#################################
#
# Rules for the $1_t domain.
#
# $1_t is a general domain for daemons started
# by inetd that do not have their own individual domains yet.
# $1_exec_t is the type of the corresponding
# programs.
#
define(`inetd_child_domain', `
#
# inetd_child_domain(prefix [, proto])
#
# Declares the $1_t daemon domain and the $1_exec_t entrypoint type for a
# service spawned by inetd.  The optional second argument selects which
# inherited inetd sockets the daemon may use (see the ifelse blocks at the
# end): empty grants both the udp and the tcp rules, tcp grants only the
# tcp rules and udp only the udp rules.  $1_port_t is expected to be
# declared outside this macro.
#
# Daemon domain.  privlog and nscd_client_domain are attributes whose
# rules live outside this macro.
type $1_t, domain, privlog, nscd_client_domain;
role system_r types $1_t;

#
# Allows user to define a tunable to disable domain transition
#
# When the boolean is on, no transition from inetd_t into $1_t is defined
# here; instead initrc_t and sysadm_t may run $1_exec_t directly in their
# own domain.  NOTE(review): whether inetd_t can still execute $1_exec_t
# while the transition is disabled depends on rules outside this macro.
bool $1_disable_trans false;
if ($1_disable_trans) {
can_exec(initrc_t, $1_exec_t)
can_exec(sysadm_t, $1_exec_t)
} else {
# inetd_t enters $1_t on executing $1_exec_t and may kill the child.
domain_auto_trans(inetd_t, $1_exec_t, $1_t)
allow inetd_t $1_t:process sigkill;
}

# Generic server networking, NIS lookups and shared libraries.
can_network_server($1_t)
can_ypbind($1_t)
uses_shlib($1_t)
# Local IPC with itself only (self targets, not other domains).
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_socket_perms;
allow $1_t self:fifo_file rw_file_perms;
# Entrypoint type of the daemon binary.
type $1_exec_t, file_type, sysadmfile, exec_type;
read_locale($1_t)
# Read-only access to /dev and /proc listings; no write permission here.
allow $1_t device_t:dir search;
allow $1_t proc_t:dir search;
allow $1_t proc_t:{ file lnk_file } { getattr read };
allow $1_t self:process { fork signal_perms };
allow $1_t fs_t:filesystem getattr;

read_sysctl($1_t)

# Read-only access to configuration under etc_t.
allow $1_t etc_t:file { getattr read };

# Private temporary and runtime file types for the daemon.
tmp_domain($1)
allow $1_t var_t:dir search;
var_run_domain($1)

# Inherit and use descriptors from inetd.
allow $1_t inetd_t:fd use;

# for identd
# Read-only netlink socket diagnostics.
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
# setuid/setgid capabilities let the daemon switch credentials; every
# inetd child built with this macro receives them.
allow $1_t self:capability { setuid setgid };
allow $1_t home_root_t:dir search;
allow $1_t self:dir search;
allow $1_t self:{ lnk_file file } { getattr read };
can_kerberos($1_t)
# Read access to the urandom device type.
allow $1_t urandom_device_t:chr_file r_file_perms;
# Use sockets inherited from inetd.
# The port is bound by inetd_t, not by the daemon: inetd_t binds $1_port_t
# and $1_t only reads and writes the socket it inherited.  With no second
# argument both protocols are granted.
ifelse($2, `', `
allow inetd_t $1_port_t:udp_socket name_bind;
allow $1_t inetd_t:udp_socket rw_socket_perms;
allow inetd_t $1_port_t:tcp_socket name_bind;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
# Second argument tcp: tcp socket rules only.
ifelse($2, tcp, `
allow inetd_t $1_port_t:tcp_socket name_bind;
allow $1_t inetd_t:tcp_socket rw_stream_socket_perms;
')
# Second argument udp: udp socket rules only.
ifelse($2, udp, `
allow inetd_t $1_port_t:udp_socket name_bind;
allow $1_t inetd_t:udp_socket rw_socket_perms;
')
# Read-only access to proc_net_t (presumably /proc/net).
r_dir_file($1_t, proc_net_t)
')
#
# remote_login_daemon(prefix)
#
# An inetd child domain for a daemon that executes /bin/login on a new
# pty.  Only the prefix is passed down, so the empty-protocol branch of
# inetd_child_domain applies and the daemon receives both the tcp and the
# udp inherited-socket rules; this macro offers no way to narrow that to
# one protocol.
#
define(`remote_login_daemon', `
inetd_child_domain($1)

# Execute /bin/login on a new PTY
# login itself runs in remote_login_t, not in $1_t.
allow $1_t { bin_t sbin_t }:dir search;
domain_auto_trans($1_t, login_exec_t, remote_login_t)
can_create_pty($1, `, server_pty, userpty_type')
# NOTE(review): chown/fowner/fsetid/sys_tty_config are presumably for
# setting up the pty; dac_override is the broadest grant in this macro and
# is worth confirming it is still required.
allow $1_t self:capability { fsetid chown fowner sys_tty_config dac_override } ;

# Append to /var/log/wtmp.
allow $1_t var_log_t:dir search;
allow $1_t wtmp_t:file rw_file_perms;
# NOTE(review): read/write on initrc_var_run_t files is wider than the
# wtmp rule above; presumably for utmp under /var/run - confirm.
allow $1_t initrc_var_run_t:file rw_file_perms;

# Allow reading of /etc/issue.net
allow $1_t etc_runtime_t:file r_file_perms;

# Allow krb5 $1 to use fork and open /dev/tty for use
allow $1_t userpty_type:chr_file setattr;
allow $1_t devtty_t:chr_file rw_file_perms;
# Silence rather than grant directory searches of selinux_config_t.
dontaudit $1_t selinux_config_t:dir search;
')