Chris PeBenito 31b7c0
#DESC Tcpd - Access control facilities from internet services
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
Chris PeBenito 31b7c0
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 31b7c0
# X-Debian-Packages: tcpd
Chris PeBenito 31b7c0
# Depends: inetd.te
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Rules for the tcpd_t domain.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
type tcpd_t, domain, privlog;
Chris PeBenito 31b7c0
role system_r types tcpd_t;
Chris PeBenito 31b7c0
uses_shlib(tcpd_t)
Chris PeBenito 31b7c0
type tcpd_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 31b7c0
domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow tcpd_t fs_t:filesystem getattr;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# no good reason for this, probably nscd
Chris PeBenito 31b7c0
dontaudit tcpd_t var_t:dir search;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
can_network_server(tcpd_t)
Chris PeBenito 31b7c0
can_ypbind(tcpd_t)
Chris PeBenito 31b7c0
allow tcpd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
allow tcpd_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 31b7c0
allow tcpd_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
read_locale(tcpd_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
tmp_domain(tcpd)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use sockets inherited from inetd.
Chris PeBenito 31b7c0
allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Run each daemon with a defined domain in its own domain.
Chris PeBenito 31b7c0
# These rules have been moved to each target domain .te file.
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Run other daemons in the inetd_child_t domain.
Chris PeBenito 31b7c0
allow tcpd_t { bin_t sbin_t }:dir search;
Chris PeBenito 31b7c0
domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow tcpd_t device_t:dir search;