134 lines
3.4 KiB
Plaintext
134 lines
3.4 KiB
Plaintext
policy_module(rsync, 1.10.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow rsync to export any files/directories read only.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(rsync_export_all_ro, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow rsync to modify public files
|
|
## used for public file transfer services. Files/Directories must be
|
|
## labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_rsync_anon_write, false)
|
|
|
|
type rsync_t;
|
|
type rsync_exec_t;
|
|
init_daemon_domain(rsync_t, rsync_exec_t)
|
|
application_executable_file(rsync_exec_t)
|
|
role system_r types rsync_t;
|
|
|
|
type rsync_etc_t;
|
|
files_config_file(rsync_etc_t)
|
|
|
|
type rsync_data_t;
|
|
files_type(rsync_data_t)
|
|
|
|
type rsync_log_t;
|
|
logging_log_file(rsync_log_t)
|
|
|
|
type rsync_tmp_t;
|
|
files_tmp_file(rsync_tmp_t)
|
|
|
|
type rsync_var_run_t;
|
|
files_pid_file(rsync_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
|
|
allow rsync_t self:process signal_perms;
|
|
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
|
allow rsync_t self:tcp_socket create_stream_socket_perms;
|
|
allow rsync_t self:udp_socket connected_socket_perms;
|
|
|
|
# for identd
|
|
# cjp: this should probably only be inetd_child_t rules?
|
|
# search home and kerberos also.
|
|
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
#end for identd
|
|
|
|
allow rsync_t rsync_etc_t:file read_file_perms;
|
|
|
|
allow rsync_t rsync_data_t:dir list_dir_perms;
|
|
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
|
|
manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
|
|
logging_log_filetrans(rsync_t, rsync_log_t, file)
|
|
|
|
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
|
|
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
|
|
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
|
|
files_pid_filetrans(rsync_t, rsync_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(rsync_t)
|
|
kernel_read_system_state(rsync_t)
|
|
kernel_read_network_state(rsync_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(rsync_t)
|
|
corenet_all_recvfrom_netlabel(rsync_t)
|
|
corenet_tcp_sendrecv_generic_if(rsync_t)
|
|
corenet_udp_sendrecv_generic_if(rsync_t)
|
|
corenet_tcp_sendrecv_generic_node(rsync_t)
|
|
corenet_udp_sendrecv_generic_node(rsync_t)
|
|
corenet_tcp_sendrecv_all_ports(rsync_t)
|
|
corenet_udp_sendrecv_all_ports(rsync_t)
|
|
corenet_tcp_bind_generic_node(rsync_t)
|
|
corenet_tcp_bind_rsync_port(rsync_t)
|
|
corenet_sendrecv_rsync_server_packets(rsync_t)
|
|
|
|
dev_read_urand(rsync_t)
|
|
|
|
fs_getattr_xattr_fs(rsync_t)
|
|
|
|
files_read_etc_files(rsync_t)
|
|
files_search_home(rsync_t)
|
|
|
|
auth_use_nsswitch(rsync_t)
|
|
|
|
logging_send_syslog_msg(rsync_t)
|
|
|
|
miscfiles_read_localization(rsync_t)
|
|
miscfiles_read_public_files(rsync_t)
|
|
|
|
tunable_policy(`allow_rsync_anon_write',`
|
|
miscfiles_manage_public_files(rsync_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(rsync_t, rsync_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(rsync_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_service_domain(rsync_t, rsync_exec_t)
|
|
')
|
|
|
|
tunable_policy(`rsync_export_all_ro',`
|
|
fs_read_noxattr_fs_files(rsync_t)
|
|
fs_read_nfs_files(rsync_t)
|
|
fs_read_cifs_files(rsync_t)
|
|
auth_read_all_dirs_except_auth_files(rsync_t)
|
|
auth_read_all_files_except_auth_files(rsync_t)
|
|
auth_read_all_symlinks_except_auth_files(rsync_t)
|
|
auth_tunable_read_shadow(rsync_t)
|
|
')
|
|
auth_can_read_shadow_passwords(rsync_t)
|