selinux-policy/mls/domains/program/yppasswdd.te

41 lines
1.3 KiB
Plaintext
Raw Normal View History

2005-11-22 19:28:03 +00:00
#DESC yppassdd - NIS password update daemon
#
# Authors: Dan Walsh <dwalsh@redhat.com>
# Depends: portmap.te
#
#################################
#
# Rules for the yppasswdd_t domain.
#
daemon_domain(yppasswdd, `, auth_write, privowner')
# Use capabilities.
allow yppasswdd_t self:capability { net_bind_service };
# Use the network.
can_network_server(yppasswdd_t)
read_sysctl(yppasswdd_t)
# Send to portmap and initrc.
can_udp_send(yppasswdd_t, portmap_t)
can_udp_send(yppasswdd_t, initrc_t)
allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
can_setfscreate(yppasswdd_t)
allow yppasswdd_t proc_t:file getattr;
allow yppasswdd_t { bin_t sbin_t }:dir search;
allow yppasswdd_t bin_t:lnk_file read;
can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
allow yppasswdd_t self:fifo_file rw_file_perms;
rw_dir_create_file(yppasswdd_t, var_yp_t)