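#DESC Tcpd - Access control facilities from internet services
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: tcpd
# Depends: inetd.te
#

#################################
#
# Rules for the tcpd_t domain.
#
# tcpd_t is the domain of the tcpd wrapper that inetd executes in front of a
# service.  inetd_t enters tcpd_t by executing a tcpd_exec_t file; tcpd_t
# consults its access-control configuration under /etc, then executes the
# wrapped service, leaving this domain again via the transition at the
# bottom of this file (or via the per-service transitions that now live in
# each target domain's .te file).
#
# privlog: the wrapper logs accepted/rejected connections through syslog.
type tcpd_t, domain, privlog;
role system_r types tcpd_t;
uses_shlib(tcpd_t)
# Entry point: the tcpd binary itself.
type tcpd_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(inetd_t, tcpd_exec_t, tcpd_t)

# Stat the filesystem (statfs) without granting any file access on it.
allow tcpd_t fs_t:filesystem getattr;

# No known reason for this access; probably a side effect of nscd lookups.
# Silenced rather than allowed so it does not fill the audit log.
dontaudit tcpd_t var_t:dir search;

# NOTE(review): tcpd only services sockets it inherits from inetd (see the
# inetd_t:tcp_socket rule below), so the server-side socket permissions
# granted by this macro may be broader than the wrapper actually needs.
# Confirm against the macro definition and audit logs before narrowing.
can_network_server(tcpd_t)
# NIS lookups, used when host/user names are resolved through ypbind.
can_ypbind(tcpd_t)
# Local sockets for syslog (dgram) and for name-service clients (stream).
allow tcpd_t self:unix_dgram_socket create_socket_perms;
allow tcpd_t self:unix_stream_socket create_socket_perms;
# Read-only access to the wrapper's access-control files under /etc
# (hosts.allow / hosts.deny are labelled etc_t).  No write access: the
# policy files must not be modifiable from this domain.
allow tcpd_t etc_t:file { getattr read };
read_locale(tcpd_t)

# Private temporary files (tcpd_tmp_t) so the wrapper never shares /tmp
# objects with other domains.
tmp_domain(tcpd)

# Use sockets inherited from inetd.  Only read/write on the already-accepted
# connection is needed; tcpd does not create or bind listeners of its own.
allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;

# Run each daemon with a defined domain in its own domain.
# These rules have been moved to each target domain .te file.

# Run other daemons in the inetd_child_t domain.
# Searching bin_t/sbin_t is needed to locate the wrapped service binary;
# executing it transitions out of tcpd_t, so the wrapper's own permissions
# do not leak into the service.
allow tcpd_t { bin_t sbin_t }:dir search;
domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)

# Search /dev; presumably needed to reach device nodes such as /dev/log for
# syslog — confirm against audit logs.
allow tcpd_t device_t:dir search;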