1
# SELinux reference-policy module for the TFTP daemon: declares the
# tftpd_t domain, the read-only/read-write tftp root types and the
# daemon's local rules.  Version bump required on rule changes.
policy_module(tftp, 1.9.0)
3
########################################
#
# Declarations
#

## <desc>
## <p>
## Allow tftp to modify public files
## used for public file transfer services.
## </p>
## </desc>
# Boolean, off by default.  When enabled it only extends tftpd_t's
# write access to the miscfiles public-content type; the tftpdir_rw_t
# area declared below is writable regardless of this setting.
gen_tunable(tftp_anon_write, false)

# Daemon domain and the entrypoint it is reached from.  The domain
# transition from init is set up by init_daemon_domain.
type tftpd_t;
type tftpd_exec_t;
init_daemon_domain(tftpd_t, tftpd_exec_t)

# Read-only tftp root: tftpd_t may list and read it, never write.
type tftpdir_t;
files_type(tftpdir_t)

# Writable tftp area: tftpd_t gets full manage rights here, so label
# only directories that are meant to accept uploads with this type.
type tftpdir_rw_t;
files_type(tftpdir_rw_t)

# Label for the daemon's pid file (created via files_pid_filetrans).
type tftpd_var_run_t;
files_pid_file(tftpd_var_run_t)

29
########################################
#
# Local policy
#

# Capabilities kept by the daemon.  setuid/setgid and sys_chroot are
# what a privilege-dropping, chrooting server needs; NOTE(review): the
# exact use of each is inferred from the daemon, not shown by policy.
allow tftpd_t self:capability { setgid setuid sys_chroot };
dontaudit tftpd_t self:capability sys_tty_config;

# Sockets.  TFTP is served over UDP (only the tftp UDP port is bound
# below), so the TCP socket permission here is broader than the
# protocol needs -- NOTE(review): confirm a supported tftpd build
# actually opens TCP sockets before keeping it.
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;

# Read-only tftp root: directory listing, file reads and symlink
# following only; any write to tftpdir_t is denied.
allow tftpd_t tftpdir_t:dir list_dir_perms;
allow tftpd_t tftpdir_t:file read_file_perms;
allow tftpd_t tftpdir_t:lnk_file { getattr read };

# Writable tftp area: create/rename/delete of dirs, files and symlinks.
# This is unconditional -- it is NOT gated by the tftp_anon_write
# boolean, which only covers the miscfiles public-content type.
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)

# Pid file: files created in the pid directory get tftpd_var_run_t.
manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)

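# Kernel/proc reads (sysctl and /proc symlink lookups).
kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)

# Network.  The daemon binds the tftp UDP port and exchanges tftp
# server packets; the rest is generic send/recv on all interfaces,
# nodes and ports for both UDP and TCP.  NOTE(review): the TCP rules
# (tcp_sendrecv_all_*, tcp_bind_all_nodes) exceed what a UDP-only
# protocol needs -- confirm they are required before keeping them.
corenet_all_recvfrom_unlabeled(tftpd_t)
corenet_all_recvfrom_netlabel(tftpd_t)
corenet_tcp_sendrecv_all_if(tftpd_t)
corenet_udp_sendrecv_all_if(tftpd_t)
corenet_tcp_sendrecv_all_nodes(tftpd_t)
corenet_udp_sendrecv_all_nodes(tftpd_t)
corenet_tcp_sendrecv_all_ports(tftpd_t)
corenet_udp_sendrecv_all_ports(tftpd_t)
corenet_tcp_bind_all_nodes(tftpd_t)
corenet_udp_bind_all_nodes(tftpd_t)
corenet_udp_bind_tftp_port(tftpd_t)
corenet_sendrecv_tftp_server_packets(tftpd_t)

dev_read_sysfs(tftpd_t)

fs_getattr_all_fs(tftpd_t)
fs_search_auto_mountpoints(tftpd_t)

domain_use_interactive_fds(tftpd_t)

# Config and /var reads.  Interface calls are m4 macros and take no
# trailing semicolon; the stray ';' that used to follow
# files_read_etc_files was the only one in this file and is dropped
# for consistency with every other call.
files_read_etc_files(tftpd_t)
files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)

# Name-service lookups (user/group resolution for the privilege drop
# above is the presumed user -- not provable from policy alone).
auth_use_nsswitch(tftpd_t)

libs_use_ld_so(tftpd_t)
libs_use_shared_libs(tftpd_t)

logging_send_syslog_msg(tftpd_t)

# Locale data and read access to the miscfiles public-content type.
miscfiles_read_localization(tftpd_t)
miscfiles_read_public_files(tftpd_t)

# Silence denials on fds/ttys/home dirs inherited when the daemon is
# started from an interactive session rather than by init.
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
sysadm_dontaudit_use_ttys(tftpd_t)
sysadm_dontaudit_search_home_dirs(tftpd_t)
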
# tftp_anon_write (default off): grant write access to the miscfiles
# public-content type.  Note this boolean does not affect tftpdir_rw_t,
# which the daemon can always manage.
tunable_policy(`tftp_anon_write',`
	miscfiles_manage_public_files(tftpd_t)
')

# Allow tftpd to be spawned by inetd as a UDP service (the socket is
# inherited from inetd in that case).
optional_policy(`
	inetd_udp_service_domain(tftpd_t, tftpd_exec_t)
')

optional_policy(`
	seutil_sigchld_newrole(tftpd_t)
')

optional_policy(`
	udev_read_db(tftpd_t)
')