Layer: system

Module: init

Tunables Interfaces

Description:

System initialization programs (init and init scripts).

Tunables:

init_upstart

Default value

false

Description

Enable support for upstart as the init program.

Return

Interfaces:

init_all_labeled_script_domtrans(
	
		domain
		
	)

Summary

Transition to the init script domain for all labeled init script types

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

init_daemon_domain(
	
		domain
		
			,
		
		entry_point
		
	)

Summary

Create a domain for long running processes (daemons/services) which are started by init scripts.

Description

Create a domain for long running processes (daemons/services) which are started by init scripts. Short running processes should use the init_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface.

The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.

If the process must also run in a specific MLS/MCS level, the init_ranged_daemon_domain() should be used instead.

Parameters

Parameter:	Description:
domain	Type to be used as a daemon domain.
entry_point	Type of the program to be used as an entry point to this domain.

init_daemon_run_dir(
	
		filetype
		
			,
		
		filename
		
	)

Summary

Mark the file type as a daemon run dir, allowing initrc_t to create it

Parameters

Parameter:	Description:
filetype	Type to mark as a daemon run dir
filename	Filename of the directory that the init script creates

init_dbus_chat_script(
	
		domain
		
	)

Summary

Send and receive messages from init scripts over dbus.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_dbus_send_script(
	
		domain
		
	)

Summary

Send messages to init scripts over dbus.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_domain(
	
		domain
		
			,
		
		entry_point
		
	)

Summary

Create a domain which can be started by init.

Parameters

Parameter:	Description:
domain	Type to be used as a domain.
entry_point	Type of the program to be used as an entry point to this domain.

init_domtrans(
	
		domain
		
	)

Summary

Execute init (/sbin/init) with a domain transition.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

init_domtrans_script(
	
		domain
		
	)

Summary

Execute init scripts with an automatic domain transition.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

init_dontaudit_getattr_initctl(
	
		domain
		
	)

Summary

Do not audit attempts to get the attributes of initctl.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_lock_utmp(
	
		domain
		
	)

Summary

Do not audit attempts to lock init script pid files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_read_all_script_files(
	
		domain
		
	)

Summary

Dontaudit read all init script files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_read_script_status_files(
	
		domain
		
	)

Summary

Do not audit attempts to read init script status files.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_rw_initctl(
	
		domain
		
	)

Summary

Do not audit attempts to read and write initctl.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_dontaudit_rw_utmp(
	
		domain
		
	)

Summary

Do not audit attempts to read and write utmp.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_stream_connect_script(
	
		domain
		
	)

Summary

Dont audit the specified domain connecting to init scripts with a unix domain stream socket.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_use_fds(
	
		domain
		
	)

Summary

Do not audit attempts to inherit file descriptors from init.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_use_script_fds(
	
		domain
		
	)

Summary

Do not audit attempts to inherit init script file descriptors.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_use_script_ptys(
	
		domain
		
	)

Summary

Do not audit attempts to read and write the init script pty.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_dontaudit_write_utmp(
	
		domain
		
	)

Summary

Do not audit attempts to write utmp.

Parameters

Parameter:	Description:
domain	Domain to not audit.

init_exec(
	
		domain
		
	)

Summary

Execute the init program in the caller domain.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_exec_all_script_files(
	
		domain
		
	)

Summary

Execute all init scripts in the caller domain.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_exec_rc(
	
		domain
		
	)

Summary

Execute the rc application in the caller domain.

Description

This is only applicable to Gentoo or distributions that use the OpenRC init system.

The OpenRC /sbin/rc binary is used for both init scripts as well as management applications and tools. When used for management purposes, calling /sbin/rc should never cause a transition to initrc_t.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_exec_script_files(
	
		domain
		
	)

Summary

Execute init scripts in the caller domain.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getattr_all_script_files(
	
		domain
		
	)

Summary

Get the attribute of all init script entrypoint files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getattr_initctl(
	
		domain
		
	)

Summary

Get the attributes of initctl.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getattr_script_files(
	
		domain
		
	)

Summary

Get the attribute of init script entrypoint files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getattr_script_status_files(
	
		domain
		
	)

Summary

Get the attributes of init script status files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getattr_utmp(
	
		domain
		
	)

Summary

Get the attributes of init script process id files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getpgid(
	
		domain
		
	)

Summary

Get the process group of init.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_getpgid_script(
	
		domain
		
	)

Summary

Get the process group ID of init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_labeled_script_domtrans(
	
		domain
		
			,
		
		init_script_file
		
	)

Summary

Transition to the init script domain on a specified labeled init script.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.
init_script_file	Labeled init script file.

init_manage_utmp(
	
		domain
		
	)

Summary

Create, read, write, and delete utmp.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_pid_filetrans_utmp(
	
		domain
		
	)

Summary

Create files in /var/run with the utmp file type.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_ptrace(
	
		domain
		
	)

Summary

Ptrace init

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_ranged_daemon_domain(
	
		domain
		
			,
		
		entry_point
		
			,
		
		range
		
	)

Summary

Create a domain for long running processes (daemons/services) which are started by init scripts, running at a specified MLS/MCS range.

Description

Create a domain for long running processes (daemons/services) which are started by init scripts, running at a specified MLS/MCS range. Short running processes should use the init_ranged_system_domain() interface instead. Typically all long running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.

The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.

If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_daemon_domain().

Parameters

Parameter:	Description:
domain	Type to be used as a daemon domain.
entry_point	Type of the program to be used as an entry point to this domain.
range	MLS/MCS range for the domain.

init_ranged_domain(
	
		domain
		
			,
		
		entry_point
		
			,
		
		range
		
	)

Summary

Create a domain which can be started by init, with a range transition.

Parameters

Parameter:	Description:
domain	Type to be used as a domain.
entry_point	Type of the program to be used as an entry point to this domain.
range	Range for the domain.

init_ranged_system_domain(
	
		domain
		
			,
		
		entry_point
		
			,
		
		range
		
	)

Summary

Create a domain for short running processes which are started by init scripts.

Description

Create a domain for long running processes (daemons/services) which are started by init scripts. These are generally applications that are used to initialize the system during boot. Long running processes should use the init_ranged_system_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface if they need to run in a specific MLS/MCS range.

The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.

If the policy build option TYPE is standard (MLS and MCS disabled), this interface has the same behavior as init_system_domain().

Parameters

Parameter:	Description:
domain	Type to be used as a system domain.
entry_point	Type of the program to be used as an entry point to this domain.
range	Range for the domain.

init_read_all_script_files(
	
		domain
		
	)

Summary

Read all init script files.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_read_script_files(
	
		domain
		
	)

Summary

Read init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_read_script_state(
	
		domain
		
	)

Summary

Read the process state (/proc/pid) of the init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_read_script_tmp_files(
	
		domain
		
	)

Summary

Read init script temporary data.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_read_state(
	
		domain
		
	)

Summary

Read the process state (/proc/pid) of init.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_read_utmp(
	
		domain
		
	)

Summary

Read utmp.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_run_daemon(
	
		domain
		
			,
		
		role
		
	)

Summary

Start and stop daemon programs directly.

Description

Start and stop daemon programs directly in the traditional "/etc/init.d/daemon start" style, and do not require run_init.

Parameters

Parameter:	Description:
domain	Domain allowed access.
role	The role to be performing this action.

init_rw_initctl(
	
		domain
		
	)

Summary

Read and write initctl.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_rw_script_pipes(
	
		domain
		
	)

Summary

Read and write init script unnamed pipes.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_rw_script_stream_sockets(
	
		domain
		
	)

Summary

Allow the specified domain to read/write to init scripts with a unix domain stream sockets.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_rw_script_tmp_files(
	
		domain
		
	)

Summary

Read and write init script temporary data.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_rw_utmp(
	
		domain
		
	)

Summary

Read and write utmp.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_script_domain(
	
		domain
		
			,
		
		script_file
		
	)

Summary

Create a domain used for init scripts.

Description

Create a domain used for init scripts. Can not be used in conjunction with init_script_file().

Parameters

Parameter:	Description:
domain	Type to be used as an init script domain.
script_file	Type of the script file used as an entry point to this domain.

init_script_file(
	
		script_file
		
	)

Summary

Create a file type used for init scripts.

Description

Create a file type used for init scripts. It can not be used in conjunction with init_script_domain(). These script files are typically stored in the /etc/init.d directory.

Typically this is used to constrain what services an admin can start/stop. For example, a policy writer may want to constrain a web administrator to only being able to restart the web server, not other services. This special type will help address that goal.

This also makes the type usable for files; thus an explicit call to files_type() is redundant.

Parameters

Parameter:	Description:
script_file	Type to be used for a script file.

init_script_file_domtrans(
	
		source_domain
		
			,
		
		target_domain
		
	)

Summary

Execute a init script in a specified domain.

Description

Execute a init script in a specified domain.

No interprocess communication (signals, pipes, etc.) is provided by this interface since the domains are not owned by this module.

Parameters

Parameter:	Description:
source_domain	Domain allowed to transition.
target_domain	Domain to transition to.

init_script_file_entry_type(
	
		domain
		
	)

Summary

Make init scripts an entry point for the specified domain.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_script_tmp_filetrans(
	
		domain
		
			,
		
		file_type
		
			,
		
		object_class
		
			,
		
		name
		
	)

Summary

Create files in a init script temporary data directory.

Parameters

Parameter:	Description:
domain	Domain allowed access.
file_type	The type of the object to be created
object_class	The object class.
name	The name of the object being created.

init_search_script_keys(
	
		domain
		
	)

Summary

Search init script keys.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_sigchld(
	
		domain
		
	)

Summary

Send init a SIGCHLD signal.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_sigchld_script(
	
		domain
		
	)

Summary

Send SIGCHLD signals to init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_signal_script(
	
		domain
		
	)

Summary

Send generic signals to init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_signull(
	
		domain
		
	)

Summary

Send init a null signal.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_signull_script(
	
		domain
		
	)

Summary

Send null signals to init scripts.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_spec_domtrans_script(
	
		domain
		
	)

Summary

Execute init scripts with a specified domain transition.

Parameters

Parameter:	Description:
domain	Domain allowed to transition.

init_stream_connect(
	
		domain
		
	)

Summary

Connect to init with a unix socket.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_stream_connect_script(
	
		domain
		
	)

Summary

Allow the specified domain to connect to init scripts with a unix socket.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_system_domain(
	
		domain
		
			,
		
		entry_point
		
	)

Summary

Create a domain for short running processes which are started by init scripts.

Description

Create a domain for short running processes which are started by init scripts. These are generally applications that are used to initialize the system during boot. Long running processes, such as daemons/services should use the init_daemon_domain() interface instead. Typically all short running processes started by an init script (usually in /etc/init.d) will need to use this interface.

The types will be made usable as a domain and file, making calls to domain_type() and files_type() redundant.

If the process must also run in a specific MLS/MCS level, the init_ranged_system_domain() should be used instead.

Parameters

Parameter:	Description:
domain	Type to be used as a system domain.
entry_point	Type of the program to be used as an entry point to this domain.

init_tcp_recvfrom_all_daemons(
	
		domain
		
	)

Summary

Allow the specified domain to connect to daemon with a tcp socket

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_telinit(
	
		domain
		
	)

Summary

Use telinit (Read and write initctl).

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_udp_recvfrom_all_daemons(
	
		domain
		
	)

Summary

Allow the specified domain to connect to daemon with a udp socket

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_udp_send(
	
		domain
		
	)

Summary

Send UDP network traffic to init. (Deprecated)

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_udp_send_script(
	
		domain
		
	)

Summary

Send UDP network traffic to init scripts. (Deprecated)

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_use_fds(
	
		domain
		
	)

Summary

Inherit and use file descriptors from init.

Description

Allow the specified domain to inherit file descriptors from the init program (process ID 1). Typically the only file descriptors to be inherited from init are for the console. This does not allow the domain any access to the object to which the file descriptors references.

Related interfaces:

init_dontaudit_use_fds()

term_dontaudit_use_console()

term_use_console()

Example usage:

init_use_fds(mydomain_t) term_use_console(mydomain_t)

Normally, processes that can inherit these file descriptors (usually services) write messages to the system log instead of writing to the console. Therefore, in many cases, this access should dontaudited instead.

Example dontaudit usage:

init_dontaudit_use_fds(mydomain_t) term_dontaudit_use_console(mydomain_t)

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_use_inherited_script_ptys(
	
		domain
		
	)

Summary

Read and write inherited init script ptys.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_use_script_fds(
	
		domain
		
	)

Summary

Inherit and use init script file descriptors.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_use_script_ptys(
	
		domain
		
	)

Summary

Read and write the init script pty.

Description

Read and write the init script pty. This pty is generally opened by the open_init_pty portion of the run_init program so that the daemon does not require direct access to the administrator terminal.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_write_initctl(
	
		domain
		
	)

Summary

Write to initctl.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_write_script_pipes(
	
		domain
		
	)

Summary

Write an init script unnamed pipe.

Parameters

Parameter:	Description:
domain	Domain allowed access.

init_write_utmp(
	
		domain
		
	)

Summary

Write to utmp.

Parameters

Parameter:	Description:
domain	Domain allowed access.

Return