# FLASK
#
# Security contexts for network entities
# If no context is specified, then a default initial SID is used.
#
# Modified by Reino Wallin <reino@oribium.com>
# Multi NIC, and IPSEC features
# Modified by Russell Coker
# ifdefs to encapsulate domains, and many additional port contexts
#
# Port numbers (default = initial SID "port")
#
# protocol number context
# protocol low-high context
#
ifdef(`inetd.te', `
portcon tcp 7 system_u:object_r:inetd_child_port_t
portcon udp 7 system_u:object_r:inetd_child_port_t
portcon tcp 9 system_u:object_r:inetd_child_port_t
portcon udp 9 system_u:object_r:inetd_child_port_t
portcon tcp 13 system_u:object_r:inetd_child_port_t
portcon udp 13 system_u:object_r:inetd_child_port_t
portcon tcp 19 system_u:object_r:inetd_child_port_t
portcon udp 19 system_u:object_r:inetd_child_port_t
portcon tcp 37 system_u:object_r:inetd_child_port_t
portcon udp 37 system_u:object_r:inetd_child_port_t
portcon tcp 113 system_u:object_r:auth_port_t
portcon tcp 512 system_u:object_r:inetd_child_port_t
portcon tcp 543 system_u:object_r:inetd_child_port_t
portcon tcp 544 system_u:object_r:inetd_child_port_t
portcon tcp 891 system_u:object_r:inetd_child_port_t
portcon udp 891 system_u:object_r:inetd_child_port_t
portcon tcp 892 system_u:object_r:inetd_child_port_t
portcon udp 892 system_u:object_r:inetd_child_port_t
portcon tcp 2105 system_u:object_r:inetd_child_port_t
')
ifdef(`ftpd.te', `
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
')
ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
ifdef(`mta.te', `
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
')
ifdef(`use_dns', `
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
')
ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
ifdef(`apache.te', `
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
')
ifdef(`use_pop', `
portcon tcp 106 system_u:object_r:pop_port_t
portcon tcp 109 system_u:object_r:pop_port_t
portcon tcp 110 system_u:object_r:pop_port_t
')
ifdef(`portmap.te', `
portcon udp 111 system_u:object_r:portmap_port_t
portcon tcp 111 system_u:object_r:portmap_port_t
')
ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
ifdef(`samba.te', `
portcon tcp 137 system_u:object_r:smbd_port_t
portcon udp 137 system_u:object_r:nmbd_port_t
portcon tcp 138 system_u:object_r:smbd_port_t
portcon udp 138 system_u:object_r:nmbd_port_t
portcon tcp 139 system_u:object_r:smbd_port_t
portcon udp 139 system_u:object_r:nmbd_port_t
portcon tcp 445 system_u:object_r:smbd_port_t
')
ifdef(`use_pop', `
portcon tcp 143 system_u:object_r:pop_port_t
portcon tcp 220 system_u:object_r:pop_port_t
')
ifdef(`snmpd.te', `
portcon udp 161 system_u:object_r:snmp_port_t
portcon udp 162 system_u:object_r:snmp_port_t
portcon tcp 199 system_u:object_r:snmp_port_t
')
ifdef(`comsat.te', `
portcon udp 512 system_u:object_r:comsat_port_t
')
ifdef(`slapd.te', `
portcon tcp 389 system_u:object_r:ldap_port_t
portcon udp 389 system_u:object_r:ldap_port_t
portcon tcp 636 system_u:object_r:ldap_port_t
portcon udp 636 system_u:object_r:ldap_port_t
')
ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
ifdef(`syslogd.te', `
portcon udp 514 system_u:object_r:syslogd_port_t
')
ifdef(`ktalkd.te', `
portcon udp 517 system_u:object_r:ktalkd_port_t
portcon udp 518 system_u:object_r:ktalkd_port_t
')
ifdef(`cups.te', `
portcon tcp 631 system_u:object_r:ipp_port_t
portcon udp 631 system_u:object_r:ipp_port_t
')
portcon tcp 88 system_u:object_r:kerberos_port_t
portcon udp 88 system_u:object_r:kerberos_port_t
portcon tcp 464 system_u:object_r:kerberos_admin_port_t
portcon udp 464 system_u:object_r:kerberos_admin_port_t
portcon tcp 749 system_u:object_r:kerberos_admin_port_t
portcon tcp 750 system_u:object_r:kerberos_port_t
portcon udp 750 system_u:object_r:kerberos_port_t
portcon tcp 4444 system_u:object_r:kerberos_master_port_t
portcon udp 4444 system_u:object_r:kerberos_master_port_t
ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
ifdef(`rsync.te', `
portcon tcp 873 system_u:object_r:rsync_port_t
portcon udp 873 system_u:object_r:rsync_port_t
')
ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
ifdef(`use_pop', `
portcon tcp 993 system_u:object_r:pop_port_t
portcon tcp 995 system_u:object_r:pop_port_t
portcon tcp 1109 system_u:object_r:pop_port_t
')
ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
ifdef(`radius.te', `
portcon udp 1645 system_u:object_r:radius_port_t
portcon udp 1646 system_u:object_r:radacct_port_t
portcon udp 1812 system_u:object_r:radius_port_t
portcon udp 1813 system_u:object_r:radacct_port_t
')
ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t')
ifdef(`gatekeeper.te', `
portcon udp 1718 system_u:object_r:gatekeeper_port_t
portcon udp 1719 system_u:object_r:gatekeeper_port_t
portcon tcp 1721 system_u:object_r:gatekeeper_port_t
portcon tcp 7000 system_u:object_r:gatekeeper_port_t
')
ifdef(`asterisk.te', `
portcon tcp 1720 system_u:object_r:asterisk_port_t
portcon udp 2427 system_u:object_r:asterisk_port_t
portcon udp 2727 system_u:object_r:asterisk_port_t
portcon udp 4569 system_u:object_r:asterisk_port_t
portcon udp 5060 system_u:object_r:asterisk_port_t
')
portcon tcp 2000 system_u:object_r:mail_port_t
ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t')
ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t')
ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t')
ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t')
ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t')
ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t')
ifdef(`imazesrv.te',`
portcon tcp 5323 system_u:object_r:imaze_port_t
portcon udp 5323 system_u:object_r:imaze_port_t
')
ifdef(`howl.te', `
portcon tcp 5335 system_u:object_r:howl_port_t
portcon udp 5353 system_u:object_r:howl_port_t
')
ifdef(`jabberd.te', `
portcon tcp 5222 system_u:object_r:jabber_client_port_t
portcon tcp 5223 system_u:object_r:jabber_client_port_t
portcon tcp 5269 system_u:object_r:jabber_interserver_port_t
')
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
# NOTE(review): NRPE (tcp 5666) reuses inetd_child_port_t, the same type that
# labels the inetd services in the inetd.te block above, rather than a dedicated
# port type. Any domain granted bind/connect access to inetd_child_port_t thus
# also gets this port; a distinct type would let NRPE access be granted alone.
# (No apostrophes in this comment: it sits next to m4 quoted text.)
ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
ifdef(`xdm.te', `
portcon tcp 5900 system_u:object_r:vnc_port_t
')
ifdef(`use_x_ports', `
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
portcon tcp 6003 system_u:object_r:xserver_port_t
portcon tcp 6004 system_u:object_r:xserver_port_t
portcon tcp 6005 system_u:object_r:xserver_port_t
portcon tcp 6006 system_u:object_r:xserver_port_t
portcon tcp 6007 system_u:object_r:xserver_port_t
portcon tcp 6008 system_u:object_r:xserver_port_t
portcon tcp 6009 system_u:object_r:xserver_port_t
portcon tcp 6010 system_u:object_r:xserver_port_t
portcon tcp 6011 system_u:object_r:xserver_port_t
portcon tcp 6012 system_u:object_r:xserver_port_t
portcon tcp 6013 system_u:object_r:xserver_port_t
portcon tcp 6014 system_u:object_r:xserver_port_t
portcon tcp 6015 system_u:object_r:xserver_port_t
portcon tcp 6016 system_u:object_r:xserver_port_t
portcon tcp 6017 system_u:object_r:xserver_port_t
portcon tcp 6018 system_u:object_r:xserver_port_t
portcon tcp 6019 system_u:object_r:xserver_port_t
')
ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t')
ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t')
ifdef(`sound-server.te', `
portcon tcp 8000 system_u:object_r:soundd_port_t
# 9433 is for YIFF
portcon tcp 9433 system_u:object_r:soundd_port_t
')
ifdef(`use_http_cache', `
portcon tcp 3128 system_u:object_r:http_cache_port_t
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon udp 3130 system_u:object_r:http_cache_port_t
')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
ifdef(`amanda.te', `
portcon udp 10080 system_u:object_r:amanda_port_t
portcon tcp 10080 system_u:object_r:amanda_port_t
portcon udp 10081 system_u:object_r:amanda_port_t
portcon tcp 10081 system_u:object_r:amanda_port_t
portcon tcp 10082 system_u:object_r:amanda_port_t
portcon tcp 10083 system_u:object_r:amanda_port_t
')
ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t')
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise
# declared or omitted due to removal of a domain.
portcon tcp 1-1023 system_u:object_r:reserved_port_t
portcon udp 1-1023 system_u:object_r:reserved_port_t
# Network interfaces (default = initial SID "netif" and "netmsg")
#
# interface netif_context default_msg_context
#
netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
# Nodes (default = initial SID "node")
#
# address mask context
#
nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t
nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t
nodecon ff00:: ff00:: system_u:object_r:node_multicast_t
nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t
nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t
nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t
nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t
# FLASK