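# Joe Presbrey
# presbrey@mit.edu
# 2006/1/15

policy_module(openafs,1.0.0)

########################################
#
# Declarations
#

# afs_t: domain for the AFS userland commands; afs_bin_t is its entrypoint.
type afs_t;
type afs_bin_t;
domain_type(afs_t)
domain_entry_file(afs_t, afs_bin_t)
corecmd_executable_file(afs_bin_t)

# afs_t is reachable from both the system role and the ordinary user role.
role system_r types afs_t;
role user_r types afs_t;

# afsd_t: domain for the AFS cache manager daemon, started from init.
type afsd_t;
type afsd_exec_t;
domain_type(afsd_t)
init_daemon_domain(afsd_t, afsd_exec_t)

# Configuration and on-disk cache owned by afsd.
type afsd_etc_t;
type afsd_cache_t;
files_type(afsd_etc_t)
files_type(afsd_cache_t)

allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;

########################################
#
# AFS local policy
#

# Baseline for the command-line tools: read config, link libraries, locale.
files_read_etc_files(afs_t)
files_read_etc_runtime_files(afs_t)
libs_use_ld_so(afs_t)
libs_use_shared_libs(afs_t)
miscfiles_read_localization(afs_t)

# Baseline for the daemon; note it may also write /etc runtime files.
files_read_etc_files(afsd_t)
files_rw_etc_runtime_files(afsd_t)
libs_use_ld_so(afsd_t)
libs_use_shared_libs(afsd_t)
miscfiles_read_localization(afsd_t)

# Inherited descriptors and terminals from init / the init script.
init_use_fds(afsd_t)
init_use_script_ptys(afsd_t)
domain_use_interactive_fds(afsd_t)
term_use_console(afsd_t)

# afsd mounts the AFS filesystem and drives the kernel module through /proc.
# The nfs interfaces cover mount/remount/unmount and full access to the
# mounted tree.
files_mounton_default(afsd_t)
kernel_read_system_state(afsd_t)
kernel_write_proc_files(afsd_t)
fs_mount_nfs(afsd_t)
fs_remount_nfs(afsd_t)
fs_unmount_nfs(afsd_t)
fs_manage_nfs_dirs(afsd_t)
fs_manage_nfs_files(afsd_t)
fs_manage_nfs_symlinks(afsd_t)
fs_manage_nfs_named_pipes(afsd_t)
fs_manage_nfs_named_sockets(afsd_t)

allow afsd_t self:dir mounton;
allow afsd_t self:process setsched;
# sys_admin is required for mount(2); it is also the broadest capability
# there is, so keep this set to exactly what the daemon has been observed
# to need.
allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };

# Network access for talking to AFS servers.
sysnet_dns_name_resolve(afsd_t)
corenet_tcp_sendrecv_all_nodes(afsd_t)
corenet_udp_sendrecv_all_nodes(afsd_t)

# some redundancy here: afs_access() presumably overlaps with the explicit
# socket rules that follow (its definition is in the interface file).
afs_access(afsd_t)

require {
	type afs_bos_port_t, afs_fs_port_t, afs_ka_port_t, afs_pt_port_t, afs_vl_port_t;
	type netif_t, node_t;
	type kernel_t;
}
# NOTE(review): all_tcp_socket_perms / all_udp_socket_perms grant every
# socket permission on these port types; narrowing to the permissions afsd
# actually exercises would tighten this considerably.
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:tcp_socket all_tcp_socket_perms;
allow afsd_t { self afs_bos_port_t afs_fs_port_t afs_ka_port_t afs_pt_port_t afs_vl_port_t }:udp_socket all_udp_socket_perms;
allow afsd_t netif_t:netif { udp_recv udp_send };
allow afsd_t node_t:node { udp_recv udp_send };

# NOTE(review): the next rule and the kernel_t self:key rule below grant
# permissions to the kernel domain itself from this module; confirm both are
# really required rather than carried over from a denial log.
allow kernel_t afsd_t:udp_socket all_udp_socket_perms;

# Kernel keyring access used by the cache manager.
allow afsd_t kernel_t:key all_key_perms;
allow kernel_t self:key all_key_perms;

require {
	type inaddr_any_node_t;
	# proc_t was used below without being declared in any require block in
	# this file; listed here explicitly instead of relying on an interface
	# call elsewhere to pull it into scope.
	type proc_t;
}

# Userland tools: same AFS server access as the daemon, plus UDP on the
# daemon's own sockets and the wildcard node.
afs_access(afs_t)
allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms;
allow afs_t self:udp_socket all_udp_socket_perms;
# NOTE(review): lets the user-role afs_t domain operate on afsd's sockets
# with every UDP permission; check whether a narrower set suffices.
allow afs_t afsd_t:udp_socket all_udp_socket_perms;
allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms;
allow afs_t netif_t:netif { udp_recv udp_send };
allow afs_t node_t:node { udp_recv udp_send };
# ioctl/read/write on /proc files is how the tools talk to the kernel module.
allow afs_t proc_t:file { ioctl read write };
# NOTE(review): grants afs_t use of every user pty, not only the caller's;
# broad for a user-role domain.
term_use_all_user_ptys(afs_t)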