policy_module(corenetwork,1.0) ######################################## # # Declarations # attribute netif_type; attribute node_type; attribute port_type; attribute reserved_port_type; type ppp_device_t; dev_node(ppp_device_t) # # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* # type tun_tap_device_t; dev_node(tun_tap_device_t) ######################################## # # Ports # # # port_t is the default type of INET port numbers. # type port_t, port_type; sid port context_template(system_u:object_r:port_t,s0) # # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) dnl network_port(biff) # no defined portcon in current strict network_port(dbskkd, tcp,1178,s0) network_port(dhcpc, udp,68,s0) network_port(dhcpd, udp,67,s0) network_port(dict, tcp,2628,s0) network_port(dns, udp,53,s0, tcp,53,s0) network_port(fingerd, tcp,79,s0) network_port(ftp_data, tcp,20,s0) network_port(ftp, tcp,21,s0) network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0) network_port(http, tcp,80,s0, tcp,443,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) dnl network_port(i18n_input) # no defined portcon in current strict network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0) network_port(innd, tcp,119,s0) network_port(ipp, tcp,631,s0, udp,631,s0) network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0) network_port(mail, tcp,2000,s0) network_port(mysqld, tcp,3306,s0) network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postgresql, tcp,5432,s0) network_port(printer, tcp,515,s0) network_port(pxe, udp,4011,s0) network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) network_port(ssh, tcp,22,s0) dnl network_port(stunnel) # no defined portcon in current strict network_port(swat, tcp,901,s0) network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) network_port(vnc, tcp,5900,s0) network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0) network_port(zebra, tcp,2601,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise # declared or omitted due to removal of a domain. portcon tcp 1-1023 context_template(system_u:object_r:reserved_port_t, s0) portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0) ######################################## # # Network nodes # # # node_t is the default type of network nodes. # The node_*_t types are used for specific network # nodes in net_contexts or net_contexts.mls. # type node_t, node_type; sid node context_template(system_u:object_r:node_t,s0) network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, ) network_node(lo, s0, 127.0.0.1, 255.255.255.255) network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) network_node(multicast, s0, ff00::, ff00::) network_node(site_local, s0, fec0::, ffc0::) network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) ######################################## # # Network Interfaces: # # # netif_t is the default type of network interfaces. # type netif_t, netif_type; sid netif context_template(system_u:object_r:netif_t,s0) network_interface(lo, lo,s0) network_interface(eth0, eth0,s0) network_interface(eth1, eth1,s0) network_interface(eth2, eth2,s0) network_interface(ippp0, ippp0,s0) network_interface(ipsec0, ipsec0,s0) network_interface(ipsec1, ipsec1,s0) network_interface(ipsec2, ipsec2,s0)