#DESC Ypserv - NIS/YP
#
# Authors: Dan Walsh <dwalsh@redhat.com>
# Depends: portmap.te
#
#################################
#
# Rules for the ypserv_t domain.
#
daemon_domain(ypserv)
tmp_domain(ypserv)
# Use capabilities: net_bind_service, to bind to privileged (low-numbered) ports.
allow ypserv_t self:capability { net_bind_service };
# Use the network as a server.
can_network_server(ypserv_t)
allow ypserv_t self:fifo_file rw_file_perms;
read_sysctl(ypserv_t)
# Send UDP datagrams to portmap and initrc.
can_udp_send(ypserv_t, portmap_t)
can_udp_send(ypserv_t, initrc_t)
type ypserv_conf_t, file_type, sysadmfile;
# Read, write and create files in /var/yp (var_yp_t), and read the ypserv configuration files.
allow ypserv_t var_yp_t:dir rw_dir_perms;
allow ypserv_t var_yp_t:file create_file_perms;
allow ypserv_t ypserv_conf_t:file { getattr read };
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`rpcd.te', `
allow rpcd_t ypserv_conf_t:file { getattr read };
')
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
can_exec(ypserv_t, bin_t)