selinux-policy/targeted/macros/program/inetd_macros.te
2005-10-21 18:05:21 +00:00

98 lines
2.8 KiB
Plaintext

#################################
#
# Rules for the $1_t domain.
#
# $1_t is a general domain for daemons started
# by inetd that do not have their own individual domains yet.
# $1_exec_t is the type of the corresponding
# programs.
#
define(`inetd_child_domain', `
type $1_t, domain, privlog, nscd_client_domain;
role system_r types $1_t;
#
# Allows user to define a tunable to disable domain transition
#
bool $1_disable_trans false;
if ($1_disable_trans) {
can_exec(initrc_t, $1_exec_t)
can_exec(sysadm_t, $1_exec_t)
} else {
domain_auto_trans(inetd_t, $1_exec_t, $1_t)
allow inetd_t $1_t:process sigkill;
}
can_network_server($1_t)
can_ypbind($1_t)
uses_shlib($1_t)
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_socket_perms;
allow $1_t self:fifo_file rw_file_perms;
type $1_exec_t, file_type, sysadmfile, exec_type;
read_locale($1_t)
allow $1_t device_t:dir search;
allow $1_t proc_t:dir search;
allow $1_t proc_t:{ file lnk_file } { getattr read };
allow $1_t self:process { fork signal_perms };
allow $1_t fs_t:filesystem getattr;
read_sysctl($1_t)
allow $1_t etc_t:file { getattr read };
tmp_domain($1)
allow $1_t var_t:dir search;
var_run_domain($1)
# Inherit and use descriptors from inetd.
allow $1_t inetd_t:fd use;
# for identd
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow $1_t self:capability { setuid setgid };
allow $1_t home_root_t:dir search;
allow $1_t self:dir search;
allow $1_t self:{ lnk_file file } { getattr read };
can_kerberos($1_t)
allow $1_t urandom_device_t:chr_file r_file_perms;
# Use sockets inherited from inetd.
ifelse($2, `', `
allow inetd_t $1_port_t:udp_socket name_bind;
allow $1_t inetd_t:udp_socket rw_socket_perms;
allow inetd_t $1_port_t:tcp_socket name_bind;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
ifelse($2, tcp, `
allow inetd_t $1_port_t:tcp_socket name_bind;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
ifelse($2, udp, `
allow inetd_t $1_port_t:udp_socket name_bind;
allow $1_t inetd_t:udp_socket rw_socket_perms;
')
r_dir_file($1_t, proc_net_t)
')
define(`remote_login_daemon', `
inetd_child_domain($1)
# Execute /bin/login on a new PTY
allow $1_t { bin_t sbin_t }:dir search;
domain_auto_trans($1_t, login_exec_t, remote_login_t)
can_create_pty($1, `, server_pty, userpty_type')
allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;
# Append to /var/log/wtmp.
allow $1_t var_log_t:dir search;
allow $1_t wtmp_t:file rw_file_perms;
allow $1_t initrc_var_run_t:file rw_file_perms;
# Allow reading of /etc/issue.net
allow $1_t etc_runtime_t:file r_file_perms;
# Allow krb5 $1 to use fork and open /dev/tty for use
allow $1_t userpty_type:chr_file setattr;
allow $1_t devtty_t:chr_file rw_file_perms;
dontaudit $1_t selinux_config_t:dir search;
')