|
Chris PeBenito |
0fbfa5 |
#DESC Portmap - Maintain RPC program number map
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
Chris PeBenito |
0fbfa5 |
# Russell Coker <russell@coker.com.au>
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: portmap
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#################################
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Rules for the portmap_t domain.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
daemon_domain(portmap, `, nscd_client_domain')
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_network(portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
type portmap_port_t, port_type, reserved_port_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
tmp_domain(portmap)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# portmap binds to arbitary ports
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t etc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Send to ypbind, initrc, rpc.statd, xinetd.
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`ypbind.te',
|
|
Chris PeBenito |
0fbfa5 |
`can_udp_send(portmap_t, ypbind_t)')
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(portmap_t, { initrc_t init_t })
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(init_t, portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`rpcd.te',
|
|
Chris PeBenito |
0fbfa5 |
`can_udp_send(portmap_t, rpcd_t)')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`inetd.te',
|
|
Chris PeBenito |
0fbfa5 |
`can_udp_send(portmap_t, inetd_t)')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`lpd.te',
|
|
Chris PeBenito |
0fbfa5 |
`can_udp_send(portmap_t, lpd_t)')
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`tcpd.te', `
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(tcpd_t, portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(portmap_t, kernel_t)
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(kernel_t, portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(sysadm_t, portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(portmap_t, sysadm_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Use capabilities
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t self:capability { net_bind_service setuid setgid };
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
application_domain(portmap_helper)
|
|
Chris PeBenito |
0fbfa5 |
role system_r types portmap_helper_t;
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
|
|
Chris PeBenito |
0fbfa5 |
dontaudit portmap_helper_t self:capability { net_admin };
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_helper_t self:capability { net_bind_service };
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
can_network(portmap_helper_t)
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(portmap_helper_t)
|
|
Chris PeBenito |
0fbfa5 |
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_helper_t etc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
dontaudit portmap_helper_t userdomain:fd use;
|
|
Chris PeBenito |
0fbfa5 |
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
|