selinux-policy/policy/modules/services/rsync.te

policy_module(rsync, 1.10.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rsync to run as a client
## </p>
## </desc>
gen_tunable(rsync_client, false)

## <desc>
## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
gen_tunable(rsync_export_all_ro, false)

## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services.  Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write, false)

type rsync_t;
type rsync_exec_t;
application_executable_file(rsync_exec_t)
role system_r types rsync_t;

type rsync_etc_t;
files_config_file(rsync_etc_t)

type rsync_data_t;
files_type(rsync_data_t)

type rsync_log_t;
logging_log_file(rsync_log_t)

type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)

type rsync_var_run_t;
files_pid_file(rsync_var_run_t)

########################################
#
# Local policy
#

allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
allow rsync_t self:udp_socket connected_socket_perms;

# for identd
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd

read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)

allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)

manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)

manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })

manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
files_pid_filetrans(rsync_t, rsync_var_run_t, file)

kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)

corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
corenet_udp_sendrecv_generic_node(rsync_t)
corenet_tcp_sendrecv_all_ports(rsync_t)
corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
corenet_sendrecv_rsync_server_packets(rsync_t)

dev_read_urand(rsync_t)

fs_getattr_xattr_fs(rsync_t)

files_read_etc_files(rsync_t)
files_search_home(rsync_t)

auth_use_nsswitch(rsync_t)

logging_send_syslog_msg(rsync_t)

miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)

tunable_policy(`allow_rsync_anon_write',`
	miscfiles_manage_public_files(rsync_t)
')

optional_policy(`
	daemontools_service_domain(rsync_t, rsync_exec_t)
')

optional_policy(`
	kerberos_use(rsync_t)
')

optional_policy(`
	inetd_service_domain(rsync_t, rsync_exec_t)
')

tunable_policy(`rsync_export_all_ro',`
	files_getattr_all_pipes(rsync_t)
	fs_read_noxattr_fs_files(rsync_t) 
	fs_read_nfs_files(rsync_t)
	fs_read_cifs_files(rsync_t)
	auth_read_all_dirs_except_shadow(rsync_t)
	auth_read_all_files_except_shadow(rsync_t)
	auth_read_all_symlinks_except_shadow(rsync_t)
	auth_tunable_read_shadow(rsync_t)
')

tunable_policy(`rsync_client',`
	corenet_tcp_connect_rsync_port(rsync_t)
	corenet_tcp_connect_ssh_port(rsync_t)
	manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
	manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
	manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
')

optional_policy(`
	tunable_policy(`rsync_client',`
		ssh_exec(rsync_t) 
	')
')

auth_can_read_shadow_passwords(rsync_t)