[people/stevee/selinux-policy.git] / policy / modules / services / nessus.te

policy_module(nessus, 1.7.0)

########################################
#
# Local policy
#

type nessusd_t;
type nessusd_exec_t;
init_daemon_domain(nessusd_t, nessusd_exec_t)

type nessusd_db_t;
files_type(nessusd_db_t)

type nessusd_etc_t;
files_config_file(nessusd_etc_t)

type nessusd_log_t;
logging_log_file(nessusd_log_t)

type nessusd_var_run_t;
files_pid_file(nessusd_var_run_t)

########################################
#
# Declarations
#

allow nessusd_t self:capability net_raw;
dontaudit nessusd_t self:capability sys_tty_config;
allow nessusd_t self:process { setsched signal_perms };
allow nessusd_t self:fifo_file rw_fifo_file_perms;
allow nessusd_t self:tcp_socket create_stream_socket_perms;
allow nessusd_t self:udp_socket create_socket_perms;
allow nessusd_t self:rawip_socket create_socket_perms;
allow nessusd_t self:packet_socket create_socket_perms;

# Allow access to the nessusd authentication database
manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
files_list_var_lib(nessusd_t)

allow nessusd_t nessusd_etc_t:file read_file_perms;
files_search_etc(nessusd_t)

manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })

manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)

kernel_read_system_state(nessusd_t)
kernel_read_kernel_sysctls(nessusd_t)

# for nmap etc
corecmd_exec_bin(nessusd_t)

corenet_all_recvfrom_unlabeled(nessusd_t)
corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
corenet_raw_sendrecv_generic_if(nessusd_t)
corenet_tcp_sendrecv_generic_node(nessusd_t)
corenet_udp_sendrecv_generic_node(nessusd_t)
corenet_raw_sendrecv_generic_node(nessusd_t)
corenet_tcp_sendrecv_all_ports(nessusd_t)
corenet_udp_sendrecv_all_ports(nessusd_t)
corenet_tcp_bind_generic_node(nessusd_t)
corenet_tcp_bind_nessus_port(nessusd_t)
corenet_tcp_connect_all_ports(nessusd_t)
corenet_sendrecv_all_client_packets(nessusd_t)
corenet_sendrecv_nessus_server_packets(nessusd_t)

dev_read_sysfs(nessusd_t)
dev_read_urand(nessusd_t)

domain_use_interactive_fds(nessusd_t)

files_read_etc_files(nessusd_t)
files_read_etc_runtime_files(nessusd_t)

fs_getattr_all_fs(nessusd_t)
fs_search_auto_mountpoints(nessusd_t)

logging_send_syslog_msg(nessusd_t)

miscfiles_read_localization(nessusd_t)

sysnet_read_config(nessusd_t)

userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
userdom_dontaudit_search_user_home_dirs(nessusd_t)

optional_policy(`
	nis_use_ypbind(nessusd_t)
')

optional_policy(`
	seutil_sigchld_newrole(nessusd_t)
')

optional_policy(`
	udev_read_db(nessusd_t)
')
Commit	Line	Data
9570b288	1	policy_module(nessus, 1.7.0)
a478b5ed CP	2
	3	########################################
	4	#
	5	# Local policy
	6	#
	7
	8	type nessusd_t;
	9	type nessusd_exec_t;
0bfccda4	10	init_daemon_domain(nessusd_t, nessusd_exec_t)
a478b5ed CP	11
	12	type nessusd_db_t;
	13	files_type(nessusd_db_t)
	14
	15	type nessusd_etc_t;
	16	files_config_file(nessusd_etc_t)
	17
	18	type nessusd_log_t;
	19	logging_log_file(nessusd_log_t)
	20
	21	type nessusd_var_run_t;
	22	files_pid_file(nessusd_var_run_t)
	23
	24	########################################
	25	#
	26	# Declarations
	27	#
	28
	29	allow nessusd_t self:capability net_raw;
	30	dontaudit nessusd_t self:capability sys_tty_config;
	31	allow nessusd_t self:process { setsched signal_perms };
0b36a214	32	allow nessusd_t self:fifo_file rw_fifo_file_perms;
a478b5ed CP	33	allow nessusd_t self:tcp_socket create_stream_socket_perms;
	34	allow nessusd_t self:udp_socket create_socket_perms;
	35	allow nessusd_t self:rawip_socket create_socket_perms;
	36	allow nessusd_t self:packet_socket create_socket_perms;
	37
	38	# Allow access to the nessusd authentication database
0bfccda4 CP	39	manage_dirs_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
	40	manage_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
	41	manage_lnk_files_pattern(nessusd_t, nessusd_db_t, nessusd_db_t)
a478b5ed CP	42	files_list_var_lib(nessusd_t)
a478b5ed CP	43
0b36a214	44	allow nessusd_t nessusd_etc_t:file read_file_perms;
a478b5ed CP	45	files_search_etc(nessusd_t)
a478b5ed CP	46
0bfccda4 CP	47	manage_files_pattern(nessusd_t, nessusd_log_t, nessusd_log_t)
0bfccda4 CP	48	logging_log_filetrans(nessusd_t, nessusd_log_t, { file dir })
a478b5ed	49
0bfccda4 CP	50	manage_files_pattern(nessusd_t, nessusd_var_run_t, nessusd_var_run_t)
0bfccda4 CP	51	files_pid_filetrans(nessusd_t, nessusd_var_run_t, file)
a478b5ed CP	52
	53	kernel_read_system_state(nessusd_t)
	54	kernel_read_kernel_sysctls(nessusd_t)
a478b5ed CP	55
	56	# for nmap etc
	57	corecmd_exec_bin(nessusd_t)
	58
19006686 CP	59	corenet_all_recvfrom_unlabeled(nessusd_t)
19006686 CP	60	corenet_all_recvfrom_netlabel(nessusd_t)
a478b5ed CP	61	corenet_tcp_sendrecv_generic_if(nessusd_t)
	62	corenet_udp_sendrecv_generic_if(nessusd_t)
	63	corenet_raw_sendrecv_generic_if(nessusd_t)
c1262146 CP	64	corenet_tcp_sendrecv_generic_node(nessusd_t)
	65	corenet_udp_sendrecv_generic_node(nessusd_t)
	66	corenet_raw_sendrecv_generic_node(nessusd_t)
a478b5ed CP	67	corenet_tcp_sendrecv_all_ports(nessusd_t)
a478b5ed CP	68	corenet_udp_sendrecv_all_ports(nessusd_t)
c1262146	69	corenet_tcp_bind_generic_node(nessusd_t)
a478b5ed CP	70	corenet_tcp_bind_nessus_port(nessusd_t)
a478b5ed CP	71	corenet_tcp_connect_all_ports(nessusd_t)
141cffdd CP	72	corenet_sendrecv_all_client_packets(nessusd_t)
141cffdd CP	73	corenet_sendrecv_nessus_server_packets(nessusd_t)
a478b5ed CP	74
	75	dev_read_sysfs(nessusd_t)
	76	dev_read_urand(nessusd_t)
	77
	78	domain_use_interactive_fds(nessusd_t)
	79
	80	files_read_etc_files(nessusd_t)
	81	files_read_etc_runtime_files(nessusd_t)
	82
	83	fs_getattr_all_fs(nessusd_t)
	84	fs_search_auto_mountpoints(nessusd_t)
	85
a478b5ed CP	86	logging_send_syslog_msg(nessusd_t)
	87
	88	miscfiles_read_localization(nessusd_t)
	89
	90	sysnet_read_config(nessusd_t)
	91
	92	userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
296273a7	93	userdom_dontaudit_search_user_home_dirs(nessusd_t)
a478b5ed	94
a478b5ed CP	95	optional_policy(`
	96	nis_use_ypbind(nessusd_t)
	97	')
	98
	99	optional_policy(`
	100	seutil_sigchld_newrole(nessusd_t)
	101	')
	102
	103	optional_policy(`
	104	udev_read_db(nessusd_t)
	105	')