add mls port support
This commit is contained in:
parent
085faa06ff
commit
0d0d2bafd6
@ -1296,24 +1296,24 @@ nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2)
|
||||
|
||||
define(`determine_reserved_capability',`dnl
|
||||
ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
|
||||
ifelse($3,`',`',`determine_reserved_capability(shiftn(2,$*))')dnl end inner ifelse
|
||||
ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
|
||||
')dnl end outer ifelse
|
||||
') dnl end determine reserved capability
|
||||
|
||||
define(`determine_reserved_capability_depend',`dnl
|
||||
ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
|
||||
ifelse($3,`',`',`determine_reserved_capability_depend(shiftn(2,$*))')dnl end inner ifelse
|
||||
ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
|
||||
')dnl end outer ifelse
|
||||
') dnl end determine reserved capability depend
|
||||
|
||||
define(`declare_ports',`dnl
|
||||
ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
|
||||
portcon $2 $3 system_u:object_r:$1
|
||||
ifelse(`$4',`',`',`declare_ports($1,shiftn(3,$*))')dnl
|
||||
portcon $2 $3 context_template(system_u:object_r:$1,$4)
|
||||
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
|
||||
')
|
||||
|
||||
#
|
||||
# network_port(port_name,protocol portnum [,protocol portnum[,...]])
|
||||
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
|
||||
#
|
||||
define(`network_port',`
|
||||
ifdef(`interface_pass',`
|
||||
|
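Review bot: The determine_reserved_capability and determine_reserved_capability_depend helpers, left as context at the top of this hunk, still walk the port list at two widths (`shiftn(2,$*)` when `$3` is set, `shiftn(3,$*)` when `$4` is set), while declare_ports now consumes a fixed (protocol, port, sensitivity) triple per entry. I cannot see how network_port invokes them, since its body begins on the last lines of this hunk and continues outside it, but if it hands them the same triple list, the `shiftn(2,$*)` branch lands `$2` on a protocol name or an `s0`, and `eval($2 < 1024)` on a non-numeric token is a GNU m4 "bad expression" error whose expansion is empty, so that level's reserved-port test is silently skipped while the overlapping recursions can still emit duplicate rules. Unless the caller strips sensitivities first, both helpers should step by the triple width only, e.g. `ifelse($4,\`',\`',\`determine_reserved_capability(shiftn(3,$*))')dnl` with the `$3`/`shiftn(2,$*)` line removed, and likewise in the `_depend` variant.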
@ -31,58 +31,58 @@ type port_t, port_type;
|
||||
#
|
||||
type reserved_port_t, port_type, reserved_port_type;
|
||||
|
||||
network_port(amanda, udp,10080, tcp,10080, udp,10081, tcp,10081, tcp,10082, tcp,10083)
|
||||
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
|
||||
dnl network_port(biff) # no defined portcon in current strict
|
||||
network_port(dbskkd, tcp,1178)
|
||||
network_port(dhcpc, udp,68)
|
||||
network_port(dhcpd, udp,67)
|
||||
network_port(dict, tcp,2628)
|
||||
network_port(dns, udp,53, tcp,53)
|
||||
network_port(fingerd, tcp,79)
|
||||
network_port(ftp_data, tcp,20)
|
||||
network_port(ftp, tcp,21)
|
||||
network_port(http_cache, tcp,3128, udp,3130, tcp,8080)
|
||||
network_port(http, tcp,80, tcp,443)
|
||||
network_port(howl, tcp,5335, udp,5353)
|
||||
network_port(dbskkd, tcp,1178,s0)
|
||||
network_port(dhcpc, udp,68,s0)
|
||||
network_port(dhcpd, udp,67,s0)
|
||||
network_port(dict, tcp,2628,s0)
|
||||
network_port(dns, udp,53,s0, tcp,53,s0)
|
||||
network_port(fingerd, tcp,79,s0)
|
||||
network_port(ftp_data, tcp,20,s0)
|
||||
network_port(ftp, tcp,21,s0)
|
||||
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
|
||||
network_port(http, tcp,80,s0, tcp,443,s0)
|
||||
network_port(howl, tcp,5335,s0, udp,5353,s0)
|
||||
dnl network_port(i18n_input) # no defined portcon in current strict
|
||||
network_port(inetd_child, tcp,7, udp,7, tcp,9, udp,9, tcp,13, udp,13, tcp,19, udp,19, tcp,37, udp,37, tcp,113, tcp,512, tcp,543, tcp,544, tcp,891, udp,891, tcp,892, udp,892, tcp,2105)
|
||||
network_port(innd, tcp,119)
|
||||
network_port(ipp, tcp,631, udp,631)
|
||||
network_port(kerberos_admin, tcp,464, udp,464, tcp,749)
|
||||
network_port(kerberos_master, tcp,4444, udp,4444)
|
||||
network_port(kerberos, tcp,88, udp,88, tcp,750, udp,750)
|
||||
network_port(ktalkd, udp,517, udp,518)
|
||||
network_port(ldap, tcp,389, udp,389, tcp,636, udp,636)
|
||||
network_port(mail, tcp,2000)
|
||||
network_port(mysqld, tcp,3306)
|
||||
network_port(nmbd, udp,137, udp,138, udp,139)
|
||||
network_port(pop, tcp,106, tcp,109, tcp,110)
|
||||
network_port(portmap, udp,111, tcp,111)
|
||||
network_port(postgresql, tcp,5432)
|
||||
network_port(printer, tcp,515)
|
||||
network_port(pxe, udp,4011)
|
||||
network_port(radacct, udp,1646, udp,1813)
|
||||
network_port(radius, udp,1645, udp,1812)
|
||||
network_port(rsh, tcp,514)
|
||||
network_port(rsync, tcp,873, udp,873)
|
||||
network_port(smbd, tcp,137-139, tcp,445)
|
||||
network_port(smtp, tcp,25, tcp,465, tcp,587)
|
||||
network_port(snmp, udp,161, udp,162, tcp,199)
|
||||
network_port(ssh, tcp,22)
|
||||
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
|
||||
network_port(innd, tcp,119,s0)
|
||||
network_port(ipp, tcp,631,s0, udp,631,s0)
|
||||
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
|
||||
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
|
||||
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
|
||||
network_port(ktalkd, udp,517,s0, udp,518,s0)
|
||||
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
|
||||
network_port(mail, tcp,2000,s0)
|
||||
network_port(mysqld, tcp,3306,s0)
|
||||
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
|
||||
network_port(portmap, udp,111,s0, tcp,111,s0)
|
||||
network_port(postgresql, tcp,5432,s0)
|
||||
network_port(printer, tcp,515,s0)
|
||||
network_port(pxe, udp,4011,s0)
|
||||
network_port(radacct, udp,1646,s0, udp,1813,s0)
|
||||
network_port(radius, udp,1645,s0, udp,1812,s0)
|
||||
network_port(rsh, tcp,514,s0)
|
||||
network_port(rsync, tcp,873,s0, udp,873,s0)
|
||||
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
|
||||
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
|
||||
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
|
||||
network_port(ssh, tcp,22,s0)
|
||||
dnl network_port(stunnel) # no defined portcon in current strict
|
||||
network_port(swat, tcp,901)
|
||||
network_port(syslogd, udp,514)
|
||||
network_port(telnetd, tcp,23)
|
||||
network_port(tftp, udp,69)
|
||||
network_port(vnc, tcp,5900)
|
||||
network_port(xserver, tcp,6001, tcp,6002, tcp,6003, tcp,6004, tcp,6005, tcp,6006, tcp,6007, tcp,6008, tcp,6009, tcp,6010, tcp,6011, tcp,6012, tcp,6013, tcp,6014, tcp,6015, tcp,6016, tcp,6017, tcp,6018, tcp,6019)
|
||||
network_port(zebra, tcp,2601)
|
||||
network_port(swat, tcp,901,s0)
|
||||
network_port(syslogd, udp,514,s0)
|
||||
network_port(telnetd, tcp,23,s0)
|
||||
network_port(tftp, udp,69,s0)
|
||||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
network_port(zebra, tcp,2601,s0)
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
# these entries just cover any remaining reserved ports not otherwise
|
||||
# declared or omitted due to removal of a domain.
|
||||
portcon tcp 1-1023 system_u:object_r:reserved_port_t
|
||||
portcon udp 1-1023 system_u:object_r:reserved_port_t
|
||||
portcon tcp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
|
||||
portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
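Review bot: `network_port(smbd, tcp,137-139,s0, tcp,445,s0)` sends a port range through declare_ports' reserved-port test, and m4's `eval($3 < 1024)` treats `137-139` as the subtraction -2, so reserved_port_type is applied here by arithmetic coincidence rather than by a range check; any `lo-hi` range with hi > lo evaluates negative and will always be flagged reserved, including ranges entirely above 1023. Because that flag is what gates the net_bind_service grant, either the macro in the support file (outside this hunk) should test the low end of a range, or this line should be written as `tcp,137,s0, tcp,138,s0, tcp,139,s0`, matching how the nmbd entry above already spells out its udp ports. The portcon for the range itself is unaffected; only the attribute assignment is.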