98 lines
2.8 KiB
Plaintext
98 lines
2.8 KiB
Plaintext
#################################
|
|
#
|
|
# Rules for the $1_t domain.
|
|
#
|
|
# $1_t is a general domain for daemons started
|
|
# by inetd that do not have their own individual domains yet.
|
|
# $1_exec_t is the type of the corresponding
|
|
# programs.
|
|
#
|
|
define(`inetd_child_domain', `
|
|
type $1_t, domain, privlog, nscd_client_domain;
|
|
role system_r types $1_t;
|
|
|
|
#
|
|
# Allows user to define a tunable to disable domain transition
|
|
#
|
|
bool $1_disable_trans false;
|
|
if ($1_disable_trans) {
|
|
can_exec(initrc_t, $1_exec_t)
|
|
can_exec(sysadm_t, $1_exec_t)
|
|
} else {
|
|
domain_auto_trans(inetd_t, $1_exec_t, $1_t)
|
|
allow inetd_t $1_t:process sigkill;
|
|
}
|
|
|
|
can_network_server($1_t)
|
|
can_ypbind($1_t)
|
|
uses_shlib($1_t)
|
|
allow $1_t self:unix_dgram_socket create_socket_perms;
|
|
allow $1_t self:unix_stream_socket create_socket_perms;
|
|
allow $1_t self:fifo_file rw_file_perms;
|
|
type $1_exec_t, file_type, sysadmfile, exec_type;
|
|
read_locale($1_t)
|
|
allow $1_t device_t:dir search;
|
|
allow $1_t proc_t:dir search;
|
|
allow $1_t proc_t:{ file lnk_file } { getattr read };
|
|
allow $1_t self:process { fork signal_perms };
|
|
allow $1_t fs_t:filesystem getattr;
|
|
|
|
read_sysctl($1_t)
|
|
|
|
allow $1_t etc_t:file { getattr read };
|
|
|
|
tmp_domain($1)
|
|
allow $1_t var_t:dir search;
|
|
var_run_domain($1)
|
|
|
|
# Inherit and use descriptors from inetd.
|
|
allow $1_t inetd_t:fd use;
|
|
|
|
# for identd
|
|
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow $1_t self:capability { setuid setgid };
|
|
allow $1_t home_root_t:dir search;
|
|
allow $1_t self:dir search;
|
|
allow $1_t self:{ lnk_file file } { getattr read };
|
|
can_kerberos($1_t)
|
|
allow $1_t urandom_device_t:chr_file r_file_perms;
|
|
# Use sockets inherited from inetd.
|
|
ifelse($2, `', `
|
|
allow inetd_t $1_port_t:udp_socket name_bind;
|
|
allow $1_t inetd_t:udp_socket rw_socket_perms;
|
|
allow inetd_t $1_port_t:tcp_socket name_bind;
|
|
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
|
')
|
|
ifelse($2, tcp, `
|
|
allow inetd_t $1_port_t:tcp_socket name_bind;
|
|
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
|
|
')
|
|
ifelse($2, udp, `
|
|
allow inetd_t $1_port_t:udp_socket name_bind;
|
|
allow $1_t inetd_t:udp_socket rw_socket_perms;
|
|
')
|
|
r_dir_file($1_t, proc_net_t)
|
|
')
|
|
define(`remote_login_daemon', `
|
|
inetd_child_domain($1)
|
|
|
|
# Execute /bin/login on a new PTY
|
|
allow $1_t { bin_t sbin_t }:dir search;
|
|
domain_auto_trans($1_t, login_exec_t, remote_login_t)
|
|
can_create_pty($1, `, server_pty, userpty_type')
|
|
allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
|
|
|
|
# Append to /var/log/wtmp.
|
|
allow $1_t var_log_t:dir search;
|
|
allow $1_t wtmp_t:file rw_file_perms;
|
|
allow $1_t initrc_var_run_t:file rw_file_perms;
|
|
|
|
# Allow reading of /etc/issue.net
|
|
allow $1_t etc_runtime_t:file r_file_perms;
|
|
|
|
# Allow krb5 $1 to use fork and open /dev/tty for use
|
|
allow $1_t userpty_type:chr_file setattr;
|
|
allow $1_t devtty_t:chr_file rw_file_perms;
|
|
dontaudit $1_t selinux_config_t:dir search;
|
|
')
|