186 lines
4.1 KiB
Plaintext
186 lines
4.1 KiB
Plaintext
|
|
policy_module(rpc,1.6.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow gssd to read temp directory.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_gssd_read_tmp,true)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow nfs servers to modify public files
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_nfsd_anon_write,false)
|
|
|
|
type exports_t;
|
|
files_type(exports_t)
|
|
|
|
rpc_domain_template(gssd)
|
|
|
|
type gssd_tmp_t;
|
|
files_tmp_file(gssd_tmp_t)
|
|
|
|
type rpcd_var_run_t;
|
|
files_pid_file(rpcd_var_run_t)
|
|
|
|
# rpcd_t is the domain of rpc daemons.
|
|
# rpc_exec_t is the type of rpc daemon programs.
|
|
rpc_domain_template(rpcd)
|
|
|
|
rpc_domain_template(nfsd)
|
|
|
|
type nfsd_rw_t;
|
|
files_type(nfsd_rw_t)
|
|
|
|
type nfsd_ro_t;
|
|
files_type(nfsd_ro_t)
|
|
|
|
type var_lib_nfs_t;
|
|
files_mountpoint(var_lib_nfs_t)
|
|
|
|
########################################
|
|
#
|
|
# RPC local policy
|
|
#
|
|
|
|
allow rpcd_t self:capability { chown dac_override setgid setuid };
|
|
allow rpcd_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow rpcd_t rpcd_var_run_t:dir setattr;
|
|
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
|
|
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
|
|
|
|
kernel_read_system_state(rpcd_t)
|
|
kernel_search_network_state(rpcd_t)
|
|
# for rpc.rquotad
|
|
kernel_read_sysctl(rpcd_t)
|
|
|
|
fs_list_rpc(rpcd_t)
|
|
fs_read_rpc_files(rpcd_t)
|
|
fs_read_rpc_symlinks(rpcd_t)
|
|
fs_read_rpc_sockets(rpcd_t)
|
|
term_use_controlling_term(rpcd_t)
|
|
|
|
# cjp: this should really have its own type
|
|
files_manage_mounttab(rpcd_t)
|
|
|
|
miscfiles_read_certs(rpcd_t)
|
|
|
|
seutil_dontaudit_search_config(rpcd_t)
|
|
|
|
optional_policy(`
|
|
nis_read_ypserv_config(rpcd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# NFSD local policy
|
|
#
|
|
|
|
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
|
|
|
allow nfsd_t exports_t:file { getattr read };
|
|
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
|
|
|
# for /proc/fs/nfs/exports - should we have a new type?
|
|
kernel_read_system_state(nfsd_t)
|
|
kernel_read_network_state(nfsd_t)
|
|
|
|
corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
|
corenet_udp_bind_all_rpc_ports(nfsd_t)
|
|
|
|
fs_mount_nfsd_fs(nfsd_t)
|
|
fs_search_nfsd_fs(nfsd_t)
|
|
fs_getattr_all_fs(nfsd_t)
|
|
fs_rw_nfsd_fs(nfsd_t)
|
|
|
|
term_use_controlling_term(nfsd_t)
|
|
|
|
# does not really need this, but it is easier to just allow it
|
|
files_search_pids(nfsd_t)
|
|
# for exportfs and rpc.mountd
|
|
files_getattr_tmp_dirs(nfsd_t)
|
|
# cjp: this should really have its own type
|
|
files_manage_mounttab(rpcd_t)
|
|
|
|
# Read access to public_content_t and public_content_rw_t
|
|
miscfiles_read_public_files(nfsd_t)
|
|
|
|
# Write access to public_content_t and public_content_rw_t
|
|
tunable_policy(`allow_nfsd_anon_write',`
|
|
miscfiles_manage_public_files(nfsd_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_rw',`
|
|
fs_read_noxattr_fs_files(nfsd_t)
|
|
auth_manage_all_files_except_shadow(nfsd_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_ro',`
|
|
fs_read_noxattr_fs_files(nfsd_t)
|
|
auth_read_all_files_except_shadow(nfsd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# GSSD local policy
|
|
#
|
|
|
|
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
|
|
allow gssd_t self:process { getsched setsched };
|
|
allow gssd_t self:fifo_file rw_file_perms;
|
|
|
|
manage_dirs_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
|
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
|
|
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
|
|
|
kernel_read_network_state(gssd_t)
|
|
kernel_read_network_state_symlinks(gssd_t)
|
|
kernel_search_network_sysctl(gssd_t)
|
|
|
|
corecmd_exec_bin(gssd_t)
|
|
|
|
fs_list_rpc(gssd_t)
|
|
fs_read_rpc_sockets(gssd_t)
|
|
fs_read_rpc_files(gssd_t)
|
|
|
|
files_list_tmp(gssd_t)
|
|
files_read_usr_symlinks(gssd_t)
|
|
|
|
miscfiles_read_certs(gssd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
files_read_generic_tmp_files(gssd_t)
|
|
files_read_generic_tmp_symlinks(gssd_t)
|
|
# Manage the users kerberos tgt file
|
|
files_manage_generic_tmp_files(gssd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_gssd_read_tmp',`
|
|
userdom_list_unpriv_users_tmp(gssd_t)
|
|
userdom_read_unpriv_users_tmp_files(gssd_t)
|
|
userdom_read_unpriv_users_tmp_symlinks(gssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(gssd_t)
|
|
kerberos_read_keytab(gssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pcscd_read_pub_files(gssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_rw_xdm_tmp_files(gssd_t)
|
|
')
|