[people/stevee/selinux-policy.git] / policy / modules / services / portmap.te

policy_module(portmap, 1.9.0)

########################################
#
# Declarations
#

type portmap_t;
type portmap_exec_t;
init_daemon_domain(portmap_t, portmap_exec_t)

type portmap_helper_t;
type portmap_helper_exec_t;
init_system_domain(portmap_helper_t, portmap_helper_exec_t)

type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)

type portmap_var_run_t;
files_pid_file(portmap_var_run_t)

########################################
#
# Portmap local policy
#

allow portmap_t self:capability { setuid setgid };
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:tcp_socket create_stream_socket_perms;
allow portmap_t self:udp_socket create_socket_perms;

manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })

manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
files_pid_filetrans(portmap_t, portmap_var_run_t, file)

kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)

corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
corenet_tcp_sendrecv_generic_node(portmap_t)
corenet_udp_sendrecv_generic_node(portmap_t)
corenet_tcp_sendrecv_all_ports(portmap_t)
corenet_udp_sendrecv_all_ports(portmap_t)
corenet_tcp_bind_generic_node(portmap_t)
corenet_udp_bind_generic_node(portmap_t)
corenet_tcp_bind_portmap_port(portmap_t)
corenet_udp_bind_portmap_port(portmap_t)
corenet_tcp_connect_all_ports(portmap_t)
corenet_sendrecv_portmap_client_packets(portmap_t)
corenet_sendrecv_portmap_server_packets(portmap_t)
# portmap binds to arbitary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_ports(portmap_t)

dev_read_sysfs(portmap_t)

fs_getattr_all_fs(portmap_t)
fs_search_auto_mountpoints(portmap_t)

domain_use_interactive_fds(portmap_t)

files_read_etc_files(portmap_t)

auth_use_nsswitch(portmap_t)

logging_send_syslog_msg(portmap_t)

miscfiles_read_localization(portmap_t)

sysnet_read_config(portmap_t)

userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)

optional_policy(`
	seutil_sigchld_newrole(portmap_t)
')

optional_policy(`
	udev_read_db(portmap_t)
')

########################################
#
# Portmap helper local policy
#

dontaudit portmap_helper_t self:capability net_admin;
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;

allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)

corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
corenet_raw_sendrecv_generic_if(portmap_helper_t)
corenet_tcp_sendrecv_generic_node(portmap_helper_t)
corenet_udp_sendrecv_generic_node(portmap_helper_t)
corenet_raw_sendrecv_generic_node(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
corenet_tcp_bind_generic_node(portmap_helper_t)
corenet_udp_bind_generic_node(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
corenet_udp_bind_reserved_port(portmap_helper_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
corenet_tcp_connect_all_ports(portmap_helper_t)

domain_dontaudit_use_interactive_fds(portmap_helper_t)

files_read_etc_files(portmap_helper_t)
files_rw_generic_pids(portmap_helper_t)

init_rw_utmp(portmap_helper_t)

logging_send_syslog_msg(portmap_helper_t)

sysnet_read_config(portmap_helper_t)

userdom_use_inherited_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)

optional_policy(`
	nis_use_ypbind(portmap_helper_t)
')
Commit	Line	Data
9570b288	1	policy_module(portmap, 1.9.0)
eb3cb682 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type portmap_t;
	9	type portmap_exec_t;
0bfccda4	10	init_daemon_domain(portmap_t, portmap_exec_t)
eb3cb682 CP	11
	12	type portmap_helper_t;
	13	type portmap_helper_exec_t;
0bfccda4	14	init_system_domain(portmap_helper_t, portmap_helper_exec_t)
eb3cb682 CP	15
	16	type portmap_tmp_t;
	17	files_tmp_file(portmap_tmp_t)
	18
	19	type portmap_var_run_t;
	20	files_pid_file(portmap_var_run_t)
	21
	22	########################################
	23	#
	24	# Portmap local policy
	25	#
	26
	27	allow portmap_t self:capability { setuid setgid };
	28	dontaudit portmap_t self:capability sys_tty_config;
	29	allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
	30	allow portmap_t self:unix_dgram_socket create_socket_perms;
	31	allow portmap_t self:unix_stream_socket create_stream_socket_perms;
	32	allow portmap_t self:tcp_socket create_stream_socket_perms;
	33	allow portmap_t self:udp_socket create_socket_perms;
	34
0bfccda4 CP	35	manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
0bfccda4 CP	36	manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
103fe280	37	files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
eb3cb682	38
0bfccda4 CP	39	manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
0bfccda4 CP	40	files_pid_filetrans(portmap_t, portmap_var_run_t, file)
eb3cb682	41
657c226c	42	kernel_read_system_state(portmap_t)
445522dc	43	kernel_read_kernel_sysctls(portmap_t)
eb3cb682	44
19006686 CP	45	corenet_all_recvfrom_unlabeled(portmap_t)
19006686 CP	46	corenet_all_recvfrom_netlabel(portmap_t)
668b3093 CP	47	corenet_tcp_sendrecv_generic_if(portmap_t)
668b3093 CP	48	corenet_udp_sendrecv_generic_if(portmap_t)
c1262146 CP	49	corenet_tcp_sendrecv_generic_node(portmap_t)
c1262146 CP	50	corenet_udp_sendrecv_generic_node(portmap_t)
eb3cb682 CP	51	corenet_tcp_sendrecv_all_ports(portmap_t)
eb3cb682 CP	52	corenet_udp_sendrecv_all_ports(portmap_t)
c1262146 CP	53	corenet_tcp_bind_generic_node(portmap_t)
c1262146 CP	54	corenet_udp_bind_generic_node(portmap_t)
eb3cb682 CP	55	corenet_tcp_bind_portmap_port(portmap_t)
eb3cb682 CP	56	corenet_udp_bind_portmap_port(portmap_t)
0907bda1	57	corenet_tcp_connect_all_ports(portmap_t)
378d5cda	58	corenet_sendrecv_portmap_client_packets(portmap_t)
b8373ee1	59	corenet_sendrecv_portmap_server_packets(portmap_t)
eb3cb682 CP	60	# portmap binds to arbitary ports
	61	corenet_tcp_bind_generic_port(portmap_t)
	62	corenet_udp_bind_generic_port(portmap_t)
	63	corenet_tcp_bind_reserved_port(portmap_t)
	64	corenet_udp_bind_reserved_port(portmap_t)
	65	corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
6c911897	66	corenet_dontaudit_udp_bind_all_ports(portmap_t)
eb3cb682 CP	67
	68	dev_read_sysfs(portmap_t)
	69
	70	fs_getattr_all_fs(portmap_t)
	71	fs_search_auto_mountpoints(portmap_t)
	72
15722ec9	73	domain_use_interactive_fds(portmap_t)
eb3cb682 CP	74
	75	files_read_etc_files(portmap_t)
	76
9f8f5cb1 DW	77	auth_use_nsswitch(portmap_t)
9f8f5cb1 DW	78
eb3cb682 CP	79	logging_send_syslog_msg(portmap_t)
	80
	81	miscfiles_read_localization(portmap_t)
	82
	83	sysnet_read_config(portmap_t)
	84
15722ec9	85	userdom_dontaudit_use_unpriv_user_fds(portmap_t)
296273a7	86	userdom_dontaudit_search_user_home_dirs(portmap_t)
eb3cb682	87
bb7170f6	88	optional_policy(`
eb3cb682 CP	89	seutil_sigchld_newrole(portmap_t)
	90	')
	91
bb7170f6	92	optional_policy(`
eb3cb682 CP	93	udev_read_db(portmap_t)
	94	')
	95
eb3cb682 CP	96	########################################
	97	#
	98	# Portmap helper local policy
	99	#
	100
	101	dontaudit portmap_helper_t self:capability net_admin;
	102	allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
	103	allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
	104	allow portmap_helper_t self:udp_socket create_socket_perms;
	105
c0868a7a	106	allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
0bfccda4	107	files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
0907bda1	108
19006686 CP	109	corenet_all_recvfrom_unlabeled(portmap_helper_t)
19006686 CP	110	corenet_all_recvfrom_netlabel(portmap_helper_t)
668b3093 CP	111	corenet_tcp_sendrecv_generic_if(portmap_helper_t)
	112	corenet_udp_sendrecv_generic_if(portmap_helper_t)
	113	corenet_raw_sendrecv_generic_if(portmap_helper_t)
c1262146 CP	114	corenet_tcp_sendrecv_generic_node(portmap_helper_t)
	115	corenet_udp_sendrecv_generic_node(portmap_helper_t)
	116	corenet_raw_sendrecv_generic_node(portmap_helper_t)
eb3cb682 CP	117	corenet_tcp_sendrecv_all_ports(portmap_helper_t)
eb3cb682 CP	118	corenet_udp_sendrecv_all_ports(portmap_helper_t)
c1262146 CP	119	corenet_tcp_bind_generic_node(portmap_helper_t)
c1262146 CP	120	corenet_udp_bind_generic_node(portmap_helper_t)
eb3cb682 CP	121	corenet_tcp_bind_reserved_port(portmap_helper_t)
	122	corenet_udp_bind_reserved_port(portmap_helper_t)
	123	corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
	124	corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
0907bda1	125	corenet_tcp_connect_all_ports(portmap_helper_t)
eb3cb682	126
15722ec9	127	domain_dontaudit_use_interactive_fds(portmap_helper_t)
b7e1825b	128
eb3cb682 CP	129	files_read_etc_files(portmap_helper_t)
	130	files_rw_generic_pids(portmap_helper_t)
	131
68228b33	132	init_rw_utmp(portmap_helper_t)
eb3cb682	133
2526a44d CP	134	logging_send_syslog_msg(portmap_helper_t)
2526a44d CP	135
eb3cb682 CP	136	sysnet_read_config(portmap_helper_t)
eb3cb682 CP	137
af2d8802	138	userdom_use_inherited_user_terminals(portmap_helper_t)
15722ec9	139	userdom_dontaudit_use_all_users_fds(portmap_helper_t)
eb3cb682	140
bb7170f6	141	optional_policy(`
eb3cb682 CP	142	nis_use_ypbind(portmap_helper_t)
eb3cb682 CP	143	')