source: selinux/build/afsd.te @ 82

Last change on this file since 82 was 82, checked in by presbrey, 16 years ago
httpd can resource limit suexec
File size: 2.0 KB
Line 
1policy_module(afsd,1.0.0)
2
3########################################
4#
5# Declarations
6#
7
8type afsd_t;
9type afsd_exec_t;
10domain_type(afsd_t)
11init_daemon_domain(afsd_t, afsd_exec_t)
12
13# var/lib files
14type afsd_etc_t;
15type afsd_cache_t;
16#files_type(afsd_etc_t)
17files_type(afsd_etc_t)
18files_type(afsd_cache_t)
19
20allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
21allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;
22#files_var_lib_filetrans(afsd_t,afsd_cache_t, { file dir sock_file })
23
24########################################
25#
26# AFS local policy
27
28files_read_etc_files(afsd_t)
29files_rw_etc_runtime_files(afsd_t)
30libs_use_ld_so(afsd_t)
31libs_use_shared_libs(afsd_t)
32miscfiles_read_localization(afsd_t)
33
34# Init script handling
35init_use_fds(afsd_t)
36init_use_script_ptys(afsd_t)
37domain_use_interactive_fds(afsd_t)
38term_use_console(afsd_t)
39
40files_mounton_default(afsd_t)
41kernel_read_system_state(afsd_t)
42kernel_write_proc_files(afsd_t)
43fs_mount_nfs(afsd_t)
44fs_remount_nfs(afsd_t)
45fs_unmount_nfs(afsd_t)
46fs_manage_nfs_files(afsd_t)
47fs_manage_nfs_symlinks(afsd_t)
48fs_manage_nfs_named_pipes(afsd_t)
49fs_manage_nfs_named_sockets(afsd_t)
50
51fs_getattr_xattr_fs(afsd_t);
52
53allow afsd_t self:dir mounton;
54allow afsd_t self:process setsched;
55allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
56
57#allow afsd_t lo_node_t:node all_node_perms;
58#allow afsd_t net_conf_t:file read;
59sysnet_dns_name_resolve(afsd_t)
60corenet_tcp_sendrecv_all_nodes(afsd_t)
61corenet_udp_sendrecv_all_nodes(afsd_t)
62
63afs_access(afsd_t);
64
65require {
66        type afs_bos_port_t,afs_fs_port_t,afs_fs_port_t,afs_ka_port_t,afs_pt_port_t,afs_vl_port_t;
67        type netif_t, node_t;
68        type kernel_t;
69}
70allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
71allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:udp_socket all_udp_socket_perms;
72allow afsd_t netif_t:netif { udp_recv udp_send };
73allow afsd_t node_t:node { udp_recv udp_send };
74
75allow afsd_t kernel_t:key all_key_perms;
Note: See TracBrowser for help on using the repository browser.