#DESC Rpcd - RPC daemon # # Authors: Stephen Smalley and Timothy Fraser # Russell Coker # Depends: portmap.te # X-Debian-Packages: nfs-common # ################################# # # Rules for the rpcd_t and nfsd_t domain. # define(`rpc_domain', ` daemon_base_domain($1) can_network($1_t) can_ypbind($1_t) allow $1_t etc_t:file { getattr read }; read_locale($1_t) allow $1_t self:capability net_bind_service; dontaudit $1_t self:capability net_admin; allow $1_t var_t:dir { getattr search }; allow $1_t var_lib_t:dir search; allow $1_t var_lib_nfs_t:dir create_dir_perms; allow $1_t var_lib_nfs_t:file create_file_perms; # do not log when it tries to bind to a port belonging to another domain dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind; allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind; allow $1_t self:netlink_route_socket r_netlink_socket_perms; allow $1_t self:unix_dgram_socket create_socket_perms; allow $1_t self:unix_stream_socket create_stream_socket_perms; # bind to arbitary unused ports allow $1_t port_t:{ tcp_socket udp_socket } name_bind; allow $1_t sysctl_rpc_t:dir search; allow $1_t sysctl_rpc_t:file rw_file_perms; ') type exports_t, file_type, sysadmfile; dontaudit userdomain exports_t:file getattr; # rpcd_t is the domain of rpc daemons. # rpcd_exec_t is the type of rpc daemon programs. # rpc_domain(rpcd) var_run_domain(rpcd) allow rpcd_t rpcd_var_run_t:dir setattr; # for rpc.rquotad allow rpcd_t sysctl_t:dir r_dir_perms; allow rpcd_t self:fifo_file rw_file_perms; # rpcd_t needs to talk to the portmap_t domain can_udp_send(rpcd_t, portmap_t) allow initrc_t exports_t:file r_file_perms; ifdef(`distro_redhat', ` allow rpcd_t self:capability { chown dac_override setgid setuid }; # for /etc/rc.d/init.d/nfs to create /etc/exports allow initrc_t exports_t:file write; ') allow rpcd_t self:file { getattr read }; # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. can_network_server(kernel_t) #can_udp_send(kernel_t, rpcd_t) #can_udp_send(rpcd_t, kernel_t) rpc_domain(nfsd) domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t) role sysadm_r types nfsd_t; # for /proc/fs/nfs/exports - should we have a new type? allow nfsd_t proc_t:file r_file_perms; allow nfsd_t proc_net_t:dir search; allow nfsd_t exports_t:file { getattr read }; allow nfsd_t nfsd_fs_t:filesystem mount; allow nfsd_t nfsd_fs_t:dir search; allow nfsd_t nfsd_fs_t:file rw_file_perms; allow initrc_t sysctl_rpc_t:dir search; allow initrc_t sysctl_rpc_t:file rw_file_perms; type nfsd_rw_t, file_type, sysadmfile, usercanread; type nfsd_ro_t, file_type, sysadmfile, usercanread; bool nfs_export_all_rw false; if(nfs_export_all_rw) { allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; create_dir_file(kernel_t,{ file_type -shadow_t }) } dontaudit kernel_t shadow_t:file getattr; bool nfs_export_all_ro false; if(nfs_export_all_ro) { allow nfsd_t { file_type -shadow_t }:dir r_dir_perms; r_dir_file(kernel_t,{ file_type -shadow_t }) } allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; create_dir_file(kernel_t, nfsd_rw_t); r_dir_file(kernel_t, nfsd_ro_t); allow kernel_t nfsd_t:udp_socket rw_socket_perms; can_udp_send(kernel_t, nfsd_t) can_udp_send(nfsd_t, kernel_t) # does not really need this, but it is easier to just allow it allow nfsd_t var_run_t:dir search; allow nfsd_t self:capability { sys_admin sys_resource }; allow nfsd_t fs_t:filesystem getattr; can_udp_send(nfsd_t, portmap_t) can_udp_send(portmap_t, nfsd_t) can_tcp_connect(nfsd_t, portmap_t) # for exportfs and rpc.mountd allow nfsd_t tmp_t:dir getattr; r_dir_file(rpcd_t, rpc_pipefs_t) allow rpcd_t rpc_pipefs_t:sock_file { read write }; dontaudit rpcd_t selinux_config_t:dir { search }; allow rpcd_t proc_net_t:dir search; rpc_domain(gssd) can_kerberos(gssd_t) allow gssd_t krb5_keytab_t:file r_file_perms; allow gssd_t urandom_device_t:chr_file { getattr read }; r_dir_file(gssd_t, tmp_t) tmp_domain(gssd) allow gssd_t self:fifo_file { read write }; r_dir_file(gssd_t, proc_net_t) allow gssd_t rpc_pipefs_t:dir r_dir_perms; allow gssd_t rpc_pipefs_t:sock_file { read write };