############################################################################### # # Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved. # Written by David Howells (dhowells@redhat.com) # Karl MacMillan (kmacmill@redhat.com) # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version # 2 of the License, or (at your option) any later version. # ############################################################################### # # This security policy governs access by the CacheFiles kernel module and # userspace management daemon to the files and directories in the on-disk # cache, on behalf of the processes accessing the cache through a network # filesystem such as NFS # policy_module(cachefilesd, 1.0.17) ############################################################################### # # Declarations # # # Files in the cache are created by the cachefiles module with security ID # cachefiles_var_t # type cachefiles_var_t; files_type(cachefiles_var_t) # # The /dev/cachefiles character device has security ID cachefiles_dev_t # type cachefiles_dev_t; dev_node(cachefiles_dev_t) # # The cachefilesd daemon normally runs with security ID cachefilesd_t # type cachefilesd_t; type cachefilesd_exec_t; init_daemon_domain(cachefilesd_t, cachefilesd_exec_t) # # The cachefilesd daemon pid file context # type cachefilesd_var_run_t; files_pid_file(cachefilesd_var_run_t) # # The CacheFiles kernel module causes processes accessing the cache files to do # so acting as security ID cachefiles_kernel_t # type cachefiles_kernel_t; domain_type(cachefiles_kernel_t) domain_obj_id_change_exemption(cachefiles_kernel_t) role system_r types cachefiles_kernel_t; ############################################################################### # # Permit RPM to deal with files in the cache # optional_policy(` rpm_use_script_fds(cachefilesd_t) ') ############################################################################### # # cachefilesd local policy # # These define what cachefilesd is permitted to do. This doesn't include very # much: startup stuff, logging, pid file, scanning the cache superstructure and # deleting files from the cache. It is not permitted to read/write files in # the cache. # # Check in /usr/share/selinux/devel/include/ for macros to use instead of allow # rules. # allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override }; # Allow manipulation of pid file allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms; manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t) files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file) files_create_as_is_all_files(cachefilesd_t) # Allow access to cachefiles device file allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms; # Allow access to cache superstructure manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t) # Permit statfs on the backing filesystem fs_getattr_xattr_fs(cachefilesd_t) # Basic access logging_send_syslog_msg(cachefilesd_t) init_dontaudit_use_script_ptys(cachefilesd_t) term_dontaudit_use_generic_ptys(cachefilesd_t) term_dontaudit_getattr_unallocated_ttys(cachefilesd_t) ############################################################################### # # When cachefilesd invokes the kernel module to begin caching, it has to tell # the kernel module the security context in which it should act, and this # policy has to approve that. # # There are two parts to this: # # (1) the security context used by the module to access files in the cache, # as set by the 'secctx' command in /etc/cachefilesd.conf, and # allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override }; # # (2) the label that will be assigned to new files and directories created in # the cache by the module, which will be the same as the label on the # directory pointed to by the 'dir' command. # allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as }; ############################################################################### # # cachefiles kernel module local policy # # This governs what the kernel module is allowed to do the contents of the # cache. # allow cachefiles_kernel_t self:capability { dac_override dac_read_search }; manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t) fs_getattr_xattr_fs(cachefiles_kernel_t) dev_search_sysfs(cachefiles_kernel_t) init_sigchld_script(cachefiles_kernel_t)