Changeset 90 for selinux/build
- Timestamp:
- Jan 20, 2007, 9:31:21 PM (18 years ago)
- Location:
- selinux/build
- Files:
-
- 3 edited
TabularUnified selinux/build/afsd.fc ¶
r79 r90 1 # afs executable will have: 2 # label: system_u:object_r:afsd_exec_t 3 # MLS sensitivity: s0 4 # MCS categories: <none> 1 # Joe Presbrey 2 # presbrey@mit.edu 3 # 2006/1/15 5 4 6 5 /afs -d gen_context(system_u:object_r:default_t,s0) … … 9 8 /usr/vice/etc/afsd -- gen_context(system_u:object_r:afsd_exec_t,s0) 10 9 /usr/vice/cache(/.*)? gen_context(system_u:object_r:afsd_cache_t,s0) 10 11 /usr/bin/afsmonitor gen_context(system_u:object_r:afs_bin_t,s0) 12 /usr/bin/bos gen_context(system_u:object_r:afs_bin_t,s0) 13 /usr/bin/fs gen_context(system_u:object_r:afs_bin_t,s0) 14 /usr/bin/kapasswd gen_context(system_u:object_r:afs_bin_t,s0) 15 /usr/bin/klog gen_context(system_u:object_r:afs_bin_t,s0) 16 /usr/bin/klog.krb gen_context(system_u:object_r:afs_bin_t,s0) 17 /usr/bin/kpasswd gen_context(system_u:object_r:afs_bin_t,s0) 18 /usr/bin/pagsh gen_context(system_u:object_r:afs_bin_t,s0) 19 /usr/bin/pagsh.krb gen_context(system_u:object_r:afs_bin_t,s0) 20 /usr/bin/pts gen_context(system_u:object_r:afs_bin_t,s0) 21 /usr/bin/scout gen_context(system_u:object_r:afs_bin_t,s0) 22 /usr/bin/sys gen_context(system_u:object_r:afs_bin_t,s0) 23 /usr/bin/tokens gen_context(system_u:object_r:afs_bin_t,s0) 24 /usr/bin/tokens.krb gen_context(system_u:object_r:afs_bin_t,s0) 25 /usr/bin/translate_et gen_context(system_u:object_r:afs_bin_t,s0) 26 /usr/bin/udebug gen_context(system_u:object_r:afs_bin_t,s0) 27 /usr/bin/unlog gen_context(system_u:object_r:afs_bin_t,s0) 28 /usr/sbin/backup gen_context(system_u:object_r:afs_bin_t,s0) 29 /usr/sbin/butc gen_context(system_u:object_r:afs_bin_t,s0) 30 /usr/sbin/copyauth gen_context(system_u:object_r:afs_bin_t,s0) 31 /usr/sbin/fms gen_context(system_u:object_r:afs_bin_t,s0) 32 /usr/sbin/fstrace gen_context(system_u:object_r:afs_bin_t,s0) 33 /usr/sbin/kas gen_context(system_u:object_r:afs_bin_t,s0) 34 /usr/sbin/kseal gen_context(system_u:object_r:afs_bin_t,s0) 35 /usr/sbin/read_tape gen_context(system_u:object_r:afs_bin_t,s0) 36 
/usr/sbin/restorevol gen_context(system_u:object_r:afs_bin_t,s0) 37 /usr/sbin/rxdebug gen_context(system_u:object_r:afs_bin_t,s0) 38 /usr/sbin/uss gen_context(system_u:object_r:afs_bin_t,s0) 39 /usr/sbin/vos gen_context(system_u:object_r:afs_bin_t,s0) 40 /usr/sbin/vsys gen_context(system_u:object_r:afs_bin_t,s0) -
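Review bot: The new afs_bin_t entries (new-side lines 11-40 of this section) omit the `--` file-type qualifier that the surviving `/usr/vice/etc/afsd --` entry uses, so each path matches any object class at that location rather than regular files only; `/usr/bin/fs -- gen_context(system_u:object_r:afs_bin_t,s0)` is the consistent form for every one of these executables. Several of the names are also generic and installed by other packages: `/usr/bin/kpasswd` in particular is normally the Kerberos kpasswd on hosts with MIT or Heimdal krb5, and labelling it afs_bin_t would run that program in afs_t with the network and pty access granted in afsd.te. Worth confirming which package owns each of these paths on the target systems, or restricting the list to the AFS-specific names and the `.krb` variants that cannot collide.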
TabularUnified selinux/build/afsd.if ¶
r81 r90 1 ## <summary>policy for afs</summary> 1 # Joe Presbrey 2 # presbrey@mit.edu 3 # 2006/1/15 2 4 3 ########################################4 ## <summary>5 ## Execute a domain transition to run afs.6 ## </summary>7 ## <param name="domain">8 ## <summary>9 ## Domain allowed to transition.10 ## </summary>11 ## </param>12 #13 5 interface(`afsd_domtrans',` 14 6 gen_require(` … … 26 18 interface(`afs_access',` 27 19 gen_require(` 20 type afs_t, afs_bin_t; 28 21 type afsd_t, afsd_etc_t; 29 type autofs_t, nfs_t;30 22 ') 31 allow $1 afsd_t:udp_socket all_udp_socket_perms; 23 24 allow $1 afs_bin_t:file rx_file_perms; 25 domain_auto_trans($1, afs_bin_t, afs_t) 26 allow afs_t $1:fd use; 27 allow afs_t $1:process sigchld; 28 29 allow $1 afsd_t:udp_socket write; 32 30 allow $1 afsd_etc_t:dir r_dir_perms; 33 31 allow $1 afsd_etc_t:file r_file_perms; 34 32 allow $1 afsd_etc_t:lnk_file r_file_perms; 35 allow $1 autofs_t:dir all_dir_perms; 36 allow $1 autofs_t:lnk_file all_lnk_file_perms; 37 allow $1 nfs_t:dir all_dir_perms; 38 allow $1 nfs_t:file all_file_perms; 39 allow $1 nfs_t:lnk_file all_lnk_file_perms; 40 allow $1 nfs_t:sock_file all_sock_file_perms; 41 allow $1 nfs_t:fifo_file all_fifo_file_perms; 42 allow $1 nfs_t:chr_file all_chr_file_perms; 43 allow $1 nfs_t:blk_file all_blk_file_perms; 33 fs_manage_autofs_symlinks($1) 34 fs_manage_nfs_dirs($1) 35 fs_manage_nfs_files($1) 36 fs_manage_nfs_symlinks($1) 37 fs_manage_nfs_named_pipes($1) 38 fs_manage_nfs_named_sockets($1) 44 39 ') -
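Review bot: The rewrite drops the `## <summary>` / `## <param>` documentation block that headed `afsd_domtrans` (old-side lines 1-12) and gives the new `afs_access` body none, replacing both with an author header; the refpolicy interface-documentation tooling reads those `##` comments, so the generated policy docs lose both interface descriptions. I would keep the original block and add one for afs_access along the lines of `## <summary>Read AFS client configuration, manage AFS/NFS-labelled content, and run the AFS command-line tools in the afs_t domain.</summary>` with a `## <param name="domain">` entry. That summary should state explicitly that the interface now performs `domain_auto_trans($1, afs_bin_t, afs_t)` for every caller, since the name "access" does not suggest a domain transition and callers need a role that is allowed afs_t for it to work; the conventional shape would be a separate `afs_run`-style interface taking the role as a second parameter, leaving afs_access as pure file and socket access.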
TabularUnified selinux/build/afsd.te ¶
r82 r90 1 policy_module(afsd,1.0.0) 1 # Joe Presbrey 2 # presbrey@mit.edu 3 # 2006/1/15 2 4 3 ######################################## 4 # 5 # Declarations 6 # 5 policy_module(openafs,1.0.0) 6 7 type afs_t; 8 type afs_bin_t; 9 domain_type(afs_t) 10 domain_entry_file(afs_t, afs_bin_t) 11 corecmd_executable_file(afs_bin_t) 12 13 role system_r types afs_t; 14 role user_r types afs_t; 7 15 8 16 type afsd_t; … … 11 19 init_daemon_domain(afsd_t, afsd_exec_t) 12 20 13 # var/lib files14 21 type afsd_etc_t; 15 22 type afsd_cache_t; 16 #files_type(afsd_etc_t)17 23 files_type(afsd_etc_t) 18 24 files_type(afsd_cache_t) … … 20 26 allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms; 21 27 allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms; 22 #files_var_lib_filetrans(afsd_t,afsd_cache_t, { file dir sock_file })23 28 24 29 ######################################## 25 30 # 26 31 # AFS local policy 32 33 files_read_etc_files(afs_t) 34 files_read_etc_runtime_files(afs_t) 35 libs_use_ld_so(afs_t) 36 libs_use_shared_libs(afs_t) 37 miscfiles_read_localization(afs_t) 27 38 28 39 files_read_etc_files(afsd_t) … … 32 43 miscfiles_read_localization(afsd_t) 33 44 34 # Init script handling35 45 init_use_fds(afsd_t) 36 46 init_use_script_ptys(afsd_t) … … 44 54 fs_remount_nfs(afsd_t) 45 55 fs_unmount_nfs(afsd_t) 56 fs_manage_nfs_dirs(afsd_t) 46 57 fs_manage_nfs_files(afsd_t) 47 58 fs_manage_nfs_symlinks(afsd_t) … … 49 60 fs_manage_nfs_named_sockets(afsd_t) 50 61 51 fs_getattr_xattr_fs(afsd_t);52 53 62 allow afsd_t self:dir mounton; 54 63 allow afsd_t self:process setsched; 55 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };64 allow afsd_t self:capability { sys_admin sys_nice sys_tty_config }; 56 65 57 #allow afsd_t lo_node_t:node all_node_perms;58 #allow afsd_t net_conf_t:file read;59 66 sysnet_dns_name_resolve(afsd_t) 60 67 corenet_tcp_sendrecv_all_nodes(afsd_t) 61 68 corenet_udp_sendrecv_all_nodes(afsd_t) 62 69 70 # some redundancy here 63 71 
afs_access(afsd_t); 64 72 … … 73 81 allow afsd_t node_t:node { udp_recv udp_send }; 74 82 83 allow kernel_t afsd_t:udp_socket all_udp_socket_perms; 84 75 85 allow afsd_t kernel_t:key all_key_perms; 86 allow kernel_t self:key all_key_perms; 87 88 require { 89 type inaddr_any_node_t; 90 }; 91 92 afs_access(afs_t) 93 allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms; 94 allow afs_t self:udp_socket all_udp_socket_perms; 95 allow afs_t afsd_t:udp_socket all_udp_socket_perms; 96 allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms; 97 allow afs_t netif_t:netif { udp_recv udp_send }; 98 allow afs_t node_t:node { udp_recv udp_send }; 99 allow afs_t proc_t:file { ioctl read write }; 100 term_use_all_user_ptys(afs_t)
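Review bot: The new afs_t network rules at the end of this section grant `all_udp_socket_perms` against a port type, a node type and the daemon's own sockets, which is far broader than those targets need: a port type is only ever checked for `name_bind`/`send_msg`/`recv_msg` and a node type for `node_bind`, while the afsd.if change in this same commit narrows afs_access's grant on afsd_t sockets to `write` only for afsd.te to hand afs_t everything back. I would reduce them to `allow afs_t afs_pt_port_t:udp_socket { name_bind send_msg recv_msg };`, `allow afs_t inaddr_any_node_t:udp_socket node_bind;`, and drop `allow afs_t afsd_t:udp_socket all_udp_socket_perms;` since `afs_access(afs_t)` two lines earlier already covers what the tools need. `allow afs_t proc_t:file { ioctl read write };` likewise allows writing every proc_t-labelled file, including /proc/sys entries; if the intent is the OpenAFS ioctl node under /proc/fs/openafs, a dedicated type assigned via genfscon would bound it to that one file — worth confirming that is the purpose, and the comment `# some redundancy here` above `afs_access(afsd_t)` should say which rules it refers to or be resolved.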