# # Authors: Stephen Smalley and Timothy Fraser # # Modified by Reino Wallin # Multi NIC, and IPSEC features # Modified by Russell Coker # Move port types to their respective domains, add ifdefs, other cleanups. # generally we do not want to define port types in this file, but some things # are insanely difficult to do elsewhere, xserver_port_t is a good example # getting the type defined is the easy part for X, conditional code for many # other domains (including one that starts with a) is the hard part. ifdef(`xdm.te', `define(`use_x_ports')') ifdef(`startx.te', `define(`use_x_ports')') ifdef(`xauth.te', `define(`use_x_ports')') ifdef(`xserver.te', `define(`use_x_ports')') ifdef(`use_x_ports', ` type xserver_port_t, port_type; ') # # Defines used by the te files need to be defined outside of net_constraints # ifdef(`named.te', `define(`use_dns')') ifdef(`nsd.te', `define(`use_dns')') ifdef(`tinydns.te', `define(`use_dns')') ifdef(`dnsmasq.te', `define(`use_dns')') ifdef(`use_dns', ` type dns_port_t, port_type; ') ifdef(`dhcpd.te', `define(`use_dhcpd')') ifdef(`dnsmasq.te', `define(`use_dhcpd')') ifdef(`use_dhcpd', ` type dhcpd_port_t, port_type; ') ifdef(`cyrus.te', `define(`use_pop')') ifdef(`courier.te', `define(`use_pop')') ifdef(`perdition.te', `define(`use_pop')') ifdef(`dovecot.te', `define(`use_pop')') ifdef(`uwimapd.te', `define(`use_pop')') ifdef(`use_pop', ` type pop_port_t, port_type, reserved_port_type; ') ifdef(`apache.te', `define(`use_http_cache')') ifdef(`squid.te', `define(`use_http_cache')') ifdef(`use_http_cache', ` type http_cache_port_t, port_type; ') ifdef(`dhcpd.te', `define(`use_pxe')') ifdef(`pxe.te', `define(`use_pxe')') ############################################ # # Network types # # # mail_port_t is for generic mail ports shared by different mail servers # type mail_port_t, port_type; # # Ports used to communicate with kerberos server # type kerberos_port_t, port_type, reserved_port_type; type kerberos_admin_port_t, port_type, reserved_port_type; type kerberos_master_port_t, port_type; # # port_t is the default type of INET port numbers. # The *_port_t types are used for specific port # numbers in net_contexts or net_contexts.mls. # type port_t, port_type; # reserved_port_t is the default type for INET reserved ports # that are not otherwise mapped to a specific port type. type reserved_port_t, port_type; # # netif_t is the default type of network interfaces. # The netif_*_t types are used for specific network # interfaces in net_contexts or net_contexts.mls. # type netif_t, netif_type; type netif_eth0_t, netif_type; type netif_eth1_t, netif_type; type netif_eth2_t, netif_type; type netif_lo_t, netif_type; type netif_ippp0_t, netif_type; type netif_ipsec0_t, netif_type; type netif_ipsec1_t, netif_type; type netif_ipsec2_t, netif_type; # # node_t is the default type of network nodes. # The node_*_t types are used for specific network # nodes in net_contexts or net_contexts.mls. # type node_t, node_type; type node_lo_t, node_type; type node_internal_t, node_type; type node_inaddr_any_t, node_type; type node_unspec_t, node_type; type node_link_local_t, node_type; type node_site_local_t, node_type; type node_multicast_t, node_type; type node_mapped_ipv4_t, node_type; type node_compat_ipv4_t, node_type; # Kernel-generated traffic, e.g. ICMP replies. allow kernel_t netif_type:netif { rawip_send rawip_recv }; allow kernel_t node_type:node { rawip_send rawip_recv }; # Kernel-generated traffic, e.g. TCP resets. allow kernel_t netif_type:netif { tcp_send tcp_recv }; allow kernel_t node_type:node { tcp_send tcp_recv };