[selinux-policy: 797/3172] add rpc
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:13:55 UTC 2010
commit 43989f82f8b15d9b182506632fc52a62f7d86964
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Oct 24 01:53:13 2005 +0000
add rpc
refpolicy/Changelog | 1 +
refpolicy/policy/global_tunables | 9 +
refpolicy/policy/modules/kernel/filesystem.if | 161 +++++++++++++++
refpolicy/policy/modules/kernel/kernel.if | 56 ++++++
refpolicy/policy/modules/kernel/kernel.te | 47 +++++
refpolicy/policy/modules/services/portmap.if | 37 ++++
refpolicy/policy/modules/services/portmap.te | 5 +
refpolicy/policy/modules/services/rpc.fc | 25 +++
refpolicy/policy/modules/services/rpc.if | 263 +++++++++++++++++++++++++
refpolicy/policy/modules/services/rpc.te | 143 ++++++++++++++
refpolicy/policy/modules/system/authlogin.if | 63 ++++++
refpolicy/policy/modules/system/files.if | 153 ++++++++++++++
refpolicy/policy/modules/system/init.te | 9 +
refpolicy/policy/modules/system/userdomain.if | 48 +++++
refpolicy/policy/modules/system/userdomain.te | 4 +
15 files changed, 1024 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 15dd368..c92a2d1 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -13,6 +13,7 @@
pegasus
postfix
radius
+ rpc
spamassassin
xdm
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 933d75c..68f3292 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -23,6 +23,9 @@ gen_tunable(allow_ftpd_anon_write,false)
## Allow gpg executable stack
gen_tunable(allow_gpg_execstack,false)
+## Allow gssd to read temp directory.
+gen_tunable(allow_gssd_read_tmp,true)
+
## Allow Apache to modify public files
## used for public file transfer services.
gen_tunable(allow_httpd_anon_write,false)
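Review bot: `gen_tunable(allow_gssd_read_tmp,true)` is the only tunable added here that defaults to true, and its one-line description does not say what it opens up; read together with rpc.te in this commit, the boolean lets gssd_t list and read every unprivileged user's tmp files and symlinks, not just "the temp directory". Since this comment is generated into the user-facing tunable docs, make the scope explicit: `## Allow gssd to read unprivileged users' temporary files (presumably Kerberos credential caches); enabled by default.` Whether on-by-default is intended deserves a sentence too, given every other allow_* tunable visible in this file defaults to false.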
@@ -84,6 +87,12 @@ gen_tunable(httpd_unified,false)
## Generally this is used for dynamic DNS.
gen_tunable(named_write_master_zones,false)
+## Allow nfs to be exported read/write.
+gen_tunable(nfs_export_all_rw,false)
+
+## Allow nfs to be exported read only
+gen_tunable(nfs_export_all_ro,false)
+
## Allow pppd to load kernel modules for certain modems
gen_tunable(pppd_can_insmod,false)
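Review bot: The descriptions of `nfs_export_all_rw` and `nfs_export_all_ro` understate what they grant: in kernel.te of this commit the rw tunable hands kernel_t create/write/delete on every type carrying file_type except shadow_t, and ro hands it read on the same set, independent of which trees /etc/exports actually lists. Say so where an admin reads it, e.g. `## Allow the kernel NFS server to read and write all labeled files (except shadow), not only nfsd_rw_t content.` and the matching read-only wording for the ro tunable, so flipping the boolean is understood as a system-wide grant rather than one scoped to the exports.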
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d5c32a9..3ce30eb 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -526,6 +526,58 @@ interface(`fs_read_cifs_files',`
########################################
## <summary>
+## Read all noxattrfs directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_list_noxattr_fs',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir r_dir_perms;
+
+')
+
+########################################
+## <summary>
+## Read all noxattrfs files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_read_noxattr_fs_files',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir search;
+ allow $1 noxattrfs:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+## Read all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`fs_read_noxattr_fs_symlinks',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ allow $1 noxattrfs:dir search;
+ allow $1 noxattrfs:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read
## files on a CIFS or SMB filesystem.
## </summary>
@@ -1152,6 +1204,78 @@ interface(`fs_read_nfs_symlinks',`
########################################
## <summary>
+## Read directories of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_dirs',`
+ gen_require(`
+ type rpc_pipefs_t;
+ class dir { getattr read search };
+ ')
+
+ allow $1 rpc_pipefs_t:dir { getattr read search };
+
+')
+
+########################################
+## <summary>
+## Read files of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_files',`
+ gen_require(`
+ type rpc_pipefs_t;
+ class file { read getattr };
+ ')
+
+ allow $1 rpc_pipefs_t:file { read getattr };
+
+')
+
+########################################
+## <summary>
+## Read symbolic links of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_symlinks',`
+ gen_require(`
+ type rpc_pipefs_t;
+ class lnk_file { getattr read };
+ ')
+
+ allow $1 rpc_pipefs_t:lnk_file { getattr read };
+
+')
+
+########################################
+## <summary>
+## Read sockets of RPC file system pipes.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the symbolic links.
+## </param>
+#
+interface(`fs_read_rpc_sockets',`
+ gen_require(`
+ type rpc_pipefs_t;
+ class sock_file { read write };
+ ')
+
+ allow $1 rpc_pipefs_t:sock_file { read write };
+
+')
+
+########################################
+## <summary>
## Create, read, write, and delete directories
## on a NFS filesystem.
## </summary>
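Review bot: `fs_read_rpc_sockets` grants `{ read write }` on rpc_pipefs_t:sock_file while its summary says "Read sockets", so a caller choosing it by name silently gets write access; either drop `write` or rename it `fs_rw_rpc_sockets` and state the write in the summary. The `<param>` text of all four new rpc_pipefs interfaces was copied from the symlink variant ("The type of the domain reading the symbolic links") and should describe directories, files and sockets respectively, since these comments are extracted into the interface documentation.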
@@ -1399,6 +1523,43 @@ interface(`fs_getattr_nfsd_fs',`
########################################
## <summary>
+## Search NFS server directories.
+## </summary>
+## <param name="domain">
+## The type of the domain doing the
+## search on nfsd directories.
+## </param>
+#
+interface(`fs_search_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ class dir search;
+ ')
+
+ allow $1 nfsd_fs_t:dir search;
+')
+
+########################################
+## <summary>
+## Read and write NFS server files.
+## </summary>
+## <param name="domain">
+## The type of the domain doing the
+## read or write on nfsd files.
+## </param>
+#
+interface(`fs_rw_nfsd_fs',`
+ gen_require(`
+ type nfsd_fs_t;
+ class file rw_file_perms;
+ ')
+
+ allow $1 nfsd_fs_t:file rw_file_perms;
+')
+
+
+########################################
+## <summary>
## Mount a RAM filesystem.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index ad4a432..21b89ab 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -724,6 +724,23 @@ interface(`kernel_dontaudit_search_network_state',`
########################################
## <summary>
+## Allow searching of network state directory.
+## </summary>
+## <param name="domain">
+## The process type reading the state.
+## </param>
+##
+#
+interface(`kernel_search_network_state',`
+ gen_require(`
+ type proc_net_t;
+ ')
+
+ allow $1 proc_net_t:dir search;
+')
+
+########################################
+## <summary>
## Allow caller to read the network state information.
## </summary>
## <param name="domain">
@@ -745,6 +762,27 @@ interface(`kernel_read_network_state',`
########################################
## <summary>
+## Allow caller to read the network state symbolic links.
+## </summary>
+## <param name="domain">
+## The process type reading the state.
+## </param>
+##
+#
+interface(`kernel_read_network_state_symlinks',`
+ gen_require(`
+ type proc_t, proc_net_t;
+ class dir r_dir_perms;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 proc_t:dir search;
+ allow $1 proc_net_t:dir r_dir_perms;
+ allow $1 proc_net_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts by caller to search
## the base directory of sysctls.
## </summary>
@@ -763,6 +801,24 @@ interface(`kernel_dontaudit_search_sysctl',`
########################################
## <summary>
+## Allow access to read sysctl directories.
+## </summary>
+## <param name="domain">
+## The process type to allow to read sysctl directories.
+## </param>
+##
+#
+interface(`kernel_read_sysctl',`
+ gen_require(`
+ type sysctl_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 sysctl_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Allow caller to read the device sysctls.
## </summary>
## <param name="domain">
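Review bot: `kernel_read_sysctl` only grants `sysctl_t:dir r_dir_perms`, which lists the sysctl tree but reads no sysctl value, so the name promises more than the interface gives; the convention visible elsewhere in this commit (e.g. `kernel_list_proc` in portmap.te) uses "list" for directory-only access. Either rename it `kernel_list_sysctl` (its single caller in this commit is rpc.te) or make the summary explicit: `## List sysctl directories; does not grant reading sysctl values.`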
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 39b9e4e..87f988e 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -221,6 +221,53 @@ ifdef(`targeted_policy',`
unconfined_domain_template(kernel_t)
')
+optional_policy(`rpc.te',`
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ allow kernel_t self:tcp_socket create_stream_socket_perms;
+ allow kernel_t self:udp_socket { connect };
+ allow kernel_t self:tcp_socket connected_socket_perms;
+ allow kernel_t self:udp_socket connected_socket_perms;
+
+ # nfs kernel server needs kernel UDP access. It is less risky and painful
+ # to just give it everything.
+ corenet_udp_sendrecv_all_if(kernel_t)
+ corenet_udp_sendrecv_all_nodes(kernel_t)
+ corenet_tcp_bind_all_nodes(kernel_t)
+ corenet_udp_bind_all_nodes(kernel_t)
+ corenet_tcp_sendrecv_all_ports(kernel_t)
+ corenet_udp_sendrecv_all_ports(kernel_t)
+
+ auth_dontaudit_getattr_shadow(kernel_t)
+
+ sysnet_read_config(kernel_t)
+
+ rpc_manage_nfs_ro_content(kernel_t)
+ rpc_manage_nfs_rw_content(kernel_t)
+
+ rpc_udp_rw_nfs_sockets(kernel_t)
+ #rpc_udp_sendto_sockets(kernel_t)
+ rpc_udp_sendto_nfs(kernel_t)
+
+ tunable_policy(`nfs_export_all_ro',`
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+ auth_read_all_dirs_except_shadow(kernel_t)
+ auth_read_all_files_except_shadow(kernel_t)
+ auth_read_all_symlinks_except_shadow(kernel_t)
+ ')
+
+ tunable_policy(`nfs_export_all_rw',`
+ fs_list_noxattr_fs(kernel_t)
+ fs_read_noxattr_fs_files(kernel_t)
+ fs_read_noxattr_fs_symlinks(kernel_t)
+
+ auth_manage_all_files_except_shadow(kernel_t)
+ ')
+')
+
########################################
#
# Unlabeled process local policy
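Review bot: Under `nfs_export_all_rw` the block hands kernel_t `auth_manage_all_files_except_shadow`, i.e. create, write and delete on every type with the file_type attribute except shadow_t, so with that boolean on SELinux no longer constrains where the in-kernel NFS server writes and only the export list and DAC remain. That is what the tunable name says, but nothing in this file warns the reader; add above the two tunable blocks `# NOTE: these tunables are not scoped to exported trees; rw gives kernel_t manage on all file_type except shadow_t.` Separately, the "nfs kernel server needs kernel UDP access" comment is pasted twice and says UDP although the rules under it also open TCP (`corenet_tcp_bind_all_nodes`, `corenet_tcp_sendrecv_all_ports`); keep one copy and say "UDP and TCP".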
diff --git a/refpolicy/policy/modules/services/portmap.if b/refpolicy/policy/modules/services/portmap.if
index c2934b9..ba50160 100644
--- a/refpolicy/policy/modules/services/portmap.if
+++ b/refpolicy/policy/modules/services/portmap.if
@@ -77,3 +77,40 @@ interface(`portmap_udp_sendto',`
allow $1 portmap_t:udp_socket sendto;
allow portmap_t $1:udp_socket recvfrom;
')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic from portmap.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`portmap_udp_sendrecv',`
+ gen_require(`
+ type portmap_t;
+ ')
+
+ allow $1 portmap_t:udp_socket sendto;
+ allow portmap_t $1:udp_socket recvfrom;
+ allow portmap_t $1:udp_socket sendto;
+ allow $1 portmap_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Connect to portmap over a TCP socket
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`portmap_tcp_connect',`
+ gen_require(`
+ type portmap_t;
+ ')
+
+ allow $1 portmap_t:tcp_socket { connectto recvfrom };
+ allow portmap_t $1:tcp_socket { acceptfrom recvfrom };
+ kernel_tcp_recvfrom($1)
+')
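Review bot: The first two rules of `portmap_udp_sendrecv` are byte-for-byte the body of `portmap_udp_sendto` shown in the context lines above it; calling `portmap_udp_sendto($1)` and adding only the reverse direction keeps the two from drifting apart. In `portmap_tcp_connect`, `kernel_tcp_recvfrom($1)` changes the caller's relationship with kernel_t rather than with portmap_t, which the summary does not mention; either document it ("also allows the caller to receive TCP from the kernel domain") or leave that grant to the caller.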
diff --git a/refpolicy/policy/modules/services/portmap.te b/refpolicy/policy/modules/services/portmap.te
index be80b85..5c4e9ce 100644
--- a/refpolicy/policy/modules/services/portmap.te
+++ b/refpolicy/policy/modules/services/portmap.te
@@ -45,6 +45,7 @@ kernel_read_kernel_sysctl(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
kernel_udp_sendfrom(portmap_t)
+kernel_tcp_recvfrom(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
@@ -118,6 +119,10 @@ optional_policy(`nscd.te',`
nscd_use_socket(portmap_t)
')
+optional_policy(`rpc.te',`
+ rpc_udp_sendto_nfs(portmap_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(portmap_t)
')
diff --git a/refpolicy/policy/modules/services/rpc.fc b/refpolicy/policy/modules/services/rpc.fc
new file mode 100644
index 0000000..ac3475e
--- /dev/null
+++ b/refpolicy/policy/modules/services/rpc.fc
@@ -0,0 +1,25 @@
+#
+# /etc
+#
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
+
+#
+# /sbin
+#
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/exportfs -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0)
+/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+/usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+
+#
+# /var
+#
+/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpc_var_run_t,s0)
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpc_var_run_t,s0)
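Review bot: `/usr/sbin/rpc.idmapd` is the only entry with an unescaped dot; file-context paths are regular expressions, so `.` matches any character, and every other line here writes `rpc\.`. Change it to `/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpc_exec_t,s0)`. Note also that `/sbin/rpc\..*` labels any /sbin/rpc.* binary rpc_exec_t while the nfsd- and gssd-specific labels are given only under /usr/sbin, so an rpc.nfsd or rpc.gssd installed in /sbin would run in rpc_t instead of its own domain; a comment stating that /sbin is deliberately catch-all would help.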
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
new file mode 100644
index 0000000..06e0066
--- /dev/null
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -0,0 +1,263 @@
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
+
+#######################################
+## <summary>
+## The template to define a rpc domain.
+## </summary>
+## <desc>
+## <p>
+## This template creates a domain to be used for
+## a new rpc daemon.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The type of daemon to be used.
+## </param>
+#
+template(`rpc_domain_template', `
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t;
+ type $1_exec_t;
+ init_daemon_domain($1_t,$1_exec_t)
+ domain_use_wide_inherit_fd($1_t)
+
+ ####################################
+ #
+ # Local Policy
+ #
+
+ dontaudit $1_t self:capability { net_admin sys_tty_config };
+ allow $1_t self:capability net_bind_service;
+ allow $1_t self:process signal_perms;
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:netlink_route_socket r_netlink_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+
+ allow $1_t var_lib_nfs_t:dir create_dir_perms;
+ allow $1_t var_lib_nfs_t:file create_file_perms;
+
+ kernel_list_proc($1_t)
+ kernel_read_proc_symlinks($1_t)
+ kernel_read_kernel_sysctl($1_t)
+ # bind to arbitary unused ports
+ kernel_rw_rpc_sysctl($1_t)
+
+ dev_read_sysfs($1_t)
+
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_udp_sendrecv_all_if($1_t)
+ corenet_raw_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_udp_sendrecv_all_nodes($1_t)
+ corenet_raw_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_bind_all_nodes($1_t)
+ corenet_udp_bind_all_nodes($1_t)
+ corenet_tcp_bind_reserved_port($1_t)
+ corenet_tcp_bind_reserved_port($1_t)
+ corenet_tcp_connect_all_ports($1_t)
+ # do not log when it tries to bind to a port belonging to another domain
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
+ # bind to arbitary unused ports
+ corenet_tcp_bind_generic_port($1_t)
+
+ fs_search_auto_mountpoints($1_t)
+
+ term_dontaudit_use_console($1_t)
+
+ files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_search_var($1_t)
+ files_search_var_lib_dir($1_t)
+
+ init_use_fd($1_t)
+ init_use_script_pty($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ sysnet_read_config($1_t)
+
+ userdom_dontaudit_use_unpriv_user_fd($1_t)
+
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty($1_t)
+ term_dontaudit_use_generic_pty($1_t)
+ files_dontaudit_read_root_file($1_t)
+ ')
+
+ optional_policy(`mount.te',`
+ mount_send_nfs_client_request($1_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_t)
+ ')
+
+ optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole($1_t)
+ ')
+
+ optional_policy(`udev.te', `
+ udev_read_db($1_t)
+ ')
+
+ ifdef(`TODO',`
+ optional_policy(`rhgb.te',`
+ rhgb_domain($1_t)
+ ')
+ ')
+')
+
+########################################
+## <summary>
+## Send UDP network traffic to rpc and recieve UDP traffic from rpc.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`rpc_udp_sendto',`
+ gen_require(`
+ type rpc_t;
+ ')
+
+ allow $1 rpc_t:udp_socket sendto;
+ allow rpc_t $1:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Allow read access to exports.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`rpc_read_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Allow write access to exports.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`rpc_write_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+## Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+ domain_auto_trans($1,nfsd_exec_t,nfsd_t)
+
+ allow $1 nfsd_t:fd use;
+ allow nfsd_t $1:fd use;
+ allow nfsd_t $1:fifo_file rw_file_perms;
+ allow nfsd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`rpc_manage_nfs_rw_content',`
+ gen_require(`
+ type nfsd_rw_t;
+ ')
+
+ allow $1 nfsd_rw_t:dir manage_dir_perms;
+ allow $1 nfsd_rw_t:file manage_file_perms;
+ allow $1 nfsd_rw_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to create read and write NFS directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`rpc_manage_nfs_ro_content',`
+ gen_require(`
+ type nfsd_ro_t;
+ ')
+
+ allow $1 nfsd_ro_t:dir manage_dir_perms;
+ allow $1 nfsd_ro_t:file manage_file_perms;
+ allow $1 nfsd_ro_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read and write to an NFS UDP socket.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:udp_socket rw_socket_perms;
+
+')
+
+########################################
+## <summary>
+## Allow NFS to send UDP network traffic
+## the specified domain and recieve from it.
+## </summary>
+## <param name="domain">
+## The type of the receiving domain.
+## </param>
+#
+interface(`rpc_udp_sendto_nfs',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow nfsd_t $1:udp_socket sendto;
+ allow $1 nfsd_t:udp_socket recvfrom;
+')
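Review bot: `corenet_tcp_bind_reserved_port($1_t)` appears twice in a row in `rpc_domain_template`; the second was presumably meant to be `corenet_udp_bind_reserved_port($1_t)`, since the template otherwise pairs each tcp rule with a udp one and the dontaudit two lines below already covers UDP reserved ports. `rpc_manage_nfs_ro_content` carries the summary copied from the rw variant ("create read and write NFS directories") yet grants full manage on a type whose name promises read-only; if kernel_t genuinely must write nfsd_ro_t, the summary should say why, otherwise narrow it to read. Minor: the template's `<param>` is named userdomain_prefix but describes "the type of daemon", and the module summary misspells "management".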
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
new file mode 100644
index 0000000..19e8aab
--- /dev/null
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -0,0 +1,143 @@
+
+policy_module(rpc,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type exports_t;
+files_type(exports_t)
+
+rpc_domain_template(gssd)
+
+type gssd_tmp_t;
+files_tmp_file(gssd_tmp_t)
+
+type rpc_var_run_t;
+files_pid_file(rpc_var_run_t)
+
+# rpc_t is the domain of rpc daemons.
+# rpc_exec_t is the type of rpc daemon programs.
+rpc_domain_template(rpc)
+
+rpc_domain_template(nfsd)
+
+type nfsd_rw_t;
+files_type(nfsd_rw_t)
+
+type nfsd_ro_t;
+files_type(nfsd_ro_t)
+
+type var_lib_nfs_t;
+files_type(var_lib_nfs_t)
+
+########################################
+#
+# RPC local policy
+#
+
+allow rpc_t self:fifo_file rw_file_perms;
+allow rpc_t self:file { getattr read };
+
+dontaudit userdomain exports_t:file getattr;
+allow rpc_t rpc_var_run_t:file create_file_perms;
+allow rpc_t rpc_var_run_t:dir create_dir_perms;
+allow rpc_t rpc_var_run_t:dir setattr;
+files_create_pid(rpc_t,rpc_var_run_t)
+
+kernel_search_network_state(rpc_t)
+# for rpc.rquotad
+kernel_read_sysctl(rpc_t)
+
+fs_read_rpc_dirs(rpc_t)
+fs_read_rpc_files(rpc_t)
+fs_read_rpc_symlinks(rpc_t)
+fs_read_rpc_sockets(rpc_t)
+term_use_controlling_term(rpc_t)
+
+seutil_dontaudit_search_config(rpc_t)
+
+# rpc_t needs to talk to the portmap_t domain
+portmap_udp_sendrecv(rpc_t)
+
+ifdef(`distro_redhat', `
+ allow rpc_t self:capability { chown dac_override setgid setuid };
+')
+
+########################################
+#
+# NFSD local policy
+#
+
+allow nfsd_t self:capability { sys_admin sys_resource };
+
+allow nfsd_t exports_t:file { getattr read };
+allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
+
+# for /proc/fs/nfs/exports - should we have a new type?
+kernel_read_system_state(nfsd_t)
+kernel_read_network_state(nfsd_t)
+kernel_udp_sendfrom(nfsd_t)
+kernel_tcp_recvfrom(nfsd_t)
+
+fs_mount_nfsd_fs(nfsd_t)
+fs_search_nfsd_fs(nfsd_t)
+fs_getattr_all_fs(nfsd_t)
+fs_rw_nfsd_fs(nfsd_t)
+
+term_use_controlling_term(nfsd_t)
+
+# does not really need this, but it is easier to just allow it
+files_search_pids(nfsd_t)
+# for exportfs and rpc.mountd
+files_getattr_tmp_dir(nfsd_t)
+
+portmap_tcp_connect(nfsd_t)
+portmap_udp_sendrecv(nfsd_t)
+
+tunable_policy(`nfs_export_all_rw',`
+ auth_read_all_dirs_except_shadow(nfsd_t)
+ fs_read_noxattr_fs_files(nfsd_t)
+')
+
+tunable_policy(`nfs_export_all_ro',`
+ auth_read_all_dirs_except_shadow(nfsd_t)
+ fs_read_noxattr_fs_files(nfsd_t)
+')
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setuid };
+allow gssd_t self:fifo_file { read write };
+
+allow gssd_t gssd_tmp_t:dir create_dir_perms;
+allow gssd_t gssd_tmp_t:file create_file_perms;
+files_create_tmp_files(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+
+dev_read_urand(gssd_t)
+
+fs_read_rpc_dirs(gssd_t)
+fs_read_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+
+files_read_tmp(gssd_t)
+files_read_tmp_files(gssd_t)
+files_read_tmp_symlinks(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_unpriv_user_tmp(gssd_t)
+ userdom_read_unpriv_user_tmp_files(gssd_t)
+ userdom_read_unpriv_user_tmp_symlinks(gssd_t)
+')
+
+optional_policy(`kerberos.te',`
+ kerberos_use(gssd_t)
+ kerberos_read_keytab(gssd_t)
+')
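Review bot: `dontaudit userdomain exports_t:file getattr;` uses the userdomain attribute directly with no gen_require and bypasses the userdomain module's interfaces; in a loadable-module build this will presumably fail on the undeclared attribute, and the rest of this file reaches other modules through interfaces (e.g. `userdom_read_unpriv_user_tmp_files`). Replace it with a userdom_ dontaudit interface, or at least a `gen_require(` attribute userdomain; ')`. The two `tunable_policy` blocks for nfsd_t are identical; folding them into one `tunable_policy(`nfs_export_all_rw || nfs_export_all_ro',` block keeps them from drifting.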
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 5dc7695..1829987 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -650,6 +650,69 @@ interface(`auth_delete_pam_console_data',`
########################################
## <summary>
+## Read all directories on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_dirs_except_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_read_all_dirs_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_files_except_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_read_all_files_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
+## Read all symbolic links on the filesystem, except
+## the shadow passwords and listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`auth_read_all_symlinks_except_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+
+ files_read_all_symlinks_except($1,$2 -shadow_t)
+')
+
+########################################
+## <summary>
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </summary>
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index a306ffe..59d562a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -403,6 +403,73 @@ interface(`files_read_all_files',`
########################################
## <summary>
+## Read all directories on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_dirs_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all files on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_files_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir search;
+ allow $1 { file_type $2 }:file r_file_perms;
+
+')
+
+########################################
+## <summary>
+## Read all symbloic links on the filesystem, except
+## the listed exceptions.
+## </summary>
+## <param name="domain">
+## The type of the domain perfoming this action.
+## </param>
+## <param name="exception_types" optional="true">
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
+## </param>
+#
+interface(`files_read_all_symlinks_except',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 { file_type $2 }:dir search;
+ allow $1 { file_type $2 }:lnk_file r_file_perms;
+
+')
+
+########################################
+## <summary>
## Get the attributes of all symbolic links.
## </summary>
## <param name="domain">
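Review bot: The summary of `files_read_all_symlinks_except` misspells "symbolic" as "symbloic", and all three new interfaces write "perfoming" for "performing"; these comments are extracted into the generated interface documentation, so fix them: `## Read all symbolic links on the filesystem, except` and `## The type of the domain performing this action.`. The same "perfoming" typo recurs in the authlogin.if interfaces of this commit.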
@@ -1941,6 +2008,23 @@ interface(`files_dontaudit_getattr_tmp_dir',`
########################################
## <summary>
+## Allow domain to getattr on /tmp directory.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ class dir getattr;
+ ')
+
+ allow $1 tmp_t:dir getattr;
+')
+
+########################################
+## <summary>
## Search the tmp directory (/tmp).
## </summary>
## <param name="domain">
@@ -1958,6 +2042,57 @@ interface(`files_search_tmp',`
########################################
## <summary>
+## Read the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp',`
+ gen_require(`
+ type tmp_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 tmp_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read files in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ class file r_file_perms;
+ ')
+
+ allow $1 tmp_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read symbolic links in the tmp directory (/tmp).
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_read_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ class lnk_file r_file_perms;
+ ')
+
+ allow $1 tmp_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
@@ -2371,6 +2506,24 @@ interface(`files_create_var',`
########################################
## <summary>
+## Search directories in /var/lib.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`files_search_var_lib_dir',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir search;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lib_t:dir search;
+')
+
+########################################
+## <summary>
## Get the attributes of the /var/lib directory.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ae6c889..70c9cd6 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -426,6 +426,11 @@ ifdef(`distro_redhat',`
optional_policy(`bind.te',`
bind_manage_config_dir(initrc_t)
')
+
+ optional_policy(`rpc.te',`
+ #for /etc/rc.d/init.d/nfs to create /etc/exports
+ rpc_write_exports(initrc_t)
+ ')
')
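Review bot: The comment says the nfs init script needs to create /etc/exports, but `rpc_write_exports` (rpc.if in this commit) grants only `exports_t:file write`; creating the file would happen in the parent directory and the result would not be labeled exports_t without a type transition, so either the comment overstates the need or the rule is insufficient. If creation really is required, add a create interface with a transition to exports_t; otherwise change the comment to `#for /etc/rc.d/init.d/nfs to update /etc/exports`. The distro_redhat block these lines sit in begins outside the hunk.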
ifdef(`targeted_policy',`
@@ -551,6 +556,10 @@ optional_policy(`raid.te',`
raid_manage_mdadm_pid(initrc_t)
')
+optional_policy(`rpc.te',`
+ rpc_read_exports(initrc_t)
+')
+
optional_policy(`postgresql.te',`
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 541f199..5cef4cc 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2247,6 +2247,54 @@ interface(`userdom_read_unpriv_user_home_files',`
########################################
## <summary>
+## Read all unprivileged users temporary directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_list_unpriv_user_tmp',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read all unprivileged users temporary files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_read_unpriv_user_tmp_files',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:file { read getattr };
+')
+
+########################################
+## <summary>
+## Read all unprivileged users temporary symbolic links.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`userdom_read_unpriv_user_tmp_symlinks',`
+ gen_require(`
+ attribute user_tmpfile;
+ ')
+
+ allow $1 user_tmpfile:lnk_file { getattr read };
+')
+
+########################################
+## <summary>
## Write all unprivileged users files in /tmp
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index cda95a5..e23c94d 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -218,6 +218,10 @@ ifdef(`targeted_policy',`
netutils_run_traceroute(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`rpc.te',`
+ rpc_domtrans_nfsd(sysadm_t)
+ ')
+
optional_policy(`ntp.te',`
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)