policy_module(rpc,1.2.15)

########################################
#
# Declarations
#

type exports_t;
files_type(exports_t)

rpc_domain_template(gssd)

type gssd_tmp_t;
files_tmp_file(gssd_tmp_t)

type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)

# rpcd_t is the domain of rpc daemons.
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)

rpc_domain_template(nfsd)

type nfsd_rw_t;
files_type(nfsd_rw_t)

type nfsd_ro_t;
files_type(nfsd_ro_t)

type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)

########################################
#
# RPC local policy
#

allow rpcd_t self:capability { chown dac_override setgid setuid };
allow rpcd_t self:fifo_file rw_file_perms;

allow rpcd_t rpcd_var_run_t:file manage_file_perms;
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)

kernel_read_system_state(rpcd_t) 
kernel_search_network_state(rpcd_t) 
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)  

fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_read_rpc_sockets(rpcd_t) 
term_use_controlling_term(rpcd_t)

# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)

miscfiles_read_certs(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

optional_policy(`
	nis_read_ypserv_config(rpcd_t)
')

########################################
#
# NFSD local policy
#

allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };

allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;

# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t) 
kernel_read_network_state(nfsd_t) 

fs_mount_nfsd_fs(nfsd_t) 
fs_search_nfsd_fs(nfsd_t) 
fs_getattr_all_fs(nfsd_t) 
fs_rw_nfsd_fs(nfsd_t) 

term_use_controlling_term(nfsd_t) 

# does not really need this, but it is easier to just allow it
files_search_pids(nfsd_t) 
# for exportfs and rpc.mountd
files_getattr_tmp_dirs(nfsd_t) 
# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)

# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)

# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
	miscfiles_manage_public_files(nfsd_t)
') 

tunable_policy(`nfs_export_all_rw',`
	fs_read_noxattr_fs_files(nfsd_t) 
	auth_manage_all_files_except_shadow(nfsd_t)
')

tunable_policy(`nfs_export_all_ro',`
	fs_read_noxattr_fs_files(nfsd_t) 
	auth_read_all_files_except_shadow(nfsd_t)
')

########################################
#
# GSSD local policy
#

allow gssd_t self:capability { dac_override dac_read_search setuid };
allow gssd_t self:fifo_file { read write };

allow gssd_t gssd_tmp_t:dir create_dir_perms;
allow gssd_t gssd_tmp_t:file create_file_perms;
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })

kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)	

fs_list_rpc(gssd_t) 
fs_read_rpc_sockets(gssd_t) 
fs_read_rpc_files(gssd_t) 

files_list_tmp(gssd_t) 
files_read_generic_tmp_files(gssd_t) 
files_read_generic_tmp_symlinks(gssd_t) 

tunable_policy(`allow_gssd_read_tmp',`
	userdom_list_unpriv_users_tmp(gssd_t) 
	userdom_read_unpriv_users_tmp_files(gssd_t) 
	userdom_read_unpriv_users_tmp_symlinks(gssd_t) 
')

optional_policy(`
	kerberos_use(gssd_t)
	kerberos_read_keytab(gssd_t) 
')