pid_filetrans(initrc_t, $1, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##	Mark the file type as a daemon run dir, allowing initrc_t
> +##	to create it
> +## </summary>
> +## <param name="filetype">
> +##	<summary>
> +##	Type to mark as a daemon run dir
> +##	</summary>
> +## </param>
> +## <param name="filename">
> +##	<summary>
> +##	Filename of the directory that the init script creates
> +##	</summary>
> +## </param>
> +#
> +interface(`init_daemon_run_dir',`
> +	gen_require(`
> +		attribute daemonrundir;
> +		type initrc_t;
> +	')
> +
> +	refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
> +	init_daemon_pid_file($1, dir, $2)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute init (/sbin/init) with a domain transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_domtrans',`
> +	gen_require(`
> +		type init_t, init_exec_t;
> +	')
> +
> +	domtrans_pattern($1, init_exec_t, init_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute the init program in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_exec',`
> +	gen_require(`
> +		type init_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, init_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute the rc application in the caller domain.
> +## </summary>
> +## <desc>
> +## <p>
> +##	This is only applicable to Gentoo or distributions that use the OpenRC
> +##	init system.
> +## </p>
> +## <p>
> +##	The OpenRC /sbin/rc binary is used for both init scripts as well as
> +##	management applications and tools. When used for management purposes,
> +##	calling /sbin/rc should never cause a transition to initrc_t.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_exec_rc',`
> +	gen_require(`
> +		type rc_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, rc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Get the process group of init.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getpgid',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process getpgid;
> +')
> +
> +########################################
> +## <summary>
> +##	Send init a null signal.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_signull',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process signull;
> +')
> +
> +########################################
> +## <summary>
> +##	Send init a SIGCHLD signal.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_sigchld',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +##	Connect to init with a unix socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_stream_connect',`
> +	gen_require(`
> +		type init_t, init_var_run_t;
> +	')
> +
> +	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
> +	files_search_pids($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Inherit and use file descriptors from init.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to inherit file
> +##	descriptors from the init program (process ID 1).
> +##	Typically the only file descriptors to be
> +##	inherited from init are for the console.
> +##	This does not allow the domain any access to
> +##	the object to which the file descriptors references.
> +##	</p>
> +##	<p>
> +##	Related interfaces:
> +##	</p>
> +##	<ul>
> +##		<li>init_dontaudit_use_fds()</li>
> +##		<li>term_dontaudit_use_console()</li>
> +##		<li>term_use_console()</li>
> +##	</ul>
> +##	<p>
> +##	Example usage:
> +##	</p>
> +##	<p>
> +##	init_use_fds(mydomain_t)
> +##	term_use_console(mydomain_t)
> +##	</p>
> +##	<p>
> +##	Normally, processes that can inherit these file
> +##	descriptors (usually services) write messages to the
> +##	system log instead of writing to the console.
> +##	Therefore, in many cases, this access should
> +##	dontaudited instead.
> +##	</p>
> +##	<p>
> +##	Example dontaudit usage:
> +##	</p>
> +##	<p>
> +##	init_dontaudit_use_fds(mydomain_t)
> +##	term_dontaudit_use_console(mydomain_t)
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <infoflow type="read" weight="1"/>
> +#
> +interface(`init_use_fds',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to inherit file
> +##	descriptors from init.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_fds',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	dontaudit $1 init_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +##	Send messages to init unix datagram sockets.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_dgram_send',`
> +	gen_require(`
> +		type init_t, init_var_run_t;
> +	')
> +
> +	dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
> +	files_search_pids($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to read/write to
> +##	init with unix domain stream sockets.
> +##	</summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_stream_sockets',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Send UDP network traffic to init.  (Deprecated)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_udp_send',`
> +	refpolicywarn(`$0($*) has been deprecated.')
> +')
> +
> +########################################
> +## <summary>
> +##	Get all service status (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_get_system_status',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system status;
> +')
> +
> +########################################
> +## <summary>
> +##	Enable all systemd services (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_enable',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system enable;
> +')
> +
> +########################################
> +## <summary>
> +##	Disable all services (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_disable',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system disable;
> +')
> +
> +########################################
> +## <summary>
> +##	Reload all services (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_reload',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system reload;
> +')
> +
> +########################################
> +## <summary>
> +##	Reboot the system (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_reboot_system',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system reboot;
> +')
> +
> +########################################
> +## <summary>
> +##	Shutdown (halt) the system (systemd).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_shutdown_system',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:system halt;
> +')
> +
> +########################################
> +## <summary>
> +## 	Allow specified domain to get init status
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## 	Domain to allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_service_status',`
> +	gen_require(`
> +		type init_t;
> +		class service status;
> +	')
> +
> +	allow $1 init_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +## 	Allow specified domain to get init start
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## 	Domain to allow access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_service_start',`
> +	gen_require(`
> +		type init_t;
> +		class service start;
> +	')
> +
> +	allow $1 init_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +##	Send and receive messages from
> +##	systemd over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dbus_chat',`
> +	gen_require(`
> +		type init_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 init_t:dbus send_msg;
> +	allow init_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage files in /var/lib/systemd/.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	The type of the object to be created
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	The object class.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_manage_var_lib_files',`
> +	gen_require(`
> +		type init_var_lib_t;
> +	')
> +
> +	manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
> +	files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Create files in /var/lib/systemd
> +##	with an automatic type transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="type">
> +##	<summary>
> +##	The type of object to be created
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	The object class.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_var_lib_filetrans',`
> +	gen_require(`
> +		type init_var_lib_t;
> +	')
> +
> +	files_search_var_lib($1)
> +	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Create files in an init PID directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	The type of the object to be created
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	The object class.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_pid_filetrans',`
> +	gen_require(`
> +		type init_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attributes of initctl.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_initctl',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	allow $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to get the
> +##	attributes of initctl.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_getattr_initctl',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	dontaudit $1 initctl_t:fifo_file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Write to initctl.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_write_initctl',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 initctl_t:fifo_file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Use telinit (Read and write initctl).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_telinit',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +
> +	init_exec($1)
> +
> +	tunable_policy(`init_upstart',`
> +		gen_require(`
> +			type init_t;
> +		')
> +
> +		# upstart uses a datagram socket instead of initctl pipe
> +		allow $1 self:unix_dgram_socket create_socket_perms;
> +		allow $1 init_t:unix_dgram_socket sendto;
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write initctl.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_initctl',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read and
> +##	write initctl.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_rw_initctl',`
> +	gen_require(`
> +		type initctl_t;
> +	')
> +
> +	dontaudit $1 initctl_t:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +##	Make init scripts an entry point for
> +##	the specified domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_entry_type',`
> +	gen_require(`
> +		type initrc_exec_t;
> +	')
> +
> +	domain_entry_file($1, initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute init scripts with a specified domain transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_spec_domtrans_script',`
> +	gen_require(`
> +		type initrc_t, initrc_exec_t;
> +	')
> +
> +	files_list_etc($1)
> +	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> +	ifdef(`distro_gentoo',`
> +		gen_require(`
> +			type rc_exec_t;
> +		')
> +
> +		domtrans_pattern($1, rc_exec_t, initrc_t)
> +	')
> +
> +	ifdef(`enable_mcs',`
> +		range_transition $1 initrc_exec_t:process s0;
> +	')
> +
> +	ifdef(`enable_mls',`
> +		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Execute init scripts with an automatic domain transition.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_domtrans_script',`
> +	gen_require(`
> +		type initrc_t, initrc_exec_t;
> +	')
> +
> +	files_list_etc($1)
> +	domtrans_pattern($1, initrc_exec_t, initrc_t)
> +
> +	ifdef(`enable_mcs',`
> +		range_transition $1 initrc_exec_t:process s0;
> +	')
> +
> +	ifdef(`enable_mls',`
> +		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Execute a init script in a specified domain.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Execute a init script in a specified domain.
> +##	</p>
> +##	<p>
> +##	No interprocess communication (signals, pipes,
> +##	etc.) is provided by this interface since
> +##	the domains are not owned by this module.
> +##	</p>
> +## </desc>
> +## <param name="source_domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="target_domain">
> +##	<summary>
> +##	Domain to transition to.
> +##	</summary>
> +## </param>
> +# cjp: added for gentoo integrated run_init
> +interface(`init_script_file_domtrans',`
> +	gen_require(`
> +		type initrc_exec_t;
> +	')
> +
> +	files_list_etc($1)
> +	domain_auto_transition_pattern($1, initrc_exec_t, $2)
> +')
> +
> +########################################
> +## <summary>
> +##	Transition to the init script domain
> +##	on a specified labeled init script.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="init_script_file">
> +##	<summary>
> +##	Labeled init script file.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_labeled_script_domtrans',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	domtrans_pattern($1, $2, initrc_t)
> +	files_search_etc($1)
> +')
> +
> +#########################################
> +## <summary>
> +##	Transition to the init script domain
> +## 	for all labeled init script types
> +## </summary>
> +## <param name="domain">
> +## 	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_all_labeled_script_domtrans',`
> +	gen_require(`
> +		attribute init_script_file_type;
> +	')
> +
> +	init_labeled_script_domtrans($1, init_script_file_type)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the role to start and stop
> +##	labeled services.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be performing this action.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be used as a daemon domain.
> +##	</summary>
> +## </param>
> +## <param name="init_script_file">
> +##	<summary>
> +##	Labeled init script file.
> +##	</summary>
> +## </param>
> +## <param name="unit" optional="true">
> +##	<summary>
> +##	Systemd unit file type.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_startstop_service',`
> +	gen_require(`
> +		role system_r;
> +	')
> +
> +	ifndef(`direct_sysadm_daemon',`
> +		ifdef(`distro_gentoo',`
> +			# for OpenRC
> +			seutil_labeled_init_script_run_runinit($1, $2, $4)
> +		',`
> +			# rules for sysvinit / upstart
> +			init_labeled_script_domtrans($1, $4)
> +			domain_system_change_exemption($1)
> +			role_transition $2 $4 system_r;
> +			allow $2 system_r;
> +		')
> +
> +		ifdef(`init_systemd',`
> +			# This ifelse condition is temporary, until
> +			# all callers are updated to provide unit files.
> +			ifelse(`$5',`',`',`
> +				gen_require(`
> +					class service { start stop };
> +				')
> +
> +				allow $1 $5:service { start stop };
> +			')
> +		')
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	Start and stop daemon programs directly.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Start and stop daemon programs directly
> +##	in the traditional "/etc/init.d/daemon start"
> +##	style, and do not require run_init.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_run_daemon',`
> +	gen_require(`
> +                attribute init_script_file_type;
> +		role system_r;
> +	')
> +
> +	allow $2 system_r;
> +
> +        init_all_labeled_script_domtrans($1)
> +        role_transition $2 init_script_file_type system_r;
> +')
> +
> +########################################
> +## <summary>
> +##	Read the process state (/proc/pid) of init.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_state',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:dir search_dir_perms;
> +	allow $1 init_t:file read_file_perms;
> +	allow $1 init_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Ptrace init
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`init_ptrace',`
> +	gen_require(`
> +		type init_t;
> +	')
> +
> +	allow $1 init_t:process ptrace;
> +')
> +
> +########################################
> +## <summary>
> +##	Write an init script unnamed pipe.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_write_script_pipes',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:fifo_file write;
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attribute of init script entrypoint files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_script_files',`
> +	gen_require(`
> +		type initrc_exec_t;
> +	')
> +
> +	files_list_etc($1)
> +	allow $1 initrc_exec_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Read init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_script_files',`
> +	gen_require(`
> +		type initrc_exec_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 initrc_exec_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute init scripts in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_exec_script_files',`
> +	gen_require(`
> +		type initrc_exec_t;
> +	')
> +
> +	files_list_etc($1)
> +	can_exec($1, initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attribute of all init script entrypoint files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_all_script_files',`
> +	gen_require(`
> +		attribute init_script_file_type;
> +	')
> +
> +	files_list_etc($1)
> +	allow $1 init_script_file_type:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Read all init script files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_all_script_files',`
> +	gen_require(`
> +		attribute init_script_file_type;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 init_script_file_type:file read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
> +##	Dontaudit read all init script files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_read_all_script_files',`
> +	gen_require(`
> +		attribute init_script_file_type;
> +	')
> +
> +	dontaudit $1 init_script_file_type:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute all init scripts in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_exec_all_script_files',`
> +	gen_require(`
> +		attribute init_script_file_type;
> +	')
> +
> +	files_list_etc($1)
> +	can_exec($1, init_script_file_type)
> +')
> +
> +########################################
> +## <summary>
> +##	Read the process state (/proc/pid) of the init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_script_state',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	kernel_search_proc($1)
> +	read_files_pattern($1, initrc_t, initrc_t)
> +	read_lnk_files_pattern($1, initrc_t, initrc_t)
> +	list_dirs_pattern($1, initrc_t, initrc_t)
> +
> +	# should move this to separate interface
> +	allow $1 initrc_t:process getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Inherit and use init script file descriptors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_use_script_fds',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to inherit
> +##	init script file descriptors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_script_fds',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	dontaudit $1 initrc_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> +##	Search init script keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_search_script_keys',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:key search;
> +')
> +
> +########################################
> +## <summary>
> +##	Get the process group ID of init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getpgid_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:process getpgid;
> +')
> +
> +########################################
> +## <summary>
> +##	Send SIGCHLD signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_sigchld_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:process sigchld;
> +')
> +
> +########################################
> +## <summary>
> +##	Send generic signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_signal_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:process signal;
> +')
> +
> +########################################
> +## <summary>
> +##	Send null signals to init scripts.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_signull_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:process signull;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write init script unnamed pipes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_script_pipes',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:fifo_file { read write };
> +')
> +
> +########################################
> +## <summary>
> +##	Send UDP network traffic to init scripts.  (Deprecated)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_udp_send_script',`
> +	refpolicywarn(`$0($*) has been deprecated.')
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to connect to
> +##	init scripts with a unix socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_stream_connect_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:unix_stream_socket connectto;
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to read/write to
> +##	init scripts with a unix domain stream sockets.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_script_stream_sockets',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Dont audit the specified domain connecting to
> +##	init scripts with a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_stream_connect_script',`
> +	gen_require(`
> +		type initrc_t;
> +	')
> +
> +	dontaudit $1 initrc_t:unix_stream_socket connectto;
> +')
> +########################################
> +## <summary>
> +##	Send messages to init scripts over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dbus_send_script',`
> +	gen_require(`
> +		type initrc_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 initrc_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##	Send and receive messages from
> +##	init scripts over dbus.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dbus_chat_script',`
> +	gen_require(`
> +		type initrc_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 initrc_t:dbus send_msg;
> +	allow initrc_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write the init script pty.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Read and write the init script pty.  This
> +##	pty is generally opened by the open_init_pty
> +##	portion of the run_init program so that the
> +##	daemon does not require direct access to
> +##	the administrator terminal.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_use_script_ptys',`
> +	gen_require(`
> +		type initrc_devpts_t;
> +	')
> +
> +	term_list_ptys($1)
> +	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write inherited init script ptys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_use_inherited_script_ptys',`
> +	gen_require(`
> +		type initrc_devpts_t;
> +	')
> +
> +	term_list_ptys($1)
> +	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
> +
> +	init_use_fds($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read and
> +##	write the init script pty.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_use_script_ptys',`
> +	gen_require(`
> +		type initrc_devpts_t;
> +	')
> +
> +	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attributes of init script
> +##	status files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_script_status_files',`
> +	gen_require(`
> +		type initrc_state_t;
> +	')
> +
> +	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read init script
> +##	status files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_read_script_status_files',`
> +	gen_require(`
> +		type initrc_state_t;
> +	')
> +
> +	dontaudit $1 initrc_state_t:dir search_dir_perms;
> +	dontaudit $1 initrc_state_t:file read_file_perms;
> +')
> +
> +######################################
> +## <summary>
> +##	Search the /run/systemd directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_search_run',`
> +	gen_require(`
> +		type init_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 init_var_run_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read init script temporary data.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_script_tmp_files',`
> +	gen_require(`
> +		type initrc_tmp_t;
> +	')
> +
> +	files_search_tmp($1)
> +	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write init script temporary data.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_script_tmp_files',`
> +	gen_require(`
> +		type initrc_tmp_t;
> +	')
> +
> +	files_search_tmp($1)
> +	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Create files in a init script
> +##	temporary data directory.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="file_type">
> +##	<summary>
> +##	The type of the object to be created
> +##	</summary>
> +## </param>
> +## <param name="object_class">
> +##	<summary>
> +##	The object class.
> +##	</summary>
> +## </param>
> +## <param name="name" optional="true">
> +##	<summary>
> +##	The name of the object being created.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_script_tmp_filetrans',`
> +	gen_require(`
> +		type initrc_tmp_t;
> +	')
> +
> +	files_search_tmp($1)
> +	filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
> +')
> +
> +########################################
> +## <summary>
> +##	Get the attributes of init script process id files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	allow $1 initrc_var_run_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
> +##	Read utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	files_list_pids($1)
> +	allow $1 initrc_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to write utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_write_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	dontaudit $1 initrc_var_run_t:file { write lock };
> +')
> +
> +########################################
> +## <summary>
> +##	Write to utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_write_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	files_list_pids($1)
> +	allow $1 initrc_var_run_t:file { getattr open write };
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to lock
> +##	init script pid files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_lock_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	dontaudit $1 initrc_var_run_t:file lock;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_rw_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	files_list_pids($1)
> +	allow $1 initrc_var_run_t:file rw_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Do not audit attempts to read and write utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_dontaudit_rw_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
> +')
> +
> +########################################
> +## <summary>
> +##	Create, read, write, and delete utmp.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_manage_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 initrc_var_run_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Create files in /var/run with the
> +##	utmp file type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_pid_filetrans_utmp',`
> +	gen_require(`
> +		type initrc_var_run_t;
> +	')
> +
> +	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to connect to daemon with a tcp socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_tcp_recvfrom_all_daemons',`
> +	gen_require(`
> +		attribute daemon;
> +	')
> +
> +	corenet_tcp_recvfrom_labeled($1, daemon)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to connect to daemon with a udp socket
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_udp_recvfrom_all_daemons',`
> +	gen_require(`
> +		attribute daemon;
> +	')
> +	corenet_udp_recvfrom_labeled($1, daemon)
> +')
> +
> +######################################
> +## <summary>
> +##	Search systemd unit dirs.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_search_units',`
> +	gen_require(`
> +		type init_var_run_t, systemd_unit_t;
> +	')
> +
> +	search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
> +
> +	# Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
> +	files_search_etc($1)
> +	files_search_usr($1)
> +	libs_search_lib($1)
> +
> +	fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Get status of generic systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_get_generic_units_status',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 systemd_unit_t:service status;
> +')
> +
> +########################################
> +## <summary>
> +##	Start generic systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_start_generic_units',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service start;
> +	')
> +
> +	allow $1 systemd_unit_t:service start;
> +')
> +
> +########################################
> +## <summary>
> +##	Stop generic systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +## 	Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stop_generic_units',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service stop;
> +	')
> +
> +	allow $1 systemd_unit_t:service stop;
> +')
> +
> +#######################################
> +## <summary>
> +##	Reload generic systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_reload_generic_units',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service reload;
> +	')
> +
> +	allow $1 systemd_unit_t:service reload;
> +')
> +
> +########################################
> +## <summary>
> +##	Get status of all systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_get_all_units_status',`
> +	gen_require(`
> +		attribute systemdunit;
> +		class service status;
> +	')
> +
> +	allow $1 systemdunit:service status;
> +')
> +
> +########################################
> +## <summary>
> +##	Start all systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_start_all_units',`
> +	gen_require(`
> +		attribute systemdunit;
> +		class service start;
> +	')
> +
> +	allow $1 systemdunit:service start;
> +')
> +
> +########################################
> +## <summary>
> +##	Stop all systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +## 	Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`init_stop_all_units',`
> +	gen_require(`
> +		attribute systemdunit;
> +		class service stop;
> +	')
> +
> +	allow $1 systemdunit:service stop;
> +')
> +
> +#######################################
> +## <summary>
> +##	Reload all systemd units.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_reload_all_units',`
> +	gen_require(`
> +		attribute systemdunit;
> +		class service reload;
> +	')
> +
> +	allow $1 systemdunit:service reload;
> +')


-- 
Chris PeBenito


* [refpolicy] [PATCH] mon policy again
  2017-02-08  0:02 ` Chris PeBenito
@ 2017-02-08  2:01   ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-08  2:01 UTC (permalink / raw)
  To: refpolicy

On Tuesday, 7 February 2017 7:02:43 PM AEDT Chris PeBenito via refpolicy 
wrote:
> Did you include the wrong patch?  I didn't do a side-by-side comparison, 
> but it doesn't look any different than the one from Dec. 21, including 
> the extra .orig files in the patch.

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide

Sorry about the .orig files.  I changed the order of rules according to the 
style guide.  What else did you want me to do?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] mon policy again
  2017-02-06  5:13 [refpolicy] [PATCH] mon policy again Russell Coker
  2017-02-08  0:02 ` Chris PeBenito
@ 2017-02-08 22:18 ` Chris PeBenito
  2017-02-09  1:21   ` Russell Coker
  1 sibling, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-02-08 22:18 UTC (permalink / raw)
  To: refpolicy

On 02/06/17 00:13, Russell Coker via refpolicy wrote:
> Here is another version of the mon policy including requested changes.

I've merged this but made some changes:

* Adjusted to fit style
* Moved the init fifo part to init_getattr_initctl, adjusting that 
interface implementation accordingly
* Dropped the sudo for the time being (I realize it likely breaks 
things) as the user role template isn't intended to be called like that. 
  A specific sudo for system use should be created in the sudo module 
(not calling the role template there either).  It's probably a good 
place to use attributes to simplify the implementation across the system 
instance and user template.  Something like this should probably exist 
for su too.
* Dropped one files_* call which didn't exist upstream (I don't remember 
the name)
* Removed aliases, as the original types never existed upstream.

> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/gpm.if /tmp/pol-git/policy/modules/contrib/gpm.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/gpm.if	2016-07-30 08:14:41.105650077 +1000
> +++ /tmp/pol-git/policy/modules/contrib/gpm.if	2017-02-06 16:11:04.966188329 +1100
> @@ -38,6 +38,7 @@
>
>  	dev_list_all_dev_nodes($1)
>  	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
> +	allow $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
>  ')
>
>  ########################################
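Review bot: The added `fifo_file` rule widens a shared interface, so every existing caller gains getattr on `gpmctl_t` FIFOs as well as sockets, not only the new mon test domain. The interface header is outside the hunk; if its summary still describes only the named socket, it should be updated to something like `Get attributes of gpm control channel named sock files and fifo files.` so callers can see what they are being granted. A one-line comment above the new rule naming the FIFO that carries the `gpmctl_t` label would also help, since the hunk does not say which object this is for.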
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.fc /tmp/pol-git/policy/modules/contrib/mon.fc
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.fc	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.fc	2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1,11 @@
> +
> +/usr/sbin/mon		--	gen_context(system_u:object_r:mon_exec_t,s0)
> +/usr/lib/mon/mon.d/.*	--	gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon/mon-local.d/.*	--	gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon.d/.* -- gen_context(system_u:object_r:mon_net_test_exec_t,s0)
> +/usr/lib/mon-contrib/mon-local.d/.* -- gen_context(system_u:object_r:mon_local_test_exec_t,s0)
> +
> +/var/run/mon(/.*)?		gen_context(system_u:object_r:mon_var_run_t,s0)
> +
> +/var/lib/mon(/.*)?		gen_context(system_u:object_r:mon_var_lib_t,s0)
> +/var/log/mon(/.*)?		gen_context(system_u:object_r:mon_var_log_t,s0)
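Review bot: The dots in `mon.d` and `mon-local.d` are unescaped in all four `/usr/lib/...` entries, so as regular expressions they match any character in that position; refpolicy file contexts normally escape the literal, e.g. `/usr/lib/mon/mon\.d/.*	--	gen_context(system_u:object_r:mon_net_test_exec_t,s0)`. The trailing `.*` also matches `/`, so a regular file in any subdirectory would receive the entrypoint type as well; if the test scripts only live directly in these directories, `[^/]*` states that more tightly. This matters most for the two `mon-local.d` entries, because mon.te in this patch grants `mon_local_test_t` the `sys_admin` capability.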
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.if /tmp/pol-git/policy/modules/contrib/mon.if
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.if	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.if	2017-02-06 16:11:04.962188219 +1100
> @@ -0,0 +1 @@
> +## <summary>mon network monitoring daemon.</summary>
> diff -ruN /home/rjc/src/pol-git/policy/modules/contrib/mon.te /tmp/pol-git/policy/modules/contrib/mon.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/mon.te	1970-01-01 10:00:00.000000000 +1000
> +++ /tmp/pol-git/policy/modules/contrib/mon.te	2017-02-06 16:11:04.966188329 +1100
> @@ -0,0 +1,213 @@
> +policy_module(mon, 1.12.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type mon_t;
> +type mon_exec_t;
> +init_daemon_domain(mon_t, mon_exec_t)
> +
> +type mon_net_test_t;
> +typealias mon_net_test_t alias mon_test_t;
> +type mon_net_test_exec_t;
> +typealias mon_net_test_exec_t alias mon_test_exec_t;
> +
> +domain_type(mon_net_test_t)
> +domain_entry_file(mon_net_test_t, mon_net_test_exec_t)
> +role system_r types mon_net_test_t;
> +domtrans_pattern(mon_t, mon_net_test_exec_t, mon_net_test_t)
> +
> +type mon_local_test_t;
> +type mon_local_test_exec_t;
> +
> +domain_type(mon_local_test_t)
> +domain_entry_file(mon_local_test_t, mon_local_test_exec_t)
> +role system_r types mon_local_test_t;
> +domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
> +
> +type mon_var_run_t;
> +files_pid_file(mon_var_run_t)
> +
> +type mon_var_lib_t;
> +files_type(mon_var_lib_t)
> +
> +type mon_var_log_t;
> +logging_log_file(mon_var_log_t)
> +
> +type mon_tmp_t;
> +files_tmp_file(mon_tmp_t)
> +
> +########################################
> +#
> +# Local policy
> +# mon_t is for the main mon process and for sending alerts
> +#
> +
> +corenet_tcp_bind_mon_port(mon_t)
> +corenet_udp_bind_mon_port(mon_t)
> +corenet_tcp_bind_generic_node(mon_t)
> +corenet_udp_bind_generic_node(mon_t)
> +allow mon_t self:tcp_socket create_stream_socket_perms;
> +
> +corenet_tcp_connect_jabber_client_port(mon_t)
> +
> +allow mon_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +manage_files_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> +files_tmp_filetrans(mon_t, mon_tmp_t, { file dir })
> +
> +manage_files_pattern(mon_t, mon_var_run_t, mon_var_run_t)
> +files_pid_filetrans(mon_t, mon_var_run_t, file)
> +
> +manage_files_pattern(mon_t, mon_var_lib_t, mon_var_lib_t)
> +
> +kernel_read_kernel_sysctls(mon_t)
> +kernel_read_network_state(mon_t)
> +kernel_read_system_state(mon_t)
> +
> +domain_use_interactive_fds(mon_t)
> +
> +corecmd_exec_bin(mon_t)
> +dev_read_urand(mon_t)
> +dev_read_sysfs(mon_t)
> +logging_search_logs(mon_t)
> +manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
> +
> +files_read_etc_files(mon_t)
> +files_read_etc_runtime_files(mon_t)
> +files_read_usr_files(mon_t)
> +
> +fs_getattr_all_fs(mon_t)
> +fs_search_auto_mountpoints(mon_t)
> +
> +term_dontaudit_search_ptys(mon_t)
> +
> +application_signull(mon_t)
> +
> +init_read_utmp(mon_t)
> +
> +libs_exec_ld_so(mon_t)
> +libs_exec_lib_files(mon_t)
> +
> +logging_send_syslog_msg(mon_t)
> +
> +miscfiles_read_localization(mon_t)
> +
> +sysnet_dns_name_resolve(mon_t)
> +
> +userdom_dontaudit_use_unpriv_user_fds(mon_t)
> +userdom_dontaudit_search_user_home_dirs(mon_t)
> +
> +corecmd_exec_shell(mon_t)
> +
> +optional_policy(`
> +	mta_send_mail(mon_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_net_test_t is for running tests that need network access
> +#
> +
> +allow mon_net_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_net_test_t, mon_net_test_exec_t)
> +manage_files_pattern(mon_net_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +corenet_tcp_connect_all_ports(mon_net_test_t)
> +corenet_udp_bind_generic_node(mon_net_test_t)
> +fs_getattr_xattr_fs(mon_net_test_t)
> +kernel_dontaudit_getattr_core_if(mon_net_test_t)
> +kernel_getattr_proc(mon_net_test_t)
> +kernel_read_system_state(mon_net_test_t)
> +sysnet_read_config(mon_net_test_t)
> +
> +auth_use_nsswitch(mon_net_test_t)
> +corecmd_exec_bin(mon_net_test_t)
> +corecmd_exec_shell(mon_net_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_net_test_t)
> +dev_getattr_sysfs(mon_net_test_t)
> +dev_read_sysfs(mon_net_test_t)
> +dev_read_urand(mon_net_test_t)
> +files_read_usr_files(mon_net_test_t)
> +miscfiles_read_certs(mon_net_test_t)
> +miscfiles_read_localization(mon_net_test_t)
> +netutils_domtrans_ping(mon_net_test_t)
> +
> +optional_policy(`
> +	bind_read_zone(mon_net_test_t)
> +')
> +
> +########################################
> +#
> +# Local policy
> +# mon_local_test_t is for running tests that don't need network access
> +# this domain has much more access to the local system!
> +#
> +# try not to use dontaudit rules for this
> +#
> +
> +allow mon_local_test_t self:capability sys_admin;
> +allow mon_local_test_t self:fifo_file rw_file_perms;
> +
> +can_exec(mon_local_test_t, mon_local_test_exec_t)
> +manage_files_pattern(mon_local_test_t, mon_var_lib_t, mon_var_lib_t)
> +
> +files_dontaudit_getattr_tmpfs_file(mon_local_test_t)
> +fs_getattr_nfs(mon_local_test_t)
> +fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_hugetlbfs(mon_local_test_t)
> +fs_list_tmpfs(mon_local_test_t)
> +fs_search_nfs(mon_local_test_t)
> +kernel_dontaudit_getattr_core_if(mon_local_test_t)
> +kernel_getattr_proc(mon_local_test_t)
> +kernel_read_software_raid_state(mon_local_test_t)
> +kernel_read_system_state(mon_local_test_t)
> +storage_getattr_fixed_disk_dev(mon_local_test_t)
> +storage_getattr_removable_dev(mon_local_test_t)
> +
> +application_exec_all(mon_local_test_t)
> +auth_use_nsswitch(mon_local_test_t)
> +corecmd_exec_bin(mon_local_test_t)
> +corecmd_exec_shell(mon_local_test_t)
> +dev_dontaudit_getattr_all_chr_files(mon_local_test_t)
> +dev_getattr_sysfs(mon_local_test_t)
> +dev_read_urand(mon_local_test_t)
> +dev_read_sysfs(mon_local_test_t)
> +domain_read_all_domains_state(mon_local_test_t)
> +files_read_usr_files(mon_local_test_t)
> +files_search_mnt(mon_local_test_t)
> +files_search_spool(mon_local_test_t)
> +fs_search_auto_mountpoints(mon_local_test_t)
> +getattr_init_fifo(mon_local_test_t)
> +logging_send_syslog_msg(mon_local_test_t)
> +miscfiles_read_localization(mon_local_test_t)
> +rpc_read_nfs_content(mon_local_test_t)
> +sysnet_read_config(mon_local_test_t)
> +term_getattr_generic_ptys(mon_local_test_t)
> +term_list_ptys(mon_local_test_t)
> +
> +optional_policy(`
> +	files_list_boot(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	sudo_role_template(system, system_r, mon_local_test_t)
> +	corecmd_bin_entry_type(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	gpm_getattr_gpmctl(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	postfix_search_spool(mon_local_test_t)
> +')
> +
> +optional_policy(`
> +	xserver_rw_console(mon_local_test_t)
> +')
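Review bot: `allow mon_local_test_t self:capability sys_admin;` grants a very broad capability with no comment saying which test needs it, and nothing else in this domain's visible rules obviously requires it. The same domain also gets `application_exec_all` and `domain_read_all_domains_state`, so anything labelled `mon_local_test_exec_t` runs with wide reach. I would either drop the rule and re-add it only if an AVC denial shows it is needed, or keep it with a comment such as `# sys_admin: required by <test script> for <operation>`. Separately, the two test domains use `self:fifo_file rw_file_perms` while `mon_t` uses `rw_fifo_file_perms`; the class-specific set should be used in all three, i.e. `allow mon_local_test_t self:fifo_file rw_fifo_file_perms;` and likewise for `mon_net_test_t`.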
> diff -ruN /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in /tmp/pol-git/policy/modules/kernel/corenetwork.te.in
> --- /home/rjc/src/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-05 20:57:06.659564895 +1100
> +++ /tmp/pol-git/policy/modules/kernel/corenetwork.te.in	2017-02-06 16:11:04.966188329 +1100
> @@ -176,6 +176,7 @@
>  network_port(memcache, tcp,11211,s0, udp,11211,s0)
>  network_port(milter) # no defined portcon
>  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
> +network_port(mon, tcp,2583,s0, udp,2583,s0)
>  network_port(monit, tcp,2812,s0)
>  network_port(monopd, tcp,1234,s0)
>  network_port(mountd, tcp,20048,s0, udp,20048,s0)


-- 
Chris PeBenito


* [refpolicy] [PATCH] mon policy again
  2017-02-08 22:18 ` Chris PeBenito
@ 2017-02-09  1:21   ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-09  1:21 UTC (permalink / raw)
  To: refpolicy

On Wednesday, 8 February 2017 5:18:20 PM AEDT Chris PeBenito wrote:
> * Dropped the sudo for the time being (I realize it likely breaks 
> things) as the user role template isn't intended to be called like that. 
>   A specific sudo for system use should be created in the sudo module 

Actually it's better to not use sudo in monitors, they have a standard method 
of using setuid wrappers.  I have to support this in Debian/Stretch because 
it's too late to change some mon scripts but for the next version I won't.

Thanks for merging it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

