source: selinux/build/afsd.te @ 90

Last change on this file since 90 was 90, checked in by presbrey, 16 years ago
OpenAFS Client strict SELinux module
File size: 2.7 KB
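# Joe Presbrey
# presbrey@mit.edu
# 2006/1/15

policy_module(openafs,1.0.0)

########################################
#
# Declarations
#

# afs_t is the domain for the AFS client-side command binaries; afs_bin_t
# labels those binaries and is the entry point into afs_t.
type afs_t;
type afs_bin_t;
domain_type(afs_t)
domain_entry_file(afs_t, afs_bin_t)
corecmd_executable_file(afs_bin_t)

# NOTE(review): no domain transition into afs_t is declared in this file;
# presumably it lives in a companion .if/.te -- confirm before relying on
# afs_t to confine the user-run commands.
role system_r types afs_t;
role user_r types afs_t;

# afsd_t is the domain for the afsd cache-manager daemon, entered from
# afsd_exec_t via the init daemon transition.
type afsd_t;
type afsd_exec_t;
domain_type(afsd_t)
init_daemon_domain(afsd_t, afsd_exec_t)

# Daemon-owned configuration and on-disk cache; both are ordinary file types.
type afsd_etc_t;
type afsd_cache_t;
files_type(afsd_etc_t)
files_type(afsd_cache_t)

allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;

########################################
#
# AFS local policy
#

# Base runtime needs of the command domain: /etc, shared libraries, locale.
files_read_etc_files(afs_t)
files_read_etc_runtime_files(afs_t)
libs_use_ld_so(afs_t)
libs_use_shared_libs(afs_t)
miscfiles_read_localization(afs_t)

# Same for the daemon; it may additionally write /etc runtime files.
files_read_etc_files(afsd_t)
files_rw_etc_runtime_files(afsd_t)
libs_use_ld_so(afsd_t)
libs_use_shared_libs(afsd_t)
miscfiles_read_localization(afsd_t)

# Descriptors and terminals inherited from init / the console at startup.
init_use_fds(afsd_t)
init_use_script_ptys(afsd_t)
domain_use_interactive_fds(afsd_t)
term_use_console(afsd_t)

# Mounting and managing the AFS filesystem.  The nfs_t interfaces are used
# here; presumably the AFS mount ends up labelled nfs_t via genfscon --
# confirm, since otherwise these grants target the wrong filesystem type.
files_mounton_default(afsd_t)
kernel_read_system_state(afsd_t)
kernel_write_proc_files(afsd_t)
fs_mount_nfs(afsd_t)
fs_remount_nfs(afsd_t)
fs_unmount_nfs(afsd_t)
fs_manage_nfs_dirs(afsd_t)
fs_manage_nfs_files(afsd_t)
fs_manage_nfs_symlinks(afsd_t)
fs_manage_nfs_named_pipes(afsd_t)
fs_manage_nfs_named_sockets(afsd_t)

allow afsd_t self:dir mounton;
allow afsd_t self:process setsched;
# sys_admin is the broadest capability granted in this module (presumably
# for mount(2)); sys_nice presumably backs the setsched rule above.  The need
# for sys_tty_config is not evident from this file -- confirm.
allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };

# Name resolution plus TCP/UDP traffic to any node.
sysnet_dns_name_resolve(afsd_t)
corenet_tcp_sendrecv_all_nodes(afsd_t)
corenet_udp_sendrecv_all_nodes(afsd_t)

# some redundancy here
afs_access(afsd_t)

# Types from other modules referenced by the raw allow rules below.
# afs_fs_port_t was listed twice; once is sufficient.
require {
        type afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t;
        type netif_t, node_t;
        type kernel_t;
}
# NOTE(review): all_*_socket_perms on a port type is broader than the
# name_bind/name_connect checks a port type actually mediates; the extra
# bits are inert but the corenet_*_bind/_connect interfaces would say what
# is meant.
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:udp_socket all_udp_socket_perms;
allow afsd_t netif_t:netif { udp_recv udp_send };
allow afsd_t node_t:node { udp_recv udp_send };

# Presumably the in-kernel client sends on the daemon's UDP socket -- confirm.
allow kernel_t afsd_t:udp_socket all_udp_socket_perms;

# Kernel keyrings (presumably PAG/token storage -- confirm).
allow afsd_t kernel_t:key all_key_perms;
# NOTE(review): this rule grants the kernel domain itself, not a domain owned
# by this module; it is out of scope here unless it cannot be avoided.
allow kernel_t self:key all_key_perms;

# proc_t is required explicitly so the afs_t /proc rule below does not depend
# on the gen_require() presumably emitted by kernel_write_proc_files() above.
require {
        type inaddr_any_node_t;
        type proc_t;
}

afs_access(afs_t)
allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms;
allow afs_t self:udp_socket all_udp_socket_perms;
allow afs_t afsd_t:udp_socket all_udp_socket_perms;
allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms;
allow afs_t netif_t:netif { udp_recv udp_send };
allow afs_t node_t:node { udp_recv udp_send };
# Read/write access to /proc files from the user command domain is wide;
# the specific files needed are not evident from this policy -- confirm.
allow afs_t proc_t:file { ioctl read write };
term_use_all_user_ptys(afs_t)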