1 ## <summary>Remote Procedure Call Daemon for management of network based process communication</summary>
3 ########################################
5 ## RPC stub interface. No access allowed.
7 ## <param name="domain" unused="true">
9 ## Domain allowed access.
13 interface(`rpc_stub',`
# NOTE(review): the body of this stub is not shown in this listing. The summary
# says no access is allowed and the parameter is marked unused - confirm the
# body contains no allow rules.
19 #######################################
21 ## The template to define a rpc domain.
25 ## This template creates a domain to be used for
29 ## <param name="userdomain_prefix">
31 ## The type of daemon to be used.
35 template(`rpc_domain_template', `
# Every rule below is granted to each daemon domain built from this template,
# so a change here widens or narrows all of those domains at once.
36 ########################################
# Register the new type as a daemon domain entered from init through its
# entrypoint executable type.
43 init_daemon_domain($1_t, $1_exec_t)
44 domain_use_interactive_fds($1_t)
46 ####################################
# Silence audit records for denied net_admin and sys_tty_config use; the
# capabilities themselves are not granted by this rule.
51 dontaudit $1_t self:capability { net_admin sys_tty_config };
# net_bind_service is the capability needed to bind ports below 1024.
52 allow $1_t self:capability net_bind_service;
53 allow $1_t self:process signal_perms;
# The domain may create its own UNIX datagram/stream, TCP and UDP sockets.
54 allow $1_t self:unix_dgram_socket create_socket_perms;
55 allow $1_t self:unix_stream_socket create_stream_socket_perms;
56 allow $1_t self:tcp_socket create_stream_socket_perms;
57 allow $1_t self:udp_socket create_socket_perms;
# Create, modify and delete directories and files labeled var_lib_nfs_t.
59 manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
60 manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
62 kernel_list_proc($1_t)
63 kernel_read_proc_symlinks($1_t)
64 kernel_read_kernel_sysctls($1_t)
65 # bind to arbitrary unused ports
66 kernel_rw_rpc_sysctls($1_t)
# NOTE(review): the send/receive and TCP connect rules below cover all port
# types, not only portmap and RPC ports - confirm every daemon built from this
# template needs that breadth.
72 corenet_all_recvfrom_unlabeled($1_t)
73 corenet_all_recvfrom_netlabel($1_t)
74 corenet_tcp_sendrecv_generic_if($1_t)
75 corenet_udp_sendrecv_generic_if($1_t)
76 corenet_tcp_sendrecv_generic_node($1_t)
77 corenet_udp_sendrecv_generic_node($1_t)
78 corenet_tcp_sendrecv_all_ports($1_t)
79 corenet_udp_sendrecv_all_ports($1_t)
80 corenet_tcp_bind_generic_node($1_t)
81 corenet_udp_bind_generic_node($1_t)
82 corenet_tcp_bind_reserved_port($1_t)
83 corenet_tcp_connect_all_ports($1_t)
84 corenet_sendrecv_portmap_client_packets($1_t)
85 # do not log when it tries to bind to a port belonging to another domain
# NOTE(review): because of these two dontaudit rules such bind attempts leave
# no AVC denial in the audit log; rebuild with dontaudit rules disabled
# (semodule -DB) when investigating what this domain tried to bind.
86 corenet_dontaudit_tcp_bind_all_ports($1_t)
87 corenet_dontaudit_udp_bind_all_ports($1_t)
88 # bind to arbitrary unused ports
89 corenet_tcp_bind_generic_port($1_t)
90 corenet_udp_bind_generic_port($1_t)
91 corenet_tcp_bind_all_rpc_ports($1_t)
92 corenet_udp_bind_all_rpc_ports($1_t)
93 corenet_sendrecv_generic_server_packets($1_t)
95 fs_rw_rpc_named_pipes($1_t)
96 fs_search_auto_mountpoints($1_t)
98 files_read_etc_files($1_t)
99 files_read_etc_runtime_files($1_t)
100 files_search_var($1_t)
101 files_search_var_lib($1_t)
102 files_list_home($1_t)
104 auth_use_nsswitch($1_t)
106 logging_send_syslog_msg($1_t)
108 miscfiles_read_localization($1_t)
110 userdom_dontaudit_use_unpriv_user_fds($1_t)
113 rpcbind_stream_connect($1_t)
117 seutil_sigchld_newrole($1_t)
125 ########################################
127 ## Send UDP network traffic to rpc and receive UDP traffic from rpc. (Deprecated)
129 ## <param name="domain">
131 ## Domain allowed access.
135 interface(`rpc_udp_send',`
# The only statement shown is a deprecation warning emitted when the policy is
# built; no allow rule is visible in this interface.
136 refpolicywarn(`$0($*) has been deprecated.')
139 ########################################
141 ## Do not audit attempts to get the attributes
142 ## of the NFS export file.
144 ## <param name="domain">
146 ## Domain to not audit.
150 interface(`rpc_dontaudit_getattr_exports',`
# dontaudit only hides the denial from the audit log; it does not grant
# getattr on files labeled exports_t.
155 dontaudit $1 exports_t:file getattr;
158 ########################################
160 ## Allow read access to exports.
162 ## <param name="domain">
164 ## Domain allowed access.
168 interface(`rpc_read_exports',`
# Read-only: read_file_perms on files labeled exports_t. No write permission
# is part of this rule.
173 allow $1 exports_t:file read_file_perms;
176 ########################################
178 ## Allow write access to exports.
180 ## <param name="domain">
182 ## Domain allowed access.
186 interface(`rpc_write_exports',`
# Grants the write permission alone on files labeled exports_t; no other file
# permission is part of this rule.
# NOTE(review): a domain that can rewrite the exports file can presumably
# change what the NFS server shares - keep the set of callers small and
# reviewed.
191 allow $1 exports_t:file write;
194 ########################################
196 ## Execute the nfsd executable with a transition to the nfsd domain.
198 ## <param name="domain">
200 ## Domain allowed to transition.
204 interface(`rpc_domtrans_nfsd',`
206 type nfsd_t, nfsd_exec_t;
# A caller that executes a file labeled nfsd_exec_t transitions into nfsd_t.
209 domtrans_pattern($1, nfsd_exec_t, nfsd_t)
212 #######################################
214 ## Execute the nfsd init script with a domain transition.
216 ## <param name="domain">
218 ## Domain allowed to transition.
222 interface(`rpc_initrc_domtrans_nfsd',`
224 type nfsd_initrc_exec_t;
# The entrypoint is the init script type nfsd_initrc_exec_t, not nfsd_exec_t.
# The target domain is chosen inside init_labeled_script_domtrans and is not
# visible in this file.
227 init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
230 ########################################
232 ## Execute the rpcd executable with a transition to the rpcd domain.
234 ## <param name="domain">
236 ## Domain allowed to transition.
240 interface(`rpc_domtrans_rpcd',`
242 type rpcd_t, rpcd_exec_t;
# A caller that executes a file labeled rpcd_exec_t transitions into rpcd_t.
245 domtrans_pattern($1, rpcd_exec_t, rpcd_t)
# Note the direction: this lets rpcd_t send signals to the calling domain,
# not the other way round.
246 allow rpcd_t $1:process signal;
249 #######################################
251 ## Execute the rpcd init script with a domain transition.
253 ## <param name="domain">
255 ## Domain allowed to transition.
259 interface(`rpc_initrc_domtrans_rpcd',`
261 type rpcd_initrc_exec_t;
# The entrypoint is the init script type rpcd_initrc_exec_t, not rpcd_exec_t.
# The target domain is chosen inside init_labeled_script_domtrans and is not
# visible in this file.
264 init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
267 ########################################
269 ## Read NFS exported content.
271 ## <param name="domain">
273 ## Domain allowed access.
278 interface(`rpc_read_nfs_content',`
280 type nfsd_ro_t, nfsd_rw_t;
# Applies to both content labels, nfsd_ro_t and nfsd_rw_t: directories may be
# listed, files read and symbolic links read. None of these rules permits
# modification.
283 allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
284 allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
285 allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file { getattr read };
288 ########################################
290 ## Allow domain to manage directories, files and symbolic links in NFS read/write content.
292 ## <param name="domain">
294 ## Domain allowed access.
299 interface(`rpc_manage_nfs_rw_content',`
# Full manage access (create, modify, delete) on directories, files and
# symbolic links labeled nfsd_rw_t.
304 manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
305 manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
306 manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
309 ########################################
311 ## Allow domain to manage directories, files and symbolic links in NFS read-only content.
313 ## <param name="domain">
315 ## Domain allowed access.
320 interface(`rpc_manage_nfs_ro_content',`
# NOTE(review): the ro in nfsd_ro_t presumably describes how the content is
# exported, not what the caller may do - these rules give the calling domain
# full manage access (create, modify, delete). Confirm that is intended for
# each caller.
325 manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
326 manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
327 manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
330 ########################################
332 ## Allow domain to read and write to an NFS UDP socket.
334 ## <param name="domain">
336 ## Domain allowed access.
340 interface(`rpc_udp_rw_nfs_sockets',`
# rw_socket_perms on UDP sockets labeled nfsd_t; socket creation is not part
# of this rule.
345 allow $1 nfsd_t:udp_socket rw_socket_perms;
348 ########################################
350 ## Send UDP traffic to NFSd. (Deprecated)
352 ## <param name="domain">
354 ## Domain allowed access.
358 interface(`rpc_udp_send_nfs',`
# The only statement shown is a deprecation warning emitted when the policy is
# built; no allow rule is visible in this interface.
359 refpolicywarn(`$0($*) has been deprecated.')
362 ########################################
364 ## Search NFS state data in /var/lib/nfs.
366 ## <param name="domain">
368 ## Domain allowed access.
372 interface(`rpc_search_nfs_state_data',`
# files_search_var_lib lets the caller traverse the parent var lib directory.
377 files_search_var_lib($1)
# Search only: the caller may traverse var_lib_nfs_t directories but this rule
# does not let it list them or read the files inside.
378 allow $1 var_lib_nfs_t:dir search;
381 ########################################
383 ## Read NFS state data in /var/lib/nfs.
385 ## <param name="domain">
387 ## Domain allowed access.
391 interface(`rpc_read_nfs_state_data',`
# files_search_var_lib lets the caller traverse the parent var lib directory.
396 files_search_var_lib($1)
# Read files labeled var_lib_nfs_t inside var_lib_nfs_t directories.
397 read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
400 ########################################
402 ## Manage NFS state data in /var/lib/nfs.
404 ## <param name="domain">
406 ## Domain allowed access.
410 interface(`rpc_manage_nfs_state_data',`
# files_search_var_lib lets the caller traverse the parent var lib directory.
415 files_search_var_lib($1)
# Create, modify and delete files labeled var_lib_nfs_t inside var_lib_nfs_t
# directories. The rules shown cover files only; no directory manage rule is
# visible here.
416 manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)