init repo.

selinux/cachefilesd.fc

@@ -0,0 +1,29 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the contexts to be assigned to various files and directories of
+# importance to the CacheFiles kernel module and userspace management daemon.
+#
+
+# cachefilesd executable will have:
+# label: system_u:object_r:cachefilesd_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
+/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
+/var/cache/fscache(/.*)?	gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefiles_var_t,s0)

selinux/cachefilesd.if

@@ -0,0 +1,41 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# Define the policy interface for the CacheFiles userspace management daemon.
+#
+
+## <summary>policy for cachefilesd</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run cachefilesd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`cachefilesd_domtrans',`
+	gen_require(`
+		type cachefilesd_t, cachefilesd_exec_t;
+	')
+
+	domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
+
+	allow $1 cachefilesd_t:fd use;
+	allow cachefilesd_t $1:fd use;
+	allow cachefilesd_t $1:fifo_file rw_file_perms;
+	allow cachefilesd_t $1:process sigchld;
+')

selinux/cachefilesd.te

@@ -0,0 +1,146 @@
+###############################################################################
+#
+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#            Karl MacMillan (kmacmill@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
+
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
+# cache, on behalf of the processes accessing the cache through a network
+# filesystem such as NFS
+#
+policy_module(cachefilesd,1.0.17)
+
+###############################################################################
+#
+# Declarations
+#
+require { type kernel_t; }
+
+#
+# Files in the cache are created by the cachefiles module with security ID
+# cachefiles_var_t
+#
+type cachefiles_var_t;
+files_type(cachefiles_var_t)
+
+#
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
+#
+type cachefiles_dev_t;
+dev_node(cachefiles_dev_t)
+
+#
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
+#
+type cachefilesd_t;
+type cachefilesd_exec_t;
+domain_type(cachefilesd_t)
+init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
+
+#
+# The cachefilesd daemon pid file context
+#
+type cachefilesd_var_run_t;
+files_pid_file(cachefilesd_var_run_t)
+
+#
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
+#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
+#
+rpm_use_script_fds(cachefilesd_t)
+
+###############################################################################
+#
+# cachefilesd local policy
+#
+# These define what cachefilesd is permitted to do.  This doesn't include very
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
+# deleting files from the cache.  It is not permitted to read/write files in
+# the cache.
+#
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
+allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
+
+# Basic access
+files_read_etc_files(cachefilesd_t)
+libs_use_ld_so(cachefilesd_t)
+libs_use_shared_libs(cachefilesd_t)
+miscfiles_read_localization(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
+term_dontaudit_use_generic_ptys(cachefilesd_t)
+term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
+
+# Allow manipulation of pid file
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
+manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
+files_pid_file(cachefilesd_var_run_t)
+files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
+
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
+
+# Allow access to cache superstructure
+allow cachefilesd_t cachefiles_var_t : dir { rw_dir_perms rmdir };
+allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
+
+# Permit statfs on the backing filesystem
+fs_getattr_xattr_fs(cachefilesd_t)
+
+###############################################################################
+#
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
+# the kernel module the security context in which it should act, and this
+# policy has to approve that.
+#
+# There are two parts to this:
+#
+#   (1) the security context used by the module to access files in the cache,
+#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
+#
+allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
+
+#
+#   (2) the label that will be assigned to new files and directories created in
+#       the cache by the module, which will be the same as the label on the
+#       directory pointed to by the 'dir' command.
+#
+allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
+
+###############################################################################
+#
+# cachefiles kernel module local policy
+#
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
+allow cachefiles_kernel_t initrc_t:process sigchld;
+
+manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
+
+fs_getattr_xattr_fs(cachefiles_kernel_t)
+
+dev_search_sysfs(cachefiles_kernel_t)

selinux/move-cache.txt

@@ -0,0 +1,89 @@
+	     =====================================================
+	     RELOCATING THE CACHE WITH SELINUX ENFORCEMENT ENABLED
+	     =====================================================
+
+If the cache is being used on a system on which SELinux is active and running
+in enforcing mode, then the security policy installed by the cachefilesd RPM
+needs to be updated to permit the CacheFiles module and daemon to access the
+cache if the cache is moved.
+
+The simplest way to do this is to add an auxiliary policy to mark out the
+location of the new cache, whilst leaving the old location still available for
+caching.  If anything more is required, then it will be necessary to modify the
+policy that is installed.
+
+Example sources for the installed policy will be themselves installed by the
+cachefilesd RPM in:
+
+	/usr/share/doc/cachefilesd/
+
+See the files named:
+
+	cachefilesd.te
+	cachefilesd.fc
+	cachefilesd.if
+
+The policy actually used for the defaults, however, is part of the SELinux
+package.
+
+
+==========================
+ADDING AN AUXILIARY POLICY
+==========================
+
+Creating and adding an auxiliary policy is very easy.  Follow the following
+steps:
+
+ (0) Check that checkpolicy and selinux-policy* packages are installed.  These
+     are needed to build your policy.
+
+ (1) Create a new directory and go into it.
+
+ (2) Create a source file to reference the security ID already set up for files
+     in the cache as you'll need these to label your own cache directory.
+     Assuming you're going to name your policy "mycache", this would have to be
+     called "mycache.te":
+
+	[mycache.te]
+	policy_module(mycache,1.0.0)
+	require { type cachefiles_var_t; }
+
+ (3) Create a source file to note the directory in which you wish your cache to
+     reside.  This file should be named for your policy, plus a ".fc" suffix:
+
+	[mycache.fc]
+	/mycache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+     This specifies the security ID for the directory in which your cache will
+     live and all its descendents.  Replace "/mycache" with the path to your
+     cache's directory.
+
+ (4) Build the policy:
+
+	make -f /usr/share/selinux/devel/Makefile
+
+ (5) And install it:
+
+	semodule -i mycache.pp
+
+ (6) Create your directory and tell SELinux to label it appropriately:
+
+	mkdir /mycache
+	restorecon /mycache
+
+ (7) Check that the directory is labelled appropriately:
+
+	ls -dZ /mycache
+
+ (8) Modify /etc/cachefilesd.conf to point to the correct directory and then
+     start the cachefilesd service.
+
+
+The auxiliary policy can be later removed by:
+
+	semodule -r mycache.pp
+
+If the policy is updated, then the version number in policy_module() in
+mycache.te should be increased and the module upgraded:
+
+	semodule -u mycache.pp