[people/stevee/selinux-policy.git] / policy / modules / services / portslave.te


policy_module(portslave, 1.5.0)

########################################
#
# Declarations
#

type portslave_t;
type portslave_exec_t;
init_domain(portslave_t, portslave_exec_t)
init_daemon_domain(portslave_t, portslave_exec_t)

type portslave_etc_t;
files_config_file(portslave_etc_t)

type portslave_lock_t;
files_lock_file(portslave_lock_t)

########################################
#
# Local policy
#

# setuid setgid net_admin fsetid for pppd
# sys_admin for ctlportslave
# net_bind_service for rlogin
allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_fifo_file_perms;
allow portslave_t self:unix_dgram_socket create_socket_perms;
allow portslave_t self:unix_stream_socket create_stream_socket_perms;
allow portslave_t self:unix_dgram_socket sendto;
allow portslave_t self:unix_stream_socket connectto;
allow portslave_t self:shm create_shm_perms;
allow portslave_t self:sem create_sem_perms;
allow portslave_t self:msgq create_msgq_perms;
allow portslave_t self:msg { send receive };
allow portslave_t self:tcp_socket create_stream_socket_perms;
allow portslave_t self:udp_socket create_socket_perms;

allow portslave_t portslave_etc_t:dir list_dir_perms;
read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)

allow portslave_t portslave_lock_t:file manage_file_perms;
files_lock_filetrans(portslave_t, portslave_lock_t, file)

kernel_read_system_state(portslave_t)
kernel_read_kernel_sysctls(portslave_t)

corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)

corenet_all_recvfrom_unlabeled(portslave_t)
corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
corenet_tcp_sendrecv_all_nodes(portslave_t)
corenet_udp_sendrecv_all_nodes(portslave_t)
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
corenet_rw_ppp_dev(portslave_t)

dev_read_sysfs(portslave_t)
# for ssh
dev_read_urand(portslave_t)

domain_use_interactive_fds(portslave_t)

files_read_etc_files(portslave_t)
files_read_etc_runtime_files(portslave_t)
files_exec_etc_files(portslave_t)

fs_search_auto_mountpoints(portslave_t)
fs_getattr_xattr_fs(portslave_t)

term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
term_use_all_user_ttys(portslave_t)
term_search_ptys(portslave_t)

auth_rw_login_records(portslave_t)
auth_domtrans_chk_passwd(portslave_t)

init_rw_utmp(portslave_t)

libs_use_ld_so(portslave_t)
libs_use_shared_libs(portslave_t)

logging_send_syslog_msg(portslave_t)
logging_search_logs(portslave_t)

sysnet_read_config(portslave_t)

userdom_use_unpriv_users_fds(portslave_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
userdom_search_all_users_home_dirs(portslave_t)

mta_send_mail(portslave_t)

# this should probably be a domtrans to pppd
# instead of exec.
ppp_read_rw_config(portslave_t)
ppp_exec(portslave_t)
ppp_read_secrets(portslave_t)
ppp_manage_pid_files(portslave_t)
ppp_pid_filetrans(portslave_t)

ssh_exec(portslave_t)

optional_policy(`
	inetd_tcp_service_domain(portslave_t, portslave_exec_t)
')

optional_policy(`
	nis_use_ypbind(portslave_t)
')

optional_policy(`
	seutil_sigchld_newrole(portslave_t)
')

optional_policy(`
	udev_read_db(portslave_t)
')
Commit	Line	Data
12cd9a06	1
5d4f4b53	2	policy_module(portslave, 1.5.0)
12cd9a06 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type portslave_t;
	10	type portslave_exec_t;
0bfccda4 CP	11	init_domain(portslave_t, portslave_exec_t)
0bfccda4 CP	12	init_daemon_domain(portslave_t, portslave_exec_t)
12cd9a06 CP	13
12cd9a06 CP	14	type portslave_etc_t;
6224fc14	15	files_config_file(portslave_etc_t)
12cd9a06 CP	16
	17	type portslave_lock_t;
	18	files_lock_file(portslave_lock_t)
	19
	20	########################################
	21	#
	22	# Local policy
	23	#
	24
	25	# setuid setgid net_admin fsetid for pppd
	26	# sys_admin for ctlportslave
	27	# net_bind_service for rlogin
	28	allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
	29	dontaudit portslave_t self:capability sys_admin;
	30	allow portslave_t self:process signal_perms;
	31	allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	32	allow portslave_t self:fd use;
c0868a7a	33	allow portslave_t self:fifo_file rw_fifo_file_perms;
12cd9a06 CP	34	allow portslave_t self:unix_dgram_socket create_socket_perms;
	35	allow portslave_t self:unix_stream_socket create_stream_socket_perms;
	36	allow portslave_t self:unix_dgram_socket sendto;
	37	allow portslave_t self:unix_stream_socket connectto;
	38	allow portslave_t self:shm create_shm_perms;
	39	allow portslave_t self:sem create_sem_perms;
	40	allow portslave_t self:msgq create_msgq_perms;
	41	allow portslave_t self:msg { send receive };
	42	allow portslave_t self:tcp_socket create_stream_socket_perms;
	43	allow portslave_t self:udp_socket create_socket_perms;
	44
c0868a7a	45	allow portslave_t portslave_etc_t:dir list_dir_perms;
0bfccda4 CP	46	read_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
0bfccda4 CP	47	read_lnk_files_pattern(portslave_t, portslave_etc_t, portslave_etc_t)
12cd9a06	48
c0868a7a	49	allow portslave_t portslave_lock_t:file manage_file_perms;
0bfccda4	50	files_lock_filetrans(portslave_t, portslave_lock_t, file)
12cd9a06 CP	51
	52	kernel_read_system_state(portslave_t)
	53	kernel_read_kernel_sysctls(portslave_t)
	54
	55	corecmd_exec_bin(portslave_t)
	56	corecmd_exec_shell(portslave_t)
	57
19006686 CP	58	corenet_all_recvfrom_unlabeled(portslave_t)
19006686 CP	59	corenet_all_recvfrom_netlabel(portslave_t)
12cd9a06 CP	60	corenet_tcp_sendrecv_generic_if(portslave_t)
	61	corenet_udp_sendrecv_generic_if(portslave_t)
	62	corenet_tcp_sendrecv_all_nodes(portslave_t)
	63	corenet_udp_sendrecv_all_nodes(portslave_t)
	64	corenet_tcp_sendrecv_all_ports(portslave_t)
	65	corenet_udp_sendrecv_all_ports(portslave_t)
12cd9a06 CP	66	corenet_rw_ppp_dev(portslave_t)
	67
	68	dev_read_sysfs(portslave_t)
	69	# for ssh
	70	dev_read_urand(portslave_t)
	71
	72	domain_use_interactive_fds(portslave_t)
	73
	74	files_read_etc_files(portslave_t)
	75	files_read_etc_runtime_files(portslave_t)
	76	files_exec_etc_files(portslave_t)
	77
	78	fs_search_auto_mountpoints(portslave_t)
	79	fs_getattr_xattr_fs(portslave_t)
	80
	81	term_use_unallocated_ttys(portslave_t)
	82	term_setattr_unallocated_ttys(portslave_t)
	83	term_use_all_user_ttys(portslave_t)
12cd9a06 CP	84	term_search_ptys(portslave_t)
	85
	86	auth_rw_login_records(portslave_t)
	87	auth_domtrans_chk_passwd(portslave_t)
a5f5eba4	88
12cd9a06 CP	89	init_rw_utmp(portslave_t)
	90
	91	libs_use_ld_so(portslave_t)
	92	libs_use_shared_libs(portslave_t)
	93
	94	logging_send_syslog_msg(portslave_t)
	95	logging_search_logs(portslave_t)
	96
	97	sysnet_read_config(portslave_t)
	98
	99	userdom_use_unpriv_users_fds(portslave_t)
	100	# for ~/.ppprc - if it actually exists then you need some policy to read it
	101	userdom_search_all_users_home_dirs(portslave_t)
	102
	103	mta_send_mail(portslave_t)
	104
	105	# this should probably be a domtrans to pppd
	106	# instead of exec.
	107	ppp_read_rw_config(portslave_t)
	108	ppp_exec(portslave_t)
	109	ppp_read_secrets(portslave_t)
	110	ppp_manage_pid_files(portslave_t)
	111	ppp_pid_filetrans(portslave_t)
	112
	113	ssh_exec(portslave_t)
	114
12cd9a06	115	optional_policy(`
0bfccda4	116	inetd_tcp_service_domain(portslave_t, portslave_exec_t)
12cd9a06 CP	117	')
	118
	119	optional_policy(`
	120	nis_use_ypbind(portslave_t)
	121	')
	122
12cd9a06 CP	123	optional_policy(`
	124	seutil_sigchld_newrole(portslave_t)
	125	')
	126
	127	optional_policy(`
	128	udev_read_db(portslave_t)
	129	')