#DESC Rpcd - RPC daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# Depends: portmap.te
# X-Debian-Packages: nfs-common
#
#################################
#
# Rules for the rpcd_t and nfsd_t domain.
#
# rpc_domain(name): the rule set shared by every RPC daemon domain in this
# file (rpcd, nfsd and gssd are all created through it below). It builds the
# name_t domain with daemon_base_domain and grants the network, /etc,
# /var/lib/nfs, RPC sysctl and port-binding access the RPC daemons have in
# common. Daemon-specific rules are added after each invocation.
#
define(`rpc_domain', `
# Under the targeted policy the extra argument presumably requests a
# transition boolean for the domain; see daemon_base_domain for the exact effect.
ifdef(`targeted_policy', `
daemon_base_domain($1, `, transitionbool')
', `
daemon_base_domain($1)
')
can_network($1_t)
# NOTE(review): name_connect against every port_type lets the daemon open a
# TCP connection to any labelled port, not only the portmapper. RPC clients
# do need arbitrary ports, but this is a broad grant worth remembering when
# one of these daemons is compromised.
allow $1_t port_type:tcp_socket name_connect;
can_ypbind($1_t)
allow $1_t { etc_runtime_t etc_t }:file { getattr read };
read_locale($1_t)
# net_bind_service is what allows the reserved-port binds granted below.
allow $1_t self:capability net_bind_service;
dontaudit $1_t self:capability net_admin;

allow $1_t var_t:dir { getattr search };
allow $1_t var_lib_t:dir search;
# Full create/write access to the NFS state directory (var_lib_nfs_t).
allow $1_t var_lib_nfs_t:dir create_dir_perms;
allow $1_t var_lib_nfs_t:file create_file_perms;
# do not log when it tries to bind to a port belonging to another domain
# (only the generic reserved_port_t and port_t binds below are actually
# allowed; binding to another service port stays denied, just silently).
dontaudit $1_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
allow $1_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
allow $1_t self:netlink_route_socket r_netlink_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
# bind to arbitrary unused ports
allow $1_t port_t:{ tcp_socket udp_socket } name_bind;
# read and write the RPC sysctls (sysctl_rpc_t).
allow $1_t sysctl_rpc_t:dir search;
allow $1_t sysctl_rpc_t:file rw_file_perms;
')

# /etc/exports. Nothing in this file lets user domains read it; the
# dontaudit only keeps their getattr probes out of the audit log.
type exports_t, file_type, sysadmfile;
dontaudit userdomain exports_t:file getattr;

# rpcd_t is the domain of rpc daemons.
# rpcd_exec_t is the type of rpc daemon programs.
#
rpc_domain(rpcd)
var_run_domain(rpcd)
allow rpcd_t rpcd_var_run_t:dir setattr;

# for rpc.rquotad
allow rpcd_t sysctl_t:dir r_dir_perms;
allow rpcd_t self:fifo_file rw_file_perms;

# rpcd_t needs to talk to the portmap_t domain
can_udp_send(rpcd_t, portmap_t)

# initrc reads /etc/exports on every distribution; Red Hat also writes it.
allow initrc_t exports_t:file r_file_perms;
ifdef(`distro_redhat', `
# NOTE(review): dac_override bypasses the mode-bit checks on every file the
# SELinux rules already reach; the reason Red Hat builds need it for rpcd_t is
# not recorded here - confirm from the audit log before keeping it.
allow rpcd_t self:capability { chown dac_override setgid setuid };
# for /etc/rc.d/init.d/nfs to create /etc/exports
allow initrc_t exports_t:file write;
')

allow rpcd_t self:file { getattr read };

# nfs kernel server needs kernel UDP access. It is less risky and painful
# to just give it everything.
# NOTE(review): this grant is unconditional - it is not gated by the
# nfs_export_all_* booleans below - and it applies to kernel_t as a whole,
# not just to the kernel NFS server. Two narrower rules are left commented
# out underneath it.
can_network_server(kernel_t)
#can_udp_send(kernel_t, rpcd_t)
#can_udp_send(rpcd_t, kernel_t)

# nfsd_t: the user-space NFS server helpers (exportfs, rpc.mountd), entered
# from sysadm_t. The NFS server itself runs in the kernel, which is why
# kernel_t appears in the export rules below.
rpc_domain(nfsd)
domain_auto_trans(sysadm_t, nfsd_exec_t, nfsd_t)
role sysadm_r types nfsd_t;

# for /proc/fs/nfs/exports - should we have a new type?
allow nfsd_t proc_t:file r_file_perms;
allow nfsd_t proc_net_t:dir search;
allow nfsd_t exports_t:file { getattr read };

# nfsd_t mounts the nfsd filesystem (nfsd_fs_t) and reads/writes the files in it.
allow nfsd_t nfsd_fs_t:filesystem mount;
allow nfsd_t nfsd_fs_t:dir search;
allow nfsd_t nfsd_fs_t:file rw_file_perms;
allow initrc_t sysctl_rpc_t:dir search;
allow initrc_t sysctl_rpc_t:file rw_file_perms;

# Types for exported trees: nfsd_rw_t is served read-write, nfsd_ro_t
# read-only. Both carry usercanread, so local user domains can read them too.
type nfsd_rw_t, file_type, sysadmfile, usercanread;
type nfsd_ro_t, file_type, sysadmfile, usercanread;

# Export everything read-write. Off by default.
# NOTE(review): enabling this gives kernel_t create/write access to every
# file_type except shadow_t - the only exclusion in the expression below - so
# it is a system-wide trust decision rather than an NFS tuning knob.
bool nfs_export_all_rw false;

if(nfs_export_all_rw) {
allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
r_dir_file(kernel_t, noexattrfile)
create_dir_file(kernel_t,{ file_type -shadow_t })
}

# Unconditional: keep kernel_t getattr probes on shadow_t out of the audit log.
dontaudit kernel_t shadow_t:file getattr;

# Export everything read-only, again excluding shadow_t. Off by default.
bool nfs_export_all_ro false;

if(nfs_export_all_ro) {
allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
}

# The always-on export rules: outside the booleans above only nfsd_rw_t and
# nfsd_ro_t are granted here.
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
create_dir_file(kernel_t, nfsd_rw_t);
r_dir_file(kernel_t, nfsd_ro_t);

# UDP between the kernel server and the nfsd_t helpers, in both directions.
allow kernel_t nfsd_t:udp_socket rw_socket_perms;
can_udp_send(kernel_t, nfsd_t)
can_udp_send(nfsd_t, kernel_t)

# does not really need this, but it is easier to just allow it
allow nfsd_t var_run_t:dir search;

# NOTE(review): sys_admin is close to unrestricted root. Presumably it is what
# the nfsd_fs_t mount above needs - confirm from the audit log before keeping it.
allow nfsd_t self:capability { sys_admin sys_resource };
allow nfsd_t fs_type:filesystem getattr;

# portmapper registration: UDP both ways, TCP from nfsd_t.
can_udp_send(nfsd_t, portmap_t)
can_udp_send(portmap_t, nfsd_t)

can_tcp_connect(nfsd_t, portmap_t)

# for exportfs and rpc.mountd
allow nfsd_t tmp_t:dir getattr;

# rpcd_t side of the rpc_pipefs upcall filesystem.
r_dir_file(rpcd_t, rpc_pipefs_t)
allow rpcd_t rpc_pipefs_t:sock_file { read write };
dontaudit rpcd_t selinux_config_t:dir { search };
allow rpcd_t proc_net_t:dir search;


# gssd_t: the GSS/Kerberos credential daemon used by secure NFS.
rpc_domain(gssd)
can_kerberos(gssd_t)
ifdef(`kerberos.te', `
# read Kerberos keytabs, only when kerberos.te is part of the build
allow gssd_t krb5_keytab_t:file r_file_perms;
')
allow gssd_t urandom_device_t:chr_file { getattr read };
# NOTE(review): read access to all of tmp_t is granted here unconditionally,
# so the allow_gssd_read_tmp boolean below only adds the write half on the
# targeted policy (and user_tmpfile read/write on strict); its name
# overstates what it actually gates.
r_dir_file(gssd_t, tmp_t)
tmp_domain(gssd)
allow gssd_t self:fifo_file { read write };
r_dir_file(gssd_t, proc_net_t)
# rpc_pipefs upcalls from the kernel
allow gssd_t rpc_pipefs_t:dir r_dir_perms;
allow gssd_t rpc_pipefs_t:sock_file { read write };
allow gssd_t rpc_pipefs_t:file r_file_perms;
# NOTE(review): dac_override and dac_read_search bypass the mode-bit checks on
# any file the rules here already reach; presumably needed to get at the
# ticket files of other users (see the boolean below) - confirm before keeping.
allow gssd_t self:capability { dac_override dac_read_search setuid };
# rpcd_t / nfsd_t tty access, kept in this section as in the original layout.
allow nfsd_t devtty_t:chr_file rw_file_perms;
allow rpcd_t devtty_t:chr_file rw_file_perms;

# Defaults to ON: gssd may write Kerberos ticket files in temporary
# directories. Set it to false on hosts where gssd must never modify
# user temporary files.
bool allow_gssd_read_tmp true;
if (allow_gssd_read_tmp) {
#
#needs to be able to update the kerberos ticket file
#
ifdef(`targeted_policy', `
# targeted policy: read and write tmp_t files
r_dir_file(gssd_t, tmp_t)
allow gssd_t tmp_t:file write;
', `
# strict policy: only user tmp files (user_tmpfile attribute)
r_dir_file(gssd_t, user_tmpfile)
allow gssd_t user_tmpfile:file write;
')
}