167 lines
5.2 KiB
Plaintext
167 lines
5.2 KiB
Plaintext
#
|
|
# Policy for AFS server
|
|
#
|
|
|
|
type afs_files_t, file_type;
|
|
type afs_config_t, file_type, sysadmfile;
|
|
type afs_logfile_t, file_type, logfile;
|
|
type afs_dbdir_t, file_type;
|
|
|
|
allow afs_files_t afs_files_t:filesystem associate;
|
|
# df should show sizes
|
|
allow sysadm_t afs_files_t:filesystem getattr;
|
|
|
|
#
|
|
# Macros for defining AFS server domains
|
|
#
|
|
|
|
define(`afs_server_domain',`
|
|
type afs_$1server_t, domain $2;
|
|
type afs_$1server_exec_t, file_type, sysadmfile;
|
|
|
|
role system_r types afs_$1server_t;
|
|
|
|
allow afs_$1server_t afs_config_t:file r_file_perms;
|
|
allow afs_$1server_t afs_config_t:dir r_dir_perms;
|
|
allow afs_$1server_t afs_logfile_t:file create_file_perms;
|
|
allow afs_$1server_t afs_logfile_t:dir create_dir_perms;
|
|
allow afs_$1server_t afs_$1_port_t:udp_socket name_bind;
|
|
uses_shlib(afs_$1server_t)
|
|
can_network(afs_$1server_t)
|
|
read_locale(afs_$1server_t)
|
|
|
|
dontaudit afs_$1server_t { var_t var_run_t }:file r_file_perms;
|
|
dontaudit afs_$1server_t { var_t var_run_t }:dir r_dir_perms;
|
|
dontaudit afs_$1server_t admin_tty_type:chr_file rw_file_perms;
|
|
')
|
|
|
|
define(`afs_under_bos',`
|
|
domain_auto_trans(afs_bosserver_t, afs_$1server_exec_t, afs_$1server_t)
|
|
allow afs_$1server_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow afs_$1server_t etc_t:{ file lnk_file } r_file_perms;
|
|
allow afs_$1server_t net_conf_t:file r_file_perms;
|
|
allow afs_bosserver_t afs_$1server_t:process signal_perms;
|
|
')
|
|
|
|
define(`afs_server_db',`
|
|
type afs_$1_db_t, file_type;
|
|
|
|
allow afs_$1server_t afs_$1_db_t:file create_file_perms;
|
|
file_type_auto_trans(afs_$1server_t, afs_dbdir_t, afs_$1_db_t, file);
|
|
')
|
|
|
|
|
|
#
|
|
# bosserver
|
|
#
|
|
|
|
afs_server_domain(`bos')
|
|
base_file_read_access(afs_bosserver_t)
|
|
|
|
domain_auto_trans(initrc_t, afs_bosserver_exec_t, afs_bosserver_t)
|
|
|
|
allow afs_bosserver_t self:process { fork setsched signal_perms };
|
|
allow afs_bosserver_t afs_bosserver_exec_t:file { execute_no_trans rx_file_perms };
|
|
allow afs_bosserver_t afs_dbdir_t:dir { search read getattr };
|
|
allow afs_bosserver_t afs_config_t:file create_file_perms;
|
|
allow afs_bosserver_t afs_config_t:dir create_dir_perms;
|
|
|
|
allow afs_bosserver_t etc_t:{file lnk_file} r_file_perms;
|
|
allow afs_bosserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
|
|
allow afs_bosserver_t device_t:dir r_dir_perms;
|
|
|
|
# allow sysadm to use bos
|
|
allow afs_bosserver_t sysadm_t:udp_socket { sendto recvfrom };
|
|
allow sysadm_t afs_bosserver_t:udp_socket { recvfrom sendto };
|
|
|
|
#
|
|
# fileserver, volserver, and salvager
|
|
#
|
|
|
|
afs_server_domain(`fs',`,privlog')
|
|
afs_under_bos(`fs')
|
|
|
|
base_file_read_access(afs_fsserver_t)
|
|
file_type_auto_trans(afs_fsserver_t, afs_config_t, afs_files_t)
|
|
|
|
allow afs_fsserver_t self:process { fork sigchld setsched signal_perms };
|
|
allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
|
|
allow afs_fsserver_t self:fifo_file { rw_file_perms };
|
|
can_exec(afs_fsserver_t, afs_fsserver_exec_t)
|
|
allow afs_fsserver_t afs_files_t:file create_file_perms;
|
|
allow afs_fsserver_t afs_files_t:dir create_dir_perms;
|
|
allow afs_fsserver_t afs_config_t:file create_file_perms;
|
|
allow afs_fsserver_t afs_config_t:dir create_dir_perms;
|
|
|
|
allow afs_fsserver_t afs_fs_port_t:tcp_socket name_bind;
|
|
allow afs_fsserver_t { afs_files_t fs_t }:filesystem getattr;
|
|
|
|
allow afs_fsserver_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
|
|
allow afs_fsserver_t device_t:dir r_dir_perms;
|
|
allow afs_fsserver_t etc_runtime_t:{file lnk_file} r_file_perms;
|
|
allow afs_fsserver_t { var_run_t var_t } :dir r_dir_perms;
|
|
|
|
allow afs_fsserver_t proc_t:dir r_dir_perms;
|
|
allow afs_fsserver_t { self proc_t } : { file lnk_file } r_file_perms;
|
|
allow afs_fsserver_t { self proc_t } : dir r_dir_perms;
|
|
|
|
# fs communicates with other servers
|
|
allow afs_fsserver_t self:unix_dgram_socket create_socket_perms;
|
|
allow afs_fsserver_t self:tcp_socket { connectto acceptfrom recvfrom };
|
|
allow afs_fsserver_t self:udp_socket { sendto recvfrom };
|
|
allow afs_fsserver_t { afs_vlserver_t afs_ptserver_t }:udp_socket { recvfrom };
|
|
allow afs_fsserver_t sysadm_t:udp_socket { sendto recvfrom };
|
|
allow sysadm_t afs_fsserver_t:udp_socket { recvfrom sendto };
|
|
|
|
dontaudit afs_fsserver_t self:capability fsetid;
|
|
dontaudit afs_fsserver_t console_device_t:chr_file rw_file_perms;
|
|
dontaudit afs_fsserver_t initrc_t:fd use;
|
|
dontaudit afs_fsserver_t mnt_t:dir search;
|
|
|
|
|
|
#
|
|
# kaserver
|
|
#
|
|
|
|
afs_server_domain(`ka')
|
|
afs_under_bos(`ka')
|
|
afs_server_db(`ka')
|
|
|
|
base_file_read_access(afs_kaserver_t)
|
|
|
|
allow afs_kaserver_t kerberos_port_t:udp_socket name_bind;
|
|
allow afs_kaserver_t self:capability { net_bind_service };
|
|
allow afs_kaserver_t afs_config_t:file create_file_perms;
|
|
allow afs_kaserver_t afs_config_t:dir rw_dir_perms;
|
|
|
|
# allow sysadm to use kas
|
|
allow afs_kaserver_t sysadm_t:udp_socket { sendto recvfrom };
|
|
allow sysadm_t afs_kaserver_t:udp_socket { recvfrom sendto };
|
|
|
|
|
|
#
|
|
# ptserver
|
|
#
|
|
|
|
afs_server_domain(`pt')
|
|
afs_under_bos(`pt')
|
|
afs_server_db(`pt')
|
|
|
|
# allow users to use pts
|
|
allow afs_ptserver_t userdomain:udp_socket { sendto recvfrom };
|
|
allow userdomain afs_ptserver_t:udp_socket { recvfrom sendto };
|
|
allow afs_ptserver_t afs_fsserver_t:udp_socket { recvfrom };
|
|
|
|
|
|
#
|
|
# vlserver
|
|
#
|
|
|
|
afs_server_domain(`vl')
|
|
afs_under_bos(`vl')
|
|
afs_server_db(`vl')
|
|
|
|
allow afs_vlserver_t sysadm_t:udp_socket { sendto recvfrom };
|
|
allow sysadm_t afs_vlserver_t:udp_socket { recvfrom sendto };
|
|
allow afs_vlserver_t afs_fsserver_t:udp_socket { recvfrom };
|