rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   5e98eaa9889e0b8a8af5736d00b2b1a9f57a00e0
  2.   strict
  3.   domains
  4.   program
  5.   portmap.te
Blob Blame History Raw 
#DESC Portmap - Maintain RPC program number map
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
#           Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portmap
#



#################################
#
# Rules for the portmap_t domain.
#
daemon_domain(portmap, `, nscd_client_domain')

can_network(portmap_t)
allow portmap_t port_type:tcp_socket name_connect;
can_ypbind(portmap_t)
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;

tmp_domain(portmap)

allow portmap_t portmap_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit portmap_t reserved_port_type:{ udp_socket tcp_socket } name_bind;

# portmap binds to arbitary ports
allow portmap_t port_t:{ udp_socket tcp_socket } name_bind;
allow portmap_t reserved_port_t:{ udp_socket tcp_socket } name_bind;

allow portmap_t etc_t:file { getattr read };

# Send to ypbind, initrc, rpc.statd, xinetd.
ifdef(`ypbind.te',
`can_udp_send(portmap_t, ypbind_t)')
can_udp_send(portmap_t, { initrc_t init_t })
can_udp_send(init_t, portmap_t)
ifdef(`rpcd.te',
`can_udp_send(portmap_t, rpcd_t)')
ifdef(`inetd.te',
`can_udp_send(portmap_t, inetd_t)')
ifdef(`lpd.te',
`can_udp_send(portmap_t, lpd_t)')
ifdef(`tcpd.te', `
can_udp_send(tcpd_t, portmap_t)
')
can_udp_send(portmap_t, kernel_t)
can_udp_send(kernel_t, portmap_t)
can_udp_send(sysadm_t, portmap_t)
can_udp_send(portmap_t, sysadm_t)

# Use capabilities
allow portmap_t self:capability { net_bind_service setuid setgid };
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;

application_domain(portmap_helper)
role system_r types portmap_helper_t;
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
allow portmap_helper_t port_type:tcp_socket name_connect;
can_ypbind(portmap_helper_t)
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
allow portmap_helper_t etc_t:file { getattr read };
dontaudit portmap_helper_t { userdomain privfd }:fd use;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation