trunk: Enable open permission checks policy capability.
policy_module(afs, 1.3.0)

########################################
#
# Declarations
#
# One domain per AFS server process (bosserver, fileserver, kaserver,
# ptserver, vlserver) plus separate file types for configuration, the
# database directory, each server's database, exported volume data and
# logs.  Keeping the database types apart lets each server section below
# grant access to its own database only.
#

# Supervisor daemon; the only AFS domain entered from init in this
# module.  It launches the other servers through the domtrans_pattern
# rules in its section.
type afs_bosserver_t;
type afs_bosserver_exec_t;
init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)

# Configuration files.  Per the rules below they are written by
# bosserver, fileserver and kaserver and only read by ptserver/vlserver.
type afs_config_t;
files_type(afs_config_t)

# Directory that holds the server databases; the database files inside
# carry the per-server afs_*_db_t types declared below.
type afs_dbdir_t;
files_type(afs_dbdir_t)

# exported files
type afs_files_t;
files_type(afs_files_t)

# File server.  Not started from init directly within this module; it is
# reached by a domain transition from afs_bosserver_t.
type afs_fsserver_t;
type afs_fsserver_exec_t;
domain_type(afs_fsserver_t)
domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
role system_r types afs_fsserver_t;

# kaserver database files (created in afs_dbdir_t, see filetrans below).
type afs_ka_db_t;
files_type(afs_ka_db_t)

# Authentication server; entered by domain transition from bosserver.
type afs_kaserver_t;
type afs_kaserver_exec_t;
domain_type(afs_kaserver_t)
domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
role system_r types afs_kaserver_t;

# Log directory and files, managed by every server domain.
type afs_logfile_t;
logging_log_file(afs_logfile_t)

# ptserver database files.
type afs_pt_db_t;
files_type(afs_pt_db_t)

# Protection server; entered by domain transition from bosserver.
type afs_ptserver_t;
type afs_ptserver_exec_t;
domain_type(afs_ptserver_t)
domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
role system_r types afs_ptserver_t;

# vlserver database files.
type afs_vl_db_t;
files_type(afs_vl_db_t)

# Volume location server; entered by domain transition from bosserver.
type afs_vlserver_t;
type afs_vlserver_exec_t;
domain_type(afs_vlserver_t)
domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
role system_r types afs_vlserver_t;

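########################################
#
# AFS bosserver local policy
#
# Supervisor for the other AFS servers: it executes each server binary
# with a transition into that server's own domain and may signal it.
# It gets no rules on the per-server database files; only a listing of
# the database directory.
#

allow afs_bosserver_t self:process { setsched signal_perms };
allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
allow afs_bosserver_t self:udp_socket create_socket_perms;

# Re-execute its own binary without a domain change.
can_exec(afs_bosserver_t, afs_bosserver_exec_t)

manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)

# Listing only; the database files inside belong to the individual
# server domains.
allow afs_bosserver_t afs_dbdir_t:dir list_dir_perms;

# Launch and control each server in its own domain, so that bosserver's
# access is not inherited by the servers and vice versa.
allow afs_bosserver_t afs_fsserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)

allow afs_bosserver_t afs_kaserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)

# Log directory and files, written with the same patterns the other
# server sections use (same access as the raw manage_*_perms rules).
manage_dirs_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)

allow afs_bosserver_t afs_ptserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)

allow afs_bosserver_t afs_vlserver_t:process signal_perms;
domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)

kernel_read_kernel_sysctls(afs_bosserver_t)

corenet_all_recvfrom_unlabeled(afs_bosserver_t)
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
corenet_udp_sendrecv_all_nodes(afs_bosserver_t)
corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_bind_all_nodes(afs_bosserver_t)
# Only the bos port may be bound; no generic bind rule is granted.
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)

files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
files_read_usr_files(afs_bosserver_t)

libs_use_ld_so(afs_bosserver_t)
libs_use_shared_libs(afs_bosserver_t)

miscfiles_read_localization(afs_bosserver_t)

seutil_read_config(afs_bosserver_t)

sysnet_read_config(afs_bosserver_t)
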
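########################################
#
# fileserver local policy
#
# Serves the exported afs_files_t data.  This is the most privileged AFS
# domain in the module: it carries DAC-bypassing capabilities and full
# management of the exported files, so its file access is kept to the
# afs_* types plus the generic read-only interfaces below.
#

# dac_override/chown/fowner let the server act on exported files
# regardless of their Unix owner; the SELinux type rules below still
# bound which files that applies to.
allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
# fsetid would only preserve set-id bits on files it rewrites; denied
# silently rather than audited.
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
allow afs_fsserver_t self:udp_socket create_socket_perms;

# Full management of the configuration tree.  The manage patterns already
# include the directory listing and file read access, so no separate
# read_files_pattern / list_dir_perms rules are needed here.
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)

# NOTE(review): filesystem getattr against a file type is unusual;
# presumably for statfs on the volume partition -- confirm the intended
# target label.
allow afs_fsserver_t afs_files_t:filesystem getattr;
manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
# Objects the server creates inside afs_config_t directories are labelled
# afs_files_t rather than inheriting the config type.
filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })

can_exec(afs_fsserver_t, afs_fsserver_exec_t)

manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_system_state(afs_fsserver_t)
kernel_read_kernel_sysctls(afs_fsserver_t)

corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
# Listens on the fileserver port over both TCP and UDP.
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)

files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)

fs_getattr_xattr_fs(afs_fsserver_t)

term_dontaudit_use_console(afs_fsserver_t)

init_dontaudit_use_script_fds(afs_fsserver_t)

libs_use_ld_so(afs_fsserver_t)
libs_use_shared_libs(afs_fsserver_t)

logging_send_syslog_msg(afs_fsserver_t)

miscfiles_read_localization(afs_fsserver_t)

seutil_read_config(afs_fsserver_t)

sysnet_read_config(afs_fsserver_t)

sysadm_dontaudit_use_terms(afs_fsserver_t)
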
########################################
#
# kaserver local policy
#
# Authentication server.  Unlike ptserver and vlserver it may write the
# configuration files, and it owns only the afs_ka_db_t database.
#

allow afs_kaserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_kaserver_t self:tcp_socket create_stream_socket_perms;
allow afs_kaserver_t self:udp_socket create_socket_perms;

# Write access to configuration files (ptserver/vlserver get read only).
manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)

# Its database lives in afs_dbdir_t; new files there are labelled
# afs_ka_db_t, keeping them apart from the other servers' databases.
manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)

manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_kernel_sysctls(afs_kaserver_t)

corenet_all_recvfrom_unlabeled(afs_kaserver_t)
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
corenet_udp_sendrecv_all_nodes(afs_kaserver_t)
corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_bind_all_nodes(afs_kaserver_t)
# Binds the kerberos port in addition to its own AFS port.
corenet_udp_bind_afs_ka_port(afs_kaserver_t)
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)

files_read_etc_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)
files_read_usr_files(afs_kaserver_t)

libs_use_ld_so(afs_kaserver_t)
libs_use_shared_libs(afs_kaserver_t)

miscfiles_read_localization(afs_kaserver_t)

seutil_read_config(afs_kaserver_t)

sysnet_read_config(afs_kaserver_t)

sysadm_dontaudit_use_terms(afs_kaserver_t)

########################################
#
# ptserver local policy
#
# Protection server.  Read-only on configuration; manages only its own
# afs_pt_db_t database inside afs_dbdir_t.
#

allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
allow afs_ptserver_t self:udp_socket create_socket_perms;

# Configuration is read, never written, by this domain.
read_files_pattern(afs_ptserver_t,afs_config_t,afs_config_t)
allow afs_ptserver_t afs_config_t:dir list_dir_perms;

manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)

# Database files it creates in afs_dbdir_t get the afs_pt_db_t label.
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)

corenet_all_recvfrom_unlabeled(afs_ptserver_t)
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
corenet_udp_sendrecv_all_nodes(afs_ptserver_t)
corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_bind_all_nodes(afs_ptserver_t)
# Only the ptserver port may be bound.
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)

files_read_etc_files(afs_ptserver_t)

libs_use_ld_so(afs_ptserver_t)
libs_use_shared_libs(afs_ptserver_t)

miscfiles_read_localization(afs_ptserver_t)

sysnet_read_config(afs_ptserver_t)

sysadm_dontaudit_use_terms(afs_ptserver_t)

########################################
#
# vlserver local policy
#
# Volume location server.  Same shape as the ptserver section: read-only
# on configuration, managing only its own afs_vl_db_t database.
#

allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
allow afs_vlserver_t self:udp_socket create_socket_perms;

# Configuration is read, never written, by this domain.
read_files_pattern(afs_vlserver_t,afs_config_t,afs_config_t)
allow afs_vlserver_t afs_config_t:dir list_dir_perms;

manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)

# Database files it creates in afs_dbdir_t get the afs_vl_db_t label.
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t,afs_vl_db_t, file)

corenet_all_recvfrom_unlabeled(afs_vlserver_t)
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
corenet_udp_sendrecv_all_nodes(afs_vlserver_t)
corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_bind_all_nodes(afs_vlserver_t)
# Only the vlserver port may be bound.
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)

files_read_etc_files(afs_vlserver_t)

libs_use_ld_so(afs_vlserver_t)
libs_use_shared_libs(afs_vlserver_t)

miscfiles_read_localization(afs_vlserver_t)

sysnet_read_config(afs_vlserver_t)

sysadm_dontaudit_use_terms(afs_vlserver_t)