41 lines
1.3 KiB
Plaintext
41 lines
1.3 KiB
Plaintext
|
#DESC yppassdd - NIS password update daemon
|
||
|
#
|
||
|
# Authors: Dan Walsh <dwalsh@redhat.com>
|
||
|
# Depends: portmap.te
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the yppasswdd_t domain.
|
||
|
#
|
||
|
daemon_domain(yppasswdd, `, auth_write, privowner')
|
||
|
|
||
|
# Use capabilities.
|
||
|
allow yppasswdd_t self:capability { net_bind_service };
|
||
|
|
||
|
# Use the network.
|
||
|
can_network_server(yppasswdd_t)
|
||
|
|
||
|
read_sysctl(yppasswdd_t)
|
||
|
|
||
|
# Send to portmap and initrc.
|
||
|
can_udp_send(yppasswdd_t, portmap_t)
|
||
|
can_udp_send(yppasswdd_t, initrc_t)
|
||
|
|
||
|
allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
|
||
|
dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
|
||
|
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
|
||
|
|
||
|
allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
|
||
|
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
|
||
|
allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
|
||
|
can_setfscreate(yppasswdd_t)
|
||
|
allow yppasswdd_t proc_t:file getattr;
|
||
|
allow yppasswdd_t { bin_t sbin_t }:dir search;
|
||
|
allow yppasswdd_t bin_t:lnk_file read;
|
||
|
can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
|
||
|
allow yppasswdd_t self:fifo_file rw_file_perms;
|
||
|
rw_dir_create_file(yppasswdd_t, var_yp_t)
|