psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   cachefilesd.te
Blob Blame History Raw 
###############################################################################
#
# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
#            Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################

#
# This security policy governs access by the CacheFiles kernel module and
# userspace management daemon to the files and directories in the on-disk
# cache, on behalf of the processes accessing the cache through a network
# filesystem such as NFS
#
policy_module(cachefilesd, 1.0.17)

###############################################################################
#
# Declarations
#

#
# Files in the cache are created by the cachefiles module with security ID
# cachefiles_var_t
#
type cachefiles_var_t;
files_type(cachefiles_var_t)

#
# The /dev/cachefiles character device has security ID cachefiles_dev_t
#
type cachefiles_dev_t;
dev_node(cachefiles_dev_t)

#
# The cachefilesd daemon normally runs with security ID cachefilesd_t
#
type cachefilesd_t;
type cachefilesd_exec_t;
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)

#
# The cachefilesd daemon pid file context
#
type cachefilesd_var_run_t;
files_pid_file(cachefilesd_var_run_t)

#
# The CacheFiles kernel module causes processes accessing the cache files to do
# so acting as security ID cachefiles_kernel_t
#
type cachefiles_kernel_t;
domain_type(cachefiles_kernel_t)
domain_obj_id_change_exemption(cachefiles_kernel_t)
role system_r types cachefiles_kernel_t;

###############################################################################
#
# Permit RPM to deal with files in the cache
#
optional_policy(`
	rpm_use_script_fds(cachefilesd_t)
')

###############################################################################
#
# cachefilesd local policy
#
# These define what cachefilesd is permitted to do.  This doesn't include very
# much: startup stuff, logging, pid file, scanning the cache superstructure and
# deleting files from the cache.  It is not permitted to read/write files in
# the cache.
#
# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
# rules.
#
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };

# Allow manipulation of pid file
allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
files_create_as_is_all_files(cachefilesd_t)

# Allow access to cachefiles device file
allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;

# Allow access to cache superstructure
manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)

# Permit statfs on the backing filesystem
fs_getattr_xattr_fs(cachefilesd_t)

# Basic access
logging_send_syslog_msg(cachefilesd_t)
init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)

###############################################################################
#
# When cachefilesd invokes the kernel module to begin caching, it has to tell
# the kernel module the security context in which it should act, and this
# policy has to approve that.
#
# There are two parts to this:
#
#   (1) the security context used by the module to access files in the cache,
#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
#
allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };

#
#   (2) the label that will be assigned to new files and directories created in
#       the cache by the module, which will be the same as the label on the
#       directory pointed to by the 'dir' command.
#
allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };

###############################################################################
#
# cachefiles kernel module local policy
#
# This governs what the kernel module is allowed to do the contents of the
# cache.
#
allow cachefiles_kernel_t self:capability { dac_override dac_read_search };

manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)

fs_getattr_xattr_fs(cachefiles_kernel_t)

dev_search_sysfs(cachefiles_kernel_t)

init_sigchld_script(cachefiles_kernel_t)
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.