[people/stevee/selinux-policy.git] / policy / modules / services / cachefilesd.te

###############################################################################
#
# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
#            Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################

#
# This security policy governs access by the CacheFiles kernel module and
# userspace management daemon to the files and directories in the on-disk
# cache, on behalf of the processes accessing the cache through a network
# filesystem such as NFS
#
policy_module(cachefilesd, 1.0.17)

###############################################################################
#
# Declarations
#

#
# Files in the cache are created by the cachefiles module with security ID
# cachefiles_var_t
#
type cachefiles_var_t;
files_type(cachefiles_var_t)

#
# The /dev/cachefiles character device has security ID cachefiles_dev_t
#
type cachefiles_dev_t;
dev_node(cachefiles_dev_t)

#
# The cachefilesd daemon normally runs with security ID cachefilesd_t
#
type cachefilesd_t;
type cachefilesd_exec_t;
domain_type(cachefilesd_t)
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)

#
# The cachefilesd daemon pid file context
#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)

#
# The CacheFiles kernel module causes processes accessing the cache files to do
# so acting as security ID cachefiles_kernel_t
#
type cachefiles_kernel_t;
domain_type(cachefiles_kernel_t)
domain_obj_id_change_exemption(cachefiles_kernel_t)
role system_r types cachefiles_kernel_t;

###############################################################################
#
# Permit RPM to deal with files in the cache
#
rpm_use_script_fds(cachefilesd_t)

###############################################################################
#
# cachefilesd local policy
#
# These define what cachefilesd is permitted to do.  This doesn't include very
# much: startup stuff, logging, pid file, scanning the cache superstructure and
# deleting files from the cache.  It is not permitted to read/write files in
# the cache.
#
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
# rules.
#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };

# Basic access
files_read_etc_files(cachefilesd_t)
libs_use_ld_so(cachefilesd_t)
libs_use_shared_libs(cachefilesd_t)
miscfiles_read_localization(cachefilesd_t)
logging_send_syslog_msg(cachefilesd_t)
init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)

# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_file(cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
files_create_as_is_all_files(cachefilesd_t)

# Allow access to cachefiles device file
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;

# Allow access to cache superstructure
allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };

# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)

###############################################################################
#
# When cachefilesd invokes the kernel module to begin caching, it has to tell
# the kernel module the security context in which it should act, and this
# policy has to approve that.
#
# There are two parts to this:
#
#   (1) the security context used by the module to access files in the cache,
#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
#
allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };

#
#   (2) the label that will be assigned to new files and directories created in
#       the cache by the module, which will be the same as the label on the
#       directory pointed to by the 'dir' command.
#
allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };

###############################################################################
#
# cachefiles kernel module local policy
#
# This governs what the kernel module is allowed to do the contents of the
# cache.
#
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
allow cachefiles_kernel_t initrc_t:process sigchld;

manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)

fs_getattr_xattr_fs(cachefiles_kernel_t)

dev_search_sysfs(cachefiles_kernel_t)
Commit	Line	Data
3eaa9939 DW	1	###############################################################################
	2	#
	3	# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
	4	# Written by David Howells (dhowells@redhat.com)
	5	# Karl MacMillan (kmacmill@redhat.com)
	6	#
	7	# This program is free software; you can redistribute it and/or
	8	# modify it under the terms of the GNU General Public License
	9	# as published by the Free Software Foundation; either version
	10	# 2 of the License, or (at your option) any later version.
	11	#
	12	###############################################################################
	13
	14	#
	15	# This security policy governs access by the CacheFiles kernel module and
	16	# userspace management daemon to the files and directories in the on-disk
	17	# cache, on behalf of the processes accessing the cache through a network
	18	# filesystem such as NFS
	19	#
9a0f7994	20	policy_module(cachefilesd, 1.0.17)
3eaa9939 DW	21
	22	###############################################################################
	23	#
	24	# Declarations
	25	#
3eaa9939 DW	26
	27	#
	28	# Files in the cache are created by the cachefiles module with security ID
	29	# cachefiles_var_t
	30	#
	31	type cachefiles_var_t;
	32	files_type(cachefiles_var_t)
	33
	34	#
	35	# The /dev/cachefiles character device has security ID cachefiles_dev_t
	36	#
	37	type cachefiles_dev_t;
	38	dev_node(cachefiles_dev_t)
	39
	40	#
	41	# The cachefilesd daemon normally runs with security ID cachefilesd_t
	42	#
	43	type cachefilesd_t;
	44	type cachefilesd_exec_t;
	45	domain_type(cachefilesd_t)
	46	init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
	47
	48	#
	49	# The cachefilesd daemon pid file context
	50	#
	51	type cachefilesd_var_run_t;
	52	files_pid_file(cachefilesd_var_run_t)
	53
	54	#
	55	# The CacheFiles kernel module causes processes accessing the cache files to do
	56	# so acting as security ID cachefiles_kernel_t
	57	#
	58	type cachefiles_kernel_t;
	59	domain_type(cachefiles_kernel_t)
	60	domain_obj_id_change_exemption(cachefiles_kernel_t)
	61	role system_r types cachefiles_kernel_t;
	62
	63	###############################################################################
	64	#
	65	# Permit RPM to deal with files in the cache
	66	#
	67	rpm_use_script_fds(cachefilesd_t)
	68
	69	###############################################################################
	70	#
	71	# cachefilesd local policy
	72	#
	73	# These define what cachefilesd is permitted to do. This doesn't include very
	74	# much: startup stuff, logging, pid file, scanning the cache superstructure and
	75	# deleting files from the cache. It is not permitted to read/write files in
	76	# the cache.
	77	#
	78	# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
	79	# rules.
	80	#
9a0f7994	81	allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
3eaa9939 DW	82
	83	# Basic access
	84	files_read_etc_files(cachefilesd_t)
	85	libs_use_ld_so(cachefilesd_t)
	86	libs_use_shared_libs(cachefilesd_t)
	87	miscfiles_read_localization(cachefilesd_t)
	88	logging_send_syslog_msg(cachefilesd_t)
	89	init_dontaudit_use_script_ptys(cachefilesd_t)
	90	term_dontaudit_use_generic_ptys(cachefilesd_t)
	91	term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
	92
	93	# Allow manipulation of pid file
	94	allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
9a0f7994 DG	95	manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
9a0f7994 DG	96	manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
3eaa9939	97	files_pid_file(cachefilesd_var_run_t)
9a0f7994	98	files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
3eaa9939 DW	99	files_create_as_is_all_files(cachefilesd_t)
	100
	101	# Allow access to cachefiles device file
9a0f7994	102	allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
3eaa9939 DW	103
3eaa9939 DW	104	# Allow access to cache superstructure
9a0f7994 DG	105	allow cachefilesd_t cachefiles_var_t:dir { rw_dir_perms rmdir };
9a0f7994 DG	106	allow cachefilesd_t cachefiles_var_t:file { getattr rename unlink };
3eaa9939 DW	107
	108	# Permit statfs on the backing filesystem
	109	fs_getattr_xattr_fs(cachefilesd_t)
	110
	111	###############################################################################
	112	#
	113	# When cachefilesd invokes the kernel module to begin caching, it has to tell
	114	# the kernel module the security context in which it should act, and this
	115	# policy has to approve that.
	116	#
	117	# There are two parts to this:
	118	#
	119	# (1) the security context used by the module to access files in the cache,
	120	# as set by the 'secctx' command in /etc/cachefilesd.conf, and
	121	#
9a0f7994	122	allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
3eaa9939 DW	123
	124	#
	125	# (2) the label that will be assigned to new files and directories created in
	126	# the cache by the module, which will be the same as the label on the
	127	# directory pointed to by the 'dir' command.
	128	#
9a0f7994	129	allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
3eaa9939 DW	130
	131	###############################################################################
	132	#
	133	# cachefiles kernel module local policy
	134	#
	135	# This governs what the kernel module is allowed to do the contents of the
	136	# cache.
	137	#
	138	allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
	139	allow cachefiles_kernel_t initrc_t:process sigchld;
	140
9a0f7994 DG	141	manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
9a0f7994 DG	142	manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
3eaa9939 DW	143
	144	fs_getattr_xattr_fs(cachefiles_kernel_t)
	145
	146	dev_search_sysfs(cachefiles_kernel_t)