summaryrefslogtreecommitdiff
path: root/policy/modules/services/rsync.te
blob: 97a6086902abf2b2e2467e6fccb1bdccc4f96604 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129


policy_module(rsync, 1.9.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow rsync to export any files/directories read only.
## </p>
## </desc>
gen_tunable(rsync_export_all_ro, false)

## <desc>
## <p>
## Allow rsync to modify public files
## used for public file transfer services.  Files/Directories must be
## labeled public_content_rw_t.
## </p>
## </desc>
gen_tunable(allow_rsync_anon_write, false)

type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t, rsync_exec_t)
application_executable_file(rsync_exec_t)
role system_r types rsync_t;

type rsync_data_t;
files_type(rsync_data_t)

type rsync_log_t;
logging_log_file(rsync_log_t)

type rsync_tmp_t;
files_tmp_file(rsync_tmp_t)

type rsync_var_run_t;
files_pid_file(rsync_var_run_t)

########################################
#
# Local policy
#

allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
allow rsync_t self:udp_socket connected_socket_perms;

# for identd
# cjp: this should probably only be inetd_child_t rules?
# search home and kerberos also.
allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
#end for identd

allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)

manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
logging_log_filetrans(rsync_t, rsync_log_t, file)

manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir })

manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t)
files_pid_filetrans(rsync_t, rsync_var_run_t, file)

kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)

corenet_all_recvfrom_unlabeled(rsync_t)
corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_generic_if(rsync_t)
corenet_udp_sendrecv_generic_if(rsync_t)
corenet_tcp_sendrecv_generic_node(rsync_t)
corenet_udp_sendrecv_generic_node(rsync_t)
corenet_tcp_sendrecv_all_ports(rsync_t)
corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_generic_node(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
corenet_sendrecv_rsync_server_packets(rsync_t)

dev_read_urand(rsync_t)

fs_getattr_xattr_fs(rsync_t)

files_read_etc_files(rsync_t)
files_search_home(rsync_t)

auth_use_nsswitch(rsync_t)

logging_send_syslog_msg(rsync_t)

miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)

tunable_policy(`allow_rsync_anon_write',`
	miscfiles_manage_public_files(rsync_t)
')

optional_policy(`
	daemontools_service_domain(rsync_t, rsync_exec_t)
')

optional_policy(`
	kerberos_use(rsync_t)
')

optional_policy(`
	inetd_service_domain(rsync_t, rsync_exec_t)
')

tunable_policy(`rsync_export_all_ro',`
	fs_read_noxattr_fs_files(rsync_t) 
	fs_read_nfs_files(rsync_t)
	fs_read_cifs_files(rsync_t)
	auth_read_all_dirs_except_shadow(rsync_t)
	auth_read_all_files_except_shadow(rsync_t)
	auth_read_all_symlinks_except_shadow(rsync_t)
	auth_tunable_read_shadow(rsync_t)
')
auth_can_read_shadow_passwords(rsync_t)
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-23 01:40:43 +0000