Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/rpc.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/rpc.if')
-rw-r--r--policy/modules/services/rpc.if395
1 files changed, 395 insertions, 0 deletions
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
new file mode 100644
index 00000000..7063c42f
--- /dev/null
+++ b/policy/modules/services/rpc.if
@@ -0,0 +1,395 @@
+## <summary>Remote Procedure Call Daemon.</summary>
+
+########################################
+## <summary>
+## RPC stub interface. No access allowed.
+## </summary>
+## <param name="domain" unused="true">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_stub',`
+ gen_require(`
+ type exports_t;
+ ')
+')
+
+#######################################
+## <summary>
+## The template to define a rpc domain.
+## </summary>
+## <param name="domain_prefix">
+## <summary>
+## Domain prefix to be used.
+## </summary>
+## </param>
+#
+template(`rpc_domain_template',`
+ gen_require(`
+ attribute rpc_domain;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, rpc_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ domain_use_interactive_fds($1_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ auth_use_nsswitch($1_t)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get
+## attributes of export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`rpc_dontaudit_getattr_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ dontaudit $1 exports_t:file getattr;
+')
+
+########################################
+## <summary>
+## Read export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Write export files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_write_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ allow $1 exports_t:file write;
+')
+
+########################################
+## <summary>
+## Execute nfsd in the nfsd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_t, nfsd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nfsd_exec_t, nfsd_t)
+')
+
+#######################################
+## <summary>
+## Execute nfsd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_nfsd',`
+ gen_require(`
+ type nfsd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Execute rpcd in the rpcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_t, rpcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
+')
+
+#######################################
+## <summary>
+## Execute rpcd init scripts in
+## the initrc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rpc_initrc_domtrans_rpcd',`
+ gen_require(`
+ type rpcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nfs exported content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_read_nfs_content',`
+ gen_require(`
+ type nfsd_ro_t, nfsd_rw_t;
+ ')
+
+ allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
+ allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs exported read write content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_rw_content',`
+ gen_require(`
+ type nfsd_rw_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+ manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs exported read only content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_manage_nfs_ro_content',`
+ gen_require(`
+ type nfsd_ro_t;
+ ')
+
+ manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+ manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
+')
+
+########################################
+## <summary>
+## Read and write to nfsd tcp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_tcp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:tcp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Read and write to nfsd udp sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_udp_rw_nfs_sockets',`
+ gen_require(`
+ type nfsd_t;
+ ')
+
+ allow $1 nfsd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Search nfs lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_search_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 var_lib_nfs_t:dir search;
+')
+
+########################################
+## <summary>
+## Read nfs lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_read_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## nfs lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_manage_nfs_state_data',`
+ gen_require(`
+ type var_lib_nfs_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+
+ ifdef(`distro_gentoo',`
+ rw_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ ')
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an rpc environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`rpc_admin',`
+ gen_require(`
+ attribute rpc_domain;
+ type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+ type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ type nfsd_t, rpcd_t;
+ ')
+
+ allow $1 rpc_domain:process { ptrace signal_perms };
+ ps_process_pattern($1, rpc_domain)
+
+ init_startstop_service($1, $2, nfsd_t, nfsd_initrc_exec_t)
+ init_startstop_service($1, $2, rpcd_t, rpcd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { gssd_keytab_t exports_t })
+
+ files_list_var_lib($1)
+ admin_pattern($1, var_lib_nfs_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcd_var_run_t)
+
+ files_list_all($1)
+ admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
+
+ files_list_tmp($1)
+ admin_pattern($1, gssd_tmp_t)
+
+ fs_search_nfsd_fs($1)
+')