135 lines
3.4 KiB
Plaintext
135 lines
3.4 KiB
Plaintext
|
|
policy_module(radius,1.1.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type radiusd_t;
|
|
type radiusd_exec_t;
|
|
init_daemon_domain(radiusd_t,radiusd_exec_t)
|
|
|
|
type radiusd_etc_t;
|
|
files_config_file(radiusd_etc_t)
|
|
|
|
type radiusd_log_t;
|
|
logging_log_file(radiusd_log_t)
|
|
|
|
type radiusd_var_run_t;
|
|
files_pid_file(radiusd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# fsetid is for gzip which needs it when run from scripts
|
|
# gzip also needs chown access to preserve GID for radwtmp files
|
|
allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
|
|
dontaudit radiusd_t self:capability sys_tty_config;
|
|
allow radiusd_t self:process setsched;
|
|
allow radiusd_t self:fifo_file rw_file_perms;
|
|
allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow radiusd_t self:tcp_socket create_stream_socket_perms;
|
|
allow radiusd_t self:udp_socket create_socket_perms;
|
|
|
|
allow radiusd_t radiusd_etc_t:file r_file_perms;
|
|
allow radiusd_t radiusd_etc_t:dir r_dir_perms;
|
|
allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
|
|
files_search_etc(radiusd_t)
|
|
|
|
allow radiusd_t radiusd_log_t:file create_file_perms;
|
|
allow radiusd_t radiusd_log_t:dir create_dir_perms;
|
|
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
|
|
|
|
allow radiusd_t radiusd_var_run_t:file create_file_perms;
|
|
allow radiusd_t radiusd_var_run_t:dir rw_dir_perms;
|
|
files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(radiusd_t)
|
|
kernel_read_system_state(radiusd_t)
|
|
|
|
corenet_non_ipsec_sendrecv(radiusd_t)
|
|
corenet_tcp_sendrecv_all_if(radiusd_t)
|
|
corenet_udp_sendrecv_all_if(radiusd_t)
|
|
corenet_tcp_sendrecv_all_nodes(radiusd_t)
|
|
corenet_udp_sendrecv_all_nodes(radiusd_t)
|
|
corenet_tcp_sendrecv_all_ports(radiusd_t)
|
|
corenet_udp_sendrecv_all_ports(radiusd_t)
|
|
corenet_udp_bind_all_nodes(radiusd_t)
|
|
corenet_udp_bind_radacct_port(radiusd_t)
|
|
corenet_udp_bind_radius_port(radiusd_t)
|
|
corenet_sendrecv_radius_server_packets(radiusd_t)
|
|
corenet_sendrecv_radacct_server_packets(radiusd_t)
|
|
# for RADIUS proxy port
|
|
corenet_udp_bind_generic_port(radiusd_t)
|
|
corenet_sendrecv_generic_server_packets(radiusd_t)
|
|
|
|
dev_read_sysfs(radiusd_t)
|
|
|
|
fs_getattr_all_fs(radiusd_t)
|
|
fs_search_auto_mountpoints(radiusd_t)
|
|
|
|
term_dontaudit_use_console(radiusd_t)
|
|
|
|
auth_read_shadow(radiusd_t)
|
|
auth_domtrans_chk_passwd(radiusd_t)
|
|
|
|
corecmd_exec_bin(radiusd_t)
|
|
corecmd_exec_shell(radiusd_t)
|
|
corecmd_search_sbin(radiusd_t)
|
|
|
|
domain_use_interactive_fds(radiusd_t)
|
|
|
|
files_read_usr_files(radiusd_t)
|
|
files_read_etc_files(radiusd_t)
|
|
files_read_etc_runtime_files(radiusd_t)
|
|
|
|
init_use_fds(radiusd_t)
|
|
init_use_script_ptys(radiusd_t)
|
|
|
|
libs_use_ld_so(radiusd_t)
|
|
libs_use_shared_libs(radiusd_t)
|
|
libs_exec_lib_files(radiusd_t)
|
|
|
|
logging_send_syslog_msg(radiusd_t)
|
|
|
|
miscfiles_read_localization(radiusd_t)
|
|
|
|
sysnet_read_config(radiusd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(radiusd_t)
|
|
userdom_dontaudit_getattr_sysadm_home_dirs(radiusd_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_ttys(radiusd_t)
|
|
term_dontaudit_use_generic_ptys(radiusd_t)
|
|
files_dontaudit_read_root_files(radiusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(radiusd_t,radiusd_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
logrotate_exec(radiusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(radiusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(radiusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_tcp_connect(radiusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(radiusd_t)
|
|
')
|