[people/stevee/selinux-policy.git] / policy / modules / services / cobbler.te

policy_module(cobbler, 1.1.0)

########################################
#
# Cobbler personal declarations.
#

## <desc>
## <p>
## Allow Cobbler to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(cobbler_anon_write, false)
  
## <desc>
## <p>
##     Allow Cobbler to connect to the
##     network using TCP.
## </p>
## </desc>
gen_tunable(cobbler_can_network_connect, false)

## <desc>
## <p>
##     Allow Cobbler to access cifs file systems.
## </p>
## </desc>
gen_tunable(cobbler_use_cifs, false)

## <desc>
## <p>
##     Allow Cobbler to access nfs file systems.
## </p>
## </desc>
gen_tunable(cobbler_use_nfs, false)

type cobblerd_t;
type cobblerd_exec_t;
init_daemon_domain(cobblerd_t, cobblerd_exec_t)

type cobblerd_initrc_exec_t;
init_script_file(cobblerd_initrc_exec_t)

type cobbler_etc_t;
files_config_file(cobbler_etc_t)

type cobbler_var_log_t;
logging_log_file(cobbler_var_log_t)

type cobbler_var_lib_t alias cobbler_content_t;
files_type(cobbler_var_lib_t)

type cobbler_tmp_t;
files_tmp_file(cobbler_tmp_t)

########################################
#
# Cobbler personal policy.
#

allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };

allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
allow cobblerd_t self:tcp_socket create_stream_socket_perms;
allow cobblerd_t self:udp_socket create_socket_perms;
allow cobblerd_t self:unix_dgram_socket create_socket_perms;

list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)

# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;

manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })

# Something really needs to write to cobbler.log. Ideally this should not be happening.
allow cobblerd_t cobbler_var_log_t:file write;

append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)

manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })

kernel_read_system_state(cobblerd_t)
kernel_dontaudit_search_network_state(cobblerd_t)

corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)

corenet_all_recvfrom_netlabel(cobblerd_t)
corenet_all_recvfrom_unlabeled(cobblerd_t)
corenet_sendrecv_cobbler_server_packets(cobblerd_t)
corenet_tcp_bind_cobbler_port(cobblerd_t)
corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
corenet_tcp_connect_ftp_port(cobblerd_t)
corenet_tcp_sendrecv_ftp_port(cobblerd_t)
corenet_sendrecv_ftp_client_packets(cobblerd_t)
corenet_tcp_connect_http_port(cobblerd_t)
corenet_tcp_sendrecv_http_port(cobblerd_t)
corenet_sendrecv_http_client_packets(cobblerd_t)

dev_read_urand(cobblerd_t)

domain_dontaudit_exec_all_entry_files(cobblerd_t)
domain_dontaudit_read_all_domains_state(cobblerd_t)

files_read_etc_files(cobblerd_t)
# mtab
files_read_etc_runtime_files(cobblerd_t)
files_read_usr_files(cobblerd_t)
files_list_boot(cobblerd_t)
files_read_boot_files(cobblerd_t)
files_list_tmp(cobblerd_t)

# read from mounted images (install media)
fs_read_iso9660_files(cobblerd_t)

init_dontaudit_read_all_script_files(cobblerd_t)

term_use_console(cobblerd_t)

miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)

selinux_dontaudit_read_fs(cobblerd_t)

sysnet_read_config(cobblerd_t)
sysnet_rw_dhcp_config(cobblerd_t)
sysnet_write_config(cobblerd_t)

userdom_dontaudit_use_user_terminals(cobblerd_t)
userdom_dontaudit_search_user_home_dirs(cobblerd_t)
userdom_dontaudit_search_admin_dir(cobblerd_t)

tunable_policy(`cobbler_anon_write',`
	miscfiles_manage_public_files(cobblerd_t)
')

tunable_policy(`cobbler_can_network_connect',`
	corenet_tcp_connect_all_ports(cobblerd_t)
	corenet_tcp_sendrecv_all_ports(cobblerd_t)
	corenet_sendrecv_all_client_packets(cobblerd_t)
')

tunable_policy(`cobbler_use_cifs',`
	fs_manage_cifs_dirs(cobblerd_t)
	fs_manage_cifs_files(cobblerd_t)
	fs_manage_cifs_symlinks(cobblerd_t)
')

tunable_policy(`cobbler_use_nfs',`
	fs_manage_nfs_dirs(cobblerd_t)
	fs_manage_nfs_files(cobblerd_t)
	fs_manage_nfs_symlinks(cobblerd_t)
')

optional_policy(`
	# Cobbler traverses /var/www to get to /var/www/cobbler/*
	apache_search_sys_content(cobblerd_t)
')

optional_policy(`
	bind_read_config(cobblerd_t)
	bind_write_config(cobblerd_t)
	bind_domtrans_ndc(cobblerd_t)
	bind_domtrans(cobblerd_t)
	bind_initrc_domtrans(cobblerd_t)
	bind_manage_zone(cobblerd_t)
')

optional_policy(`
	certmaster_exec(cobblerd_t)
')

optional_policy(`
	dhcpd_domtrans(cobblerd_t)
	dhcpd_initrc_domtrans(cobblerd_t)
')

optional_policy(`
	dnsmasq_domtrans(cobblerd_t)
	dnsmasq_initrc_domtrans(cobblerd_t)
	dnsmasq_write_config(cobblerd_t)
')

optional_policy(`
	gnome_dontaudit_search_config(cobblerd_t)
')

optional_policy(`
	rpm_exec(cobblerd_t)
')

optional_policy(`
	rsync_exec(cobblerd_t)
	rsync_manage_config(cobblerd_t)
	# cobbler creates /etc/rsync.conf if its not there.
	rsync_filetrans_config(cobblerd_t, file)
')

optional_policy(`
	# Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
	# tftp_manage_rw_content(cobblerd_t) can be used instead if:
	# 1. cobbler package installs /var/lib/tftpdir/images.
	# 2. no FILES in /var/lib/TFTPDIR are hard linked.
	# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
	# are any of those hard linked?
	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
')

########################################
#
# Cobbler web local policy.
#

apache_content_template(cobbler)
manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
Commit	Line	Data
29af4c13	1	policy_module(cobbler, 1.1.0)
1031ee6f DG	2
	3	########################################
	4	#
	5	# Cobbler personal declarations.
	6	#
	7
	8	## <desc>
	9	## <p>
2968e068 DW	10	## Allow Cobbler to modify public files
2968e068 DW	11	## used for public file transfer services.
1031ee6f DG	12	## </p>
	13	## </desc>
	14	gen_tunable(cobbler_anon_write, false)
3eaa9939 DW	15
	16	## <desc>
	17	## <p>
	18	## Allow Cobbler to connect to the
	19	## network using TCP.
	20	## </p>
	21	## </desc>
	22	gen_tunable(cobbler_can_network_connect, false)
	23
	24	## <desc>
	25	## <p>
	26	## Allow Cobbler to access cifs file systems.
	27	## </p>
	28	## </desc>
	29	gen_tunable(cobbler_use_cifs, false)
	30
	31	## <desc>
	32	## <p>
	33	## Allow Cobbler to access nfs file systems.
	34	## </p>
	35	## </desc>
	36	gen_tunable(cobbler_use_nfs, false)
1031ee6f DG	37
	38	type cobblerd_t;
	39	type cobblerd_exec_t;
	40	init_daemon_domain(cobblerd_t, cobblerd_exec_t)
	41
	42	type cobblerd_initrc_exec_t;
	43	init_script_file(cobblerd_initrc_exec_t)
	44
	45	type cobbler_etc_t;
	46	files_config_file(cobbler_etc_t)
	47
	48	type cobbler_var_log_t;
	49	logging_log_file(cobbler_var_log_t)
	50
2968e068 DW	51	type cobbler_var_lib_t alias cobbler_content_t;
	52	files_type(cobbler_var_lib_t)
	53
3eaa9939 DW	54	type cobbler_tmp_t;
	55	files_tmp_file(cobbler_tmp_t)
	56
1031ee6f DG	57	########################################
1031ee6f DG	58	#
2968e068	59	# Cobbler personal policy.
1031ee6f DG	60	#
1031ee6f DG	61
3eaa9939 DW	62	allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
	63	dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config };
	64
1031ee6f DG	65	allow cobblerd_t self:process { getsched setsched signal };
1031ee6f DG	66	allow cobblerd_t self:fifo_file rw_fifo_file_perms;
3eaa9939	67	allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
1031ee6f	68	allow cobblerd_t self:tcp_socket create_stream_socket_perms;
3eaa9939 DW	69	allow cobblerd_t self:udp_socket create_socket_perms;
3eaa9939 DW	70	allow cobblerd_t self:unix_dgram_socket create_socket_perms;
1031ee6f	71
a2524cfa	72	list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
1031ee6f DG	73	read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
1031ee6f DG	74
2968e068 DW	75	# Something that runs in the cobberd_t domain tries to relabelfrom cobbler_var_lib_t dir to httpd_sys_content_t.
2968e068 DW	76	dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms;
3eaa9939	77
2968e068 DW	78	manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
	79	manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
	80	manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
	81	files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file })
3eaa9939 DW	82
	83	# Something really needs to write to cobbler.log. Ideally this should not be happening.
	84	allow cobblerd_t cobbler_var_log_t:file write;
1031ee6f DG	85
	86	append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
	87	create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
	88	read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
	89	setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
	90	logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
	91
3eaa9939 DW	92	manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
	93	manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
	94	files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
	95
27eab81f	96	kernel_read_system_state(cobblerd_t)
3eaa9939	97	kernel_dontaudit_search_network_state(cobblerd_t)
27eab81f	98
1031ee6f DG	99	corecmd_exec_bin(cobblerd_t)
	100	corecmd_exec_shell(cobblerd_t)
	101
	102	corenet_all_recvfrom_netlabel(cobblerd_t)
	103	corenet_all_recvfrom_unlabeled(cobblerd_t)
2968e068 DW	104	corenet_sendrecv_cobbler_server_packets(cobblerd_t)
2968e068 DW	105	corenet_tcp_bind_cobbler_port(cobblerd_t)
1031ee6f DG	106	corenet_tcp_bind_generic_node(cobblerd_t)
	107	corenet_tcp_sendrecv_generic_if(cobblerd_t)
	108	corenet_tcp_sendrecv_generic_node(cobblerd_t)
	109	corenet_tcp_sendrecv_generic_port(cobblerd_t)
3eaa9939	110	corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
3eaa9939 DW	111	# sync and rsync to ftp and http are permitted by default, for any other media use cobbler_can_network_connect.
	112	corenet_tcp_connect_ftp_port(cobblerd_t)
	113	corenet_tcp_sendrecv_ftp_port(cobblerd_t)
	114	corenet_sendrecv_ftp_client_packets(cobblerd_t)
	115	corenet_tcp_connect_http_port(cobblerd_t)
	116	corenet_tcp_sendrecv_http_port(cobblerd_t)
	117	corenet_sendrecv_http_client_packets(cobblerd_t)
1031ee6f DG	118
	119	dev_read_urand(cobblerd_t)
	120
3eaa9939 DW	121	domain_dontaudit_exec_all_entry_files(cobblerd_t)
	122	domain_dontaudit_read_all_domains_state(cobblerd_t)
	123
	124	files_read_etc_files(cobblerd_t)
	125	# mtab
	126	files_read_etc_runtime_files(cobblerd_t)
1031ee6f	127	files_read_usr_files(cobblerd_t)
1031ee6f	128	files_list_boot(cobblerd_t)
3eaa9939	129	files_read_boot_files(cobblerd_t)
1031ee6f	130	files_list_tmp(cobblerd_t)
3eaa9939 DW	131
	132	# read from mounted images (install media)
	133	fs_read_iso9660_files(cobblerd_t)
	134
	135	init_dontaudit_read_all_script_files(cobblerd_t)
	136
	137	term_use_console(cobblerd_t)
1031ee6f	138
1031ee6f DG	139	miscfiles_read_localization(cobblerd_t)
	140	miscfiles_read_public_files(cobblerd_t)
	141
3eaa9939 DW	142	selinux_dontaudit_read_fs(cobblerd_t)
3eaa9939 DW	143
1031ee6f DG	144	sysnet_read_config(cobblerd_t)
	145	sysnet_rw_dhcp_config(cobblerd_t)
	146	sysnet_write_config(cobblerd_t)
	147
3eaa9939 DW	148	userdom_dontaudit_use_user_terminals(cobblerd_t)
	149	userdom_dontaudit_search_user_home_dirs(cobblerd_t)
	150	userdom_dontaudit_search_admin_dir(cobblerd_t)
	151
1031ee6f DG	152	tunable_policy(`cobbler_anon_write',`
	153	miscfiles_manage_public_files(cobblerd_t)
	154	')
	155
3eaa9939 DW	156	tunable_policy(`cobbler_can_network_connect',`
	157	corenet_tcp_connect_all_ports(cobblerd_t)
	158	corenet_tcp_sendrecv_all_ports(cobblerd_t)
	159	corenet_sendrecv_all_client_packets(cobblerd_t)
	160	')
	161
	162	tunable_policy(`cobbler_use_cifs',`
	163	fs_manage_cifs_dirs(cobblerd_t)
	164	fs_manage_cifs_files(cobblerd_t)
	165	fs_manage_cifs_symlinks(cobblerd_t)
	166	')
	167
	168	tunable_policy(`cobbler_use_nfs',`
	169	fs_manage_nfs_dirs(cobblerd_t)
	170	fs_manage_nfs_files(cobblerd_t)
	171	fs_manage_nfs_symlinks(cobblerd_t)
	172	')
	173
	174	optional_policy(`
	175	# Cobbler traverses /var/www to get to /var/www/cobbler/*
	176	apache_search_sys_content(cobblerd_t)
	177	')
	178
1031ee6f DG	179	optional_policy(`
	180	bind_read_config(cobblerd_t)
	181	bind_write_config(cobblerd_t)
	182	bind_domtrans_ndc(cobblerd_t)
	183	bind_domtrans(cobblerd_t)
	184	bind_initrc_domtrans(cobblerd_t)
	185	bind_manage_zone(cobblerd_t)
	186	')
	187
3eaa9939 DW	188	optional_policy(`
	189	certmaster_exec(cobblerd_t)
	190	')
	191
1031ee6f DG	192	optional_policy(`
	193	dhcpd_domtrans(cobblerd_t)
	194	dhcpd_initrc_domtrans(cobblerd_t)
	195	')
	196
	197	optional_policy(`
	198	dnsmasq_domtrans(cobblerd_t)
	199	dnsmasq_initrc_domtrans(cobblerd_t)
	200	dnsmasq_write_config(cobblerd_t)
	201	')
	202
3eaa9939 DW	203	optional_policy(`
	204	gnome_dontaudit_search_config(cobblerd_t)
	205	')
	206
1031ee6f DG	207	optional_policy(`
	208	rpm_exec(cobblerd_t)
	209	')
	210
	211	optional_policy(`
3eaa9939 DW	212	rsync_exec(cobblerd_t)
	213	rsync_manage_config(cobblerd_t)
	214	# cobbler creates /etc/rsync.conf if its not there.
	215	rsync_filetrans_config(cobblerd_t, file)
1031ee6f DG	216	')
	217
	218	optional_policy(`
3eaa9939 DW	219	# Cobbler puts objects in both /var/lib/tftpdir as well as /var/lib/tftpdir/images.
	220	# tftp_manage_rw_content(cobblerd_t) can be used instead if:
	221	# 1. cobbler package installs /var/lib/tftpdir/images.
	222	# 2. no FILES in /var/lib/TFTPDIR are hard linked.
	223	# Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg)
	224	# are any of those hard linked?
2968e068	225	tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
1031ee6f	226	')
a2524cfa JS	227
	228	########################################
	229	#
	230	# Cobbler web local policy.
	231	#
	232
2968e068 DW	233	apache_content_template(cobbler)
	234	manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
	235	manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)