1 ## <summary>Remote Procedure Call Daemon for management of network-based process communication</summary>
3 ########################################
5 ## RPC stub interface. No access allowed.
7 ## <param name="domain" unused="true">
9 ## Domain allowed access.
13 interface(`rpc_stub',`
19 #######################################
21 ## The template to define a rpc domain.
25 ## This template creates a domain to be used for
29 ## <param name="userdomain_prefix">
31 ## The type of daemon to be used.
35 template(`rpc_domain_template', `
36 ########################################
43 init_daemon_domain($1_t, $1_exec_t)
44 domain_use_interactive_fds($1_t)
46 ####################################
51 dontaudit $1_t self:capability { net_admin sys_tty_config };
52 allow $1_t self:capability net_bind_service;
53 allow $1_t self:process signal_perms;
54 allow $1_t self:unix_dgram_socket create_socket_perms;
55 allow $1_t self:unix_stream_socket create_stream_socket_perms;
56 allow $1_t self:tcp_socket create_stream_socket_perms;
57 allow $1_t self:udp_socket create_socket_perms;
59 manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
60 manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
62 kernel_list_proc($1_t)
63 kernel_read_proc_symlinks($1_t)
64 kernel_read_kernel_sysctls($1_t)
65 # bind to arbitrary unused ports
66 kernel_rw_rpc_sysctls($1_t)
72 corenet_all_recvfrom_unlabeled($1_t)
73 corenet_all_recvfrom_netlabel($1_t)
74 corenet_tcp_sendrecv_generic_if($1_t)
75 corenet_udp_sendrecv_generic_if($1_t)
76 corenet_tcp_sendrecv_generic_node($1_t)
77 corenet_udp_sendrecv_generic_node($1_t)
78 corenet_tcp_sendrecv_all_ports($1_t)
79 corenet_udp_sendrecv_all_ports($1_t)
80 corenet_tcp_bind_generic_node($1_t)
81 corenet_udp_bind_generic_node($1_t)
82 corenet_tcp_bind_reserved_port($1_t)
83 corenet_tcp_connect_all_ports($1_t)
84 corenet_sendrecv_portmap_client_packets($1_t)
85 # do not log when it tries to bind to a port belonging to another domain (the bind is still denied; only the audit record is suppressed)
86 corenet_dontaudit_tcp_bind_all_ports($1_t)
87 corenet_dontaudit_udp_bind_all_ports($1_t)
88 # bind to arbitrary unused ports
89 corenet_tcp_bind_generic_port($1_t)
90 corenet_udp_bind_generic_port($1_t)
91 corenet_tcp_bind_all_rpc_ports($1_t)
92 corenet_udp_bind_all_rpc_ports($1_t)
93 corenet_sendrecv_generic_server_packets($1_t)
95 fs_rw_rpc_named_pipes($1_t)
96 fs_search_auto_mountpoints($1_t)
98 files_read_etc_files($1_t)
99 files_read_etc_runtime_files($1_t)
100 files_search_var($1_t)
101 files_search_var_lib($1_t)
103 auth_use_nsswitch($1_t)
105 logging_send_syslog_msg($1_t)
107 miscfiles_read_localization($1_t)
109 userdom_dontaudit_use_unpriv_user_fds($1_t)
112 seutil_sigchld_newrole($1_t)
120 ########################################
122 ## Send UDP network traffic to rpc and receive UDP traffic from rpc. (Deprecated)
124 ## <param name="domain">
126 ## The type of the process performing this action.
130 interface(`rpc_udp_send',`
131 refpolicywarn(`$0($*) has been deprecated.')
134 ########################################
136 ## Do not audit attempts to get the attributes
137 ## of the NFS export file.
139 ## <param name="domain">
141 ## The type of the process performing this action.
145 interface(`rpc_dontaudit_getattr_exports',`
150 dontaudit $1 exports_t:file getattr;
153 ########################################
155 ## Allow read access to exports.
157 ## <param name="domain">
159 ## The type of the process performing this action.
163 interface(`rpc_read_exports',`
168 allow $1 exports_t:file read_file_perms;
171 ########################################
173 ## Allow write access to exports.
175 ## <param name="domain">
177 ## The type of the process performing this action.
181 interface(`rpc_write_exports',`
186 allow $1 exports_t:file write;
189 ########################################
191 ## Execute domain in nfsd domain.
193 ## <param name="domain">
195 ## The type of the process performing this action.
199 interface(`rpc_domtrans_nfsd',`
201 type nfsd_t, nfsd_exec_t;
204 domtrans_pattern($1, nfsd_exec_t, nfsd_t)
207 ########################################
209 ## Execute domain in rpcd domain, and allow rpcd to send signals to the calling domain.
211 ## <param name="domain">
213 ## The type of the process performing this action.
217 interface(`rpc_domtrans_rpcd',`
219 type rpcd_t, rpcd_exec_t;
222 domtrans_pattern($1, rpcd_exec_t, rpcd_t)
223 allow rpcd_t $1:process signal;
226 ########################################
228 ## Read NFS exported content.
230 ## <param name="domain">
232 ## Domain allowed access.
237 interface(`rpc_read_nfs_content',`
239 type nfsd_ro_t, nfsd_rw_t;
242 allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
243 allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
244 allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
247 ########################################
249 ## Allow domain to create, read, and write NFS read/write (nfsd_rw_t) directories, files, and symbolic links.
251 ## <param name="domain">
253 ## Domain allowed access.
258 interface(`rpc_manage_nfs_rw_content',`
263 manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
264 manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
265 manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
268 ########################################
270 ## Allow domain to create, read, and write NFS read-only (nfsd_ro_t) directories, files, and symbolic links.
272 ## <param name="domain">
274 ## Domain allowed access.
279 interface(`rpc_manage_nfs_ro_content',`
284 manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
285 manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
286 manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
289 ########################################
291 ## Allow domain to read and write to an NFS UDP socket.
293 ## <param name="domain">
295 ## Domain allowed access.
299 interface(`rpc_udp_rw_nfs_sockets',`
304 allow $1 nfsd_t:udp_socket rw_socket_perms;
307 ########################################
309 ## Send UDP traffic to NFSd. (Deprecated)
311 ## <param name="domain">
313 ## Domain allowed access.
317 interface(`rpc_udp_send_nfs',`
318 refpolicywarn(`$0($*) has been deprecated.')
321 ########################################
323 ## Search NFS state data in /var/lib/nfs.
325 ## <param name="domain">
327 ## Domain allowed access.
331 interface(`rpc_search_nfs_state_data',`
336 files_search_var_lib($1)
337 allow $1 var_lib_nfs_t:dir search;
340 ########################################
342 ## Read NFS state data in /var/lib/nfs.
344 ## <param name="domain">
346 ## Domain allowed access.
350 interface(`rpc_read_nfs_state_data',`
355 files_search_var_lib($1)
356 read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
359 ########################################
361 ## Manage NFS state data in /var/lib/nfs.
363 ## <param name="domain">
365 ## Domain allowed access.
369 interface(`rpc_manage_nfs_state_data',`
374 files_search_var_lib($1)
375 manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)