#DESC Ypserv - NIS/YP
#
# Authors:  Dan Walsh <dwalsh@redhat.com>
# Depends: portmap.te
#

#################################
#
# Rules for the ypserv_t domain.
#
daemon_domain(ypserv)

tmp_domain(ypserv)

# Use capabilities.
allow ypserv_t self:capability { net_bind_service };

# Use the network.
can_network_server(ypserv_t)

allow ypserv_t self:fifo_file rw_file_perms;

read_sysctl(ypserv_t)

# Send to portmap and initrc.
can_udp_send(ypserv_t, portmap_t)
can_udp_send(ypserv_t, initrc_t)

type ypserv_conf_t, file_type, sysadmfile;

# Read and write /var/yp.
allow ypserv_t var_yp_t:dir rw_dir_perms;
allow ypserv_t var_yp_t:file create_file_perms;
allow ypserv_t ypserv_conf_t:file { getattr read };
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`rpcd.te', `
allow rpcd_t ypserv_conf_t:file { getattr read };
')
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
can_exec(ypserv_t, bin_t)

application_domain(ypxfr, `, nscd_client_domain')
can_network_client(ypxfr_t)
allow ypxfr_t etc_t:file { getattr read };
allow ypxfr_t portmap_port_t:tcp_socket name_connect;
allow ypxfr_t reserved_port_t:tcp_socket name_connect;
dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;