selinux-policy/policy/modules/services/portslave.te

policy_module(portslave,1.0.1)

########################################
#
# Declarations
#

type portslave_t;
type portslave_exec_t;
init_domain(portslave_t,portslave_exec_t)
init_daemon_domain(portslave_t,portslave_exec_t)

type portslave_etc_t;
files_type(portslave_etc_t)

type portslave_lock_t;
files_lock_file(portslave_lock_t)

########################################
#
# Local policy
#

# setuid setgid net_admin fsetid for pppd
# sys_admin for ctlportslave
# net_bind_service for rlogin
allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_file_perms;
allow portslave_t self:unix_dgram_socket create_socket_perms;
allow portslave_t self:unix_stream_socket create_stream_socket_perms;
allow portslave_t self:unix_dgram_socket sendto;
allow portslave_t self:unix_stream_socket connectto;
allow portslave_t self:shm create_shm_perms;
allow portslave_t self:sem create_sem_perms;
allow portslave_t self:msgq create_msgq_perms;
allow portslave_t self:msg { send receive };
allow portslave_t self:tcp_socket create_stream_socket_perms;
allow portslave_t self:udp_socket create_socket_perms;

allow portslave_t portslave_etc_t:dir r_dir_perms;
allow portslave_t portslave_etc_t:file r_file_perms;
allow portslave_t portslave_etc_t:lnk_file { getattr read };

allow portslave_t portslave_lock_t:file create_file_perms;
files_lock_filetrans(portslave_t,portslave_lock_t,file)

kernel_read_system_state(portslave_t)
kernel_read_kernel_sysctls(portslave_t)

corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)

corenet_non_ipsec_sendrecv(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
corenet_tcp_sendrecv_all_nodes(portslave_t)
corenet_udp_sendrecv_all_nodes(portslave_t)
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
corenet_rw_ppp_dev(portslave_t)

dev_read_sysfs(portslave_t)
# for ssh
dev_read_urand(portslave_t)

domain_use_interactive_fds(portslave_t)

files_read_etc_files(portslave_t)
files_read_etc_runtime_files(portslave_t)
files_exec_etc_files(portslave_t)

fs_search_auto_mountpoints(portslave_t)
fs_getattr_xattr_fs(portslave_t)

term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
term_use_all_user_ttys(portslave_t)
term_dontaudit_use_console(portslave_t)
term_search_ptys(portslave_t)

auth_rw_login_records(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
init_use_fds(portslave_t)
init_use_script_ptys(portslave_t)
init_rw_utmp(portslave_t)

libs_use_ld_so(portslave_t)
libs_use_shared_libs(portslave_t)

logging_send_syslog_msg(portslave_t)
logging_search_logs(portslave_t)

sysnet_read_config(portslave_t)

userdom_use_unpriv_users_fds(portslave_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
userdom_search_all_users_home_dirs(portslave_t)

mta_send_mail(portslave_t)

# this should probably be a domtrans to pppd
# instead of exec.
ppp_read_rw_config(portslave_t)
ppp_exec(portslave_t)
ppp_read_secrets(portslave_t)
ppp_manage_pid_files(portslave_t)
ppp_pid_filetrans(portslave_t)

ssh_exec(portslave_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(portslave_t)
	term_dontaudit_use_generic_ptys(portslave_t)
	files_dontaudit_read_root_files(portslave_t)
')

optional_policy(`
	inetd_tcp_service_domain(portslave_t,portslave_exec_t)
')

optional_policy(`
	nis_use_ypbind(portslave_t)
')

optional_policy(`
	radius_use(portslave_t)
')

optional_policy(`
	seutil_sigchld_newrole(portslave_t)
')

optional_policy(`
	udev_read_db(portslave_t)
')