policy_module(rpc,1.0) ######################################## # # Declarations # type exports_t; files_type(exports_t) rpc_domain_template(gssd) type gssd_tmp_t; files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) # rpcd_t is the domain of rpc daemons. # rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) rpc_domain_template(nfsd) type nfsd_rw_t; files_config_file(nfsd_rw_t) type nfsd_ro_t; files_config_file(nfsd_ro_t) type var_lib_nfs_t; files_config_file(var_lib_nfs_t) ######################################## # # RPC local policy # allow rpcd_t self:fifo_file rw_file_perms; allow rpcd_t self:file { getattr read }; allow rpcd_t rpcd_var_run_t:file manage_file_perms; allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr }; files_create_pid(rpcd_t,rpcd_var_run_t) kernel_search_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) corenet_udp_bind_generic_port(rpcd_t) corenet_udp_bind_reserved_port(rpcd_t) fs_read_rpc_dirs(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_read_rpc_sockets(rpcd_t) term_use_controlling_term(rpcd_t) # cjp: this should really have its own type files_manage_mounttab(rpcd_t) seutil_dontaudit_search_config(rpcd_t) ifdef(`distro_redhat',` allow rpcd_t self:capability { chown dac_override setgid setuid }; ') optional_policy(`nis.te',` nis_read_ypserv_config(rpcd_t) ') # FIXME dontaudit userdomain exports_t:file getattr; ######################################## # # NFSD local policy # allow nfsd_t self:capability { sys_admin sys_resource }; allow nfsd_t exports_t:file { getattr read }; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_udp_sendfrom(nfsd_t) kernel_tcp_recvfrom(nfsd_t) corenet_udp_bind_generic_port(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_rw_nfsd_fs(nfsd_t) term_use_controlling_term(nfsd_t) # does not really need this, but it is easier to just allow it files_search_pids(nfsd_t) # for exportfs and rpc.mountd files_getattr_tmp_dir(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(rpcd_t) tunable_policy(`nfs_export_all_rw',` auth_read_all_dirs_except_shadow(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) ') tunable_policy(`nfs_export_all_ro',` auth_read_all_dirs_except_shadow(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) ') ######################################## # # GSSD local policy # allow gssd_t self:capability { dac_override dac_read_search setuid }; allow gssd_t self:fifo_file { read write }; allow gssd_t gssd_tmp_t:dir create_dir_perms; allow gssd_t gssd_tmp_t:file create_file_perms; files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir }) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) dev_read_urand(gssd_t) fs_read_rpc_dirs(gssd_t) fs_read_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) files_list_tmp(gssd_t) files_read_generic_tmp_files(gssd_t) files_read_generic_tmp_symlinks(gssd_t) tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_user_tmp(gssd_t) userdom_read_unpriv_user_tmp_files(gssd_t) userdom_read_unpriv_user_tmp_symlinks(gssd_t) ') optional_policy(`kerberos.te',` kerberos_use(gssd_t) kerberos_read_keytab(gssd_t) ')