Last change on this file since 444 was 97, checked in by presbrey, 18 years ago
openafs module typo
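# Joe Presbrey
# presbrey@mit.edu
# 2006/1/15
#
# SELinux policy module for OpenAFS. Two domains are defined here:
#   afsd_t - the cache-manager daemon, declared as a system daemon domain
#            (init_daemon_domain) with afsd_exec_t as its entry point;
#   afs_t  - the AFS client utilities, entered from afs_bin_t and reachable
#            from both system_r and user_r.
# File contexts for the types below are expected in the module's .fc file
# (not part of this listing).

policy_module(openafs,1.0.0)

########################################
#
# Declarations

# Client utilities: domain plus its entry-point executable type.
type afs_t;
type afs_bin_t;
domain_type(afs_t)
domain_entry_file(afs_t, afs_bin_t)
corecmd_executable_file(afs_bin_t)

role system_r types afs_t;
role user_r types afs_t;

# Cache-manager daemon: domain plus its entry-point executable type.
type afsd_t;
type afsd_exec_t;
domain_type(afsd_t)
init_daemon_domain(afsd_t, afsd_exec_t)

# Daemon configuration and on-disk cache.
type afsd_etc_t;
type afsd_cache_t;
files_type(afsd_etc_t)
files_type(afsd_cache_t)

# The daemon fully manages its own config and cache trees.
allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;

########################################
#
# AFS local policy

# Baseline for the client utilities: /etc, shared libraries, locale data.
files_read_etc_files(afs_t)
files_read_etc_runtime_files(afs_t)
libs_use_ld_so(afs_t)
libs_use_shared_libs(afs_t)
miscfiles_read_localization(afs_t)

# Baseline for the daemon; note it may also write /etc runtime files.
files_read_etc_files(afsd_t)
files_rw_etc_runtime_files(afsd_t)
libs_use_ld_so(afsd_t)
libs_use_shared_libs(afsd_t)
miscfiles_read_localization(afsd_t)

# Inherited descriptors and terminals from init / init scripts.
init_use_fds(afsd_t)
init_use_script_ptys(afsd_t)
domain_use_interactive_fds(afsd_t)
term_use_console(afsd_t)

# Mounting the AFS filesystem and talking to the kernel through /proc.
# The nfs_* interfaces are reused for the AFS mount point; presumably the
# AFS filesystem is labelled with the nfs type here - confirm against the
# .fc / genfscon entries used on this system.
files_mounton_default(afsd_t)
kernel_read_system_state(afsd_t)
kernel_write_proc_files(afsd_t)
fs_mount_nfs(afsd_t)
fs_remount_nfs(afsd_t)
fs_unmount_nfs(afsd_t)
fs_manage_nfs_dirs(afsd_t)
fs_manage_nfs_files(afsd_t)
fs_manage_nfs_symlinks(afsd_t)
fs_manage_nfs_named_pipes(afsd_t)
fs_manage_nfs_named_sockets(afsd_t)

allow afsd_t self:dir mounton;
allow afsd_t self:process setsched;
# sys_admin is presumably needed for the mount/remount rules above; it is a
# very broad capability, so anything else granted to afsd_t should stay tight.
# sys_nice backs the setsched rule above.
allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };

# Network: name resolution plus generic TCP/UDP send/receive to all nodes.
sysnet_dns_name_resolve(afsd_t)
corenet_tcp_sendrecv_all_nodes(afsd_t)
corenet_udp_sendrecv_all_nodes(afsd_t)

# some redundancy here
afs_access(afsd_t)

# Types declared outside this module. (afs_fs_port_t was previously listed
# twice in this block and in the two socket rules below; the duplicate was
# merely redundant and has been dropped.)
require {
        type afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t;
        type netif_t, node_t;
        type kernel_t;
}
# NOTE(review): granting all_*_socket_perms against port types is broader
# than the name_bind / name_connect checks that port types normally gate;
# consider tightening to the specific permissions the daemon actually needs.
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:udp_socket all_udp_socket_perms;
allow afsd_t netif_t:netif { udp_recv udp_send };
allow afsd_t node_t:node { udp_recv udp_send };

# The next three rules widen the kernel domain (kernel_t) itself, not only
# afsd_t: the kernel may use the daemon's UDP sockets, and both sides get
# full access to keys. Presumably this is for the in-kernel AFS client
# sharing the daemon's socket and keyring - keep an eye on it when updating.
allow kernel_t afsd_t:udp_socket all_udp_socket_perms;

allow afsd_t kernel_t:key all_key_perms;
allow kernel_t self:key all_key_perms;

require {
        type inaddr_any_node_t;
}

########################################
#
# AFS client utilities

afs_access(afs_t)
allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms;
allow afs_t self:udp_socket all_udp_socket_perms;
# The utilities are allowed to use sockets owned by the daemon.
allow afs_t afsd_t:udp_socket all_udp_socket_perms;
# NOTE(review): node types are normally checked under the node class (as two
# lines below); udp_socket on inaddr_any_node_t probably never matches
# anything - confirm the intent before keeping it.
allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms;
allow afs_t netif_t:netif { udp_recv udp_send };
allow afs_t node_t:node { udp_recv udp_send };
# proc_t is declared outside this module; require it explicitly instead of
# relying on an earlier interface expansion to have pulled it in.
require { type proc_t; }
allow afs_t proc_t:file { ioctl read write };
term_use_all_user_ptys(afs_t)

# Silence key lookups against sshd's keyring (presumably when the utilities
# run from an ssh session) rather than granting them.
require { type sshd_t; }
dontaudit afs_t sshd_t:key all_key_perms;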