Commit | Line | Data |
---|---|---|
3eaa9939 DW |
1 | ############################################################################### |
2 | # | |
3 | # Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. | |
4 | # Written by David Howells (dhowells@redhat.com) | |
5 | # Karl MacMillan (kmacmill@redhat.com) | |
6 | # | |
7 | # This program is free software; you can redistribute it and/or | |
8 | # modify it under the terms of the GNU General Public License | |
9 | # as published by the Free Software Foundation; either version | |
10 | # 2 of the License, or (at your option) any later version. | |
11 | # | |
12 | ############################################################################### | |
13 | ||
14 | # | |
15 | # This security policy governs access by the CacheFiles kernel module and | |
16 | # userspace management daemon to the files and directories in the on-disk | |
17 | # cache, on behalf of the processes accessing the cache through a network | |
18 | # filesystem such as NFS | |
19 | # | |
9a0f7994 | 20 | policy_module(cachefilesd, 1.0.17) |
3eaa9939 DW |
21 | |
22 | ############################################################################### | |
23 | # | |
24 | # Declarations | |
25 | # | |
3eaa9939 DW |
26 | |
27 | # | |
28 | # Files in the cache are created by the cachefiles module with security ID | |
29 | # cachefiles_var_t | |
30 | # | |
31 | type cachefiles_var_t; | |
32 | files_type(cachefiles_var_t) | |
33 | ||
34 | # | |
35 | # The /dev/cachefiles character device has security ID cachefiles_dev_t | |
36 | # | |
37 | type cachefiles_dev_t; | |
38 | dev_node(cachefiles_dev_t) | |
39 | ||
40 | # | |
41 | # The cachefilesd daemon normally runs with security ID cachefilesd_t | |
42 | # | |
| # cachefilesd_exec_t labels the daemon binary; init_daemon_domain() ties the | |
| # two types together so that init starts the daemon in cachefilesd_t. | |
| # NOTE(review): init_daemon_domain() normally declares the domain itself, so | |
| # the explicit domain_type() is probably redundant - confirm against the | |
| # installed interface headers before removing it. | |
43 | type cachefilesd_t; | |
44 | type cachefilesd_exec_t; | |
45 | domain_type(cachefilesd_t) | |
46 | init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) | |
47 | ||
48 | # | |
49 | # The cachefilesd daemon pid file context | |
50 | # | |
51 | type cachefilesd_var_run_t; | |
52 | files_pid_file(cachefilesd_var_run_t) | |
53 | ||
54 | # | |
55 | # The CacheFiles kernel module causes processes accessing the cache files to do | |
56 | # so acting as security ID cachefiles_kernel_t | |
57 | # | |
| # No entry-point file type is declared for cachefiles_kernel_t in this file, | |
| # so nothing here lets a process exec its way into the domain; the only grant | |
| # that names it as a target is the kernel_service use_as_override rule in the | |
| # cachefilesd section further down. | |
| # NOTE(review): domain_obj_id_change_exemption() presumably exempts the domain | |
| # from the constraint on changing the SELinux user identity of objects - | |
| # confirm in the interface headers that the exemption is still required. | |
58 | type cachefiles_kernel_t; | |
59 | domain_type(cachefiles_kernel_t) | |
60 | domain_obj_id_change_exemption(cachefiles_kernel_t) | |
61 | role system_r types cachefiles_kernel_t; | |
62 | ||
63 | ############################################################################### | |
64 | # | |
65 | # Permit RPM to deal with files in the cache | |
66 | # | |
| # NOTE(review): going by its name, rpm_use_script_fds() lets cachefilesd_t use | |
| # file descriptors inherited from RPM scriptlets (for example when a package | |
| # script starts the daemon). No rule in this file grants an RPM domain access | |
| # to cachefiles_var_t, so the heading above overstates what is permitted - | |
| # confirm against the rpm interface file. | |
67 | rpm_use_script_fds(cachefilesd_t) | |
68 | ||
69 | ############################################################################### | |
70 | # | |
71 | # cachefilesd local policy | |
72 | # | |
73 | # These define what cachefilesd is permitted to do. This doesn't include very | |
74 | # much: startup stuff, logging, pid file, scanning the cache superstructure and | |
75 | # deleting files from the cache. It is not permitted to read/write files in | |
76 | # the cache. | |
77 | # | |
78 | # Check in /usr/share/selinux/devel/include/ for macros to use instead of allow | |
79 | # rules. | |
80 | # | |
| # Capabilities held by the daemon. dac_override lets it bypass ordinary file | |
| # permission checks and sys_admin is a very broad capability, so what confines | |
| # cachefilesd to the cache is the type enforcement below, not file modes. | |
| # NOTE(review): check that each of the four capabilities is still needed by | |
| # the current daemon and drop any that never show up in audit logs. | |
9a0f7994 | 81 | allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; |
3eaa9939 DW |
82 | |
83 | # Basic access | |
| # Reading /etc, loading shared libraries, locale data and syslog output. | |
| # The three dontaudit interfaces grant nothing; by their names they only | |
| # silence audit records for denied tty/pty access at startup. | |
84 | files_read_etc_files(cachefilesd_t) | |
85 | libs_use_ld_so(cachefilesd_t) | |
86 | libs_use_shared_libs(cachefilesd_t) | |
87 | miscfiles_read_localization(cachefilesd_t) | |
88 | logging_send_syslog_msg(cachefilesd_t) | |
89 | init_dontaudit_use_script_ptys(cachefilesd_t) | |
90 | term_dontaudit_use_generic_ptys(cachefilesd_t) | |
91 | term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) | |
92 | ||
93 | # Allow manipulation of pid file | |
| # NOTE(review): the raw allow below looks like a subset of what | |
| # manage_files_pattern() already grants on the same type pair, and | |
| # files_pid_file() repeats the declaration made in the Declarations section; | |
| # both are presumably redundant - confirm and remove. | |
| # files_pid_filetrans() makes files the daemon creates in the pid directory | |
| # take the cachefilesd_var_run_t label (going by the interface name). | |
94 | allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; | |
9a0f7994 DG |
95 | manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) |
96 | manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) | |
3eaa9939 | 97 | files_pid_file(cachefilesd_var_run_t) |
9a0f7994 | 98 | files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) |
| # NOTE(review): this line is not about the pid file. In refpolicy, | |
| # files_create_as_is_all_files() is understood to grant kernel_service | |
| # create_files_as over every file type, not only cachefiles_var_t. If that | |
| # holds for the installed headers, it is far broader than the narrow | |
| # create_files_as rule on cachefiles_var_t later in this file and makes that | |
| # rule redundant. Confirm against files.if and prefer the narrow rule alone. | |
3eaa9939 DW |
99 | files_create_as_is_all_files(cachefilesd_t) |
100 | ||
101 | # Allow access to cachefiles device file | |
| # Read/write on the /dev/cachefiles character device, which is the channel | |
| # between the daemon and the kernel module. | |
9a0f7994 | 102 | allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; |
3eaa9939 DW |
103 | |
104 | # Allow access to cache superstructure | |
| # Directories may be listed, modified and removed; files may only be | |
| # stat-ed, renamed and unlinked. No read, write or create permission on | |
| # cache files is granted to the daemon here, which matches the statement in | |
| # the section header that it cannot read or write cached data. | |
9a0f7994 DG |
105 | allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir }; |
106 | allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink }; | |
3eaa9939 DW |
107 | |
108 | # Permit statfs on the backing filesystem | |
109 | fs_getattr_xattr_fs(cachefilesd_t) | |
110 | ||
111 | ############################################################################### | |
112 | # | |
113 | # When cachefilesd invokes the kernel module to begin caching, it has to tell | |
114 | # the kernel module the security context in which it should act, and this | |
115 | # policy has to approve that. | |
116 | # | |
117 | # There are two parts to this: | |
118 | # | |
119 | # (1) the security context used by the module to access files in the cache, | |
120 | # as set by the 'secctx' command in /etc/cachefilesd.conf, and | |
121 | # | |
| # Only cachefiles_kernel_t is approved as an override context. A secctx | |
| # value naming any other type has no matching use_as_override rule in this | |
| # file and should therefore be refused when the daemon hands it to the | |
| # kernel module - TODO confirm against the kernel-side check. | |
9a0f7994 | 122 | allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; |
3eaa9939 DW |
123 | |
124 | # | |
125 | # (2) the label that will be assigned to new files and directories created in | |
126 | # the cache by the module, which will be the same as the label on the | |
127 | # directory pointed to by the 'dir' command. | |
128 | # | |
| # Only cachefiles_var_t is approved here as the label for new cache objects. | |
| # NOTE(review): the files_create_as_is_all_files() call in the pid file | |
| # section may already grant create_files_as for all file types; if so, this | |
| # restriction is not effective until that call is removed. | |
9a0f7994 | 129 | allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; |
3eaa9939 DW |
130 | |
131 | ############################################################################### | |
132 | # | |
133 | # cachefiles kernel module local policy | |
134 | # | |
135 | # This governs what the kernel module is allowed to do to the contents of the | |
136 | # cache. | |
137 | # | |
| # dac_override and dac_read_search let the module reach cache files | |
| # regardless of their owner and mode while it acts in this context. | |
| # NOTE(review): the sigchld grant to initrc_t is presumably a leftover from | |
| # init-script startup; confirm it is still exercised before keeping it. | |
138 | allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; | |
139 | allow cachefiles_kernel_t initrc_t:process sigchld; | |
140 | ||
| # Full management of directories and files labelled cachefiles_var_t. This | |
| # is the only domain in this file that may read or write cached content. | |
9a0f7994 DG |
141 | manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) |
142 | manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) | |
3eaa9939 DW |
143 | |
| # statfs on the backing filesystem, mirroring the grant given to the daemon. | |
144 | fs_getattr_xattr_fs(cachefiles_kernel_t) | |
145 | ||
| # Directory search in sysfs only, going by the interface name. | |
146 | dev_search_sysfs(cachefiles_kernel_t) |