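#################################
#
# base_can_network(domain, protocol, [port_type])
#
# Permissions for accessing the network over one protocol.
# The second argument is the socket class prefix (tcp or udp).
# If a third argument is given, the domain may only send to and
# receive from that port type; otherwise any port type is allowed.
# Callers should pass a specific port type whenever the service
# port is known, so that the grant is as narrow as possible.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`base_can_network',`
#
# Allow the domain to create and use $2 sockets.
# Other kinds of sockets must be separately authorized for use.
allow $1 self:$2_socket connected_socket_perms;

#
# Allow the domain to send or receive using the netif_t interface type.
# Note this is the concrete type netif_t, not the netif_type attribute:
# interfaces labeled with any other netif type are not covered here.
#
allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
#
# Allow the domain to send to or receive from any node.
# node_type is a type attribute for all node types.
#
allow $1 node_type:node { $2_send $2_recv rawip_send rawip_recv };

#
# Allow the domain to send to or receive from a port: the port type
# given as the third argument if present, otherwise any port.
# port_type is a type attribute for all port types.
#
ifelse($3, `', `
allow $1 port_type:$2_socket { send_msg recv_msg };
', `
allow $1 $3:$2_socket { send_msg recv_msg };
')

# XXX Allow binding to any node type.  Remove once
# individual rules have been added to all domains that
# bind sockets.
allow $1 node_type:$2_socket node_bind;
#
# Allow read access to network configuration files
# (net_conf_t), including /etc/resolv.conf.
#
allow $1 net_conf_t:file r_file_perms;
')dnl end base_can_network definition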
#################################
#
# can_network_server_tcp(domain, [port_type])
#
# Permissions for a domain that accepts tcp connections: base network
# access for tcp (limited to the given port type when one is supplied)
# plus listen and accept on the sockets the domain owns.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_server_tcp',`
# Accepting connections on the tcp sockets this domain created.
allow $1 self:tcp_socket { accept listen };
# Generic tcp network access, scoped to the optional port type.
base_can_network($1, tcp, `$2')
')
#################################
#
# can_network_client_tcp(domain, [port_type])
#
# Permissions for a domain that initiates tcp connections: base
# network access for tcp (limited to the given port type when one is
# supplied) plus connect on the sockets the domain owns.  This does
# not grant name_connect on the port type; callers add that rule
# themselves when the target port type is known.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_client_tcp',`
# Initiating connections from the tcp sockets this domain created.
allow $1 self:tcp_socket { connect };
# Generic tcp network access, scoped to the optional port type.
base_can_network($1, tcp, `$2')
')
#################################
#
# can_network_tcp(domain, [port_type])
#
# Permissions for both client and server use of tcp, limited to the
# given port type when one is supplied.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_tcp',`
can_network_client_tcp($1, `$2')
can_network_server_tcp($1, `$2')
')
#################################
#
# can_network_udp(domain, [port_type])
#
# Permissions for udp use of the network, limited to the given port
# type when one is supplied, plus connect on the udp sockets the
# domain owns (connected udp sockets).
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_udp',`
# Connected udp sockets on the sockets this domain created.
allow $1 self:udp_socket { connect };
# Generic udp network access, scoped to the optional port type.
base_can_network($1, udp, `$2')
')
#################################
#
# can_network_server(domain, [port_type])
#
# Permissions for a network server: tcp server access plus udp
# access, both limited to the given port type when one is supplied.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_server',`
can_network_udp($1, `$2')
can_network_server_tcp($1, `$2')
')dnl end can_network_server definition
#################################
#
# can_network_client(domain, [port_type])
#
# Permissions for a network client: tcp client access plus udp
# access, both limited to the given port type when one is supplied.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network_client',`
can_network_udp($1, `$2')
can_network_client_tcp($1, `$2')
')dnl end can_network_client definition
#################################
#
# can_network(domain, [port_type])
#
# Full network access: tcp client and server plus udp, limited to the
# given port type when one is supplied.  When mount.te is part of the
# policy the domain may also read and write the udp socket created by
# mount, which is used for sending NFS client requests.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network',`
can_network_udp($1, `$2')
can_network_tcp($1, `$2')

ifdef(`mount.te', `
#
# NFS client requests are sent via the socket created by mount.
#
allow $1 mount_t:udp_socket rw_socket_perms;
')
')dnl end can_network definition
#################################
#
# can_resolve(domain)
#
# Permissions for DNS lookups: tcp and udp client access to the
# network limited to dns_port_t, plus name_connect to dns_port_t.
#
define(`can_resolve',`
allow $1 dns_port_t:tcp_socket name_connect;
can_network_client($1, `dns_port_t')
')
#################################
#
# can_portmap(domain)
#
# Permissions for talking to the portmapper: tcp and udp client
# access to the network limited to portmap_port_t, plus name_connect
# to portmap_port_t.
#
define(`can_portmap',`
allow $1 portmap_port_t:tcp_socket name_connect;
can_network_client($1, `portmap_port_t')
')
#################################
#
# can_ldap(domain)
#
# Permissions for LDAP client use: tcp client access to the network
# limited to ldap_port_t, plus name_connect to ldap_port_t.  Unlike
# can_resolve and can_portmap this grants tcp only, not udp.
#
define(`can_ldap',`
allow $1 ldap_port_t:tcp_socket name_connect;
can_network_client_tcp($1, `ldap_port_t')
')
#################################
#
# can_winbind(domain)
#
# Permissions for talking to winbind over its unix stream socket in
# winbind_var_run_t.  Expands to nothing unless winbind.te is part of
# the policy.
#
define(`can_winbind',`
ifdef(`winbind.te', `
# Reach the socket file and connect to the winbind daemon.
allow $1 winbind_var_run_t:sock_file { getattr read write };
allow $1 winbind_t:unix_stream_socket connectto;
allow $1 winbind_var_run_t:dir { getattr search };
')
')
#################################
#
# nsswitch_domain(domain)
#
# Permissions for looking up uid/username mapping via nsswitch:
# DNS, LDAP, winbind and NIS.  can_ypbind is not defined in this
# file; it is expected to come from elsewhere in the policy.
#
define(`nsswitch_domain', `
can_ldap($1)
can_resolve($1)
can_winbind($1)
can_ypbind($1)
')