9a0f7994cb
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
147 lines
4.9 KiB
Plaintext
147 lines
4.9 KiB
Plaintext
###############################################################################
|
|
#
|
|
# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
|
|
# Written by David Howells (dhowells@redhat.com)
|
|
# Karl MacMillan (kmacmill@redhat.com)
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License
|
|
# as published by the Free Software Foundation; either version
|
|
# 2 of the License, or (at your option) any later version.
|
|
#
|
|
###############################################################################
|
|
|
|
#
|
|
# This security policy governs access by the CacheFiles kernel module and
|
|
# userspace management daemon to the files and directories in the on-disk
|
|
# cache, on behalf of the processes accessing the cache through a network
|
|
# filesystem such as NFS
|
|
#
|
|
policy_module(cachefilesd, 1.0.17)
|
|
|
|
###############################################################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
#
|
|
# Files in the cache are created by the cachefiles module with security ID
|
|
# cachefiles_var_t
|
|
#
|
|
type cachefiles_var_t;
|
|
files_type(cachefiles_var_t)
|
|
|
|
#
|
|
# The /dev/cachefiles character device has security ID cachefiles_dev_t
|
|
#
|
|
type cachefiles_dev_t;
|
|
dev_node(cachefiles_dev_t)
|
|
|
|
#
|
|
# The cachefilesd daemon normally runs with security ID cachefilesd_t
|
|
#
|
|
type cachefilesd_t;
|
|
type cachefilesd_exec_t;
|
|
domain_type(cachefilesd_t)
|
|
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
|
|
|
|
#
|
|
# The cachefilesd daemon pid file context
|
|
#
|
|
type cachefilesd_var_run_t;
|
|
files_pid_file(cachefilesd_var_run_t)
|
|
|
|
#
|
|
# The CacheFiles kernel module causes processes accessing the cache files to do
|
|
# so acting as security ID cachefiles_kernel_t
|
|
#
|
|
type cachefiles_kernel_t;
|
|
domain_type(cachefiles_kernel_t)
|
|
domain_obj_id_change_exemption(cachefiles_kernel_t)
|
|
role system_r types cachefiles_kernel_t;
|
|
|
|
###############################################################################
|
|
#
|
|
# Permit RPM to deal with files in the cache
|
|
#
|
|
rpm_use_script_fds(cachefilesd_t)
|
|
|
|
###############################################################################
|
|
#
|
|
# cachefilesd local policy
|
|
#
|
|
# These define what cachefilesd is permitted to do. This doesn't include very
|
|
# much: startup stuff, logging, pid file, scanning the cache superstructure and
|
|
# deleting files from the cache. It is not permitted to read/write files in
|
|
# the cache.
|
|
#
|
|
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
|
|
# rules.
|
|
#
|
|
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
|
|
|
|
# Basic access
|
|
files_read_etc_files(cachefilesd_t)
|
|
libs_use_ld_so(cachefilesd_t)
|
|
libs_use_shared_libs(cachefilesd_t)
|
|
miscfiles_read_localization(cachefilesd_t)
|
|
logging_send_syslog_msg(cachefilesd_t)
|
|
init_dontaudit_use_script_ptys(cachefilesd_t)
|
|
term_dontaudit_use_generic_ptys(cachefilesd_t)
|
|
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
|
|
|
|
# Allow manipulation of pid file
|
|
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
|
|
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
|
manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
|
files_pid_file(cachefilesd_var_run_t)
|
|
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
|
|
files_create_as_is_all_files(cachefilesd_t)
|
|
|
|
# Allow access to cachefiles device file
|
|
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
|
|
|
|
# Allow access to cache superstructure
|
|
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
|
|
allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
|
|
|
|
# Permit statfs on the backing filesystem
|
|
fs_getattr_xattr_fs(cachefilesd_t)
|
|
|
|
###############################################################################
|
|
#
|
|
# When cachefilesd invokes the kernel module to begin caching, it has to tell
|
|
# the kernel module the security context in which it should act, and this
|
|
# policy has to approve that.
|
|
#
|
|
# There are two parts to this:
|
|
#
|
|
# (1) the security context used by the module to access files in the cache,
|
|
# as set by the 'secctx' command in /etc/cachefilesd.conf, and
|
|
#
|
|
allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
|
|
|
|
#
|
|
# (2) the label that will be assigned to new files and directories created in
|
|
# the cache by the module, which will be the same as the label on the
|
|
# directory pointed to by the 'dir' command.
|
|
#
|
|
allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
|
|
|
|
###############################################################################
|
|
#
|
|
# cachefiles kernel module local policy
|
|
#
|
|
# This governs what the kernel module is allowed to do the contents of the
|
|
# cache.
|
|
#
|
|
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
|
|
allow cachefiles_kernel_t initrc_t:process sigchld;
|
|
|
|
manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
|
manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
|
|
|
fs_getattr_xattr_fs(cachefiles_kernel_t)
|
|
|
|
dev_search_sysfs(cachefiles_kernel_t)
|