1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport-layer-specific interfaces are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only NetLabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID, which makes it very difficult to distinguish between actual unlabeled packets and those packets which have MLS security attributes.
# rpc module: local policy for three domains created below with
# rpc_domain_template(): rpcd (generic RPC daemons), nfsd (the NFS server)
# and gssd (the GSS/kerberos helper, see the kerberos_* rules at the end).
# Sections: declarations, then one "local policy" block per domain.
policy_module(rpc,1.5.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow gssd to read temp directory.
## </p>
## </desc>
# Default on; gates the userdom_*_unpriv_users_tmp* rules for gssd_t below.
gen_tunable(allow_gssd_read_tmp,true)

## <desc>
## <p>
## Allow nfs servers to modify public files
## used for public file transfer services.
## </p>
## </desc>
# Default off; gates miscfiles_manage_public_files(nfsd_t) below.
# NOTE(review): nfs_export_all_rw and nfs_export_all_ro are also used
# in this file but are not declared here with gen_tunable — presumably
# they come from a global tunables file; verify.
gen_tunable(allow_nfsd_anon_write,false)

# Type of the exports configuration; nfsd_t is only given getattr/read on it.
type exports_t;
files_type(exports_t)

rpc_domain_template(gssd)

# Private tmp type for gssd_t (see manage_*_pattern and files_tmp_filetrans below).
type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)

# PID-file type for rpcd_t.
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)

# rpcd_t is the domain of rpc daemons.
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)

rpc_domain_template(nfsd)

# Types for exported trees; nfsd_t only gets list_dir_perms on both here.
type nfsd_rw_t;
files_type(nfsd_rw_t)

type nfsd_ro_t;
files_type(nfsd_ro_t)

# Declared as a mountpoint type; no rule in this file grants access to it.
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)

########################################
#
# RPC local policy
#

allow rpcd_t self:capability { chown dac_override setgid setuid };
allow rpcd_t self:fifo_file rw_fifo_file_perms;

# PID file handling: rpcd_t creates its own files under the pid directory
# and they are labeled rpcd_var_run_t via the filetrans.
allow rpcd_t rpcd_var_run_t:dir setattr;
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)

kernel_read_system_state(rpcd_t)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)

# rpc_pipefs access (list, files, symlinks, sockets).
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_read_rpc_sockets(rpcd_t)
term_use_controlling_term(rpcd_t)

# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)

miscfiles_read_certs(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

optional_policy(`
	nis_read_ypserv_config(rpcd_t)
')

########################################
#
# NFSD local policy
#

# sys_admin is a broad capability; the other three are DAC bypass and
# resource-limit overrides.
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };

# Read-only on the exports file; exported trees themselves are only listed.
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;

# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)

corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)

fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)

term_use_controlling_term(nfsd_t)

# does not really need this, but it is easier to just allow it
files_search_pids(nfsd_t)
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
# NOTE(review): this rule names rpcd_t inside the NFSD section and
# duplicates the identical rule in the RPC section above, so it grants
# nothing new here; it looks like a copy-paste slip for nfsd_t. Confirm
# the intent before changing it — switching to nfsd_t would grant the
# NFS server write access to the mount table.
files_manage_mounttab(rpcd_t)

# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)

# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
	miscfiles_manage_public_files(nfsd_t)
')

# Widest grants in this module: per the interface names, every file type
# except the shadow type becomes writable (rw) or readable (ro) by nfsd_t
# when the respective tunable is on.
tunable_policy(`nfs_export_all_rw',`
	fs_read_noxattr_fs_files(nfsd_t)
	auth_manage_all_files_except_shadow(nfsd_t)
')

tunable_policy(`nfs_export_all_ro',`
	fs_read_noxattr_fs_files(nfsd_t)
	auth_read_all_files_except_shadow(nfsd_t)
')

########################################
#
# GSSD local policy
#

allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
# NOTE(review): rpcd_t uses rw_fifo_file_perms for the same self:fifo_file
# rule; the two permission sets may differ — confirm which one is intended.
allow gssd_t self:fifo_file rw_file_perms;

# Private tmp: files and dirs gssd_t creates in tmp are labeled gssd_tmp_t.
manage_dirs_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })

kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)

corecmd_exec_bin(gssd_t)

# rpc_pipefs access (list, sockets, files).
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)

files_list_tmp(gssd_t)
files_read_usr_symlinks(gssd_t)

miscfiles_read_certs(gssd_t)

# Targeted policy only: gssd_t may manage (not just read) files of the
# generic tmp type, i.e. beyond its own gssd_tmp_t. The tunable block
# below is the narrower, read-only path for per-user tmp.
ifdef(`targeted_policy',`
	files_read_generic_tmp_files(gssd_t)
	files_read_generic_tmp_symlinks(gssd_t)
	# Manage the users kerberos tgt file
	files_manage_generic_tmp_files(gssd_t)
')

tunable_policy(`allow_gssd_read_tmp',`
	userdom_list_unpriv_users_tmp(gssd_t)
	userdom_read_unpriv_users_tmp_files(gssd_t)
	userdom_read_unpriv_users_tmp_symlinks(gssd_t)
')

# Keytab read access is only granted when the kerberos module is present.
optional_policy(`
	kerberos_use(gssd_t)
	kerberos_read_keytab(gssd_t)
')

optional_policy(`
	pcscd_read_pub_files(gssd_t)
')

optional_policy(`
	xserver_rw_xdm_tmp_files(gssd_t)
')