Changeset 90 for selinux/build/afsd.te
- Timestamp:
- Jan 20, 2007, 9:31:21 PM (18 years ago)
- File:
-
- 1 edited
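--- a/selinux/build/afsd.te
+++ b/selinux/build/afsd.te
@@ -1,8 +1,16 @@
-policy_module(afsd,1.0.0)
+# Joe Presbrey
+# presbrey@mit.edu
+# 2006/1/15
 
-########################################
-#
-# Declarations
-#
+policy_module(openafs,1.0.0)
+
+type afs_t;
+type afs_bin_t;
+domain_type(afs_t)
+domain_entry_file(afs_t, afs_bin_t)
+corecmd_executable_file(afs_bin_t)
+
+role system_r types afs_t;
+role user_r types afs_t;
 
 type afsd_t;
@@ -11,8 +19,6 @@
 init_daemon_domain(afsd_t, afsd_exec_t)
 
-# var/lib files
 type afsd_etc_t;
 type afsd_cache_t;
-#files_type(afsd_etc_t)
 files_type(afsd_etc_t)
 files_type(afsd_cache_t)
@@ -20,9 +26,14 @@
 allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
 allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;
-#files_var_lib_filetrans(afsd_t,afsd_cache_t, { file dir sock_file })
 
 ########################################
 #
 # AFS local policy
+
+files_read_etc_files(afs_t)
+files_read_etc_runtime_files(afs_t)
+libs_use_ld_so(afs_t)
+libs_use_shared_libs(afs_t)
+miscfiles_read_localization(afs_t)
 
 files_read_etc_files(afsd_t)
@@ -32,5 +43,4 @@
 miscfiles_read_localization(afsd_t)
 
-# Init script handling
 init_use_fds(afsd_t)
 init_use_script_ptys(afsd_t)
@@ -44,4 +54,5 @@
 fs_remount_nfs(afsd_t)
 fs_unmount_nfs(afsd_t)
+fs_manage_nfs_dirs(afsd_t)
 fs_manage_nfs_files(afsd_t)
 fs_manage_nfs_symlinks(afsd_t)
@@ -49,16 +60,13 @@
 fs_manage_nfs_named_sockets(afsd_t)
 
-fs_getattr_xattr_fs(afsd_t);
-
 allow afsd_t self:dir mounton;
 allow afsd_t self:process setsched;
-allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };
+allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };
 
-#allow afsd_t lo_node_t:node all_node_perms;
-#allow afsd_t net_conf_t:file read;
 sysnet_dns_name_resolve(afsd_t)
 corenet_tcp_sendrecv_all_nodes(afsd_t)
 corenet_udp_sendrecv_all_nodes(afsd_t)
 
+# some redundancy here
 afs_access(afsd_t);
 
@@ -73,3 +81,20 @@
 allow afsd_t node_t:node { udp_recv udp_send };
 
+allow kernel_t afsd_t:udp_socket all_udp_socket_perms;
+
 allow afsd_t kernel_t:key all_key_perms;
+allow kernel_t self:key all_key_perms;
+
+require {
+type inaddr_any_node_t;
+};
+
+afs_access(afs_t)
+allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms;
+allow afs_t self:udp_socket all_udp_socket_perms;
+allow afs_t afsd_t:udp_socket all_udp_socket_perms;
+allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms;
+allow afs_t netif_t:netif { udp_recv udp_send };
+allow afs_t node_t:node { udp_recv udp_send };
+allow afs_t proc_t:file { ioctl read write };
+term_use_all_user_ptys(afs_t)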
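Review bot: The last hunk grants whole permission sets where a daemon policy would normally list the few operations it actually needs: `all_udp_socket_perms` for afs_t over its own, afsd_t's and inaddr_any_node_t sockets, `all_udp_socket_perms` for kernel_t over afsd_t sockets, and `all_key_perms` for kernel_t on itself, none of which is explained in the changeset. Since afs_t is made reachable from both system_r and user_r in the first hunk, the `allow afs_t proc_t:file { ioctl read write };` line in particular deserves a comment naming which /proc file is written and why, or a narrower type than proc_t. I would add a comment such as `# TODO: replace the all_*_perms sets below with the specific permissions observed in audit logs (sesearch/audit2allow) and note which AFS operation needs each` above the `require { type inaddr_any_node_t; };` block, and move that require block next to the other declarations so the interface dependencies are visible in one place. The `# some redundancy here` comment added in the previous hunk should say which rules it considers redundant with `afs_access(afsd_t)` so the overlap can be removed later rather than left as a hint.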