Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/rpc.if

628 lines
12 KiB
Text
Raw Permalink Normal View History

## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
########################################
## <summary>
## RPC stub interface. No access allowed.
## </summary>
## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_stub',`
gen_require(`
type exports_t;
')
')
#######################################
## <summary>
## The template to define a rpc domain.
## </summary>
## <desc>
## <p>
## This template creates a domain to be used for
## a new rpc daemon.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The type of daemon to be used.
## </summary>
## </param>
#
template(`rpc_domain_template',`
gen_require(`
attribute rpc_domain;
')
########################################
#
# Declarations
#
type $1_t, rpc_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
domain_use_interactive_fds($1_t)
####################################
#
# Local Policy
#
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
auth_use_nsswitch($1_t)
logging_send_syslog_msg($1_t)
')
########################################
## <summary>
## Send UDP network traffic to rpc and recieve UDP traffic from rpc. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_udp_send',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of the NFS export file.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpc_dontaudit_getattr_exports',`
gen_require(`
type exports_t;
')
dontaudit $1 exports_t:file getattr_file_perms;
')
########################################
## <summary>
## Allow read access to exports.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_read_exports',`
gen_require(`
type exports_t;
')
allow $1 exports_t:file read_file_perms;
')
########################################
## <summary>
## Allow write access to exports.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_write_exports',`
gen_require(`
type exports_t;
')
allow $1 exports_t:file write_file_perms;
')
########################################
## <summary>
## Manage nfs file exports
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_manage_exports',`
gen_require(`
type exports_t;
')
manage_files_pattern($1, exports_t, exports_t)
')
########################################
## <summary>
## Watch nfs file exports
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_watch_exports',`
gen_require(`
type exports_t;
')
files_search_etc($1)
allow $1 exports_t:file watch_file_perms;
')
########################################
## <summary>
## Execute domain in nfsd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_domtrans_nfsd',`
gen_require(`
type nfsd_t, nfsd_exec_t;
')
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
')
#######################################
## <summary>
## Execute domain in nfsd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_initrc_domtrans_nfsd',`
gen_require(`
type nfsd_initrc_exec_t;
')
init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
')
########################################
## <summary>
## Execute nfsd server in the nfsd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_systemctl_nfsd',`
gen_require(`
type nfsd_unit_file_t;
type nfsd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 nfsd_unit_file_t:file read_file_perms;
allow $1 nfsd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, nfsd_t)
')
########################################
## <summary>
## Send kill signals to rpcd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_kill_rpcd',`
gen_require(`
type rpcd_t;
')
allow $1 rpcd_t:process sigkill;
')
########################################
## <summary>
## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_domtrans_rpcd',`
gen_require(`
type rpcd_t, rpcd_exec_t;
')
domtrans_pattern($1, rpcd_exec_t, rpcd_t)
allow rpcd_t $1:process signal;
')
########################################
## <summary>
## Execute rpcd in the rcpd domain, and
## allow the specified role the rpcd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpc_run_rpcd',`
gen_require(`
type rpcd_t;
')
rpc_domtrans_rpcd($1)
role $2 types rpcd_t;
')
#######################################
## <summary>
## Execute domain in rpcd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_initrc_domtrans_rpcd',`
gen_require(`
type rpcd_initrc_exec_t;
')
init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
')
########################################
## <summary>
## Execute rpcd server in the rpcd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_systemctl_rpcd',`
gen_require(`
type rpcd_unit_file_t;
type rpcd_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 rpcd_unit_file_t:file read_file_perms;
allow $1 rpcd_unit_file_t:service manage_service_perms;
ps_process_pattern($1, rpcd_t)
')
########################################
## <summary>
## Allow domain to read and write to an NFS UDP socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_udp_rw_nfs_sockets',`
gen_require(`
type nfsd_t;
')
allow $1 nfsd_t:udp_socket rw_socket_perms;
')
########################################
## <summary>
## Send UDP traffic to NFSd. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_udp_send_nfs',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Search NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_search_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir search_dir_perms;
')
########################################
## <summary>
## List NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_list_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir list_dir_perms;
')
########################################
## <summary>
## Manage NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_manage_nfs_state_data_dir',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
allow $1 var_lib_nfs_t:dir manage_dir_perms;
')
########################################
## <summary>
## Read NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_read_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
')
########################################
## <summary>
## Manage NFS state data in /var/lib/nfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_manage_nfs_state_data',`
gen_require(`
type var_lib_nfs_t;
')
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
allow $1 var_lib_nfs_t:file relabel_file_perms;
')
########################################
## <summary>
## Execute domain in gssd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpc_domtrans_gssd',`
gen_require(`
type gssd_t, gssd_exec_t;
')
domtrans_pattern($1, gssd_exec_t, gssd_t)
')
########################################
## <summary>
## Write keys for all user domains.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_rw_gssd_keys',`
gen_require(`
type gssd_t;
')
allow $1 gssd_t:key { read search setattr view write };
')
########################################
## <summary>
## Transition to alsa named content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_filetrans_var_lib_nfs_content',`
gen_require(`
type var_lib_nfs_t;
')
files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
')
#######################################
## <summary>
## All of the rules required to
## administrate an rpc environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpc_admin',`
gen_require(`
attribute rpc_domain;
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
type nfsd_rw_t, gssd_keytab_t;
')
allow $1 rpc_domain:process { ptrace signal_perms };
ps_process_pattern($1, rpc_domain)
init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
domain_system_change_exemption($1)
role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, { gssd_keytab_t exports_t })
files_list_var_lib($1)
admin_pattern($1, var_lib_nfs_t)
files_list_pids($1)
admin_pattern($1, rpcd_var_run_t)
files_list_all($1)
admin_pattern($1, nfsd_rw_t )
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
fs_search_nfsd_fs($1)
')
########################################
## <summary>
## Read gssd process state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_read_gssd_state',`
gen_require(`
type gssd_t;
')
ps_process_pattern($1, gssd_t)
')
########################################
## <summary>
## Read and write to svirt_image devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_gssd_noatsecure',`
gen_require(`
type gssd_t;
')
allow $1 gssd_t:process { noatsecure rlimitinh };
')
########################################
## <summary>
## Send and receive messages from
## ganesha over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpc_dbus_chat_nfsd',`
gen_require(`
type nfsd_t;
class dbus send_msg;
')
allow $1 nfsd_t:dbus send_msg;
allow nfsd_t $1:dbus send_msg;
')