policy_module(rpc, 1.12.0) ######################################## # # Declarations # ## ##

## Allow gssd to read temp directory. For access to kerberos tgt. ##

##
gen_tunable(allow_gssd_read_tmp, true) ## ##

## Allow nfs servers to modify public files ## used for public file transfer services. Files/Directories must be ## labeled public_content_rw_t. ##

##
gen_tunable(allow_nfsd_anon_write, false) type exports_t; files_config_file(exports_t) rpc_domain_template(gssd) type gssd_tmp_t; files_tmp_file(gssd_tmp_t) type rpcd_var_run_t; files_pid_file(rpcd_var_run_t) # rpcd_t is the domain of rpc daemons. # rpc_exec_t is the type of rpc daemon programs. rpc_domain_template(rpcd) type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t); rpc_domain_template(nfsd) type nfsd_initrc_exec_t; init_script_file(nfsd_initrc_exec_t); type nfsd_rw_t; files_type(nfsd_rw_t) type nfsd_ro_t; files_type(nfsd_ro_t) type var_lib_nfs_t; files_mountpoint(var_lib_nfs_t) ######################################## # # RPC local policy # allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid }; allow rpcd_t self:process { getcap setcap }; allow rpcd_t self:fifo_file rw_fifo_file_perms; allow rpcd_t rpcd_var_run_t:dir setattr; manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t) files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir }) # rpc.statd executes sm-notify can_exec(rpcd_t, rpcd_exec_t) kernel_read_system_state(rpcd_t) kernel_read_network_state(rpcd_t) # for rpc.rquotad kernel_read_sysctl(rpcd_t) kernel_rw_fs_sysctls(rpcd_t) kernel_dontaudit_getattr_core_if(rpcd_t) kernel_signal(rpcd_t) corecmd_exec_bin(rpcd_t) files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) fs_list_rpc(rpcd_t) fs_read_rpc_files(rpcd_t) fs_read_rpc_symlinks(rpcd_t) fs_rw_rpc_sockets(rpcd_t) fs_get_all_fs_quotas(rpcd_t) fs_getattr_all_fs(rpcd_t) storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) userdom_signal_unpriv_users(rpcd_t) userdom_read_user_home_content_files(rpcd_t) optional_policy(` automount_signal(rpcd_t) automount_dontaudit_write_pipes(rpcd_t) ') optional_policy(` domain_unconfined_signal(rpcd_t) ') optional_policy(` nis_read_ypserv_config(rpcd_t) ') optional_policy(` rgmanager_manage_tmp_files(rpcd_t) ') ######################################## # # NFSD local policy # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; allow nfsd_t exports_t:file read_file_perms; allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) kernel_setsched(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) dev_rw_lvm_control(nfsd_t) # does not really need this, but it is easier to just allow it files_search_pids(nfsd_t) # for exportfs and rpc.mountd files_getattr_tmp_dirs(nfsd_t) # cjp: this should really have its own type files_manage_mounttab(nfsd_t) files_read_etc_runtime_files(nfsd_t) fs_mount_nfsd_fs(nfsd_t) fs_search_nfsd_fs(nfsd_t) fs_getattr_all_fs(nfsd_t) fs_getattr_all_dirs(nfsd_t) fs_rw_nfsd_fs(nfsd_t) storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) ') tunable_policy(`nfs_export_all_rw',` dev_getattr_all_blk_files(nfsd_t) dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) dev_getattr_all_chr_files(nfsd_t) files_getattr_all_pipes(nfsd_t) files_getattr_all_sockets(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) auth_read_all_dirs_except_shadow(nfsd_t) auth_read_all_files_except_shadow(nfsd_t) ') ######################################## # # GSSD local policy # allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; allow gssd_t self:fifo_file rw_file_perms; manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) kernel_read_system_state(gssd_t) kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) kernel_search_network_sysctl(gssd_t) kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) files_dontaudit_write_var_dirs(gssd_t) auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) mount_signal(gssd_t) userdom_signal_all_users(gssd_t) tunable_policy(`allow_gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) userdom_write_user_tmp_files(gssd_t) files_read_generic_tmp_files(gssd_t) ') optional_policy(` automount_signal(gssd_t) ') optional_policy(` kerberos_keytab_template(gssd, gssd_t) ') optional_policy(` pcscd_read_pub_files(gssd_t) ') optional_policy(` xserver_rw_xdm_tmp_files(gssd_t) ')