selinux-policy/policy/modules/services/snmp.if

## <summary>Simple network management protocol services</summary>

########################################
## <summary>
##	Connect to snmpd using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_stream_connect',`
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
')

########################################
## <summary>
##	Use snmp over a TCP connection.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_tcp_connect',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Send and receive UDP traffic to SNMP  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_udp_chat',`
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Read snmpd libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snmp_read_snmp_var_lib_files',`
	gen_require(`
		type snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 snmpd_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
')

########################################
## <summary>
##	dontaudit Read snmpd libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`snmp_dontaudit_read_snmp_var_lib_files',`
	gen_require(`
		type snmpd_var_lib_t;
	')

	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	dontaudit write snmpd libraries files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`snmp_dontaudit_write_snmp_var_lib_files',`
	gen_require(`
		type snmpd_var_lib_t;
	')

	dontaudit $1 snmpd_var_lib_t:file write;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an snmp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the snmp domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`snmp_admin',`
	gen_require(`
		type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
		type snmpd_var_lib_t, snmpd_var_run_t;
	')

	allow $1 snmpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, snmpd_t)

	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 snmpd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, snmpd_log_t)

	files_list_var_lib($1)
	admin_pattern($1, snmpd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, snmpd_var_run_t)
')
add snmp 2005-09-16 14:54:36 +00:00			`## <summary>Simple network management protocol services</summary>`
add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00
Snmp patch from Dan Walsh. 2010-01-07 14:00:48 +00:00			`########################################`
			`## <summary>`
			`## Connect to snmpd using a unix domain stream socket.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`snmp_stream_connect',`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			gen_require(`
Snmp patch from Dan Walsh. 2010-01-07 14:00:48 +00:00			`type snmpd_t, snmpd_var_lib_t;`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`')`
Snmp patch from Dan Walsh. 2010-01-07 14:00:48 +00:00
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`files_search_var_lib($1)`
			`stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)`
Snmp patch from Dan Walsh. 2010-01-07 14:00:48 +00:00			`')`

add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00			`########################################`
			`## <summary>`
remove dead selopt rules 2006-08-15 20:00:58 +00:00			`## Use snmp over a TCP connection. (Deprecated)`
add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00			`## </param>`
			`#`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			interface(`snmp_tcp_connect',`
remove dead selopt rules 2006-08-15 20:00:58 +00:00			refpolicywarn(`$0($*) has been deprecated.')
add radius and amanda, which I forgot to ci 2005-10-22 22:51:01 +00:00			`')`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00
			`########################################`
			`## <summary>`
remove dead selopt rules 2006-08-15 20:00:58 +00:00			`## Send and receive UDP traffic to SNMP (Deprecated)`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`## </param>`
			`#`
			interface(`snmp_udp_chat',`
remove dead selopt rules 2006-08-15 20:00:58 +00:00			refpolicywarn(`$0($*) has been deprecated.')
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Read snmpd libraries.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`## </param>`
			`#`
another slew of renaming 2006-02-02 21:08:12 +00:00			interface(`snmp_read_snmp_var_lib_files',`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			gen_require(`
			`type snmpd_var_lib_t;`
			`')`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00
Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift <domg472@gmail.com> Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift <domg472@gmail.com> Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. 2010-09-15 19:37:38 +00:00			`files_search_var_lib($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 snmpd_var_lib_t:dir list_dir_perms;`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)`
			`read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)`
add mrtg, bug 1394 2006-01-31 21:43:09 +00:00			`')`
patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00
			`########################################`
			`## <summary>`
			`## dontaudit Read snmpd libraries.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00			`## Domain to not audit.`
patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`snmp_dontaudit_read_snmp_var_lib_files',`
			gen_require(`
			`type snmpd_var_lib_t;`
			`')`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;`
			`dontaudit $1 snmpd_var_lib_t:file read_file_perms;`
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Signed-off-by: Dominick Grift <domg472@gmail.com> Use permission sets where possible. Signed-off-by: Dominick Grift <domg472@gmail.com> Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. 2010-09-15 20:09:15 +00:00			`dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;`
patch from dan Wed, 20 Sep 2006 12:12:49 -0400 2006-09-22 17:14:35 +00:00			`')`
patch from dan, Thu, 2007-01-25 at 08:12 -0500 2007-02-16 23:01:42 +00:00
			`########################################`
			`## <summary>`
			`## dontaudit write snmpd libraries files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`snmp_dontaudit_write_snmp_var_lib_files',`
			gen_require(`
			`type snmpd_var_lib_t;`
			`')`

			`dontaudit $1 snmpd_var_lib_t:file write;`
			`')`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
			`########################################`
			`## <summary>`
Snmp patch from Dan Walsh. 2010-01-07 14:00:48 +00:00			`## All of the rules required to administrate`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`## an snmp environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the snmp domain.`
			`## </summary>`
			`## </param>`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`## <rolecap/>`
			`#`
			interface(`snmp_admin',`
			gen_require(`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. 2010-09-20 17:44:58 +00:00			`type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;`
trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00			`type snmpd_var_lib_t, snmpd_var_run_t;`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`')`

The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. Signed-off-by: Dominick Grift <domg472@gmail.com> The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. 2010-09-16 06:40:52 +00:00			`allow $1 snmpd_t:process { ptrace signal_perms };`
trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00			`ps_process_pattern($1, snmpd_t)`
trunk: additional whitespace fixes. 2008-10-17 15:52:39 +00:00
trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00			`init_labeled_script_domtrans($1, snmpd_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 snmpd_initrc_exec_t system_r;`
			`allow $2 system_r;`

trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`logging_list_logs($1)`
trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00			`admin_pattern($1, snmpd_log_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
			`files_list_var_lib($1)`
trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00			`admin_pattern($1, snmpd_var_lib_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
			`files_list_pids($1)`
trunk: 3 patches from dan. 2008-12-03 15:21:33 +00:00			`admin_pattern($1, snmpd_var_run_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`')`