| type chromeos_startup, chromeos_domain, domain, cros_init_scripts_domain; |
| |
| permissive chromeos_startup; |
| |
| domain_auto_trans(cros_init, chromeos_startup_script_exec, chromeos_startup); |
| cros_net(chromeos_startup); |
| exec_coreutils(chromeos_startup); |
| |
| allow chromeos_startup cros_passwd_file:file r_file_perms; |
| |
| allow chromeos_startup { sysfs device }:dir mounton; |
| arc_cts_fails_release(` |
| allow chromeos_startup { tmpfs devpts debugfs configfs }:filesystem mount; |
| ', (chromeos_startup)); |
| |
| allow chromeos_startup sysfs:file { open read }; |
| allow chromeos_startup sysfs:dir { open read }; |
| allow chromeos_startup device:blk_file getattr; |
| |
| allow chromeos_startup { proc_cmdline proc_swaps proc_uptime }:file r_file_perms; |
| allow chromeos_startup { proc_dirty proc_page_cluster proc_panic proc_sched proc_net }:file rw_file_perms; |
| |
| # we don't want to allow cros_shm and devpts to associate device, so let's leave |
| # it as is and wait for restorecon after mounting devpts or tmpfs, instead of using |
| # type_transition. |
| # filetrans_pattern_no_target_perm(chromeos_startup, device, devpts, dir, "pts"); |
| # filetrans_pattern_no_target_perm(chromeos_startup, device, cros_shm, dir, "shm"); |
| |
| # Misc files |
| type chromeos_startup_tmp_file, file_type, cros_file_type, cros_tmpfile_type; |
| type chromeos_startup_mount_options_log_file, file_type, cros_file_type, cros_var_file_type; |
| type cros_var_log_asan, file_type, cros_file_type, cros_var_file_type; |
| filetrans_pattern(chromeos_startup, cros_run, chromeos_startup_tmp_file, file); |
| filetrans_pattern(chromeos_startup, cros_var_log, chromeos_startup_mount_options_log_file, file, "mount_options.log"); |
| filetrans_pattern(chromeos_startup, cros_var_log, cros_var_log_asan, dir, "asan"); |
| filetrans_pattern(chromeos_startup, cros_run_lock, cros_power_override_lock_file, dir, "power_override"); |
| |
| allow chromeos_startup self:capability { chown fsetid linux_immutable sys_resource }; |
| |
| allow domain chromeos_startup:key search; |
| |
| type chromeos_startup_restorecon, chromeos_domain, domain; |
| permissive chromeos_startup_restorecon; |
| execute_file_follow_link(chromeos_startup, cros_restorecon_exec); |
| domain_auto_trans(chromeos_startup, cros_restorecon_exec, chromeos_startup_restorecon); |
| allow chromeos_startup_restorecon chromeos_startup:fd use; |
| |
| filetrans_pattern(chromeos_startup, cros_var_lib, cros_tz_data_file, dir, "timezone"); |