Chris PeBenito 0fbfa5
#DESC Ypserv - NIS/YP
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Dan Walsh <dwalsh@redhat.com>
Chris PeBenito 0fbfa5
# Depends: portmap.te
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the ypserv_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
daemon_domain(ypserv)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(ypserv)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use capabilities.
Chris PeBenito 0fbfa5
allow ypserv_t self:capability { net_bind_service };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use the network.
Chris PeBenito 0fbfa5
can_network_server(ypserv_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ypserv_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
read_sysctl(ypserv_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Send to portmap and initrc.
Chris PeBenito 0fbfa5
can_udp_send(ypserv_t, portmap_t)
Chris PeBenito 0fbfa5
can_udp_send(ypserv_t, initrc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type ypserv_conf_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read and write /var/yp.
Chris PeBenito 0fbfa5
allow ypserv_t var_yp_t:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow ypserv_t var_yp_t:file create_file_perms;
Chris PeBenito 0fbfa5
allow ypserv_t ypserv_conf_t:file { getattr read };
Chris PeBenito 0fbfa5
allow ypserv_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
Chris PeBenito 0fbfa5
ifdef(`rpcd.te', `
Chris PeBenito 0fbfa5
allow rpcd_t ypserv_conf_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
Chris PeBenito 0fbfa5
dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
Chris PeBenito 77f6e2
can_exec(ypserv_t, bin_t)