1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport-layer-specific interfaces are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only NetLabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID, which makes it very difficult to distinguish between actual unlabeled packets and those packets which have MLS security attributes.
policy_module(afs,1.1.1)

########################################
#
# Declarations
#

# bosserver: the supervisor of this module.  It is the only domain here
# declared as an init daemon; the four other servers are started from it by
# domain transition (see the domtrans_pattern() rules in its section) and
# it may signal them.
type afs_bosserver_t;
type afs_bosserver_exec_t;
init_daemon_domain(afs_bosserver_t,afs_bosserver_exec_t)

# Server configuration tree.  bosserver and fsserver manage directories and
# files, kaserver manages files; ptserver and vlserver only read it.
type afs_config_t;
files_type(afs_config_t)

# Directory that holds the server databases.  The database files themselves
# carry a per-server type (afs_ka_db_t, afs_pt_db_t, afs_vl_db_t below),
# assigned by a filetrans_pattern() in each server's section, so one server
# cannot reach another server's database.
type afs_dbdir_t;
files_type(afs_dbdir_t)

# exported files
# Only fsserver has rules on this type in this module.
type afs_files_t;
files_type(afs_files_t)

# fileserver.  Not an init daemon: a plain domain with an entry file,
# reached by transition from afs_bosserver_t; system_r is authorized
# explicitly because domain_type() does not do that by itself.
type afs_fsserver_t;
type afs_fsserver_exec_t;
domain_type(afs_fsserver_t)
domain_entry_file(afs_fsserver_t,afs_fsserver_exec_t)
role system_r types afs_fsserver_t;

# kaserver database file type (lives under afs_dbdir_t).
type afs_ka_db_t;
files_type(afs_ka_db_t)

# kaserver (authentication server); same shape as fsserver above.
type afs_kaserver_t;
type afs_kaserver_exec_t;
domain_type(afs_kaserver_t)
domain_entry_file(afs_kaserver_t,afs_kaserver_exec_t)
role system_r types afs_kaserver_t;

# Log directory and files; every domain in this module manages them.
type afs_logfile_t;
logging_log_file(afs_logfile_t)

# ptserver database file type (lives under afs_dbdir_t).
type afs_pt_db_t;
files_type(afs_pt_db_t)

# ptserver; same shape as fsserver above.
type afs_ptserver_t;
type afs_ptserver_exec_t;
domain_type(afs_ptserver_t)
domain_entry_file(afs_ptserver_t,afs_ptserver_exec_t)
role system_r types afs_ptserver_t;

# vlserver database file type (lives under afs_dbdir_t).
type afs_vl_db_t;
files_type(afs_vl_db_t)

# vlserver; same shape as fsserver above.
type afs_vlserver_t;
type afs_vlserver_exec_t;
domain_type(afs_vlserver_t)
domain_entry_file(afs_vlserver_t,afs_vlserver_exec_t)
role system_r types afs_vlserver_t;

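########################################
#
# AFS bosserver local policy
#
# bosserver supervises the other AFS servers: it executes each of them in
# its own domain, may signal them, and owns the configuration tree.
#

allow afs_bosserver_t self:process { setsched signal_perms };
allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
allow afs_bosserver_t self:udp_socket create_socket_perms;

can_exec(afs_bosserver_t, afs_bosserver_exec_t)

# Full read/write/create control over the configuration tree.
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)

# Database directory: listing only.  The database files (afs_*_db_t) are
# created and written by the individual servers, never by bosserver.
allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };

# Start each server in its own domain and send it signals.
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)

allow afs_bosserver_t afs_kaserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)

allow afs_bosserver_t afs_ptserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)

allow afs_bosserver_t afs_vlserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)

# Log directory and files.  Written with the manage_*_pattern() macros, as in
# every other domain of this module.  The resulting permissions are the same
# as bare "allow ... afs_logfile_t:{dir,file} manage_*_perms" rules: the
# extra dir permissions the macros add are a subset of manage_dir_perms.
manage_dirs_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_kernel_sysctls(afs_bosserver_t)

# Network.  Peers may be unlabeled or NetLabel-labeled (the two per-domain
# receive interfaces).  Sending/receiving is allowed with any node and any
# port over both protocols; only binding is narrowed, to the afs_bos UDP
# port.  The wide sendrecv set is what the corenet interfaces offer here,
# not an AFS-specific need -- worth revisiting if finer port interfaces
# become available.
corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
corenet_udp_sendrecv_all_nodes(afs_bosserver_t)
corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_bind_all_nodes(afs_bosserver_t)
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)

files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
files_read_usr_files(afs_bosserver_t)

libs_use_ld_so(afs_bosserver_t)
libs_use_shared_libs(afs_bosserver_t)

miscfiles_read_localization(afs_bosserver_t)

seutil_read_config(afs_bosserver_t)

sysnet_read_config(afs_bosserver_t)
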
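########################################
#
# fileserver local policy
#

# Capabilities.  dac_override bypasses DAC owner/mode checks on files
# (presumably for the exported data, which may be owned by arbitrary uids);
# chown and fowner allow changing ownership and attributes of files it does
# not own; kill allows signalling processes of other uids; sys_nice pairs
# with the process setsched permission below.  dac_override is the widest
# of these -- re-check it against real denials if this policy is tightened.
allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
# The server trips an fsetid check it evidently does not need; the denial is
# silenced rather than granted.
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
allow afs_fsserver_t self:udp_socket create_socket_perms;

# Configuration tree: full management.  manage_*_pattern() already covers
# reading files and listing directories, so no separate read_files_pattern()
# or "dir list_dir_perms" rules are needed for afs_config_t here.
# NOTE(review): this lets the fileserver rewrite its own configuration;
# confirm write access (rather than the read-only access ptserver and
# vlserver get) is really required.
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)

# Exported data: full management of every object class, plus statfs-style
# getattr on the filesystem holding it.
allow afs_fsserver_t afs_files_t:filesystem getattr;
manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
# Non-directory objects the fileserver creates inside afs_config_t
# directories are labeled afs_files_t, not afs_config_t.
# NOTE(review): confirm this is intended; it keeps server-created objects
# out of the configuration type but puts them under the exported-files type.
filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })

can_exec(afs_fsserver_t, afs_fsserver_exec_t)

manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_system_state(afs_fsserver_t)
kernel_read_kernel_sysctls(afs_fsserver_t)

# Network.  TCP and UDP with any node and any port on generic interfaces;
# peers may be unlabeled or NetLabel-labeled.  Listening is limited to the
# afs_fs port (both protocols).
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)

files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)

fs_getattr_xattr_fs(afs_fsserver_t)

term_dontaudit_use_console(afs_fsserver_t)

init_dontaudit_use_script_fds(afs_fsserver_t)

libs_use_ld_so(afs_fsserver_t)
libs_use_shared_libs(afs_fsserver_t)

logging_send_syslog_msg(afs_fsserver_t)

miscfiles_read_localization(afs_fsserver_t)

seutil_read_config(afs_fsserver_t)

sysnet_read_config(afs_fsserver_t)

userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
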
########################################
#
# kaserver local policy
#
# Authentication server.  Besides the afs_ka port it also binds the kerberos
# port and exchanges the corresponding server packets.
#

allow afs_kaserver_t self:udp_socket create_socket_perms;
allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;

# Configuration tree: files are managed (read/write/create/delete); the
# directories themselves are only written into, not created or removed.
manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)

# Own database: files created under afs_dbdir_t become afs_ka_db_t.  No rule
# here mentions the other servers' database types, so they stay unreachable.
filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)

# Logs.
manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_kernel_sysctls(afs_kaserver_t)

# Network: any node and any port on generic interfaces for both protocols;
# peers may be unlabeled or NetLabel-labeled.  Binding is limited to the
# afs_ka and kerberos UDP ports.
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
corenet_udp_sendrecv_all_nodes(afs_kaserver_t)
corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_sendrecv_all_ports(afs_kaserver_t)
corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_bind_all_nodes(afs_kaserver_t)
corenet_udp_bind_afs_ka_port(afs_kaserver_t)
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)

files_read_etc_files(afs_kaserver_t)
files_read_usr_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)

libs_use_ld_so(afs_kaserver_t)
libs_use_shared_libs(afs_kaserver_t)

miscfiles_read_localization(afs_kaserver_t)
seutil_read_config(afs_kaserver_t)
sysnet_read_config(afs_kaserver_t)

# Silently deny use of admin terminals (presumably inherited descriptors
# when started by hand); nothing is granted.
userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)
userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)

########################################
#
# ptserver local policy
#
# Read-only access to the configuration tree, its own database file type,
# and the afs_pt port.
#

allow afs_ptserver_t self:udp_socket create_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;

# Configuration tree is read-only here (contrast bosserver/fsserver/kaserver).
allow afs_ptserver_t afs_config_t:dir list_dir_perms;
read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)

# Own database: files created under afs_dbdir_t become afs_pt_db_t.  No rule
# here mentions the other servers' database types, so they stay unreachable.
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)

# Logs.
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)

# Network: any node and any port on generic interfaces for both protocols;
# peers may be unlabeled or NetLabel-labeled.  Binding is limited to the
# afs_pt UDP port.
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
corenet_udp_sendrecv_all_nodes(afs_ptserver_t)
corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_sendrecv_all_ports(afs_ptserver_t)
corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_udp_bind_all_nodes(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)

files_read_etc_files(afs_ptserver_t)

libs_use_ld_so(afs_ptserver_t)
libs_use_shared_libs(afs_ptserver_t)

miscfiles_read_localization(afs_ptserver_t)
sysnet_read_config(afs_ptserver_t)

# NOTE(review): unlike bosserver and kaserver, this domain has no
# kernel_read_kernel_sysctls() or seutil_read_config(); presumably not
# needed, but confirm against AVC denials before treating the difference
# as deliberate.
userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)
userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)

########################################
#
# vlserver local policy
#
# Read-only access to the configuration tree, its own database file type,
# and the afs_vl port.  Mirrors the ptserver section.
#

allow afs_vlserver_t self:udp_socket create_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;

# Configuration tree is read-only here (contrast bosserver/fsserver/kaserver).
allow afs_vlserver_t afs_config_t:dir list_dir_perms;
read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)

# Own database: files created under afs_dbdir_t become afs_vl_db_t.  No rule
# here mentions the other servers' database types, so they stay unreachable.
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)

# Logs.
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)

# Network: any node and any port on generic interfaces for both protocols;
# peers may be unlabeled or NetLabel-labeled.  Binding is limited to the
# afs_vl UDP port.
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
corenet_udp_sendrecv_all_nodes(afs_vlserver_t)
corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_sendrecv_all_ports(afs_vlserver_t)
corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_udp_bind_all_nodes(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)

files_read_etc_files(afs_vlserver_t)

libs_use_ld_so(afs_vlserver_t)
libs_use_shared_libs(afs_vlserver_t)

miscfiles_read_localization(afs_vlserver_t)
sysnet_read_config(afs_vlserver_t)

# NOTE(review): as for ptserver, no kernel_read_kernel_sysctls() or
# seutil_read_config() here; presumably not needed, but confirm against
# AVC denials before treating the difference as deliberate.
userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)
userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)