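#DESC SNMPD - Simple Network Management Protocol daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: snmpd
#

#################################
#
# Rules for the snmpd_t domain.
#
# Review notes (security):
# - can_exec below lets snmpd_t run bin_t, sbin_t and shell_exec_t
#   programs WITHOUT a domain transition (presumably for snmpd.conf
#   exec/extend style directives).  Anything launched that way inherits
#   every right in this file, including dac_override, net_admin and file
#   creation in usr_t/var_t directories.  Treat SNMP write access and
#   write access to the snmpd configuration as equivalent to code
#   execution in snmpd_t.
# - The domain:dir/file rules at the end let snmpd read the /proc entry
#   of every domain on the system (process table export).  That is any
#   per-process file under /proc, not only status/stat; confirm this is
#   acceptable for the deployment.
#
daemon_domain(snmpd, `, nscd_client_domain')

#temp
# NOTE(review): this looks subsumed by the file_type_auto_trans on var_t
# below, which grants directory permissions on var_t.  Left in place
# until that is confirmed against the macro definition.
allow snmpd_t var_t:dir getattr;

can_network_server(snmpd_t)
can_ypbind(snmpd_t)

# Bind the SNMP port over both UDP and TCP.
allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;

# Private configuration file type for the daemon.
etc_domain(snmpd)

# for the .index file
var_lib_domain(snmpd)
file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, { dir sock_file })
# NOTE(review): usr_t here allows snmpd to create files inside usr_t
# directories (the MIB index under /usr/share/snmp/mibs, per the comment
# below).  That is a write right into the otherwise read-only system
# tree; if the index can live under snmpd_var_lib_t instead, drop usr_t.
file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;

log_domain(snmpd)
# for /usr/share/snmp/mibs
allow snmpd_t usr_t:file { getattr read };

# Admin domain can query snmpd over UDP and receive the replies.
can_udp_send(sysadm_t, snmpd_t)
can_udp_send(snmpd_t, sysadm_t)

allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
allow snmpd_t etc_t:lnk_file read;
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
# Entropy sources (presumably for SNMPv3 key material).
allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
# NOTE(review): dac_override bypasses file-mode checks on every object
# the type rules in this file already reach; kill presumably backs the
# signull probe on other domains below; sys_tty_config has no obvious
# user anywhere in this file and is a candidate for removal once an
# audit2allow run confirms it is not needed.
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };

allow snmpd_t proc_t:dir search;
allow snmpd_t proc_t:file r_file_perms;
allow snmpd_t self:file { getattr read };
allow snmpd_t self:fifo_file rw_file_perms;
allow snmpd_t { bin_t sbin_t }:dir search;
# Runs helper programs in snmpd_t itself (no transition); see header note.
can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })

ifdef(`distro_redhat', `
ifdef(`rpm.te', `
# Read-only access to the RPM database; writes are silenced, not allowed.
r_dir_file(snmpd_t, rpm_var_lib_t)
dontaudit snmpd_t rpm_var_lib_t:dir write;
dontaudit snmpd_t rpm_var_lib_t:file write;
')
')

allow snmpd_t home_root_t:dir search;
allow snmpd_t initrc_var_run_t:file r_file_perms;
dontaudit snmpd_t initrc_var_run_t:file write;
# rpc_pipefs_t:dir getattr is allowed; the dontaudit that used to precede
# this rule for the identical access was redundant and has been removed.
allow snmpd_t rpc_pipefs_t:dir getattr;
read_sysctl(snmpd_t)
allow snmpd_t sysctl_net_t:dir search;
allow snmpd_t sysctl_net_t:file { getattr read };

# Block device access is silenced rather than granted.
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
allow snmpd_t sysfs_t:dir { getattr read search };
ifdef(`amanda.te', `
dontaudit snmpd_t amanda_dumpdates_t:file { getattr read };
')
ifdef(`cupsd.te', `
allow snmpd_t cupsd_rw_etc_t:file { getattr read };
')
allow snmpd_t var_lib_nfs_t:dir search;

# needed in order to retrieve net traffic data
allow snmpd_t proc_net_t:dir search;
allow snmpd_t proc_net_t:file r_file_perms;

# Process table: read the /proc entry of every domain and probe liveness.
# signull delivers no signal; the kill capability above is presumably what
# lets the probe reach processes owned by other users.
allow snmpd_t domain:dir { getattr search };
allow snmpd_t domain:file { getattr read };
allow snmpd_t domain:process signull;

dontaudit snmpd_t selinux_config_t:dir search;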