policy_module(portslave, 1.4.0) ######################################## # # Declarations # type portslave_t; type portslave_exec_t; init_domain(portslave_t, portslave_exec_t) init_daemon_domain(portslave_t, portslave_exec_t) type portslave_etc_t; files_type(portslave_etc_t) type portslave_lock_t; files_lock_file(portslave_lock_t) ######################################## # # Local policy # # setuid setgid net_admin fsetid for pppd # sys_admin for ctlportslave # net_bind_service for rlogin allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; dontaudit portslave_t self:capability sys_admin; allow portslave_t self:process signal_perms; allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow portslave_t self:fd use; allow portslave_t self:fifo_file rw_fifo_file_perms; allow portslave_t self:unix_dgram_socket create_socket_perms; allow portslave_t self:unix_stream_socket create_stream_socket_perms; allow portslave_t self:unix_dgram_socket sendto; allow portslave_t self:unix_stream_socket connectto; allow portslave_t self:shm create_shm_perms; allow portslave_t self:sem create_sem_perms; allow portslave_t self:msgq create_msgq_perms; allow portslave_t self:msg { send receive }; allow portslave_t self:tcp_socket create_stream_socket_perms; allow portslave_t self:udp_socket create_socket_perms; allow portslave_t portslave_etc_t:dir list_dir_perms; read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) allow portslave_t portslave_lock_t:file manage_file_perms; files_lock_filetrans(portslave_t, portslave_lock_t, file) kernel_read_system_state(portslave_t) kernel_read_kernel_sysctls(portslave_t) corecmd_exec_bin(portslave_t) corecmd_exec_shell(portslave_t) corenet_all_recvfrom_unlabeled(portslave_t) corenet_all_recvfrom_netlabel(portslave_t) corenet_tcp_sendrecv_generic_if(portslave_t) corenet_udp_sendrecv_generic_if(portslave_t) corenet_tcp_sendrecv_all_nodes(portslave_t) corenet_udp_sendrecv_all_nodes(portslave_t) corenet_tcp_sendrecv_all_ports(portslave_t) corenet_udp_sendrecv_all_ports(portslave_t) corenet_rw_ppp_dev(portslave_t) dev_read_sysfs(portslave_t) # for ssh dev_read_urand(portslave_t) domain_use_interactive_fds(portslave_t) files_read_etc_files(portslave_t) files_read_etc_runtime_files(portslave_t) files_exec_etc_files(portslave_t) fs_search_auto_mountpoints(portslave_t) fs_getattr_xattr_fs(portslave_t) term_use_unallocated_ttys(portslave_t) term_setattr_unallocated_ttys(portslave_t) term_use_all_user_ttys(portslave_t) term_search_ptys(portslave_t) auth_rw_login_records(portslave_t) auth_domtrans_chk_passwd(portslave_t) init_rw_utmp(portslave_t) libs_use_ld_so(portslave_t) libs_use_shared_libs(portslave_t) logging_send_syslog_msg(portslave_t) logging_search_logs(portslave_t) sysnet_read_config(portslave_t) userdom_use_unpriv_users_fds(portslave_t) # for ~/.ppprc - if it actually exists then you need some policy to read it userdom_search_all_users_home_dirs(portslave_t) mta_send_mail(portslave_t) # this should probably be a domtrans to pppd # instead of exec. ppp_read_rw_config(portslave_t) ppp_exec(portslave_t) ppp_read_secrets(portslave_t) ppp_manage_pid_files(portslave_t) ppp_pid_filetrans(portslave_t) ssh_exec(portslave_t) optional_policy(` inetd_tcp_service_domain(portslave_t, portslave_exec_t) ') optional_policy(` nis_use_ypbind(portslave_t) ') optional_policy(` seutil_sigchld_newrole(portslave_t) ') optional_policy(` udev_read_db(portslave_t) ')