Changeset 90 for selinux/build/afsd.te


Timestamp:
Jan 20, 2007, 9:31:21 PM (17 years ago)
Author:
presbrey
Message:
OpenAFS Client strict SELinux module
File:
1 edited

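--- a/selinux/build/afsd.te
+++ b/selinux/build/afsd.te
@@ -1,8 +1,16 @@
-policy_module(afsd,1.0.0)
+# Joe Presbrey
+# presbrey@mit.edu
+# 2006/1/15
 
-########################################
-#
-# Declarations
-#
+policy_module(openafs,1.0.0)
+
+type afs_t;
+type afs_bin_t;
+domain_type(afs_t)
+domain_entry_file(afs_t, afs_bin_t)
+corecmd_executable_file(afs_bin_t)
+
+role system_r types afs_t;
+role user_r types afs_t;
 
 type afsd_t;
@@ -11,8 +19,6 @@
 init_daemon_domain(afsd_t, afsd_exec_t)
 
-# var/lib files
 type afsd_etc_t;
 type afsd_cache_t;
-#files_type(afsd_etc_t)
 files_type(afsd_etc_t)
 files_type(afsd_cache_t)
@@ -20,9 +26,14 @@
 allow afsd_t { afsd_etc_t afsd_cache_t }:dir manage_dir_perms;
 allow afsd_t { afsd_etc_t afsd_cache_t }:file_class_set manage_file_perms;
-#files_var_lib_filetrans(afsd_t,afsd_cache_t, { file dir sock_file })
 
 ########################################
 #
 # AFS local policy
+
+files_read_etc_files(afs_t)
+files_read_etc_runtime_files(afs_t)
+libs_use_ld_so(afs_t)
+libs_use_shared_libs(afs_t)
+miscfiles_read_localization(afs_t)
 
 files_read_etc_files(afsd_t)
@@ -32,5 +43,4 @@
 miscfiles_read_localization(afsd_t)
 
-# Init script handling
 init_use_fds(afsd_t)
 init_use_script_ptys(afsd_t)
@@ -44,4 +54,5 @@
 fs_remount_nfs(afsd_t)
 fs_unmount_nfs(afsd_t)
+fs_manage_nfs_dirs(afsd_t)
 fs_manage_nfs_files(afsd_t)
 fs_manage_nfs_symlinks(afsd_t)
@@ -49,16 +60,13 @@
 fs_manage_nfs_named_sockets(afsd_t)
 
-fs_getattr_xattr_fs(afsd_t);
-
 allow afsd_t self:dir mounton;
 allow afsd_t self:process setsched;
-allow afsd_t self:capability { sys_admin sys_nice sys_tty_config};
+allow afsd_t self:capability { sys_admin sys_nice sys_tty_config };
 
-#allow afsd_t lo_node_t:node all_node_perms;
-#allow afsd_t net_conf_t:file read;
 sysnet_dns_name_resolve(afsd_t)
 corenet_tcp_sendrecv_all_nodes(afsd_t)
 corenet_udp_sendrecv_all_nodes(afsd_t)
 
+# some redundancy here
 afs_access(afsd_t);
 
@@ -73,3 +81,20 @@
 allow afsd_t node_t:node { udp_recv udp_send };
 
+allow kernel_t afsd_t:udp_socket all_udp_socket_perms;
+
 allow afsd_t kernel_t:key all_key_perms;
+allow kernel_t self:key all_key_perms;
+
+require {
+        type inaddr_any_node_t;
+};
+
+afs_access(afs_t)
+allow afs_t afs_pt_port_t:udp_socket all_udp_socket_perms;
+allow afs_t self:udp_socket all_udp_socket_perms;
+allow afs_t afsd_t:udp_socket all_udp_socket_perms;
+allow afs_t inaddr_any_node_t:udp_socket all_udp_socket_perms;
+allow afs_t netif_t:netif { udp_recv udp_send };
+allow afs_t node_t:node { udp_recv udp_send };
+allow afs_t proc_t:file { ioctl read write };
+term_use_all_user_ptys(afs_t)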
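Review bot: The new afs_t rules at the end of this section are much broader than a client utility needs, and afs_t is reachable from `user_r`: `all_udp_socket_perms` is granted on the port type `afs_pt_port_t`, on the node type `inaddr_any_node_t` and on afsd_t's sockets, and `proc_t:file { ioctl read write }` lets the domain write under /proc. In reference policy of this vintage the bind rules are normally just `allow afs_t afs_pt_port_t:udp_socket name_bind;` and `allow afs_t inaddr_any_node_t:udp_socket node_bind;` (or the matching `corenet_udp_bind_*` interfaces where they exist), and the `write` on proc_t should be dropped or justified with a comment naming the /proc file the client actually writes. The two `allow kernel_t …` lines also widen a core domain from inside this module, which is normally done through `kernel_*` interfaces rather than raw rules; at minimum a comment explaining why kernel_t needs `all_key_perms` on its own keys would help a later reviewer. The `require { type inaddr_any_node_t; }` block declares only one of the external types used here — `netif_t`, `node_t`, `proc_t`, `kernel_t` and `afs_pt_port_t` presumably belong in the same `gen_require` block unless they are declared in a part of afsd.te outside this diff.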