selinux-policy/strict/domains/program/tcpd.te

44 lines
1.2 KiB
Plaintext
Raw Normal View History

2005-04-29 17:45:15 +00:00
#DESC Tcpd - Access control facilities from internet services
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: tcpd
# Depends: inetd.te
#
#################################
#
# Rules for the tcpd_t domain.
#
type tcpd_t, domain, privlog;
role system_r types tcpd_t;
uses_shlib(tcpd_t)
type tcpd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
allow tcpd_t fs_t:filesystem getattr;
# no good reason for this, probably nscd
dontaudit tcpd_t var_t:dir search;
can_network_server(tcpd_t)
can_ypbind(tcpd_t)
allow tcpd_t self:unix_dgram_socket create_socket_perms;
allow tcpd_t self:unix_stream_socket create_socket_perms;
allow tcpd_t etc_t:file { getattr read };
read_locale(tcpd_t)
tmp_domain(tcpd)
# Use sockets inherited from inetd.
allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Run each daemon with a defined domain in its own domain.
# These rules have been moved to each target domain .te file.
# Run other daemons in the inetd_child_t domain.
allow tcpd_t { bin_t sbin_t }:dir search;
domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
allow tcpd_t device_t:dir search;