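policy_module(nessus, 1.7.0)

########################################
#
# Declarations
#
# nessusd_t is the domain the Nessus vulnerability scanner daemon runs in.
# The section headers below used to be swapped (type declarations were
# labelled "Local policy" and the rules "Declarations"); they now follow the
# usual refpolicy layout: types first, rules second.
#

# Daemon domain and the entrypoint type of its executable.
type nessusd_t;
type nessusd_exec_t;
init_daemon_domain(nessusd_t, nessusd_exec_t)

# Scanner data (authentication database, see below).
type nessusd_db_t;
files_type(nessusd_db_t)

# Daemon configuration files.
type nessusd_etc_t;
files_config_file(nessusd_etc_t)

# Daemon log files.
type nessusd_log_t;
logging_log_file(nessusd_log_t)

# PID file.
type nessusd_var_run_t;
files_pid_file(nessusd_var_run_t)

########################################
#
# Local policy
#
# NOTE(review): this is a deliberately broad domain. It holds CAP_NET_RAW,
# may create raw IP and packet sockets, may send/receive on all TCP and UDP
# ports and connect to any TCP port, and may execute any bin_t program.
# That is what a network scanner needs, but it also means a compromised
# nessusd_t is close to an unconfined network client; keep this domain for
# the scanner only and do not reuse its rules for other daemons.
#

# CAP_NET_RAW plus raw/packet sockets: needed for crafted-packet probes.
allow nessusd_t self:capability net_raw;
dontaudit nessusd_t self:capability sys_tty_config;
allow nessusd_t self:process { setsched signal_perms };
allow nessusd_t self:fifo_file rw_fifo_file_perms;
allow nessusd_t self:tcp_socket create_stream_socket_perms;
allow nessusd_t self:udp_socket create_socket_perms;
allow nessusd_t self:rawip_socket create_socket_perms;
allow nessusd_t self:packet_socket create_socket_perms;

# Allow access to the nessusd authentication database.
# The database is presumably kept under /var/lib (hence files_list_var_lib);
# confirm against the file contexts before changing the lnk_file rule.
manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
files_list_var_lib(nessusd_t)

# Configuration is read-only for the daemon.
allow nessusd_t nessusd_etc_t:file read_file_perms;
files_search_etc(nessusd_t)

# Logs: the daemon creates its own files and dirs under the log directory.
manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })

# PID file, labelled automatically on creation.
manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)

kernel_read_system_state(nessusd_t)
kernel_read_kernel_sysctls(nessusd_t)

# for nmap etc; this grants execution of every bin_t program, not only nmap.
corecmd_exec_bin(nessusd_t)

# Scanner network access: every interface, node and port, plus raw traffic.
corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
corenet_raw_sendrecv_generic_if(nessusd_t)
corenet_tcp_sendrecv_generic_node(nessusd_t)
corenet_udp_sendrecv_generic_node(nessusd_t)
corenet_raw_sendrecv_generic_node(nessusd_t)
corenet_tcp_sendrecv_all_ports(nessusd_t)
corenet_udp_sendrecv_all_ports(nessusd_t)
# The daemon itself only listens on the nessus port.
corenet_tcp_bind_generic_node(nessusd_t)
corenet_tcp_bind_nessus_port(nessusd_t)
corenet_tcp_connect_all_ports(nessusd_t)
corenet_sendrecv_all_client_packets(nessusd_t)
corenet_sendrecv_nessus_server_packets(nessusd_t)

dev_read_sysfs(nessusd_t)
dev_read_urand(nessusd_t)

domain_use_interactive_fds(nessusd_t)

files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)

fs_getattr_all_fs(nessusd_t)
fs_search_auto_mountpoints(nessusd_t)

logging_send_syslog_msg(nessusd_t)

miscfiles_read_localization(nessusd_t)

sysnet_read_config(nessusd_t)

# Silence noise from inherited fds and home-directory lookups.
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
userdom_dontaudit_search_user_home_dirs(nessusd_t)

optional_policy(`
	nis_use_ypbind(nessusd_t)
')

optional_policy(`
	seutil_sigchld_newrole(nessusd_t)
')

optional_policy(`
	udev_read_db(nessusd_t)
')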