2 policy_module(rsync, 1.10.0)
4 ########################################
11 ## Allow rsync to export any files/directories read only.
14 gen_tunable(rsync_export_all_ro, false)
18 ## Allow rsync to modify public files
19 ## used for public file transfer services. Files/Directories must be
20 ## labeled public_content_rw_t.
23 gen_tunable(allow_rsync_anon_write, false)
27 init_daemon_domain(rsync_t, rsync_exec_t)
28 application_executable_file(rsync_exec_t)
29 role system_r types rsync_t;
32 files_config_file(rsync_etc_t)
35 files_type(rsync_data_t)
38 logging_log_file(rsync_log_t)
41 files_tmp_file(rsync_tmp_t)
44 files_pid_file(rsync_var_run_t)
46 ########################################
51 allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
52 allow rsync_t self:process signal_perms;
53 allow rsync_t self:fifo_file rw_fifo_file_perms;
54 allow rsync_t self:tcp_socket create_stream_socket_perms;
55 allow rsync_t self:udp_socket connected_socket_perms;
58 # cjp: this should probably only be inetd_child_t rules?
59 # search home and kerberos also.
60 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
63 allow rsync_t rsync_etc_t:file read_file_perms;
65 allow rsync_t rsync_data_t:dir list_dir_perms;
66 read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
67 read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
69 manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
70 logging_log_filetrans(rsync_t, rsync_log_t, file)
72 manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
73 manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
74 files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
76 manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
77 files_pid_filetrans(rsync_t, rsync_var_run_t, file)
79 kernel_read_kernel_sysctls(rsync_t)
80 kernel_read_system_state(rsync_t)
81 kernel_read_network_state(rsync_t)
83 corenet_all_recvfrom_unlabeled(rsync_t)
84 corenet_all_recvfrom_netlabel(rsync_t)
85 corenet_tcp_sendrecv_generic_if(rsync_t)
86 corenet_udp_sendrecv_generic_if(rsync_t)
87 corenet_tcp_sendrecv_generic_node(rsync_t)
88 corenet_udp_sendrecv_generic_node(rsync_t)
89 corenet_tcp_sendrecv_all_ports(rsync_t)
90 corenet_udp_sendrecv_all_ports(rsync_t)
91 corenet_tcp_bind_generic_node(rsync_t)
92 corenet_tcp_bind_rsync_port(rsync_t)
93 corenet_sendrecv_rsync_server_packets(rsync_t)
95 dev_read_urand(rsync_t)
97 fs_getattr_xattr_fs(rsync_t)
99 files_read_etc_files(rsync_t)
100 files_search_home(rsync_t)
102 auth_use_nsswitch(rsync_t)
104 logging_send_syslog_msg(rsync_t)
106 miscfiles_read_localization(rsync_t)
107 miscfiles_read_public_files(rsync_t)
109 tunable_policy(`allow_rsync_anon_write',`
110 miscfiles_manage_public_files(rsync_t)
114 daemontools_service_domain(rsync_t, rsync_exec_t)
118 kerberos_use(rsync_t)
122 inetd_service_domain(rsync_t, rsync_exec_t)
125 tunable_policy(`rsync_export_all_ro',`
126 fs_read_noxattr_fs_files(rsync_t)
127 fs_read_nfs_files(rsync_t)
128 fs_read_cifs_files(rsync_t)
129 auth_read_all_dirs_except_shadow(rsync_t)
130 auth_read_all_files_except_shadow(rsync_t)
131 auth_read_all_symlinks_except_shadow(rsync_t)
132 auth_tunable_read_shadow(rsync_t)
134 auth_can_read_shadow_passwords(rsync_t)
projects / people / stevee / selinux-policy.git / blob