## <summary>Internet services daemon.</summary> ######################################## ## <summary> ## Define the specified domain as a inetd service. ## </summary> ## <desc> ## Define the specified domain as a inetd service. The ## inetd_service_domain(), inetd_tcp_service_domain(), ## or inetd_udp_service_domain() interfaces should be used ## instead of this interface, as this interface only provides ## the common rules to these three interfaces. ## </desc> ## <param name="domain"> ## The type associated with the inetd service process. ## </param> ## <param name="entrypoint"> ## The type associated with the process program. ## </param> # interface(`inetd_core_service_domain',` gen_require(` type inetd_t; role system_r; class fd use; class fifo_file rw_file_perms; class process { sigchld sigkill }; ') domain_type($1) domain_entry_file($1,$2) role system_r types $1; ifdef(`targeted_policy',` # this regex is a hack, since it assumes there is a # _t at the end of the domain type. If there is no _t # at the end of the type, it returns empty! ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',` bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false; define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans')) ') if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) { # can_exec(inetd_t,$2) # cjp: this must be wrong gen_require(` type initrc_t, unconfined_t; ') can_exec({ unconfined_t initrc_t },$2) } else { domain_auto_trans(inetd_t,$2,$1) allow inetd_t $1:fd use; allow $1 inetd_t:fd use; allow $1 inetd_t:fifo_file rw_file_perms; allow $1 inetd_t:process sigchld; dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; allow inetd_t $1:process sigkill; # make sediff happy allow $1 $2:file { rx_file_perms entrypoint }; } ',` domain_auto_trans(inetd_t,$2,$1) allow inetd_t $1:fd use; allow $1 inetd_t:fd use; allow $1 inetd_t:fifo_file rw_file_perms; allow $1 inetd_t:process sigchld; dontaudit inetd_t $1:process { noatsecure siginh rlimitinh }; allow inetd_t $1:process sigkill; # make sediff happy allow $1 $2:file { rx_file_perms entrypoint }; ') ') ######################################## ## <summary> ## Define the specified domain as a TCP inetd service. ## </summary> ## <param name="domain"> ## The type associated with the inetd service process. ## </param> ## <param name="entrypoint"> ## The type associated with the process program. ## </param> # interface(`inetd_tcp_service_domain',` gen_require(` type inetd_t; class tcp_socket rw_stream_socket_perms; ') inetd_core_service_domain($1,$2) allow $1 inetd_t:tcp_socket rw_stream_socket_perms; ') ######################################## ## <summary> ## Define the specified domain as a UDP inetd service. ## </summary> ## <param name="domain"> ## The type associated with the inetd service process. ## </param> ## <param name="entrypoint"> ## The type associated with the process program. ## </param> # interface(`inetd_udp_service_domain',` gen_require(` type inetd_t; class udp_socket rw_socket_perms; ') inetd_core_service_domain($1,$2) allow $1 inetd_t:udp_socket rw_socket_perms; ') ######################################## ## <summary> ## Define the specified domain as a TCP and UDP inetd service. ## </summary> ## <param name="domain"> ## The type associated with the inetd service process. ## </param> ## <param name="entrypoint"> ## The type associated with the process program. ## </param> # interface(`inetd_service_domain',` gen_require(` type inetd_t; class tcp_socket rw_stream_socket_perms; class udp_socket rw_socket_perms; ') inetd_core_service_domain($1,$2) allow $1 inetd_t:tcp_socket rw_stream_socket_perms; allow $1 inetd_t:udp_socket rw_socket_perms; ') ######################################## ## <summary> ## Inherit and use file descriptors from inetd. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`inetd_use_fd',` gen_require(` type inetd_t; class fd use; ') allow $1 inetd_t:fd use; ') ######################################## ## <summary> ## Connect to the inetd service using a TCP connection. ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`inetd_tcp_connect',` gen_require(` type inetd_t; class tcp_socket { connectto acceptfrom recvfrom }; ') allow $1 inetd_t:tcp_socket { connectto recvfrom }; allow inetd_t $1:tcp_socket { acceptfrom recvfrom }; kernel_tcp_recvfrom($1) ') ######################################## ## <summary> ## Run inetd child process in the inet child domain ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`inetd_domtrans_child',` gen_require(` type inetd_child_t, inetd_child_exec_t; class process sigchld; class fd use; class fifo_file rw_file_perms; ') corecmd_search_sbin($1) domain_auto_trans($1,inetd_child_exec_t,inetd_child_t) allow $1 inetd_child_t:fd use; allow inetd_child_t $1:fd use; allow inetd_child_t $1:fifo_file rw_file_perms; allow inetd_child_t $1:process sigchld; ') ######################################## ## <summary> ## Send UDP network traffic to inetd. ## </summary> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`inetd_udp_sendto',` gen_require(` type inetd_t; class udp_socket { sendto recvfrom }; ') allow $1 inetd_t:udp_socket sendto; allow inetd_t $1:udp_socket recvfrom; ')