#DESC Inetd - Internet services daemon
#
# Authors: Stephen Smalley and Timothy Fraser
# re-written with daemon_domain by Russell Coker
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
#
#################################
#
# Rules for the inetd_t domain and
# the inetd_child_t domain.
#
# inetd_t is the super-server itself; inetd_child_t (declared further down)
# is the domain for services it spawns that have no domain of their own.
#
# The second argument to daemon_domain is empty unless the build option
# unlimitedInetd is defined, in which case inetd_t also receives the
# attributes admin, etc_writer, fs_domain, auth_write and privmem.
# Together with the unconfined_domain(inetd_t) call at the end of this
# file, that option presumably removes most of the confinement the rest
# of this file sets up, so it should not be enabled on a hardened host.
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
# General network access for the daemon (macro defined elsewhere).
can_network(inetd_t)
# Outbound connect to every port labelled with the port_type attribute,
# i.e. any port the policy knows about. This is the broadest rule in the
# file; assumes port_type is the attribute shared by all port labels.
# NOTE(review): worth checking whether the super-server needs outbound
# connections at all, or only the services it spawns.
allow inetd_t port_type:tcp_socket name_connect;
# Local IPC with itself: unix sockets and pipes.
allow inetd_t self:unix_dgram_socket create_socket_perms;
allow inetd_t self:unix_stream_socket create_socket_perms;
allow inetd_t self:fifo_file rw_file_perms;
# Read-only access to etc_t files (presumably inetd.conf and friends);
# no write permission is granted here.
allow inetd_t etc_t:file { getattr read ioctl };
allow inetd_t self:process setsched;
# Standard logging and private temp directory support (macros defined elsewhere).
log_domain(inetd)
tmp_domain(inetd)

# Use capabilities.
# net_bind_service is what allows the name_bind rules below to bind
# privileged (<1024) ports; setuid/setgid are presumably used to switch
# to the per-service user before exec - confirm against the daemon source.
# No other capabilities are granted.
allow inetd_t self:capability { setuid setgid net_bind_service };

# allow any domain to connect to inetd
# Every userdomain may open TCP connections to inetd_t; per-service
# access control is therefore expected to happen in the spawned domains.
can_tcp_connect(userdomain, inetd_t)

# Run each daemon with a defined domain in its own domain.
# These rules have been moved to the individual target domain .te files.
# (So the domain_auto_trans rules for confined services are not visible
# in this file; look in the respective service .te files.)

# Run other daemons in the inetd_child_t domain.
# Searching bin_t/sbin_t and following sbin_t symlinks is needed to locate
# the service executables named in the configuration.
allow inetd_t { bin_t sbin_t }:dir search;
allow inetd_t sbin_t:lnk_file read;

# Bind to the telnet, ftp, rlogin and rsh ports.
# Each bind is conditional on the matching service policy being built in;
# the ftp and rsh rules are one-liners, the talk block grants two ports.
# NOTE(review): telnet and rlogin are named in the comment above but no
# name_bind rule for them appears in this file - presumably provided by
# their own .te files, verify.
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
ifdef(`talk.te', `
allow inetd_t talk_port_t:tcp_socket name_bind;
allow inetd_t ntalk_port_t:tcp_socket name_bind;
')
# The auth (ident) port is bound unconditionally.
allow inetd_t auth_port_t:tcp_socket name_bind;

# Communicate with the portmapper.
# UDP only, and only when the portmap policy is built in.
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')

# Declare inetd_child_t for services that lack a dedicated domain.
# It is only given read access to /proc/net style files here; anything
# else comes from the inetd_child_domain macro (defined elsewhere).
inetd_child_domain(inetd_child)
allow inetd_child_t proc_net_t:dir search;
allow inetd_child_t proc_net_t:file { getattr read };

# If the unconfined policy is built in, executing an unconfined_exec_t
# binary from inetd_t transitions to unconfined_t - i.e. such a service
# runs with no SELinux confinement. Keep the set of files labelled
# unconfined_exec_t minimal on hosts where this applies.
ifdef(`unconfined.te', `
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
')

# Build-time escape hatch (see note at the top of the file): makes
# inetd_t itself an unconfined domain.
ifdef(`unlimitedInetd', `
unconfined_domain(inetd_t)
')