2528a2d701
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible.
149 lines
3.2 KiB
Plaintext
149 lines
3.2 KiB
Plaintext
## <summary>Simple network management protocol services</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to snmpd using a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_stream_connect',`
|
|
gen_require(`
|
|
type snmpd_t, snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use snmp over a TCP connection. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_tcp_connect',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive UDP traffic to SNMP (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_udp_chat',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read snmpd libraries.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_read_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## dontaudit Read snmpd libraries.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_dontaudit_read_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
|
|
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## dontaudit write snmpd libraries files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_dontaudit_write_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
dontaudit $1 snmpd_var_lib_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an snmp environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the snmp domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`snmp_admin',`
|
|
gen_require(`
|
|
type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
|
|
type snmpd_var_lib_t, snmpd_var_run_t;
|
|
')
|
|
|
|
allow $1 snmpd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, snmpd_t)
|
|
|
|
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 snmpd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, snmpd_log_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, snmpd_var_lib_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, snmpd_var_run_t)
|
|
')
|