add tcpd

2005-08-11 15:17:13 +00:00 · 2005-08-11 15:17:13 +00:00 · 4aa0dc20b4
parent e694b51e6b
commit 4aa0dc20b4
5 changed files with 85 additions and 0 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -12,6 +12,7 @@
 		quota
 		su
 		sudo
+		tcpd
 		tmpreaper
 		updfstab

--- a/refpolicy/policy/modules/services/inetd.if
+++ b/refpolicy/policy/modules/services/inetd.if
@ -131,3 +131,28 @@ interface(`inetd_tcp_connect',`
 	#allow inetd_t kernel_t:tcp_socket recvfrom;
 	#allow $1 kernel_t:tcp_socket recvfrom;
 ')
+
+########################################
+## <summary>
+##	Run inetd child process in the inet child domain
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`inetd_domtrans_child',`
+	gen_require(`
+		type inetd_child_t, inetd_child_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
+
+	allow $1 inetd_child_t:fd use;
+	allow inetd_child_t $1:fd use;
+	allow inetd_child_t $1:fifo_file rw_file_perms;
+	allow inetd_child_t $1:process sigchld;
+')
--- a/refpolicy/policy/modules/services/tcpd.fc
+++ b/refpolicy/policy/modules/services/tcpd.fc
@ -0,0 +1,2 @@
+
+/usr/sbin/tcpd		--	context_template(system_u:object_r:tcpd_exec_t,s0)
--- a/refpolicy/policy/modules/services/tcpd.if
+++ b/refpolicy/policy/modules/services/tcpd.if
@ -0,0 +1 @@
+## <summary>Policy for TCP daemon.</summary>
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@ -0,0 +1,56 @@
+
+policy_module(tcpd,1.0)
+
+########################################
+#
+# Declarations
+#
+type tcpd_t;
+type tcpd_exec_t;
+inetd_tcp_service_domain(tcpd_t,tcpd_exec_t)
+role system_r types tcpd_t;
+
+type tcpd_tmp_t;
+files_tmp_file(tcpd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+allow tcpd_t self:tcp_socket create_stream_socket_perms;
+
+allow tcpd_t tcpd_tmp_t:dir create_dir_perms;
+allow tcpd_t tcpd_tmp_t:file create_file_perms;
+files_create_tmp_files(tcpd_t, tcpd_tmp_t, { file dir })
+
+corenet_raw_sendrecv_all_if(tcpd_t)
+corenet_tcp_sendrecv_all_if(tcpd_t)
+corenet_raw_sendrecv_all_nodes(tcpd_t)
+corenet_tcp_sendrecv_all_nodes(tcpd_t)
+corenet_tcp_sendrecv_all_ports(tcpd_t)
+corenet_tcp_bind_all_nodes(tcpd_t)
+
+fs_getattr_xattr_fs(tcpd_t)
+
+# Run other daemons in the inetd child domain.
+corecmd_search_bin(tcpd_t)
+corecmd_search_sbin(tcpd_t)
+
+files_read_etc_files(tcpd_t)
+# no good reason for files_dontaudit_search_var, probably nscd
+files_dontaudit_search_var(tcpd_t)
+
+libs_use_ld_so(tcpd_t)
+libs_use_shared_libs(tcpd_t)
+
+logging_send_syslog_msg(tcpd_t)
+
+miscfiles_read_localization(tcpd_t)
+
+sysnet_read_config(tcpd_t)
+
+inetd_domtrans_child(tcpd_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(tcpd_t)
+')
				`@ -0,0 +1,2 @@`

				`/usr/sbin/tcpd -- context_template(system_u:object_r:tcpd_exec_t,s0)`
				`@ -0,0 +1 @@`
				`## <summary>Policy for TCP daemon.</summary>`