Chris PeBenito 0fbfa5
#DESC Portmap - Maintain RPC program number map
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
Chris PeBenito 0fbfa5
#           Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: portmap
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the portmap_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
daemon_domain(portmap, `, nscd_client_domain')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_network(portmap_t)
Chris PeBenito 0fbfa5
can_ypbind(portmap_t)
Chris PeBenito 0fbfa5
allow portmap_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type portmap_port_t, port_type, reserved_port_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(portmap)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
Chris PeBenito 0fbfa5
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# portmap binds to arbitary ports
Chris PeBenito 0fbfa5
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
Chris PeBenito 0fbfa5
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow portmap_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Send to ypbind, initrc, rpc.statd, xinetd.
Chris PeBenito 0fbfa5
ifdef(`ypbind.te',
Chris PeBenito 0fbfa5
`can_udp_send(portmap_t, ypbind_t)')
Chris PeBenito 0fbfa5
can_udp_send(portmap_t, { initrc_t init_t })
Chris PeBenito 0fbfa5
can_udp_send(init_t, portmap_t)
Chris PeBenito 0fbfa5
ifdef(`rpcd.te',
Chris PeBenito 0fbfa5
`can_udp_send(portmap_t, rpcd_t)')
Chris PeBenito 0fbfa5
ifdef(`inetd.te',
Chris PeBenito 0fbfa5
`can_udp_send(portmap_t, inetd_t)')
Chris PeBenito 0fbfa5
ifdef(`lpd.te',
Chris PeBenito 0fbfa5
`can_udp_send(portmap_t, lpd_t)')
Chris PeBenito 0fbfa5
ifdef(`tcpd.te', `
Chris PeBenito 0fbfa5
can_udp_send(tcpd_t, portmap_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
can_udp_send(portmap_t, kernel_t)
Chris PeBenito 0fbfa5
can_udp_send(kernel_t, portmap_t)
Chris PeBenito 0fbfa5
can_udp_send(sysadm_t, portmap_t)
Chris PeBenito 0fbfa5
can_udp_send(portmap_t, sysadm_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities
Chris PeBenito 0fbfa5
allow portmap_t self:capability { net_bind_service setuid setgid };
Chris PeBenito 0fbfa5
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
application_domain(portmap_helper)
Chris PeBenito 0fbfa5
role system_r types portmap_helper_t;
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
Chris PeBenito 0fbfa5
dontaudit portmap_helper_t self:capability { net_admin };
Chris PeBenito 0fbfa5
allow portmap_helper_t self:capability { net_bind_service };
Chris PeBenito 0fbfa5
allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
Chris PeBenito 0fbfa5
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5
can_network(portmap_helper_t)
Chris PeBenito 0fbfa5
can_ypbind(portmap_helper_t)
Chris PeBenito 0fbfa5
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow portmap_helper_t etc_t:file { getattr read };
Chris PeBenito 0fbfa5
dontaudit portmap_helper_t userdomain:fd use;
Chris PeBenito 0fbfa5
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
Chris PeBenito 0fbfa5
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;