Blob Blame History Raw
## <summary>Internet services daemon.</summary>

########################################
## <summary>
##	Define the specified domain as a inetd service.
## </summary>
## <desc>
##	Define the specified domain as a inetd service.  The
##	inetd_service_domain(), inetd_tcp_service_domain(),
##	or inetd_udp_service_domain() interfaces should be used
##	instead of this interface, as this interface only provides
##	the common rules to these three interfaces.
## </desc>
## <param name="domain">
##	The type associated with the inetd service process.
## </param>
## <param name="entrypoint">
##	The type associated with the process program.
## </param>
#
interface(`inetd_core_service_domain',`
	gen_require(`
		type inetd_t;
		role system_r;
		class fd use;
		class fifo_file rw_file_perms;
		class process { sigchld sigkill };
	')

	domain_type($1)
	domain_entry_file($1,$2)

	role system_r types $1;

	ifdef(`targeted_policy',`
		# this regex is a hack, since it assumes there is a
		# _t at the end of the domain type.  If there is no _t
		# at the end of the type, it returns empty!
		ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
			bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
			define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
		')
		if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
#			can_exec(inetd_t,$2)
			# cjp: this must be wrong
			gen_require(`
				type initrc_t, unconfined_t;
			')
			can_exec({ unconfined_t initrc_t },$2)
		} else {
			domain_auto_trans(inetd_t,$2,$1)
			allow inetd_t $1:fd use;
			allow $1 inetd_t:fd use;
			allow $1 inetd_t:fifo_file rw_file_perms;
			allow $1 inetd_t:process sigchld;
			dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };

			allow inetd_t $1:process sigkill;

			# make sediff happy
			allow $1 $2:file { rx_file_perms entrypoint };
		}
	',`
		domain_auto_trans(inetd_t,$2,$1)
		allow inetd_t $1:fd use;
		allow $1 inetd_t:fd use;
		allow $1 inetd_t:fifo_file rw_file_perms;
		allow $1 inetd_t:process sigchld;
		dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };

		allow inetd_t $1:process sigkill;

		# make sediff happy
		allow $1 $2:file { rx_file_perms entrypoint };
	')
')

########################################
## <summary>
##	Define the specified domain as a TCP inetd service.
## </summary>
## <param name="domain">
##	The type associated with the inetd service process.
## </param>
## <param name="entrypoint">
##	The type associated with the process program.
## </param>
#
interface(`inetd_tcp_service_domain',`

	gen_require(`
		type inetd_t;
		class tcp_socket rw_stream_socket_perms;
	')

	inetd_core_service_domain($1,$2)

	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
')

########################################
## <summary>
##	Define the specified domain as a UDP inetd service.
## </summary>
## <param name="domain">
##	The type associated with the inetd service process.
## </param>
## <param name="entrypoint">
##	The type associated with the process program.
## </param>
#
interface(`inetd_udp_service_domain',`
	gen_require(`
		type inetd_t;
		class udp_socket rw_socket_perms;
	')

	inetd_core_service_domain($1,$2)

	allow $1 inetd_t:udp_socket rw_socket_perms;
')

########################################
## <summary>
##	Define the specified domain as a TCP and UDP inetd service.
## </summary>
## <param name="domain">
##	The type associated with the inetd service process.
## </param>
## <param name="entrypoint">
##	The type associated with the process program.
## </param>
#
interface(`inetd_service_domain',`
	gen_require(`
		type inetd_t;
		class tcp_socket rw_stream_socket_perms;
		class udp_socket rw_socket_perms;
	')

	inetd_core_service_domain($1,$2)

	allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
	allow $1 inetd_t:udp_socket rw_socket_perms;
')

########################################
## <summary>
##	Inherit and use file descriptors from inetd.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`inetd_use_fd',`
	gen_require(`
		type inetd_t;
		class fd use;
	')

	allow $1 inetd_t:fd use;
')

########################################
## <summary>
##	Connect to the inetd service using a TCP connection.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`inetd_tcp_connect',`
	gen_require(`
		type inetd_t;
		class tcp_socket { connectto acceptfrom recvfrom };
	')

	allow $1 inetd_t:tcp_socket { connectto recvfrom };
	allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
	kernel_tcp_recvfrom($1)
')

########################################
## <summary>
##	Run inetd child process in the inet child domain
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`inetd_domtrans_child',`
	gen_require(`
		type inetd_child_t, inetd_child_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)

	allow $1 inetd_child_t:fd use;
	allow inetd_child_t $1:fd use;
	allow inetd_child_t $1:fifo_file rw_file_perms;
	allow inetd_child_t $1:process sigchld;
')

########################################
## <summary>
##	Send UDP network traffic to inetd.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`inetd_udp_sendto',`
	gen_require(`
		type inetd_t;
		class udp_socket { sendto recvfrom };
	')

	allow $1 inetd_t:udp_socket sendto;
	allow inetd_t $1:udp_socket recvfrom;
')