#################################

#

# Rules for the $1_t domain.

#

# $1_t is a general domain for daemons started

# by inetd that do not have their own individual domains yet.

# $1_exec_t is the type of the corresponding

# programs.

#

define(`inetd_child_domain', `

type $1_t, domain, privlog, nscd_client_domain;

role system_r types $1_t;

#

# Allows user to define a tunable to disable domain transition

#

bool $1_disable_trans false;

if ($1_disable_trans) {

can_exec(initrc_t, $1_exec_t)

can_exec(sysadm_t, $1_exec_t)

} else {

domain_auto_trans(inetd_t, $1_exec_t, $1_t)

allow inetd_t $1_t:process sigkill;

}

can_network_server($1_t)

can_ypbind($1_t)

uses_shlib($1_t)

allow $1_t self:unix_dgram_socket create_socket_perms;

allow $1_t self:unix_stream_socket create_socket_perms;

allow $1_t self:fifo_file rw_file_perms;

type $1_exec_t, file_type, sysadmfile, exec_type;

read_locale($1_t)

allow $1_t device_t:dir search;

allow $1_t proc_t:dir search;

allow $1_t proc_t:{ file lnk_file } { getattr read };

allow $1_t self:process { fork signal_perms };

allow $1_t fs_t:filesystem getattr;

read_sysctl($1_t)

allow $1_t etc_t:file { getattr read };

tmp_domain($1)

allow $1_t var_t:dir search;

var_run_domain($1)

# Inherit and use descriptors from inetd.

allow $1_t inetd_t:fd use;

# for identd

allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;

allow $1_t self:capability { setuid setgid };

allow $1_t home_root_t:dir search;

allow $1_t self:dir search;

allow $1_t self:{ lnk_file file } { getattr read };

can_kerberos($1_t)

allow $1_t urandom_device_t:chr_file r_file_perms;

type $1_port_t, port_type, reserved_port_type;

# Use sockets inherited from inetd.

ifelse($2, `', `

allow inetd_t $1_port_t:udp_socket name_bind;

allow $1_t inetd_t:udp_socket rw_socket_perms;

allow inetd_t $1_port_t:tcp_socket name_bind;

allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;

')

ifelse($2, tcp, `

allow inetd_t $1_port_t:tcp_socket name_bind;

allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;

')

ifelse($2, udp, `

allow inetd_t $1_port_t:udp_socket name_bind;

allow $1_t inetd_t:udp_socket rw_socket_perms;

')

r_dir_file($1_t, proc_net_t)

')

define(`remote_login_daemon', `

inetd_child_domain($1)

# Execute /bin/login on a new PTY

allow $1_t { bin_t sbin_t }:dir search;

domain_auto_trans($1_t, login_exec_t, remote_login_t)

can_create_pty($1, `, server_pty, userpty_type')

allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;

# Append to /var/log/wtmp.

allow $1_t var_log_t:dir search;

allow $1_t wtmp_t:file rw_file_perms;

allow $1_t initrc_var_run_t:file rw_file_perms;

# Allow reading of /etc/issue.net

allow $1_t etc_runtime_t:file r_file_perms;

# Allow krb5 $1 to use fork and open /dev/tty for use

allow $1_t userpty_type:chr_file setattr;

allow $1_t devtty_t:chr_file rw_file_perms;

dontaudit $1_t selinux_config_t:dir search;

')