selinux-policy/policy/modules/services/rpc.te

238 lines
5.2 KiB
Plaintext

policy_module(rpc, 1.12.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow gssd to read temp directory. For access to kerberos tgt.
## </p>
## </desc>
gen_tunable(allow_gssd_read_tmp, true)
## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services. Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_nfsd_anon_write, false)
type exports_t;
files_config_file(exports_t)
rpc_domain_template(gssd)
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
# rpcd_t is the domain of rpc daemons.
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
type rpcd_initrc_exec_t;
init_script_file(rpcd_initrc_exec_t);
rpc_domain_template(nfsd)
type nfsd_initrc_exec_t;
init_script_file(nfsd_initrc_exec_t);
type nfsd_rw_t;
files_type(nfsd_rw_t)
type nfsd_ro_t;
files_type(nfsd_ro_t)
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
########################################
#
# RPC local policy
#
allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
files_pid_filetrans(rpcd_t, rpcd_var_run_t, file)
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
kernel_read_system_state(rpcd_t)
kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
corecmd_exec_bin(rpcd_t)
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
fs_get_all_fs_quotas(rpcd_t)
fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)
miscfiles_read_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
optional_policy(`
automount_signal(rpcd_t)
automount_dontaudit_write_pipes(rpcd_t)
')
optional_policy(`
nis_read_ypserv_config(rpcd_t)
')
########################################
#
# NFSD local policy
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
dev_rw_lvm_control(nfsd_t)
# does not really need this, but it is easier to just allow it
files_search_pids(nfsd_t)
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
files_read_etc_runtime_files(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
')
tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
dev_getattr_all_chr_files(nfsd_t)
files_getattr_all_pipes(nfsd_t)
files_getattr_all_sockets(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
auth_read_all_dirs_except_shadow(nfsd_t)
auth_read_all_files_except_shadow(nfsd_t)
')
########################################
#
# GSSD local policy
#
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_file_perms;
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
kernel_search_network_sysctl(gssd_t)
kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)
files_dontaudit_write_var_dirs(gssd_t)
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
miscfiles_read_certs(gssd_t)
mount_signal(gssd_t)
userdom_signal_all_users(gssd_t)
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
')
optional_policy(`
automount_signal(gssd_t)
')
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
')
optional_policy(`
pcscd_read_pub_files(gssd_t)
')
optional_policy(`
xserver_rw_xdm_tmp_files(gssd_t)
')