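policy_module(snmp, 1.11.0)

########################################
#
# Declarations
#

# Domain the net-snmp daemon (snmpd) runs in.
type snmpd_t;
# Entry-point executable; init transitions into snmpd_t when it runs it.
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)

# Init script that starts/stops snmpd.
type snmpd_initrc_exec_t;
init_script_file(snmpd_initrc_exec_t)

# Log files written by snmpd.
type snmpd_log_t;
logging_log_file(snmpd_log_t)

# PID file and runtime directory.
type snmpd_var_run_t;
files_pid_file(snmpd_var_run_t)

# Persistent daemon state (persistent-data files created under /var,
# /var/lib and /usr, see the filetrans rules below). Only files_type, so
# no broader attribute-based interface grants other domains access to it.
type snmpd_var_lib_t;
files_type(snmpd_var_lib_t)

########################################
#
# Local policy
#

# Capabilities held by the daemon. This is a wide set for a monitoring
# agent: dac_override bypasses DAC checks on everything snmpd reads,
# sys_ptrace allows inspecting other processes (the read_all_domains_state
# grant below is presumably what it is paired with), and net_admin allows
# changing network configuration, not just reading it.
# NOTE(review): confirm each of these is still required by the MIB modules
# shipped in the targeted net-snmp build; drop any that are not.
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid sys_ptrace net_admin sys_nice sys_tty_config };
# sys_tty_config is already allowed above, so listing it here was a no-op;
# only sys_module is still silenced (never granted) by this rule.
dontaudit snmpd_t self:capability sys_module;
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
allow snmpd_t self:tcp_socket create_stream_socket_perms;
# NOTE(review): a stream-oriented permission set on a datagram socket;
# confirm it actually covers what the UDP listener needs (e.g. create).
allow snmpd_t self:udp_socket connected_stream_socket_perms;

# Log file handling: manage its own logs and label new files created in
# the generic log directory as snmpd_log_t.
allow snmpd_t snmpd_log_t:file manage_file_perms;
logging_log_filetrans(snmpd_t, snmpd_log_t, file)

# Persistent state. Objects snmpd creates directly under /usr, /var and
# /var/lib are relabeled to snmpd_var_lib_t on creation so they do not
# inherit the generic parent label.
manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file)

# PID file and runtime directory.
manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })

# Read-only access to kernel state exposed via /proc and sysctl, which is
# where most system MIB data comes from.
kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)
kernel_read_system_state(snmpd_t)
kernel_read_network_state(snmpd_t)

# Run helper binaries and a shell. Combined with domain_exec_all_entry_files
# below this lets snmpd run almost any program on the system (needed for
# the "exec"/"extend" style configuration directives, if used).
# NOTE(review): if the deployment does not use exec/extend entries, these
# are the first grants to consider removing.
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)

# Network access: accept unlabeled/NetLabel traffic, talk on any port,
# listen on the snmp and agentx ports and connect out to agentx.
# NOTE(review): sendrecv_all_ports is wider than the bind rules below
# suggest is needed; confirm whether trap destinations or sub-agents
# genuinely require arbitrary ports.
corenet_all_recvfrom_unlabeled(snmpd_t)
corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_generic_if(snmpd_t)
corenet_udp_sendrecv_generic_if(snmpd_t)
corenet_tcp_sendrecv_generic_node(snmpd_t)
corenet_udp_sendrecv_generic_node(snmpd_t)
corenet_tcp_sendrecv_all_ports(snmpd_t)
corenet_udp_sendrecv_all_ports(snmpd_t)
corenet_tcp_bind_generic_node(snmpd_t)
corenet_udp_bind_generic_node(snmpd_t)
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)

# Device information (sysfs, usbfs) and entropy sources.
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
dev_read_urand(snmpd_t)
dev_read_rand(snmpd_t)
dev_getattr_usbfs_dirs(snmpd_t)

# Other domains: signal probes and read their /proc state (process tables);
# actual ptrace of other domains is silenced, not allowed.
domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
domain_dontaudit_ptrace_all_domains(snmpd_t)
domain_exec_all_entry_files(snmpd_t)

# Generic system files.
files_read_etc_files(snmpd_t)
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)

# Filesystem statistics (disk/mount MIBs).
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)

# snmpd probes block devices; the denials are noise, so silence rather
# than grant them.
storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
storage_dontaudit_write_removable_device(snmpd_t)

# Name-service lookups and a broad read of directories (shadow excluded).
# NOTE(review): read_all_dirs_except_shadow is a wide grant; confirm which
# MIB needs to list arbitrary directories.
auth_use_nsswitch(snmpd_t)
auth_read_all_dirs_except_shadow(snmpd_t)

# Login records for the user-count MIB; writes are silenced, not allowed.
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)

logging_send_syslog_msg(snmpd_t)

miscfiles_read_localization(snmpd_t)

seutil_dontaudit_search_config(snmpd_t)

sysnet_read_config(snmpd_t)

userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)

# Red Hat builds expose installed-package data through the host resources
# MIB, so snmpd reads (never writes) the RPM database there.
ifdef(`distro_redhat',`
	optional_policy(`
		rpm_read_db(snmpd_t)
		rpm_dontaudit_manage_db(snmpd_t)
	')
')

optional_policy(`
	amanda_dontaudit_read_dumpdates(snmpd_t)
')

optional_policy(`
	consoletype_exec(snmpd_t)
')

optional_policy(`
	cups_read_rw_config(snmpd_t)
')

optional_policy(`
	mta_read_config(snmpd_t)
	mta_search_queue(snmpd_t)
')

optional_policy(`
	rpc_search_nfs_state_data(snmpd_t)
')

optional_policy(`
	sendmail_read_log(snmpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(snmpd_t)
')

optional_policy(`
	squid_read_config(snmpd_t)
')

optional_policy(`
	udev_read_db(snmpd_t)
')

optional_policy(`
	virt_stream_connect(snmpd_t)
')

# Xen host monitoring. Note this is the only place snmpd gets a write
# grant into kernel-exposed state (xen state), on top of the read.
optional_policy(`
	kernel_read_xen_state(snmpd_t)
	kernel_write_xen_state(snmpd_t)

	xen_stream_connect(snmpd_t)
	xen_stream_connect_xenstore(snmpd_t)
')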
|