Commit | Line | Data |
---|---|---|
12cd9a06 | 1 | |
5d4f4b53 | 2 | policy_module(portslave, 1.5.0) |
12cd9a06 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type portslave_t; | |
10 | type portslave_exec_t; | |
0bfccda4 CP |
11 | init_domain(portslave_t, portslave_exec_t) |
12 | init_daemon_domain(portslave_t, portslave_exec_t) | |
12cd9a06 CP |
13 | |
14 | type portslave_etc_t; | |
6224fc14 | 15 | files_config_file(portslave_etc_t) |
12cd9a06 CP |
16 | |
17 | type portslave_lock_t; | |
18 | files_lock_file(portslave_lock_t) | |
19 | ||
20 | ######################################## | |
21 | # | |
22 | # Local policy | |
23 | # | |
24 | ||
25 | # setuid setgid net_admin fsetid for pppd | |
26 | # sys_admin is requested by ctlportslave; it is not granted here, the denial is only dontaudited below | |
27 | # net_bind_service for rlogin | |
28 | allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config }; | |
29 | dontaudit portslave_t self:capability sys_admin; | |
30 | allow portslave_t self:process signal_perms; | |
31 | allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
32 | allow portslave_t self:fd use; | |
c0868a7a | 33 | allow portslave_t self:fifo_file rw_fifo_file_perms; |
12cd9a06 CP |
34 | allow portslave_t self:unix_dgram_socket create_socket_perms; |
35 | allow portslave_t self:unix_stream_socket create_stream_socket_perms; | |
36 | allow portslave_t self:unix_dgram_socket sendto; | |
37 | allow portslave_t self:unix_stream_socket connectto; | |
38 | allow portslave_t self:shm create_shm_perms; | |
39 | allow portslave_t self:sem create_sem_perms; | |
40 | allow portslave_t self:msgq create_msgq_perms; | |
41 | allow portslave_t self:msg { send receive }; | |
42 | allow portslave_t self:tcp_socket create_stream_socket_perms; | |
43 | allow portslave_t self:udp_socket create_socket_perms; | |
44 | ||
c0868a7a | 45 | allow portslave_t portslave_etc_t:dir list_dir_perms; |
0bfccda4 CP |
46 | read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) |
47 | read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t) | |
12cd9a06 | 48 | |
c0868a7a | 49 | allow portslave_t portslave_lock_t:file manage_file_perms; |
0bfccda4 | 50 | files_lock_filetrans(portslave_t, portslave_lock_t, file) |
12cd9a06 CP |
51 | |
52 | kernel_read_system_state(portslave_t) | |
53 | kernel_read_kernel_sysctls(portslave_t) | |
54 | ||
55 | corecmd_exec_bin(portslave_t) | |
56 | corecmd_exec_shell(portslave_t) | |
57 | ||
19006686 CP |
58 | corenet_all_recvfrom_unlabeled(portslave_t) |
59 | corenet_all_recvfrom_netlabel(portslave_t) | |
12cd9a06 CP |
60 | corenet_tcp_sendrecv_generic_if(portslave_t) |
61 | corenet_udp_sendrecv_generic_if(portslave_t) | |
62 | corenet_tcp_sendrecv_all_nodes(portslave_t) | |
63 | corenet_udp_sendrecv_all_nodes(portslave_t) | |
64 | corenet_tcp_sendrecv_all_ports(portslave_t) | |
65 | corenet_udp_sendrecv_all_ports(portslave_t) | |
12cd9a06 CP |
66 | corenet_rw_ppp_dev(portslave_t) |
67 | ||
68 | dev_read_sysfs(portslave_t) | |
69 | # for ssh | |
70 | dev_read_urand(portslave_t) | |
71 | ||
72 | domain_use_interactive_fds(portslave_t) | |
73 | ||
74 | files_read_etc_files(portslave_t) | |
75 | files_read_etc_runtime_files(portslave_t) | |
76 | files_exec_etc_files(portslave_t) | |
77 | ||
78 | fs_search_auto_mountpoints(portslave_t) | |
79 | fs_getattr_xattr_fs(portslave_t) | |
80 | ||
81 | term_use_unallocated_ttys(portslave_t) | |
82 | term_setattr_unallocated_ttys(portslave_t) | |
83 | term_use_all_user_ttys(portslave_t) | |
12cd9a06 CP |
84 | term_search_ptys(portslave_t) |
85 | ||
86 | auth_rw_login_records(portslave_t) | |
87 | auth_domtrans_chk_passwd(portslave_t) | |
a5f5eba4 | 88 | |
12cd9a06 CP |
89 | init_rw_utmp(portslave_t) |
90 | ||
91 | libs_use_ld_so(portslave_t) | |
92 | libs_use_shared_libs(portslave_t) | |
93 | ||
94 | logging_send_syslog_msg(portslave_t) | |
95 | logging_search_logs(portslave_t) | |
96 | ||
97 | sysnet_read_config(portslave_t) | |
98 | ||
99 | userdom_use_unpriv_users_fds(portslave_t) | |
100 | # for ~/.ppprc - this only allows searching the home directories; if the file actually exists, separate policy is needed to read it | |
101 | userdom_search_all_users_home_dirs(portslave_t) | |
102 | ||
103 | mta_send_mail(portslave_t) | |
104 | ||
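105 | # this should probably be a domtrans to pppd instead of exec: | |
106 | # with exec, pppd presumably keeps running as portslave_t, which is why portslave_t itself holds the pppd capabilities and reads the ppp secrets. | |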
107 | ppp_read_rw_config(portslave_t) | |
108 | ppp_exec(portslave_t) | |
109 | ppp_read_secrets(portslave_t) | |
110 | ppp_manage_pid_files(portslave_t) | |
111 | ppp_pid_filetrans(portslave_t) | |
112 | ||
113 | ssh_exec(portslave_t) | |
114 | ||
12cd9a06 | 115 | optional_policy(` |
0bfccda4 | 116 | inetd_tcp_service_domain(portslave_t, portslave_exec_t) |
12cd9a06 CP |
117 | ') |
118 | ||
119 | optional_policy(` | |
120 | nis_use_ypbind(portslave_t) | |
121 | ') | |
122 | ||
12cd9a06 CP |
123 | optional_policy(` |
124 | seutil_sigchld_newrole(portslave_t) | |
125 | ') | |
126 | ||
127 | optional_policy(` | |
128 | udev_read_db(portslave_t) | |
129 | ') |