selinux-policy/strict/domains/program/portmap.te
2005-09-13 13:06:07 +00:00

72 lines
2.5 KiB
Plaintext

#DESC Portmap - Maintain RPC program number map
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portmap
#
#################################
#
# Rules for the portmap_t domain.
#
daemon_domain(portmap, `, nscd_client_domain')
can_network(portmap_t)
allow portmap_t port_type:tcp_socket name_connect;
can_ypbind(portmap_t)
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
tmp_domain(portmap)
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
# portmap binds to arbitary ports
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
allow portmap_t etc_t:file { getattr read };
# Send to ypbind, initrc, rpc.statd, xinetd.
ifdef(`ypbind.te',
`can_udp_send(portmap_t, ypbind_t)')
can_udp_send(portmap_t, { initrc_t init_t })
can_udp_send(init_t, portmap_t)
ifdef(`rpcd.te',
`can_udp_send(portmap_t, rpcd_t)')
ifdef(`inetd.te',
`can_udp_send(portmap_t, inetd_t)')
ifdef(`lpd.te',
`can_udp_send(portmap_t, lpd_t)')
ifdef(`tcpd.te', `
can_udp_send(tcpd_t, portmap_t)
')
can_udp_send(portmap_t, kernel_t)
can_udp_send(kernel_t, portmap_t)
can_udp_send(sysadm_t, portmap_t)
can_udp_send(portmap_t, sysadm_t)
# Use capabilities
allow portmap_t self:capability { net_bind_service setuid setgid };
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
application_domain(portmap_helper)
role system_r types portmap_helper_t;
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
allow portmap_helper_t port_type:tcp_socket name_connect;
can_ypbind(portmap_helper_t)
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
allow portmap_helper_t etc_t:file { getattr read };
dontaudit portmap_helper_t { userdomain privfd }:fd use;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;