selinux-refpolicy/policy/modules/services/rsync.te

128 lines
3.2 KiB
Plaintext

policy_module(rsync, 1.8.3)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
gen_tunable(rsync_export_all_ro, false)
## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services. Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write, false)
type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;
type rsync_data_t;
files_type(rsync_data_t)
type rsync_log_t;
logging_log_file(rsync_log_t)
type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)
type rsync_var_run_t;
files_pid_file(rsync_var_run_t)
########################################
#
# Local policy
#
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
allow rsync_t self:udp_socket connected_socket_perms;
# for identd
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
files_pid_filetrans(rsync_t, rsync_var_run_t, file)
kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
corenet_udp_sendrecv_generic_node(rsync_t)
corenet_tcp_sendrecv_all_ports(rsync_t)
corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
corenet_sendrecv_rsync_server_packets(rsync_t)
dev_read_urand(rsync_t)
fs_getattr_xattr_fs(rsync_t)
files_read_etc_files(rsync_t)
files_search_home(rsync_t)
auth_use_nsswitch(rsync_t)
logging_send_syslog_msg(rsync_t)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
tunable_policy(`allow_rsync_anon_write',`
miscfiles_manage_public_files(rsync_t)
')
optional_policy(`
daemontools_service_domain(rsync_t, rsync_exec_t)
')
optional_policy(`
kerberos_use(rsync_t)
')
optional_policy(`
inetd_service_domain(rsync_t, rsync_exec_t)
')
tunable_policy(`rsync_export_all_ro',`
fs_read_noxattr_fs_files(rsync_t)
auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
auth_read_all_symlinks_except_shadow(rsync_t)
auth_tunable_read_shadow(rsync_t)
')
auth_can_read_shadow_passwords(rsync_t)