policy_module(afs,1.1.0)

########################################
#
# Declarations
#

#
# Process domains
#

# Basic overseer server. This is the only domain in the module that goes
# through init_daemon_domain(); the four service daemons below are entered
# from it via the domtrans_pattern() rules in the bosserver section.
type afs_bosserver_t;
type afs_bosserver_exec_t;
init_daemon_domain(afs_bosserver_t, afs_bosserver_exec_t)

# Service daemons spawned by bosserver. Each is a plain domain with its own
# entrypoint; role system_r is attached explicitly because none of them is
# declared through init_daemon_domain().
type afs_fsserver_t;
type afs_fsserver_exec_t;
domain_type(afs_fsserver_t)
domain_entry_file(afs_fsserver_t, afs_fsserver_exec_t)
role system_r types afs_fsserver_t;

type afs_kaserver_t;
type afs_kaserver_exec_t;
domain_type(afs_kaserver_t)
domain_entry_file(afs_kaserver_t, afs_kaserver_exec_t)
role system_r types afs_kaserver_t;

type afs_ptserver_t;
type afs_ptserver_exec_t;
domain_type(afs_ptserver_t)
domain_entry_file(afs_ptserver_t, afs_ptserver_exec_t)
role system_r types afs_ptserver_t;

type afs_vlserver_t;
type afs_vlserver_exec_t;
domain_type(afs_vlserver_t)
domain_entry_file(afs_vlserver_t, afs_vlserver_exec_t)
role system_r types afs_vlserver_t;

#
# File types
#

# Server configuration.
type afs_config_t;
files_type(afs_config_t)

# Directory that holds the per-service database files declared below.
type afs_dbdir_t;
files_type(afs_dbdir_t)

# Exported files; the fileserver domain gets full management of these.
type afs_files_t;
files_type(afs_files_t)

# Per-service database files. Each server domain creates its own type
# inside afs_dbdir_t (see the filetrans_pattern() rules per section).
type afs_ka_db_t;
files_type(afs_ka_db_t)

type afs_pt_db_t;
files_type(afs_pt_db_t)

type afs_vl_db_t;
files_type(afs_vl_db_t)

# Log files, registered with the logging module.
type afs_logfile_t;
logging_log_file(afs_logfile_t)

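########################################
#
# AFS bosserver local policy
#
# The basic overseer server is the init-started parent of the other AFS
# daemons in this module: it starts each one through a domain transition
# and may signal it afterwards.

allow afs_bosserver_t self:process { setsched signal_perms };
allow afs_bosserver_t self:tcp_socket create_stream_socket_perms;
allow afs_bosserver_t self:udp_socket create_socket_perms;

# Execute its own entrypoint without a domain transition.
can_exec(afs_bosserver_t, afs_bosserver_exec_t)

# Full management of the server configuration.
manage_dirs_pattern(afs_bosserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_bosserver_t, afs_config_t, afs_config_t)

# Listing the database directory only; none of the per-service database
# types (afs_ka_db_t, afs_pt_db_t, afs_vl_db_t) is granted to this domain.
allow afs_bosserver_t afs_dbdir_t:dir { getattr read search };

# Log files, in the same manage_*_pattern() form used by the other server
# domains in this module.
manage_dirs_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_bosserver_t, afs_logfile_t, afs_logfile_t)

# Spawn each service daemon in its own domain and signal it afterwards.
domtrans_pattern(afs_bosserver_t, afs_fsserver_exec_t, afs_fsserver_t)
allow afs_bosserver_t afs_fsserver_t:process signal_perms;

domtrans_pattern(afs_bosserver_t, afs_kaserver_exec_t, afs_kaserver_t)
allow afs_bosserver_t afs_kaserver_t:process signal_perms;

domtrans_pattern(afs_bosserver_t, afs_ptserver_exec_t, afs_ptserver_t)
allow afs_bosserver_t afs_ptserver_t:process signal_perms;

domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
allow afs_bosserver_t afs_vlserver_t:process signal_perms;

kernel_read_kernel_sysctls(afs_bosserver_t)

# Network: binds only the afs bos port (UDP), but sends and receives on all
# nodes and all ports, matching the other server domains in this module.
# NOTE(review): the all_ports sendrecv is broader than the single bound
# port; confirm against observed traffic before narrowing it.
corenet_non_ipsec_sendrecv(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
corenet_udp_sendrecv_all_nodes(afs_bosserver_t)
corenet_tcp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_sendrecv_all_ports(afs_bosserver_t)
corenet_udp_bind_all_nodes(afs_bosserver_t)
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)

files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
files_read_usr_files(afs_bosserver_t)

libs_use_ld_so(afs_bosserver_t)
libs_use_shared_libs(afs_bosserver_t)

miscfiles_read_localization(afs_bosserver_t)

seutil_read_config(afs_bosserver_t)

sysnet_read_config(afs_bosserver_t)
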
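########################################
#
# fileserver local policy
#
# Entered from afs_bosserver_t through domtrans_pattern().

# dac_override bypasses discretionary file permission checks; with chown and
# fowner this is a broad capability set — presumably needed for the exported
# afs_files_t tree, confirm before narrowing. fsetid denials are silenced
# rather than granted.
allow afs_fsserver_t self:capability { chown dac_override fowner kill sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
allow afs_fsserver_t self:udp_socket create_socket_perms;

# Configuration. manage_dirs_pattern() and manage_files_pattern() with the
# same type as directory and object already include list_dir_perms and
# read_file_perms, so no separate read-only rules are needed.
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
# Objects the server creates inside afs_config_t directories are labelled
# afs_files_t instead of inheriting the directory's type.
filetrans_pattern(afs_fsserver_t, afs_config_t, afs_files_t, { file lnk_file sock_file fifo_file })

# Exported files: every object class the server may store, plus getattr on
# the filesystem that carries them.
allow afs_fsserver_t afs_files_t:filesystem getattr;
manage_dirs_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_lnk_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_fifo_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)
manage_sock_files_pattern(afs_fsserver_t, afs_files_t, afs_files_t)

# Execute its own entrypoint without a domain transition.
can_exec(afs_fsserver_t, afs_fsserver_exec_t)

# Log files.
manage_dirs_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_fsserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_system_state(afs_fsserver_t)
kernel_read_kernel_sysctls(afs_fsserver_t)

# Network: binds the afs fs port on both TCP and UDP; sends and receives on
# all nodes and all ports like the other server domains in this module.
corenet_non_ipsec_sendrecv(afs_fsserver_t)
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)

files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
files_read_usr_files(afs_fsserver_t)
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)

fs_getattr_xattr_fs(afs_fsserver_t)

term_dontaudit_use_console(afs_fsserver_t)

init_dontaudit_use_script_fds(afs_fsserver_t)

libs_use_ld_so(afs_fsserver_t)
libs_use_shared_libs(afs_fsserver_t)

logging_send_syslog_msg(afs_fsserver_t)

miscfiles_read_localization(afs_fsserver_t)

seutil_read_config(afs_fsserver_t)

sysnet_read_config(afs_fsserver_t)

userdom_dontaudit_use_sysadm_ttys(afs_fsserver_t)
userdom_dontaudit_use_sysadm_ptys(afs_fsserver_t)
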
########################################
#
# kaserver local policy
#
# Entered from afs_bosserver_t through domtrans_pattern().

# Stream sockets (unix and tcp) share one permission set; udp is separate.
allow afs_kaserver_t self:{ unix_stream_socket tcp_socket } create_stream_socket_perms;
allow afs_kaserver_t self:udp_socket create_socket_perms;

# Configuration files are managed, not merely read as in the pt/vl servers.
manage_files_pattern(afs_kaserver_t, afs_config_t, afs_config_t)

# Own database: files created inside afs_dbdir_t are labelled afs_ka_db_t.
manage_files_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t)
filetrans_pattern(afs_kaserver_t, afs_dbdir_t, afs_ka_db_t, file)

# Log files.
manage_dirs_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)

kernel_read_kernel_sysctls(afs_kaserver_t)

# Network: binds the afs ka port and additionally the kerberos port (UDP),
# sending server packets on both.
# NOTE(review): binding the kerberos port means this domain can receive
# traffic addressed to a KDC; confirm that is intended on hosts where one
# also runs.
corenet_non_ipsec_sendrecv(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
corenet_udp_sendrecv_all_nodes(afs_kaserver_t)
corenet_tcp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_sendrecv_all_ports(afs_kaserver_t)
corenet_udp_bind_all_nodes(afs_kaserver_t)
corenet_udp_bind_afs_ka_port(afs_kaserver_t)
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)

files_read_etc_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)
files_read_usr_files(afs_kaserver_t)

libs_use_ld_so(afs_kaserver_t)
libs_use_shared_libs(afs_kaserver_t)

miscfiles_read_localization(afs_kaserver_t)

seutil_read_config(afs_kaserver_t)

sysnet_read_config(afs_kaserver_t)

userdom_dontaudit_use_sysadm_ttys(afs_kaserver_t)
userdom_dontaudit_use_sysadm_ptys(afs_kaserver_t)

########################################
#
# ptserver local policy
#
# Entered from afs_bosserver_t through domtrans_pattern().

# Stream sockets (unix and tcp) share one permission set; udp is separate.
allow afs_ptserver_t self:{ unix_stream_socket tcp_socket } create_stream_socket_perms;
allow afs_ptserver_t self:udp_socket create_socket_perms;

# Read-only access to the configuration (listing plus file reads).
allow afs_ptserver_t afs_config_t:dir list_dir_perms;
read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)

# Own database: files created inside afs_dbdir_t are labelled afs_pt_db_t.
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)

# Log files.
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)

# Network: binds the afs pt port (UDP); sends and receives on all nodes and
# all ports like the other server domains in this module.
corenet_non_ipsec_sendrecv(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
corenet_udp_sendrecv_all_nodes(afs_ptserver_t)
corenet_tcp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_sendrecv_all_ports(afs_ptserver_t)
corenet_udp_bind_all_nodes(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)

files_read_etc_files(afs_ptserver_t)

libs_use_ld_so(afs_ptserver_t)
libs_use_shared_libs(afs_ptserver_t)

miscfiles_read_localization(afs_ptserver_t)

sysnet_read_config(afs_ptserver_t)

userdom_dontaudit_use_sysadm_ttys(afs_ptserver_t)
userdom_dontaudit_use_sysadm_ptys(afs_ptserver_t)

########################################
#
# vlserver local policy
#
# Entered from afs_bosserver_t through domtrans_pattern().

# Stream sockets (unix and tcp) share one permission set; udp is separate.
allow afs_vlserver_t self:{ unix_stream_socket tcp_socket } create_stream_socket_perms;
allow afs_vlserver_t self:udp_socket create_socket_perms;

# Read-only access to the configuration (listing plus file reads).
allow afs_vlserver_t afs_config_t:dir list_dir_perms;
read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)

# Own database: files created inside afs_dbdir_t are labelled afs_vl_db_t.
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)

# Log files.
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)

# Network: binds the afs vl port (UDP); sends and receives on all nodes and
# all ports like the other server domains in this module.
corenet_non_ipsec_sendrecv(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
corenet_udp_sendrecv_all_nodes(afs_vlserver_t)
corenet_tcp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_sendrecv_all_ports(afs_vlserver_t)
corenet_udp_bind_all_nodes(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)

files_read_etc_files(afs_vlserver_t)

libs_use_ld_so(afs_vlserver_t)
libs_use_shared_libs(afs_vlserver_t)

miscfiles_read_localization(afs_vlserver_t)

sysnet_read_config(afs_vlserver_t)

userdom_dontaudit_use_sysadm_ttys(afs_vlserver_t)
userdom_dontaudit_use_sysadm_ptys(afs_vlserver_t)