add rpc

refpolicy/Changelog

@@ -13,6 +13,7 @@
 	pegasus
 	postfix
 	radius
+	rpc
 	spamassassin
 	xdm
 

refpolicy/policy/global_tunables

@@ -23,6 +23,9 @@ gen_tunable(allow_ftpd_anon_write,false)
 ## Allow gpg executable stack
 gen_tunable(allow_gpg_execstack,false)
 
+## Allow gssd to read temp directory.
+gen_tunable(allow_gssd_read_tmp,true)
+
 ## Allow Apache to modify public files
 ## used for public file transfer services.
 gen_tunable(allow_httpd_anon_write,false)
@@ -84,6 +87,12 @@ gen_tunable(httpd_unified,false)
 ## Generally this is used for dynamic DNS.
 gen_tunable(named_write_master_zones,false)
 
+## Allow nfs to be exported read/write.
+gen_tunable(nfs_export_all_rw,false)
+
+## Allow nfs to be exported read only
+gen_tunable(nfs_export_all_ro,false)
+
 ## Allow pppd to load kernel modules for certain modems
 gen_tunable(pppd_can_insmod,false)
 

refpolicy/policy/modules/kernel/filesystem.if

@@ -524,6 +524,58 @@ interface(`fs_read_cifs_files',`
 	allow $1 cifs_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read all noxattrfs directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_list_noxattr_fs',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir r_dir_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all noxattrfs files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_read_noxattr_fs_files',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`fs_read_noxattr_fs_symlinks',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	allow $1 noxattrfs:dir search;
+	allow $1 noxattrfs:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
@@ -1150,6 +1202,78 @@ interface(`fs_read_nfs_symlinks',`
 	allow $1 nfs_t:lnk_file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_dirs',`
+	gen_require(`
+		type rpc_pipefs_t;
+		class dir { getattr read search };
+	')
+
+	allow $1 rpc_pipefs_t:dir { getattr read search };
+
+')
+
+########################################
+## <summary>
+##	Read files of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_files',`
+	gen_require(`
+		type rpc_pipefs_t;
+		class file { read getattr };
+	')
+
+	allow $1 rpc_pipefs_t:file { read getattr };
+
+')
+
+########################################
+## <summary>
+##	Read symbolic links of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_symlinks',`
+	gen_require(`
+		type rpc_pipefs_t;
+		class lnk_file { getattr read };
+	')
+
+	allow $1 rpc_pipefs_t:lnk_file { getattr read };
+
+')
+
+########################################
+## <summary>
+##	Read sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_sockets',`
+	gen_require(`
+		type rpc_pipefs_t;
+		class sock_file { read write };
+	')
+
+	allow $1 rpc_pipefs_t:sock_file { read write };
+
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete directories
@@ -1397,6 +1521,43 @@ interface(`fs_getattr_nfsd_fs',`
 	allow $1 nfsd_fs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Search NFS server directories.
+## </summary>
+## <param name="domain">
+##	The type of the domain doing the
+##	search on nfsd directories.
+## </param>
+#
+interface(`fs_search_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+		class dir search;
+	')
+
+	allow $1 nfsd_fs_t:dir search;
+')
+
+########################################
+## <summary>
+##	Read and write NFS server files.
+## </summary>
+## <param name="domain">
+##	The type of the domain doing the
+##	read or write on nfsd files.
+## </param>
+#
+interface(`fs_rw_nfsd_fs',`
+	gen_require(`
+		type nfsd_fs_t;
+		class file rw_file_perms;
+	')
+
+	allow $1 nfsd_fs_t:file rw_file_perms;
+')
+
+
 ########################################
 ## <summary>
 ##	Mount a RAM filesystem.

refpolicy/policy/modules/kernel/kernel.if

@@ -722,6 +722,23 @@ interface(`kernel_dontaudit_search_network_state',`
 	dontaudit $1 proc_net_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Allow searching of network state directory.
+## </summary>
+## <param name="domain">
+##	The process type reading the state.
+## </param>
+##
+#
+interface(`kernel_search_network_state',`
+	gen_require(`
+		type proc_net_t;
+	')
+
+	allow $1 proc_net_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read the network state information.
@@ -743,6 +760,27 @@ interface(`kernel_read_network_state',`
 	allow $1 proc_net_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow caller to read the network state symbolic links.
+## </summary>
+## <param name="domain">
+##	The process type reading the state.
+## </param>
+##
+#
+interface(`kernel_read_network_state_symlinks',`
+	gen_require(`
+		type proc_t, proc_net_t;
+		class dir r_dir_perms;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 proc_t:dir search;
+	allow $1 proc_net_t:dir r_dir_perms;
+	allow $1 proc_net_t:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts by caller to search
@@ -761,6 +799,24 @@ interface(`kernel_dontaudit_search_sysctl',`
 	dontaudit $1 sysctl_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Allow access to read sysctl directories.
+## </summary>
+## <param name="domain">
+##	The process type to allow to read sysctl directories.
+## </param>
+##
+#
+interface(`kernel_read_sysctl',`
+	gen_require(`
+		type sysctl_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 sysctl_t:dir r_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow caller to read the device sysctls.

refpolicy/policy/modules/kernel/kernel.te

@@ -221,6 +221,53 @@ ifdef(`targeted_policy',`
 	unconfined_domain_template(kernel_t)
 ')
 
+optional_policy(`rpc.te',`
+	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# to just give it everything.
+	allow kernel_t self:tcp_socket create_stream_socket_perms;
+	allow kernel_t self:udp_socket { connect };
+	allow kernel_t self:tcp_socket connected_socket_perms;
+	allow kernel_t self:udp_socket connected_socket_perms;
+
+	# nfs kernel server needs kernel UDP access.  It is less risky and painful
+	# to just give it everything.
+	corenet_udp_sendrecv_all_if(kernel_t)
+	corenet_udp_sendrecv_all_nodes(kernel_t)
+	corenet_tcp_bind_all_nodes(kernel_t)
+	corenet_udp_bind_all_nodes(kernel_t)
+	corenet_tcp_sendrecv_all_ports(kernel_t)
+	corenet_udp_sendrecv_all_ports(kernel_t)
+
+	auth_dontaudit_getattr_shadow(kernel_t)
+
+	sysnet_read_config(kernel_t)
+
+	rpc_manage_nfs_ro_content(kernel_t)
+	rpc_manage_nfs_rw_content(kernel_t)
+
+	rpc_udp_rw_nfs_sockets(kernel_t) 
+	#rpc_udp_sendto_sockets(kernel_t) 
+	rpc_udp_sendto_nfs(kernel_t)
+
+	tunable_policy(`nfs_export_all_ro',`
+		fs_list_noxattr_fs(kernel_t) 
+		fs_read_noxattr_fs_files(kernel_t) 
+		fs_read_noxattr_fs_symlinks(kernel_t) 
+
+		auth_read_all_dirs_except_shadow(kernel_t) 
+		auth_read_all_files_except_shadow(kernel_t) 
+		auth_read_all_symlinks_except_shadow(kernel_t) 
+	')
+
+	tunable_policy(`nfs_export_all_rw',`
+		fs_list_noxattr_fs(kernel_t) 
+		fs_read_noxattr_fs_files(kernel_t) 
+		fs_read_noxattr_fs_symlinks(kernel_t) 
+
+		auth_manage_all_files_except_shadow(kernel_t)
+	')
+')
+
 ########################################
 #
 # Unlabeled process local policy

refpolicy/policy/modules/services/portmap.if

@@ -77,3 +77,40 @@ interface(`portmap_udp_sendto',`
 	allow $1 portmap_t:udp_socket sendto;
 	allow portmap_t $1:udp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Send and receive UDP network traffic from portmap.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`portmap_udp_sendrecv',`
+	gen_require(`
+		type portmap_t;
+	')
+
+	allow $1 portmap_t:udp_socket sendto;
+	allow portmap_t $1:udp_socket recvfrom;
+	allow portmap_t $1:udp_socket sendto;
+	allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##	Connect to portmap over a TCP socket
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`portmap_tcp_connect',`
+	gen_require(`
+		type portmap_t;
+	')
+
+	allow $1 portmap_t:tcp_socket { connectto recvfrom };
+	allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
+	kernel_tcp_recvfrom($1)
+')

refpolicy/policy/modules/services/portmap.te

@@ -45,6 +45,7 @@ kernel_read_kernel_sysctl(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
 kernel_udp_sendfrom(portmap_t)
+kernel_tcp_recvfrom(portmap_t) 
 
 corenet_tcp_sendrecv_all_if(portmap_t)
 corenet_udp_sendrecv_all_if(portmap_t)
@@ -118,6 +119,10 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(portmap_t)
 ')
 
+optional_policy(`rpc.te',`
+	rpc_udp_sendto_nfs(portmap_t)
+') 
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(portmap_t)
 ')

refpolicy/policy/modules/services/rpc.fc

@@ -0,0 +1,25 @@
+#
+# /etc
+#
+/etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..*		--	gen_context(system_u:object_r:rpc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/exportfs	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc.idmapd	--	gen_context(system_u:object_r:rpc_exec_t,s0)
+/usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd	--	gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpc_var_run_t,s0)
+/var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpc_var_run_t,s0)

refpolicy/policy/modules/services/rpc.if

@@ -0,0 +1,263 @@
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+#######################################
+## <summary>
+##	The template to define a rpc domain.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a domain to be used for
+##	a new rpc daemon.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The type of daemon to be used.
+## </param>
+#
+template(`rpc_domain_template', `
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t;
+	type $1_exec_t;
+	init_daemon_domain($1_t,$1_exec_t)
+	domain_use_wide_inherit_fd($1_t)
+
+	####################################
+	#
+	# Local Policy
+	#
+
+	dontaudit $1_t self:capability { net_admin sys_tty_config };
+	allow $1_t self:capability net_bind_service;
+	allow $1_t self:process signal_perms;
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_socket_perms;
+
+	allow $1_t var_lib_nfs_t:dir create_dir_perms;
+	allow $1_t var_lib_nfs_t:file create_file_perms;
+
+	kernel_list_proc($1_t)
+	kernel_read_proc_symlinks($1_t)
+	kernel_read_kernel_sysctl($1_t)
+	# bind to arbitary unused ports
+	kernel_rw_rpc_sysctl($1_t)
+
+	dev_read_sysfs($1_t)
+
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_udp_sendrecv_all_if($1_t)
+	corenet_raw_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_udp_bind_all_nodes($1_t)
+	corenet_tcp_bind_reserved_port($1_t)
+	corenet_tcp_bind_reserved_port($1_t)
+	corenet_tcp_connect_all_ports($1_t)
+	# do not log when it tries to bind to a port belonging to another domain
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+	# bind to arbitary unused ports
+	corenet_tcp_bind_generic_port($1_t)
+
+	fs_search_auto_mountpoints($1_t)
+
+	term_dontaudit_use_console($1_t)
+
+	files_read_etc_files($1_t)
+	files_read_etc_runtime_files($1_t)
+	files_search_var($1_t)
+	files_search_var_lib_dir($1_t)
+
+	init_use_fd($1_t)
+	init_use_script_pty($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	sysnet_read_config($1_t)
+
+	userdom_dontaudit_use_unpriv_user_fd($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_tty($1_t)
+		term_dontaudit_use_generic_pty($1_t)
+		files_dontaudit_read_root_file($1_t)
+	')
+
+	optional_policy(`mount.te',`
+		mount_send_nfs_client_request($1_t)
+	')
+
+	optional_policy(`nis.te',`
+		nis_use_ypbind($1_t)
+	')
+
+	optional_policy(`selinuxutil.te',`
+		seutil_sigchld_newrole($1_t)
+	')
+
+	optional_policy(`udev.te', `
+		udev_read_db($1_t)
+	')
+
+	ifdef(`TODO',`
+		optional_policy(`rhgb.te',`
+			rhgb_domain($1_t)
+		')
+	')
+')
+
+########################################
+## <summary>
+##      Send UDP network traffic to rpc and recieve UDP traffic from rpc.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`rpc_udp_sendto',`
+	gen_require(`
+		type rpc_t;
+	')
+
+	allow $1 rpc_t:udp_socket sendto;
+	allow rpc_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Allow read access to exports.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`rpc_read_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	allow $1 exports_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow write access to exports.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`rpc_write_exports',`
+	gen_require(`
+		type exports_t;
+	')
+
+	allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##      The type of the process performing this action.
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+	gen_require(`
+		type nfsd_t, nfsd_exec_t;
+	')
+
+	domain_auto_trans($1,nfsd_exec_t,nfsd_t)
+
+	allow $1 nfsd_t:fd use;
+	allow nfsd_t $1:fd use;
+	allow nfsd_t $1:fifo_file rw_file_perms;
+	allow nfsd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`rpc_manage_nfs_rw_content',`
+	gen_require(`
+		type nfsd_rw_t;	
+	')
+
+	allow $1 nfsd_rw_t:dir manage_dir_perms;
+	allow $1 nfsd_rw_t:file manage_file_perms;
+	allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##      Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`rpc_manage_nfs_ro_content',`
+	gen_require(`
+		type nfsd_ro_t;	
+	')
+
+	allow $1 nfsd_ro_t:dir manage_dir_perms;
+	allow $1 nfsd_ro_t:file manage_file_perms;
+	allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+##      Allow domain to read and write to an NFS UDP socket.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+	gen_require(`
+		type nfsd_t;	
+	')
+
+	allow $1 nfsd_t:udp_socket rw_socket_perms;
+
+')
+
+########################################
+## <summary>
+##      Allow NFS to send UDP network traffic
+##      the specified domain and recieve from it.
+## </summary>
+## <param name="domain">
+##      The type of the receiving domain.
+## </param>
+#
+interface(`rpc_udp_sendto_nfs',`
+	gen_require(`
+		type nfsd_t;
+	')
+
+	allow nfsd_t $1:udp_socket sendto;
+	allow $1 nfsd_t:udp_socket recvfrom;
+')

refpolicy/policy/modules/services/rpc.te

@@ -0,0 +1,143 @@
+
+policy_module(rpc,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type exports_t;
+files_type(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpc_var_run_t;
+files_pid_file(rpc_var_run_t)
+
+# rpc_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
+rpc_domain_template(rpc)
+
+rpc_domain_template(nfsd)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type var_lib_nfs_t;
+files_type(var_lib_nfs_t)
+
+########################################
+#
+# RPC local policy
+#
+
+allow rpc_t self:fifo_file rw_file_perms;
+allow rpc_t self:file { getattr read };
+
+dontaudit userdomain exports_t:file getattr;
+allow rpc_t rpc_var_run_t:file create_file_perms;
+allow rpc_t rpc_var_run_t:dir create_dir_perms;
+allow rpc_t rpc_var_run_t:dir setattr;
+files_create_pid(rpc_t,rpc_var_run_t)
+
+kernel_search_network_state(rpc_t) 
+# for rpc.rquotad
+kernel_read_sysctl(rpc_t)  
+
+fs_read_rpc_dirs(rpc_t) 
+fs_read_rpc_files(rpc_t) 
+fs_read_rpc_symlinks(rpc_t) 
+fs_read_rpc_sockets(rpc_t) 
+term_use_controlling_term(rpc_t) 
+
+seutil_dontaudit_search_config(rpc_t)
+
+# rpc_t needs to talk to the portmap_t domain
+portmap_udp_sendrecv(rpc_t) 
+
+ifdef(`distro_redhat', `
+	allow rpc_t self:capability { chown dac_override setgid setuid };
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { sys_admin sys_resource };
+
+allow nfsd_t exports_t:file { getattr read };
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t) 
+kernel_read_network_state(nfsd_t) 
+kernel_udp_sendfrom(nfsd_t)	
+kernel_tcp_recvfrom(nfsd_t) 
+				
+fs_mount_nfsd_fs(nfsd_t) 
+fs_search_nfsd_fs(nfsd_t) 
+fs_getattr_all_fs(nfsd_t) 
+fs_rw_nfsd_fs(nfsd_t) 
+
+term_use_controlling_term(nfsd_t) 
+
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t) 
+# for exportfs and rpc.mountd
+files_getattr_tmp_dir(nfsd_t) 
+
+portmap_tcp_connect(nfsd_t) 
+portmap_udp_sendrecv(nfsd_t)	
+				
+tunable_policy(`nfs_export_all_rw',`
+	auth_read_all_dirs_except_shadow(nfsd_t) 
+	fs_read_noxattr_fs_files(nfsd_t) 
+')
+
+tunable_policy(`nfs_export_all_ro',`
+	auth_read_all_dirs_except_shadow(nfsd_t) 
+	fs_read_noxattr_fs_files(nfsd_t) 
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setuid };
+allow gssd_t self:fifo_file { read write };
+
+allow gssd_t gssd_tmp_t:dir create_dir_perms;
+allow gssd_t gssd_tmp_t:file create_file_perms;
+files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)	
+
+dev_read_urand(gssd_t)
+
+fs_read_rpc_dirs(gssd_t) 
+fs_read_rpc_sockets(gssd_t) 
+fs_read_rpc_files(gssd_t) 
+
+files_read_tmp(gssd_t) 
+files_read_tmp_files(gssd_t) 
+files_read_tmp_symlinks(gssd_t) 
+
+tunable_policy(`allow_gssd_read_tmp',`
+	userdom_list_unpriv_user_tmp(gssd_t) 
+	userdom_read_unpriv_user_tmp_files(gssd_t) 
+	userdom_read_unpriv_user_tmp_symlinks(gssd_t) 
+')
+
+optional_policy(`kerberos.te',`
+	kerberos_use(gssd_t)
+	kerberos_read_keytab(gssd_t) 
+')

refpolicy/policy/modules/system/authlogin.if

@@ -648,6 +648,69 @@ interface(`auth_delete_pam_console_data',`
 	allow $1 pam_var_console_t:file unlink;
 ')
 
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_dirs_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_dirs_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_files_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_files_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+##	Read all symbolic links on the filesystem, except
+##	the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_symlinks_except_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+
+	files_read_all_symlinks_except($1,$2 -shadow_t)
+')
+
 ########################################
 ## <summary>
 ##	Relabel all files on the filesystem, except

refpolicy/policy/modules/system/files.if

@@ -401,6 +401,73 @@ interface(`files_read_all_files',`
 	')
 ')
 
+########################################
+## <summary>
+##	Read all directories on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all files on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_files_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+##	Read all symbloic links on the filesystem, except
+##	the listed exceptions.
+## </summary>
+## <param name="domain">
+##	The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+##	The types to be excluded.  Each type or attribute
+##	must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+	gen_require(`
+		attribute file_type;
+	')
+
+	allow $1 { file_type $2 }:dir search;
+	allow $1 { file_type $2 }:lnk_file r_file_perms;
+
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of all symbolic links.
@@ -1939,6 +2006,23 @@ interface(`files_dontaudit_getattr_tmp_dir',`
 	dontaudit $1 tmp_t:dir getattr;
 ')
 
+########################################
+## <summary>
+##	Allow domain to getattr on /tmp directory.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+	gen_require(`
+		type tmp_t;
+		class dir getattr;
+	')
+
+	allow $1 tmp_t:dir getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the tmp directory (/tmp).
@@ -1956,6 +2040,57 @@ interface(`files_search_tmp',`
 	allow $1 tmp_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp',`
+	gen_require(`
+		type tmp_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp_files',`
+	gen_require(`
+		type tmp_t;
+		class file r_file_perms;
+	')
+
+	allow $1 tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp_symlinks',`
+	gen_require(`
+		type tmp_t;
+		class lnk_file r_file_perms;
+	')
+
+	allow $1 tmp_t:lnk_file r_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of all tmp directories.
@@ -2369,6 +2504,24 @@ interface(`files_create_var',`
 	')
 ')
 
+########################################
+## <summary>
+##	Search directories in /var/lib.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib_dir',`
+	gen_require(`
+		type var_t, var_lib_t;
+		class dir search;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_lib_t:dir search;
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the /var/lib directory.

refpolicy/policy/modules/system/init.te

@@ -426,6 +426,11 @@ ifdef(`distro_redhat',`
 	optional_policy(`bind.te',`
 		bind_manage_config_dir(initrc_t)
 	')
+
+	optional_policy(`rpc.te',`
+		#for /etc/rc.d/init.d/nfs to create /etc/exports
+		rpc_write_exports(initrc_t)
+	')
 ')
 
 ifdef(`targeted_policy',`
@@ -551,6 +556,10 @@ optional_policy(`raid.te',`
 	raid_manage_mdadm_pid(initrc_t)
 ')
 
+optional_policy(`rpc.te',`
+	rpc_read_exports(initrc_t)
+')
+
 optional_policy(`postgresql.te',`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)

refpolicy/policy/modules/system/userdomain.if

@@ -2245,6 +2245,54 @@ interface(`userdom_read_unpriv_user_home_files',`
 	allow $1 user_home_type:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Read all unprivileged users temporary directories.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_list_unpriv_user_tmp',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	allow $1 user_tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users temporary files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_unpriv_user_tmp_files',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	allow $1 user_tmpfile:file { read getattr };
+')
+
+########################################
+## <summary>
+##	Read all unprivileged users temporary symbolic links.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_read_unpriv_user_tmp_symlinks',`
+	gen_require(`
+		attribute user_tmpfile;
+	')
+
+	allow $1 user_tmpfile:lnk_file { getattr read };
+')
+
 ########################################
 ## <summary>
 ##	Write all unprivileged users files in /tmp

refpolicy/policy/modules/system/userdomain.te

@@ -218,6 +218,10 @@ ifdef(`targeted_policy',`
 		netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`rpc.te',`
+		rpc_domtrans_nfsd(sysadm_t)
+	')
+
 	optional_policy(`ntp.te',`
 		ntp_stub()
 		corenet_udp_bind_ntp_port(sysadm_t)