rpms / selinux-policy

Clone
Source Code
GIT

Blame strict/domains/program/inetd.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   daff1dc5af34acb1c60e7e433e349509acd25943
  2.   strict
  3.   domains
  4.   program
  5.   inetd.te
Blob History Raw
Chris PeBenito 0fbfa5 
#DESC Inetd - Internet services daemon
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
Chris PeBenito 0fbfa5 
# re-written with daemon_domain by Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5 
# X-Debian-Packages: netkit-inetd openbsd-inetd xinetd
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
#################################
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5 
# Rules for the inetd_t domain and
Chris PeBenito 0fbfa5 
# the inetd_child_t domain.
Chris PeBenito 0fbfa5 
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
can_network(inetd_t)
Chris PeBenito 2705f9 
allow inetd_t port_type:tcp_socket name_connect;
Chris PeBenito 0fbfa5 
allow inetd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5 
allow inetd_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5 
allow inetd_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5 
allow inetd_t etc_t:file { getattr read ioctl };
Chris PeBenito 0fbfa5 
allow inetd_t self:process setsched;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
log_domain(inetd)
Chris PeBenito 0fbfa5 
tmp_domain(inetd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Use capabilities.
Chris PeBenito 0fbfa5 
allow inetd_t self:capability { setuid setgid net_bind_service };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# allow any domain to connect to inetd
Chris PeBenito 0fbfa5 
can_tcp_connect(userdomain, inetd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Run each daemon with a defined domain in its own domain.
Chris PeBenito 0fbfa5 
# These rules have been moved to the individual target domain .te files.
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Run other daemons in the inetd_child_t domain.
Chris PeBenito 0fbfa5 
allow inetd_t { bin_t sbin_t }:dir search;
Chris PeBenito 0fbfa5 
allow inetd_t sbin_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
# Bind to the telnet, ftp, rlogin and rsh ports.
Chris PeBenito 0fbfa5 
ifdef(`ftpd.te', `allow inetd_t ftp_port_t:tcp_socket name_bind;')
Chris PeBenito 0fbfa5 
ifdef(`rshd.te', `allow inetd_t rsh_port_t:tcp_socket name_bind;')
Chris PeBenito 0fbfa5 
ifdef(`talk.te', `
Chris PeBenito 0fbfa5 
allow inetd_t talk_port_t:tcp_socket name_bind;
Chris PeBenito 0fbfa5 
allow inetd_t ntalk_port_t:tcp_socket name_bind;
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 2705f9 
allow inetd_t auth_port_t:tcp_socket name_bind;
Chris PeBenito 0fbfa5 
# Communicate with the portmapper.
Chris PeBenito 0fbfa5 
ifdef(`portmap.te', `can_udp_send(inetd_t, portmap_t)')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
inetd_child_domain(inetd_child)
Chris PeBenito 0fbfa5 
allow inetd_child_t proc_net_t:dir search;
Chris PeBenito 0fbfa5 
allow inetd_child_t proc_net_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`unconfined.te', `
Chris PeBenito 0fbfa5 
domain_auto_trans(inetd_t, unconfined_exec_t, unconfined_t)
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5 
ifdef(`unlimitedInetd', `
Chris PeBenito 0fbfa5 
unconfined_domain(inetd_t)
Chris PeBenito 0fbfa5 
')
Chris PeBenito 0fbfa5

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation