policy_module(radius,1.1.0) ######################################## # # Declarations # type radiusd_t; type radiusd_exec_t; init_daemon_domain(radiusd_t,radiusd_exec_t) type radiusd_etc_t; files_config_file(radiusd_etc_t) type radiusd_log_t; logging_log_file(radiusd_log_t) type radiusd_var_run_t; files_pid_file(radiusd_var_run_t) ######################################## # # Local policy # # fsetid is for gzip which needs it when run from scripts # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; allow radiusd_t self:process setsched; allow radiusd_t self:fifo_file rw_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; allow radiusd_t self:udp_socket create_socket_perms; allow radiusd_t radiusd_etc_t:file r_file_perms; allow radiusd_t radiusd_etc_t:dir r_dir_perms; allow radiusd_t radiusd_etc_t:lnk_file { getattr read }; files_search_etc(radiusd_t) allow radiusd_t radiusd_log_t:file create_file_perms; allow radiusd_t radiusd_log_t:dir create_dir_perms; logging_create_log(radiusd_t,radiusd_log_t,{ file dir }) allow radiusd_t radiusd_var_run_t:file create_file_perms; allow radiusd_t radiusd_var_run_t:dir rw_dir_perms; files_create_pid(radiusd_t,radiusd_var_run_t) kernel_read_kernel_sysctl(radiusd_t) kernel_read_system_state(radiusd_t) corenet_tcp_sendrecv_all_if(radiusd_t) corenet_udp_sendrecv_all_if(radiusd_t) corenet_raw_sendrecv_all_if(radiusd_t) corenet_tcp_sendrecv_all_nodes(radiusd_t) corenet_udp_sendrecv_all_nodes(radiusd_t) corenet_raw_sendrecv_all_nodes(radiusd_t) corenet_tcp_sendrecv_all_ports(radiusd_t) corenet_udp_sendrecv_all_ports(radiusd_t) corenet_non_ipsec_sendrecv(radiusd_t) corenet_tcp_bind_all_nodes(radiusd_t) corenet_udp_bind_all_nodes(radiusd_t) corenet_udp_bind_radacct_port(radiusd_t) corenet_udp_bind_radius_port(radiusd_t) # for RADIUS proxy port corenet_udp_bind_generic_port(radiusd_t) dev_read_sysfs(radiusd_t) fs_getattr_all_fs(radiusd_t) fs_search_auto_mountpoints(radiusd_t) term_dontaudit_use_console(radiusd_t) auth_read_shadow(radiusd_t) auth_domtrans_chk_passwd(radiusd_t) corecmd_exec_bin(radiusd_t) corecmd_exec_shell(radiusd_t) corecmd_search_sbin(radiusd_t) domain_use_wide_inherit_fd(radiusd_t) files_read_usr_files(radiusd_t) files_read_etc_files(radiusd_t) files_read_etc_runtime_files(radiusd_t) init_use_fd(radiusd_t) init_use_script_pty(radiusd_t) libs_use_ld_so(radiusd_t) libs_use_shared_libs(radiusd_t) libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) sysnet_read_config(radiusd_t) userdom_dontaudit_use_unpriv_user_fd(radiusd_t) userdom_dontaudit_search_sysadm_home_dir(radiusd_t) userdom_dontaudit_getattr_sysadm_home_dir(radiusd_t) ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_tty(radiusd_t) term_dontaudit_use_generic_pty(radiusd_t) files_dontaudit_read_root_file(radiusd_t) ') optional_policy(`cron',` cron_system_entry(radiusd_t,radiusd_exec_t) ') optional_policy(`logrotate',` logrotate_exec(radiusd_t) ') optional_policy(`nis',` nis_use_ypbind(radiusd_t) ') optional_policy(`selinuxutil',` seutil_sigchld_newrole(radiusd_t) ') optional_policy(`snmp',` snmp_use(radiusd_t) ') optional_policy(`udev',` udev_read_db(radiusd_t) ')