#DESC Portmap - Maintain RPC program number map
#
# Authors:  Stephen Smalley and Timothy Fraser
#           Russell Coker
# X-Debian-Packages: portmap
#

#################################
#
# portmap_t: the portmapper daemon itself.
#
# daemon_domain() declares portmap_t / portmap_exec_t and the usual
# daemon plumbing; the extra attribute lets portmap talk to nscd.
daemon_domain(portmap, `, nscd_client_domain')

# Scratch files under /tmp get a private portmap_tmp_t label.
tmp_domain(portmap)

# --- Local IPC and network access -------------------------------------
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;

can_network(portmap_t)
can_ypbind(portmap_t)

# NOTE(review): name_connect against the port_type attribute covers every
# labelled TCP port, not just RPC-related ones.  Kept as-is here because
# the policy does not say which peers portmap actually dials; confirm
# whether a narrower port set is sufficient before tightening.
allow portmap_t port_type:tcp_socket name_connect;

# --- Listening ports ----------------------------------------------------
# Portmap's own port type, plus the generic unlabelled and generic
# reserved ranges: portmap binds callback sockets to arbitrary ports.
allow portmap_t { portmap_port_t port_t reserved_port_t }:{ tcp_socket udp_socket } name_bind;
# If it lands on a port type owned by another service the bind is still
# denied -- this only keeps the retry noise out of the audit log.
dontaudit portmap_t reserved_port_type:{ tcp_socket udp_socket } name_bind;

# --- Files --------------------------------------------------------------
allow portmap_t etc_t:file { getattr read };

# --- UDP exchanges with the RPC consumers and the system domains ---------
# Peers that only exist when their own policy module is built in are
# guarded with ifdef on the module file name.
ifdef(`ypbind.te', `can_udp_send(portmap_t, ypbind_t)')
ifdef(`rpcd.te',   `can_udp_send(portmap_t, rpcd_t)')
ifdef(`inetd.te',  `can_udp_send(portmap_t, inetd_t)')
ifdef(`lpd.te',    `can_udp_send(portmap_t, lpd_t)')
ifdef(`tcpd.te',   `can_udp_send(tcpd_t, portmap_t)')

# init / initrc: one-way from portmap to both, reply path from init only.
can_udp_send(portmap_t, { initrc_t init_t })
can_udp_send(init_t, portmap_t)

# Kernel (in-kernel RPC, e.g. NFS) and the administrator, both directions.
can_udp_send(portmap_t, kernel_t)
can_udp_send(kernel_t, portmap_t)
can_udp_send(portmap_t, sysadm_t)
can_udp_send(sysadm_t, portmap_t)

# --- Capabilities -------------------------------------------------------
# net_bind_service for the privileged listener; setuid/setgid so the
# daemon can drop its identity after start-up.
allow portmap_t self:capability { net_bind_service setuid setgid };

#################################
#
# portmap_helper_t: helper program run from the init scripts.
#
application_domain(portmap_helper)
role system_r types portmap_helper_t;

# initrc executing the helper binary lands in portmap_helper_t.
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)

# --- Capabilities -------------------------------------------------------
allow portmap_helper_t self:capability { net_bind_service };
# net_admin is attempted but not needed; keep the audit log quiet.
dontaudit portmap_helper_t self:capability { net_admin };

# --- Files --------------------------------------------------------------
allow portmap_helper_t etc_t:file { getattr read };
# NOTE(review): full read/write on initrc's own pid/state files, not just
# the helper's.  Presumably a shared run-state file; verify which file
# the helper touches and whether a dedicated type would do.
allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
# Files the helper creates under /var/run become portmap_var_run_t.
file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)

# --- Network ------------------------------------------------------------
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
can_ypbind(portmap_helper_t)
# Same broad name_connect as the daemon -- see the note on portmap_t.
allow portmap_helper_t port_type:tcp_socket name_connect;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;

# --- Inherited descriptors from the invoking shell ----------------------
# Silence, rather than grant, access to the admin's tty and to fds
# leaked from user domains or privileged fd-passing domains.
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
dontaudit portmap_helper_t { userdomain privfd }:fd use;