#DESC Ypbind - NIS/YP
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# Russell Coker <russell@coker.com.au>
# X-Debian-Packages: nis
# Depends: portmap.te named.te
#
#################################
#
# Rules for the ypbind_t domain.
#
# Declares the ypbind_t domain (and its executable type) with the
# shared daemon rules; everything below refines that baseline.
daemon_domain(ypbind)
# Gives ypbind_t its own private type for files it creates under /tmp,
# so its temporary files are not shared with other domains.
tmp_domain(ypbind)
# Use capabilities.
# net_bind_service is required for the reserved_port_t name_bind granted
# further down; no other capability is allowed, so a compromised ypbind
# cannot escalate through the capability set.
allow ypbind_t self:capability { net_bind_service };
# net_admin stays denied; the denial is merely not logged, presumably
# because the daemon probes for it without needing it — confirm before
# converting this into an allow.
dontaudit ypbind_t self:capability net_admin;
# Use the network.
# Generic socket creation and traffic rules for the domain; the
# port-level name_bind / name_connect rules below narrow what it may
# bind and connect to.
can_network(ypbind_t)
# port_type is the attribute shared by all port types, so this permits
# outbound TCP connects to any labelled port. NIS servers are located via
# portmap on dynamically assigned ports, which is presumably why this is
# not narrowed to a single port type — worth confirming, as it is the
# broadest network permission in this domain.
allow ypbind_t port_type:tcp_socket name_connect;
# Binding is limited to generic unlabelled ports (port_t) here and to
# reserved_port_t below; ports owned by other specific port types remain
# off-limits.
allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
# Read/write on the domain's own pipes (self only, not pipes of other
# domains).
allow ypbind_t self:fifo_file rw_file_perms;
# Read-only access to sysctl entries; no write access to kernel tunables
# is granted.
read_sysctl(ypbind_t)
# Send to portmap and initrc.
# UDP datagrams from ypbind to the portmapper (RPC port lookup).
can_udp_send(ypbind_t, portmap_t)
# UDP datagrams from ypbind to init scripts; the reverse direction is
# granted at the end of this file.
can_udp_send(ypbind_t, initrc_t)
# Read and write /var/yp.
# Full read/write on the /var/yp directory tree (var_yp_t), where the
# daemon keeps its binding state.
allow ypbind_t var_yp_t:dir rw_dir_perms;
# create_file_perms includes create/write/unlink, so ypbind fully owns the
# files under /var/yp; no other file type is writable from this domain.
allow ypbind_t var_yp_t:file create_file_perms;
# Note the subject here is initrc_t, not ypbind_t: init scripts may list
# /var/yp (read-only) but cannot modify it.
allow initrc_t var_yp_t:dir { getattr read };
# Read-only access to generic /etc files (presumably the NIS client
# configuration); deliberately no write access to etc_t.
allow ypbind_t etc_t:file { getattr read };
# Unix-domain sockets of its own creation only (self), e.g. for syslog or
# RPC library use — not sockets belonging to other domains.
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
# Read-only netlink route access (r_netlink_socket_perms), presumably to
# enumerate local interfaces/routes; this does not allow modifying the
# routing table.
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
# Binding to generic reserved (<1024) ports; this is what the
# net_bind_service capability above is for. Ports with a more specific
# reserved type are still denied (see the dontaudit that follows).
allow ypbind_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
# reserved_port_type is the attribute over all reserved port types. Binds
# to ports owned by other services stay denied; only the audit noise is
# suppressed, presumably because ypbind walks reserved ports looking for a
# free one — confirm before relying on this for detection purposes, since
# such denials will not appear in the audit log.
dontaudit ypbind_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
# Reverse direction of the earlier initrc rule: init scripts may send UDP
# datagrams to ypbind.
can_udp_send(initrc_t, ypbind_t)