[people/stevee/selinux-policy.git] / policy / modules / services / nessus.te


policy_module(nessus, 1.5.0)

########################################
#
# Local policy
#

type nessusd_t;
type nessusd_exec_t;
init_daemon_domain(nessusd_t, nessusd_exec_t)

type nessusd_db_t;
files_type(nessusd_db_t)

type nessusd_etc_t;
files_config_file(nessusd_etc_t)

type nessusd_log_t;
logging_log_file(nessusd_log_t)

type nessusd_var_run_t;
files_pid_file(nessusd_var_run_t)

########################################
#
# Declarations
#

allow nessusd_t self:capability net_raw;
dontaudit nessusd_t self:capability sys_tty_config;
allow nessusd_t self:process { setsched signal_perms };
allow nessusd_t self:fifo_file rw_fifo_file_perms;
allow nessusd_t self:tcp_socket create_stream_socket_perms;
allow nessusd_t self:udp_socket create_socket_perms;
allow nessusd_t self:rawip_socket create_socket_perms;
allow nessusd_t self:packet_socket create_socket_perms;

# Allow access to the nessusd authentication database
manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
files_list_var_lib(nessusd_t)

allow nessusd_t nessusd_etc_t:file read_file_perms;
files_search_etc(nessusd_t)

manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })

manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)

kernel_read_system_state(nessusd_t)
kernel_read_kernel_sysctls(nessusd_t)

# for nmap etc
corecmd_exec_bin(nessusd_t)

corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
corenet_raw_sendrecv_generic_if(nessusd_t)
corenet_tcp_sendrecv_all_nodes(nessusd_t)
corenet_udp_sendrecv_all_nodes(nessusd_t)
corenet_raw_sendrecv_all_nodes(nessusd_t)
corenet_tcp_sendrecv_all_ports(nessusd_t)
corenet_udp_sendrecv_all_ports(nessusd_t)
corenet_tcp_bind_all_nodes(nessusd_t)
corenet_tcp_bind_nessus_port(nessusd_t)
corenet_tcp_connect_all_ports(nessusd_t)
corenet_sendrecv_all_client_packets(nessusd_t)
corenet_sendrecv_nessus_server_packets(nessusd_t)

dev_read_sysfs(nessusd_t)
dev_read_urand(nessusd_t)

domain_use_interactive_fds(nessusd_t)

files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)

fs_getattr_all_fs(nessusd_t)
fs_search_auto_mountpoints(nessusd_t)

libs_use_ld_so(nessusd_t)
libs_use_shared_libs(nessusd_t)

logging_send_syslog_msg(nessusd_t)

miscfiles_read_localization(nessusd_t)

sysnet_read_config(nessusd_t)

userdom_dontaudit_use_unpriv_user_fds(nessusd_t)

sysadm_dontaudit_search_home_dirs(nessusd_t)

optional_policy(`
	nis_use_ypbind(nessusd_t)
')

optional_policy(`
	seutil_sigchld_newrole(nessusd_t)
')

optional_policy(`
	udev_read_db(nessusd_t)
')
Commit	Line	Data
a478b5ed	1
cfcf5004	2	policy_module(nessus, 1.5.0)
a478b5ed CP	3
	4	########################################
	5	#
	6	# Local policy
	7	#
	8
	9	type nessusd_t;
	10	type nessusd_exec_t;
0bfccda4	11	init_daemon_domain(nessusd_t, nessusd_exec_t)
a478b5ed CP	12
	13	type nessusd_db_t;
	14	files_type(nessusd_db_t)
	15
	16	type nessusd_etc_t;
	17	files_config_file(nessusd_etc_t)
	18
	19	type nessusd_log_t;
	20	logging_log_file(nessusd_log_t)
	21
	22	type nessusd_var_run_t;
	23	files_pid_file(nessusd_var_run_t)
	24
	25	########################################
	26	#
	27	# Declarations
	28	#
	29
	30	allow nessusd_t self:capability net_raw;
	31	dontaudit nessusd_t self:capability sys_tty_config;
	32	allow nessusd_t self:process { setsched signal_perms };
0b36a214	33	allow nessusd_t self:fifo_file rw_fifo_file_perms;
a478b5ed CP	34	allow nessusd_t self:tcp_socket create_stream_socket_perms;
	35	allow nessusd_t self:udp_socket create_socket_perms;
	36	allow nessusd_t self:rawip_socket create_socket_perms;
	37	allow nessusd_t self:packet_socket create_socket_perms;
	38
	39	# Allow access to the nessusd authentication database
0bfccda4 CP	40	manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
	41	manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
	42	manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
a478b5ed CP	43	files_list_var_lib(nessusd_t)
a478b5ed CP	44
0b36a214	45	allow nessusd_t nessusd_etc_t:file read_file_perms;
a478b5ed CP	46	files_search_etc(nessusd_t)
a478b5ed CP	47
0bfccda4 CP	48	manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
0bfccda4 CP	49	logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })
a478b5ed	50
0bfccda4 CP	51	manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
0bfccda4 CP	52	files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
a478b5ed CP	53
	54	kernel_read_system_state(nessusd_t)
	55	kernel_read_kernel_sysctls(nessusd_t)
a478b5ed CP	56
	57	# for nmap etc
	58	corecmd_exec_bin(nessusd_t)
	59
19006686 CP	60	corenet_all_recvfrom_unlabeled(nessusd_t)
19006686 CP	61	corenet_all_recvfrom_netlabel(nessusd_t)
a478b5ed CP	62	corenet_tcp_sendrecv_generic_if(nessusd_t)
	63	corenet_udp_sendrecv_generic_if(nessusd_t)
	64	corenet_raw_sendrecv_generic_if(nessusd_t)
	65	corenet_tcp_sendrecv_all_nodes(nessusd_t)
	66	corenet_udp_sendrecv_all_nodes(nessusd_t)
	67	corenet_raw_sendrecv_all_nodes(nessusd_t)
	68	corenet_tcp_sendrecv_all_ports(nessusd_t)
	69	corenet_udp_sendrecv_all_ports(nessusd_t)
a478b5ed	70	corenet_tcp_bind_all_nodes(nessusd_t)
a478b5ed CP	71	corenet_tcp_bind_nessus_port(nessusd_t)
a478b5ed CP	72	corenet_tcp_connect_all_ports(nessusd_t)
141cffdd CP	73	corenet_sendrecv_all_client_packets(nessusd_t)
141cffdd CP	74	corenet_sendrecv_nessus_server_packets(nessusd_t)
a478b5ed CP	75
	76	dev_read_sysfs(nessusd_t)
	77	dev_read_urand(nessusd_t)
	78
	79	domain_use_interactive_fds(nessusd_t)
	80
	81	files_read_etc_files(nessusd_t)
	82	files_read_etc_runtime_files(nessusd_t)
	83
	84	fs_getattr_all_fs(nessusd_t)
	85	fs_search_auto_mountpoints(nessusd_t)
	86
a478b5ed CP	87	libs_use_ld_so(nessusd_t)
	88	libs_use_shared_libs(nessusd_t)
	89
	90	logging_send_syslog_msg(nessusd_t)
	91
	92	miscfiles_read_localization(nessusd_t)
	93
	94	sysnet_read_config(nessusd_t)
	95
	96	userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
e9c6cda7 CP	97
e9c6cda7 CP	98	sysadm_dontaudit_search_home_dirs(nessusd_t)
a478b5ed	99
a478b5ed CP	100	optional_policy(`
	101	nis_use_ypbind(nessusd_t)
	102	')
	103
	104	optional_policy(`
	105	seutil_sigchld_newrole(nessusd_t)
	106	')
	107
	108	optional_policy(`
	109	udev_read_db(nessusd_t)
	110	')