selinux-policy/policy/modules/services/afs.te
Dominick Grift ef521e9919 Tunable, optional and if(n)def blocks go below.
Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.
2010-09-22 15:41:43 +02:00

360 lines
11 KiB
Plaintext

policy_module(afs, 1.6.1)
########################################
#
# Declarations
#
type afs_t;
type afs_exec_t;
init_daemon_domain(afs_t, afs_exec_t)
type afs_bosserver_t;
type afs_bosserver_exec_t;
init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)
type afs_cache_t;
files_type(afs_cache_t)
type afs_config_t;
files_type(afs_config_t)
type afs_dbdir_t;
files_type(afs_dbdir_t)
# exported files
type afs_files_t;
files_type(afs_files_t)
type afs_fsserver_t;
type afs_fsserver_exec_t;
domain_type(afs_fsserver_t)
domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
role system_r types afs_fsserver_t;
type afs_initrc_exec_t;
init_script_file(afs_initrc_exec_t)
type afs_ka_db_t;
files_type(afs_ka_db_t)
type afs_kaserver_t;
type afs_kaserver_exec_t;
domain_type(afs_kaserver_t)
domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
role system_r types afs_kaserver_t;
type afs_logfile_t;
logging_log_file(afs_logfile_t)
type afs_pt_db_t;
files_type(afs_pt_db_t)
type afs_ptserver_t;
type afs_ptserver_exec_t;
domain_type(afs_ptserver_t)
domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
role system_r types afs_ptserver_t;
type afs_vl_db_t;
files_type(afs_vl_db_t)
type afs_vlserver_t;
type afs_vlserver_exec_t;
domain_type(afs_vlserver_t)
domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
role system_r types afs_vlserver_t;
########################################
#
# afs client local policy
#
allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
allow afs_t self:process { setsched signal };
allow afs_t self:udp_socket create_socket_perms;
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(afs_t, afs_cache_t, afs_cache_t)
manage_dirs_pattern(afs_t, afs_cache_t, afs_cache_t)
files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
corenet_all_recvfrom_unlabeled(afs_t)
corenet_all_recvfrom_netlabel(afs_t)
corenet_tcp_sendrecv_generic_if(afs_t)
corenet_udp_sendrecv_generic_if(afs_t)
corenet_tcp_sendrecv_generic_node(afs_t)
corenet_udp_sendrecv_generic_node(afs_t)
corenet_tcp_sendrecv_all_ports(afs_t)
corenet_udp_sendrecv_all_ports(afs_t)
corenet_udp_bind_generic_node(afs_t)
files_mounton_mnt(afs_t)
files_read_etc_files(afs_t)
files_read_usr_files(afs_t)
files_rw_etc_runtime_files(afs_t)
fs_getattr_xattr_fs(afs_t)
fs_mount_nfs(afs_t)
fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
miscfiles_read_localization(afs_t)
sysnet_dns_name_resolve(afs_t)
ifdef(`hide_broken_symptoms',`
kernel_rw_unlabeled_files(afs_t)
')
########################################
#
# AFS bossserver local policy
#
allow afs_bosserver_t self:process { setsched signal_perms };
allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
allow afs_bosserver_t self:udp_socket create_socket_perms;
can_exec(afs_bosserver_t, afs_bosserver_exec_t)
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
allow afs_bosserver_t afs_kaserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
allow afs_bosserver_t afs_logfile_t:file manage_file_perms;
allow afs_bosserver_t afs_logfile_t:dir manage_dir_perms;
allow afs_bosserver_t afs_ptserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
allow afs_bosserver_t afs_vlserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_generic_node(afs_bosserver_t)
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_bind_generic_node(afs_bosserver_t)
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
files_read_usr_files(afs_bosserver_t)
miscfiles_read_localization(afs_bosserver_t)
seutil_read_config(afs_bosserver_t)
sysnet_read_config(afs_bosserver_t)
########################################
#
# fileserver local policy
#
allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
allow afs_fsserver_t self:udp_socket create_socket_perms;
read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
allow afs_fsserver_t afs_config_t:dir list_dir_perms;
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
allow afs_fsserver_t afs_files_t:filesystem getattr;
manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })
can_exec(afs_fsserver_t, afs_fsserver_exec_t)
manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_system_state(afs_fsserver_t)
kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_generic_node(afs_fsserver_t)
corenet_udp_bind_generic_node(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
fs_getattr_xattr_fs(afs_fsserver_t)
term_dontaudit_use_console(afs_fsserver_t)
init_dontaudit_use_script_fds(afs_fsserver_t)
logging_send_syslog_msg(afs_fsserver_t)
miscfiles_read_localization(afs_fsserver_t)
seutil_read_config(afs_fsserver_t)
sysnet_read_config(afs_fsserver_t)
userdom_dontaudit_use_user_terminals(afs_fsserver_t)
########################################
#
# kaserver local policy
#
allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
allow afs_kaserver_t self:udp_socket create_socket_perms;
manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)
manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_generic_node(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_bind_generic_node(afs_kaserver_t)
corenet_udp_bind_afs_ka_port(afs_kaserver_t)
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
files_read_etc_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)
files_read_usr_files(afs_kaserver_t)
miscfiles_read_localization(afs_kaserver_t)
seutil_read_config(afs_kaserver_t)
sysnet_read_config(afs_kaserver_t)
userdom_dontaudit_use_user_terminals(afs_kaserver_t)
########################################
#
# ptserver local policy
#
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
allow afs_ptserver_t self:udp_socket create_socket_perms;
read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
allow afs_ptserver_t afs_config_t:dir list_dir_perms;
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_generic_node(afs_ptserver_t)
corenet_udp_sendrecv_generic_node(afs_ptserver_t)
corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
files_read_etc_files(afs_ptserver_t)
miscfiles_read_localization(afs_ptserver_t)
sysnet_read_config(afs_ptserver_t)
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
#
# vlserver local policy
#
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
allow afs_vlserver_t self:udp_socket create_socket_perms;
read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
allow afs_vlserver_t afs_config_t:dir list_dir_perms;
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_generic_node(afs_vlserver_t)
corenet_udp_sendrecv_generic_node(afs_vlserver_t)
corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_bind_generic_node(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
files_read_etc_files(afs_vlserver_t)
miscfiles_read_localization(afs_vlserver_t)
sysnet_read_config(afs_vlserver_t)
userdom_dontaudit_use_user_terminals(afs_vlserver_t)