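#DESC INN - InterNetNews server
#
# Author:  Faye Coker <faye@lurking-grue.org>
# X-Debian-Packages: inn
#
################################

# Types for the server port and news spool.
#
type news_spool_t, file_type, sysadmfile;

# need privmail attribute so innd can access system_mail_t
daemon_domain(innd, `, privmail')

# allow innd to create files and directories of type news_spool_t
create_dir_file(innd_t, news_spool_t)

# allow user domains to read files and directories of these types
# NOTE(review): this also exposes innd_etc_t (the server configuration) to
# every user domain; confirm nothing sensitive is kept under that label.
r_dir_file(userdomain, { news_spool_t innd_var_lib_t innd_etc_t })

can_exec(initrc_t, innd_etc_t)
# innd may execute its own binaries, generic /bin programs and shells
# (helper scripts); this is a wide execution surface for a network daemon.
can_exec(innd_t, { innd_exec_t bin_t shell_exec_t })
ifdef(`hostname.te', `
can_exec(innd_t, hostname_exec_t)
')

allow innd_t var_spool_t:dir { getattr search };

can_network(innd_t)
# NOTE(review): port_type lets innd connect to any labelled TCP port, not
# only NNTP peers; a narrower target (e.g. innd_port_t) would be tighter if
# the peering configuration permits it.
allow innd_t port_type:tcp_socket name_connect;
can_ypbind(innd_t)

# local IPC between innd and the sysadmin domain (ctlinnd-style control)
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
allow innd_t self:unix_dgram_socket create_socket_perms;
allow innd_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(innd_t, self)

allow innd_t self:fifo_file rw_file_perms;
# bind the server port (see innd_port_t); net_bind_service below covers a
# privileged port number
allow innd_t innd_port_t:tcp_socket name_bind;

# setuid/setgid: switch to the news user; kill: signal its own helpers;
# dac_override: bypass file permission checks -- TODO confirm this last one
# is still required, it is the broadest of the set
allow innd_t self:capability { dac_override kill setgid setuid net_bind_service };
allow innd_t self:process setsched;

allow innd_t { bin_t sbin_t }:dir search;
allow innd_t usr_t:lnk_file read;
allow innd_t usr_t:file { getattr read ioctl };
allow innd_t lib_t:file ioctl;
allow innd_t etc_t:file { getattr read };
allow innd_t { proc_t etc_runtime_t }:file { getattr read };
allow innd_t urandom_device_t:chr_file read;

allow innd_t innd_var_run_t:sock_file create_file_perms;

# allow innd to read directories of type innd_etc_t (/etc/news/(/.*)?) and symbolic links with that type
etcdir_domain(innd)

# allow innd to create files under /var/log of type innd_log_t and have a directory for its own files that
# it can write to
logdir_domain(innd)

# allow innd read-write directory permissions to /var/lib/news.
var_lib_domain(innd)

# Every rule that references system_crond_t belongs inside this guard so the
# policy still builds when crond.te is not included.
ifdef(`crond.te', `
system_crond_entry(innd_exec_t, innd_t)
allow system_crond_t innd_etc_t:file { getattr read };
rw_dir_create_file(system_crond_t, innd_log_t)
rw_dir_create_file(system_crond_t, innd_var_run_t)
')

ifdef(`syslogd.te', `
allow syslogd_t innd_log_t:dir search;
allow syslogd_t innd_log_t:file create_file_perms;
')

allow innd_t self:file { getattr read };
# silence, rather than grant, probes of the SELinux configuration directory
dontaudit innd_t selinux_config_t:dir { search };
allow innd_t bin_t:lnk_file { read };
allow innd_t sbin_t:lnk_file { read };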