selinux-policy/strict/domains/program/tcpd.te

#DESC Tcpd - Access control facilities from internet services
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: tcpd
# Depends: inetd.te
#

#################################
#
# Rules for the tcpd_t domain.
#
type tcpd_t, domain, privlog;
role system_r types tcpd_t;
uses_shlib(tcpd_t)
type tcpd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)

allow tcpd_t fs_t:filesystem getattr;

# no good reason for this, probably nscd
dontaudit tcpd_t var_t:dir search;

can_network_server(tcpd_t)
can_ypbind(tcpd_t)
allow tcpd_t self:unix_dgram_socket create_socket_perms;
allow tcpd_t self:unix_stream_socket create_socket_perms;
allow tcpd_t etc_t:file { getattr read };
read_locale(tcpd_t)

tmp_domain(tcpd)

# Use sockets inherited from inetd.
allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;

# Run each daemon with a defined domain in its own domain.
# These rules have been moved to each target domain .te file.

# Run other daemons in the inetd_child_t domain.
allow tcpd_t { bin_t sbin_t }:dir search;
domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)

allow tcpd_t device_t:dir search;
initial commit 2005-04-29 17:45:15 +00:00			`#DESC Tcpd - Access control facilities from internet services`
			`#`
			`# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser`
			`# Russell Coker <russell@coker.com.au>`
			`# X-Debian-Packages: tcpd`
			`# Depends: inetd.te`
			`#`

			`#################################`
			`#`
			`# Rules for the tcpd_t domain.`
			`#`
			`type tcpd_t, domain, privlog;`
			`role system_r types tcpd_t;`
			`uses_shlib(tcpd_t)`
			`type tcpd_exec_t, file_type, sysadmfile, exec_type;`
			`domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)`

			`allow tcpd_t fs_t:filesystem getattr;`

			`# no good reason for this, probably nscd`
			`dontaudit tcpd_t var_t:dir search;`

			`can_network_server(tcpd_t)`
			`can_ypbind(tcpd_t)`
			`allow tcpd_t self:unix_dgram_socket create_socket_perms;`
			`allow tcpd_t self:unix_stream_socket create_socket_perms;`
			`allow tcpd_t etc_t:file { getattr read };`
			`read_locale(tcpd_t)`

			`tmp_domain(tcpd)`

			`# Use sockets inherited from inetd.`
			`allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;`

			`# Run each daemon with a defined domain in its own domain.`
			`# These rules have been moved to each target domain .te file.`

			`# Run other daemons in the inetd_child_t domain.`
			`allow tcpd_t { bin_t sbin_t }:dir search;`
			`domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)`

			`allow tcpd_t device_t:dir search;`