[people/stevee/selinux-policy.git] / policy / modules / services / ucspitcp.te


policy_module(ucspitcp, 1.2.0)

########################################
#
# Declarations
#

type rblsmtpd_t;
type rblsmtpd_exec_t;
init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
role system_r types rblsmtpd_t;

type ucspitcp_t;
type ucspitcp_exec_t;
init_system_domain(ucspitcp_t, ucspitcp_exec_t)
role system_r types ucspitcp_t;

########################################
#
# Local policy for rblsmtpd
#

ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)

corecmd_search_bin(rblsmtpd_t)

corenet_all_recvfrom_unlabeled(rblsmtpd_t)
corenet_all_recvfrom_netlabel(rblsmtpd_t)
corenet_tcp_sendrecv_all_if(rblsmtpd_t)
corenet_udp_sendrecv_all_if(rblsmtpd_t)
corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
corenet_udp_sendrecv_all_ports(rblsmtpd_t)
corenet_tcp_bind_all_nodes(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)

files_read_etc_files(rblsmtpd_t)
files_search_var(rblsmtpd_t)

libs_use_ld_so(rblsmtpd_t)
libs_use_shared_libs(rblsmtpd_t)

optional_policy(`
	daemontools_ipc_domain(rblsmtpd_t)
')

########################################
#
# Local policy for tcpserver
#

allow ucspitcp_t self:capability { setgid setuid };
allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
allow ucspitcp_t self:udp_socket create_socket_perms;

corecmd_search_bin(ucspitcp_t)

# base networking:
corenet_all_recvfrom_unlabeled(ucspitcp_t)
corenet_all_recvfrom_netlabel(ucspitcp_t)
corenet_tcp_sendrecv_all_if(ucspitcp_t)
corenet_udp_sendrecv_all_if(ucspitcp_t)
corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
corenet_udp_sendrecv_all_nodes(ucspitcp_t)
corenet_tcp_sendrecv_all_ports(ucspitcp_t)
corenet_udp_sendrecv_all_ports(ucspitcp_t)
corenet_tcp_bind_all_nodes(ucspitcp_t)
corenet_udp_bind_all_nodes(ucspitcp_t)

# server ports:
corenet_tcp_bind_ftp_port(ucspitcp_t)
corenet_tcp_bind_ftp_data_port(ucspitcp_t)
corenet_tcp_bind_http_port(ucspitcp_t)
corenet_tcp_bind_smtp_port(ucspitcp_t)
corenet_tcp_bind_dns_port(ucspitcp_t)
corenet_udp_bind_dns_port(ucspitcp_t)
corenet_udp_bind_generic_port(ucspitcp_t)

# server packets:
corenet_sendrecv_ftp_server_packets(ucspitcp_t)
corenet_sendrecv_http_server_packets(ucspitcp_t)
corenet_sendrecv_smtp_server_packets(ucspitcp_t)
corenet_sendrecv_dns_server_packets(ucspitcp_t)
corenet_sendrecv_generic_server_packets(ucspitcp_t)

files_search_var(ucspitcp_t)
files_read_etc_files(ucspitcp_t)

libs_use_ld_so(ucspitcp_t)
libs_use_shared_libs(ucspitcp_t)

sysnet_read_config(ucspitcp_t)

optional_policy(`
	daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
	daemontools_read_svc(ucspitcp_t)
')
Commit	Line	Data
44d5d93f	1
0bfccda4	2	policy_module(ucspitcp, 1.2.0)
44d5d93f CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type rblsmtpd_t;
	10	type rblsmtpd_exec_t;
0bfccda4	11	init_system_domain(rblsmtpd_t, rblsmtpd_exec_t)
44d5d93f CP	12	role system_r types rblsmtpd_t;
	13
	14	type ucspitcp_t;
	15	type ucspitcp_exec_t;
0bfccda4	16	init_system_domain(ucspitcp_t, ucspitcp_exec_t)
44d5d93f CP	17	role system_r types ucspitcp_t;
	18
	19	########################################
	20	#
	21	# Local policy for rblsmtpd
	22	#
	23
	24	ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
	25
44d5d93f CP	26	corecmd_search_bin(rblsmtpd_t)
44d5d93f CP	27
19006686 CP	28	corenet_all_recvfrom_unlabeled(rblsmtpd_t)
19006686 CP	29	corenet_all_recvfrom_netlabel(rblsmtpd_t)
44d5d93f CP	30	corenet_tcp_sendrecv_all_if(rblsmtpd_t)
	31	corenet_udp_sendrecv_all_if(rblsmtpd_t)
	32	corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
	33	corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
	34	corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
	35	corenet_udp_sendrecv_all_ports(rblsmtpd_t)
44d5d93f CP	36	corenet_tcp_bind_all_nodes(rblsmtpd_t)
	37	corenet_udp_bind_generic_port(rblsmtpd_t)
	38
	39	files_read_etc_files(rblsmtpd_t)
	40	files_search_var(rblsmtpd_t)
	41
	42	libs_use_ld_so(rblsmtpd_t)
	43	libs_use_shared_libs(rblsmtpd_t)
	44
bb7170f6	45	optional_policy(`
44d5d93f CP	46	daemontools_ipc_domain(rblsmtpd_t)
	47	')
	48
	49	########################################
	50	#
	51	# Local policy for tcpserver
	52	#
	53
141cffdd	54	allow ucspitcp_t self:capability { setgid setuid };
0b36a214	55	allow ucspitcp_t self:fifo_file rw_fifo_file_perms;
44d5d93f	56	allow ucspitcp_t self:tcp_socket create_stream_socket_perms;
65e131f0	57	allow ucspitcp_t self:udp_socket create_socket_perms;
44d5d93f CP	58
44d5d93f CP	59	corecmd_search_bin(ucspitcp_t)
44d5d93f	60
3d03a4f4	61	# base networking:
19006686 CP	62	corenet_all_recvfrom_unlabeled(ucspitcp_t)
19006686 CP	63	corenet_all_recvfrom_netlabel(ucspitcp_t)
44d5d93f CP	64	corenet_tcp_sendrecv_all_if(ucspitcp_t)
	65	corenet_udp_sendrecv_all_if(ucspitcp_t)
	66	corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
	67	corenet_udp_sendrecv_all_nodes(ucspitcp_t)
	68	corenet_tcp_sendrecv_all_ports(ucspitcp_t)
	69	corenet_udp_sendrecv_all_ports(ucspitcp_t)
44d5d93f	70	corenet_tcp_bind_all_nodes(ucspitcp_t)
65e131f0	71	corenet_udp_bind_all_nodes(ucspitcp_t)
3d03a4f4 CP	72
3d03a4f4 CP	73	# server ports:
44d5d93f CP	74	corenet_tcp_bind_ftp_port(ucspitcp_t)
	75	corenet_tcp_bind_ftp_data_port(ucspitcp_t)
	76	corenet_tcp_bind_http_port(ucspitcp_t)
	77	corenet_tcp_bind_smtp_port(ucspitcp_t)
	78	corenet_tcp_bind_dns_port(ucspitcp_t)
	79	corenet_udp_bind_dns_port(ucspitcp_t)
	80	corenet_udp_bind_generic_port(ucspitcp_t)
	81
3d03a4f4 CP	82	# server packets:
	83	corenet_sendrecv_ftp_server_packets(ucspitcp_t)
	84	corenet_sendrecv_http_server_packets(ucspitcp_t)
	85	corenet_sendrecv_smtp_server_packets(ucspitcp_t)
	86	corenet_sendrecv_dns_server_packets(ucspitcp_t)
	87	corenet_sendrecv_generic_server_packets(ucspitcp_t)
	88
44d5d93f CP	89	files_search_var(ucspitcp_t)
	90	files_read_etc_files(ucspitcp_t)
	91
	92	libs_use_ld_so(ucspitcp_t)
	93	libs_use_shared_libs(ucspitcp_t)
	94
	95	sysnet_read_config(ucspitcp_t)
	96
bb7170f6	97	optional_policy(`
44d5d93f CP	98	daemontools_service_domain(ucspitcp_t,ucspitcp_exec_t)
	99	daemontools_read_svc(ucspitcp_t)
	100	')