Blob Blame History Raw
#DESC Nessus network scanning daemon
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: nessus
#

#################################
#
# Rules for the nessusd_t domain.
#
# nessusd_exec_t is the type of the nessusd executable.
#
daemon_domain(nessusd)

etc_domain(nessusd)
type nessusd_db_t, file_type, sysadmfile;

allow nessusd_t nessus_port_t:tcp_socket name_bind;

#tmp_domain(nessusd)

# Use the network.
can_network(nessusd_t)
allow nessusd_t port_type:tcp_socket name_connect;
can_ypbind(nessusd_t)
allow nessusd_t self:unix_stream_socket create_socket_perms;
#allow nessusd_t self:unix_dgram_socket create_socket_perms;

# why ioctl on /dev/urandom?
allow nessusd_t random_device_t:chr_file { getattr read ioctl };
allow nessusd_t self:{ rawip_socket packet_socket } create_socket_perms;
allow nessusd_t self:capability net_raw;

# for nmap etc
allow nessusd_t { bin_t sbin_t }:dir search;
allow nessusd_t bin_t:lnk_file read;
can_exec(nessusd_t, bin_t)
allow nessusd_t self:fifo_file { getattr read write };

# allow user domains to connect to nessusd
can_tcp_connect(userdomain, nessusd_t)

allow nessusd_t self:process setsched;

allow nessusd_t proc_t:file { getattr read };

# Allow access to the nessusd authentication database
create_dir_file(nessusd_t, nessusd_db_t)
allow nessusd_t var_lib_t:dir r_dir_perms;

# read config files
allow nessusd_t { etc_t etc_runtime_t }:file r_file_perms;

logdir_domain(nessusd)