123 lines
3.6 KiB
Plaintext
123 lines
3.6 KiB
Plaintext
#
|
|
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
#
|
|
|
|
# Modified by Reino Wallin <reino@oribium.com>
|
|
# Multi NIC, and IPSEC features
|
|
|
|
# Modified by Russell Coker
|
|
# Move port types to their respective domains, add ifdefs, other cleanups.
|
|
|
|
# generally we do not want to define port types in this file, but some things
|
|
# are insanely difficult to do elsewhere, xserver_port_t is a good example
|
|
# getting the type defined is the easy part for X, conditional code for many
|
|
# other domains (including one that starts with a) is the hard part.
|
|
ifdef(`xdm.te', `define(`use_x_ports')')
|
|
ifdef(`startx.te', `define(`use_x_ports')')
|
|
ifdef(`xauth.te', `define(`use_x_ports')')
|
|
ifdef(`xserver.te', `define(`use_x_ports')')
|
|
ifdef(`use_x_ports', `
|
|
type xserver_port_t, port_type;
|
|
')
|
|
#
|
|
# Defines used by the te files need to be defined outside of net_constraints
|
|
#
|
|
ifdef(`named.te', `define(`use_dns')')
|
|
ifdef(`nsd.te', `define(`use_dns')')
|
|
ifdef(`tinydns.te', `define(`use_dns')')
|
|
ifdef(`dnsmasq.te', `define(`use_dns')')
|
|
ifdef(`use_dns', `
|
|
type dns_port_t, port_type;
|
|
')
|
|
|
|
ifdef(`dhcpd.te', `define(`use_dhcpd')')
|
|
ifdef(`dnsmasq.te', `define(`use_dhcpd')')
|
|
ifdef(`use_dhcpd', `
|
|
type dhcpd_port_t, port_type;
|
|
')
|
|
|
|
ifdef(`cyrus.te', `define(`use_pop')')
|
|
ifdef(`courier.te', `define(`use_pop')')
|
|
ifdef(`perdition.te', `define(`use_pop')')
|
|
ifdef(`dovecot.te', `define(`use_pop')')
|
|
ifdef(`uwimapd.te', `define(`use_pop')')
|
|
ifdef(`use_pop', `
|
|
type pop_port_t, port_type, reserved_port_type;
|
|
')
|
|
ifdef(`apache.te', `define(`use_http_cache')')
|
|
ifdef(`squid.te', `define(`use_http_cache')')
|
|
ifdef(`use_http_cache', `
|
|
type http_cache_port_t, port_type;
|
|
')
|
|
|
|
ifdef(`dhcpd.te', `define(`use_pxe')')
|
|
ifdef(`pxe.te', `define(`use_pxe')')
|
|
|
|
############################################
|
|
#
|
|
# Network types
|
|
#
|
|
|
|
#
|
|
# mail_port_t is for generic mail ports shared by different mail servers
|
|
#
|
|
type mail_port_t, port_type;
|
|
|
|
#
|
|
# Ports used to communicate with kerberos server
|
|
#
|
|
type kerberos_port_t, port_type, reserved_port_type;
|
|
type kerberos_admin_port_t, port_type, reserved_port_type;
|
|
type kerberos_master_port_t, port_type;
|
|
|
|
#
|
|
# port_t is the default type of INET port numbers.
|
|
# The *_port_t types are used for specific port
|
|
# numbers in net_contexts or net_contexts.mls.
|
|
#
|
|
type port_t, port_type;
|
|
|
|
# reserved_port_t is the default type for INET reserved ports
|
|
# that are not otherwise mapped to a specific port type.
|
|
type reserved_port_t, port_type;
|
|
|
|
#
|
|
# netif_t is the default type of network interfaces.
|
|
# The netif_*_t types are used for specific network
|
|
# interfaces in net_contexts or net_contexts.mls.
|
|
#
|
|
type netif_t, netif_type;
|
|
type netif_eth0_t, netif_type;
|
|
type netif_eth1_t, netif_type;
|
|
type netif_eth2_t, netif_type;
|
|
type netif_lo_t, netif_type;
|
|
type netif_ippp0_t, netif_type;
|
|
|
|
type netif_ipsec0_t, netif_type;
|
|
type netif_ipsec1_t, netif_type;
|
|
type netif_ipsec2_t, netif_type;
|
|
|
|
#
|
|
# node_t is the default type of network nodes.
|
|
# The node_*_t types are used for specific network
|
|
# nodes in net_contexts or net_contexts.mls.
|
|
#
|
|
type node_t, node_type;
|
|
type node_lo_t, node_type;
|
|
type node_internal_t, node_type;
|
|
type node_inaddr_any_t, node_type;
|
|
type node_unspec_t, node_type;
|
|
type node_link_local_t, node_type;
|
|
type node_site_local_t, node_type;
|
|
type node_multicast_t, node_type;
|
|
type node_mapped_ipv4_t, node_type;
|
|
type node_compat_ipv4_t, node_type;
|
|
|
|
# Kernel-generated traffic, e.g. ICMP replies.
|
|
allow kernel_t netif_type:netif { rawip_send rawip_recv };
|
|
allow kernel_t node_type:node { rawip_send rawip_recv };
|
|
|
|
# Kernel-generated traffic, e.g. TCP resets.
|
|
allow kernel_t netif_type:netif { tcp_send tcp_recv };
|
|
allow kernel_t node_type:node { tcp_send tcp_recv };
|