selinux-policy/policy/modules/services/tftp.te
Dominick Grift 568349bd70 The process and capability IPC goes on top of local policy.
The process and capability IPC goes on top of local policy.

The process and capability IPC goes on top of local policy.

The process and capability IPC goes on top of local policy.
2010-09-24 12:44:16 +02:00

111 lines
2.7 KiB
Plaintext

policy_module(tftp, 1.12.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow tftp to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(tftp_anon_write, false)
type tftpd_t;
type tftpd_exec_t;
init_daemon_domain(tftpd_t, tftpd_exec_t)
type tftpd_var_run_t;
files_pid_file(tftpd_var_run_t)
type tftpdir_t;
files_type(tftpdir_t)
type tftpdir_rw_t;
files_type(tftpdir_rw_t)
########################################
#
# Local policy
#
allow tftpd_t self:capability { setgid setuid sys_chroot };
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
allow tftpd_t tftpdir_t:lnk_file { getattr read };
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
kernel_read_system_state(tftpd_t)
kernel_read_kernel_sysctls(tftpd_t)
corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
corenet_tcp_sendrecv_generic_if(tftpd_t)
corenet_udp_sendrecv_generic_if(tftpd_t)
corenet_tcp_sendrecv_generic_node(tftpd_t)
corenet_udp_sendrecv_generic_node(tftpd_t)
corenet_tcp_sendrecv_all_ports(tftpd_t)
corenet_udp_sendrecv_all_ports(tftpd_t)
corenet_tcp_bind_generic_node(tftpd_t)
corenet_udp_bind_generic_node(tftpd_t)
corenet_udp_bind_tftp_port(tftpd_t)
corenet_sendrecv_tftp_server_packets(tftpd_t)
dev_read_sysfs(tftpd_t)
fs_getattr_all_fs(tftpd_t)
fs_search_auto_mountpoints(tftpd_t)
domain_use_interactive_fds(tftpd_t)
files_read_etc_files(tftpd_t)
files_read_etc_runtime_files(tftpd_t)
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
auth_use_nsswitch(tftpd_t)
logging_send_syslog_msg(tftpd_t)
miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
userdom_dontaudit_use_user_terminals(tftpd_t)
userdom_dontaudit_search_user_home_dirs(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
')
optional_policy(`
cobbler_read_lib_files(tftpd_t)
')
optional_policy(`
inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')
optional_policy(`
seutil_sigchld_newrole(tftpd_t)
')
optional_policy(`
udev_read_db(tftpd_t)
')