oreonproject/Oreon-Lime-R2
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/rsync.te

198 lines
4.7 KiB
Text
Raw Blame History

policy_module(rsync, 1.13.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow rsync to run as a client
## </p>
## </desc>
gen_tunable(rsync_client, false)
## <desc>
## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
gen_tunable(rsync_export_all_ro, false)
## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services. Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(rsync_anon_write, false)
## <desc>
## <p>
## Allow rsync server to manage all files/directories on the system.
## </p>
## </desc>
gen_tunable(rsync_full_access, false)
## <desc>
## <p>
## Allow rsync sys_admin capability.
## This capability is required to restore files
## with extended attributes in the "trusted" namespace.
## </p>
## </desc>
gen_tunable(rsync_sys_admin, false)
type rsync_t;
type rsync_exec_t;
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
init_daemon_domain(rsync_t, rsync_exec_t)
type rsync_etc_t;
files_config_file(rsync_etc_t)
type rsync_data_t;
files_type(rsync_data_t)
type rsync_log_t;
logging_log_file(rsync_log_t)
type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)
type rsync_var_run_t;
files_pid_file(rsync_var_run_t)
########################################
#
# Local policy
#
allow rsync_t self:capability { chown dac_read_search fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
allow rsync_t self:udp_socket connected_socket_perms;
# for identd
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd
read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
allow rsync_t rsync_data_t:dir_file_class_set getattr;
allow rsync_t rsync_data_t:socket_class_set getattr;
allow rsync_t rsync_data_t:sock_file setattr;
manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
files_pid_filetrans(rsync_t, rsync_var_run_t, file)
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
corenet_udp_sendrecv_generic_node(rsync_t)
corenet_tcp_sendrecv_all_ports(rsync_t)
corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
corenet_sendrecv_rsync_server_packets(rsync_t)
dev_read_urand(rsync_t)
fs_getattr_xattr_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
files_search_home(rsync_t)
auth_use_nsswitch(rsync_t)
logging_send_syslog_msg(rsync_t)
miscfiles_read_public_files(rsync_t)
userdom_home_manager(rsync_t)
optional_policy(`
daemontools_service_domain(rsync_t, rsync_exec_t)
')
optional_policy(`
glusterd_stream_connect(rsync_t)
')
optional_policy(`
kerberos_use(rsync_t)
')
optional_policy(`
inetd_service_domain(rsync_t, rsync_exec_t)
')
optional_policy(`
mta_send_mail(rsync_t)
')
tunable_policy(`rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
tunable_policy(`rsync_full_access',`
allow rsync_t self:capability { dac_read_search };
files_manage_non_auth_files(rsync_t)
')
tunable_policy(`rsync_sys_admin',`
allow rsync_t self:capability sys_admin;
')
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
fs_read_nfs_files(rsync_t)
fs_read_fusefs_files(rsync_t)
fs_read_cifs_files(rsync_t)
files_list_non_auth_dirs(rsync_t)
files_read_non_auth_files(rsync_t)
files_read_non_auth_symlinks(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
tunable_policy(`rsync_client',`
corenet_tcp_connect_rsync_port(rsync_t)
corenet_tcp_connect_ssh_port(rsync_t)
manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
')
optional_policy(`
tunable_policy(`rsync_client',`
ssh_exec(rsync_t)
')
')
auth_can_read_shadow_passwords(rsync_t)
optional_policy(`
swift_manage_data_files(rsync_t)
swift_manage_lock(rsync_t)
swift_filetrans_named_lock(rsync_t)
')
Reference in a new issue View git blame Copy permalink