[people/stevee/selinux-policy.git] / policy / modules / services / snmp.te

policy_module(snmp, 1.11.0)

########################################
#
# Declarations
#

type snmpd_t;
type snmpd_exec_t;
init_daemon_domain(snmpd_t, snmpd_exec_t)

type snmpd_initrc_exec_t;
init_script_file(snmpd_initrc_exec_t)

type snmpd_log_t;
logging_log_file(snmpd_log_t)

type snmpd_var_run_t;
files_pid_file(snmpd_var_run_t)

type snmpd_var_lib_t;
files_type(snmpd_var_lib_t)

########################################
#
# Local policy
#

allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };

dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
allow snmpd_t self:fifo_file rw_fifo_file_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:udp_socket connected_stream_socket_perms;

allow snmpd_t snmpd_log_t:file manage_file_perms;
logging_log_filetrans(snmpd_t, snmpd_log_t, file)

manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })

manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })

kernel_read_device_sysctls(snmpd_t)
kernel_read_kernel_sysctls(snmpd_t)
kernel_read_fs_sysctls(snmpd_t)
kernel_read_net_sysctls(snmpd_t)
kernel_read_proc_symlinks(snmpd_t)
kernel_read_system_state(snmpd_t)
kernel_read_network_state(snmpd_t)

corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)

corenet_all_recvfrom_unlabeled(snmpd_t)
corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_generic_if(snmpd_t)
corenet_udp_sendrecv_generic_if(snmpd_t)
corenet_tcp_sendrecv_generic_node(snmpd_t)
corenet_udp_sendrecv_generic_node(snmpd_t)
corenet_tcp_sendrecv_all_ports(snmpd_t)
corenet_udp_sendrecv_all_ports(snmpd_t)
corenet_tcp_bind_generic_node(snmpd_t)
corenet_udp_bind_generic_node(snmpd_t)
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
corenet_tcp_connect_agentx_port(snmpd_t)
corenet_tcp_bind_agentx_port(snmpd_t)
corenet_udp_bind_agentx_port(snmpd_t)

dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
dev_read_urand(snmpd_t)
dev_read_rand(snmpd_t)
dev_getattr_usbfs_dirs(snmpd_t)

domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
domain_dontaudit_ptrace_all_domains(snmpd_t)
domain_exec_all_entry_files(snmpd_t)

files_read_etc_files(snmpd_t)
files_read_usr_files(snmpd_t)
files_read_etc_runtime_files(snmpd_t)
files_search_home(snmpd_t)

fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
files_search_all_mountpoints(snmpd_t)

storage_dontaudit_read_fixed_disk(snmpd_t)
storage_dontaudit_read_removable_device(snmpd_t)
storage_dontaudit_write_removable_device(snmpd_t)

auth_use_nsswitch(snmpd_t)
files_list_all(snmpd_t)

init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
# need write to /var/run/systemd/notify
init_write_pid_socket(snmpd_t)

logging_send_syslog_msg(snmpd_t)

miscfiles_read_localization(snmpd_t)

seutil_dontaudit_search_config(snmpd_t)

sysnet_read_config(snmpd_t)

userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)

ifdef(`distro_redhat',`
	optional_policy(`
		rpm_read_db(snmpd_t)
		rpm_dontaudit_manage_db(snmpd_t)
	')
')

optional_policy(`
	amanda_dontaudit_read_dumpdates(snmpd_t)
')

optional_policy(`
	consoletype_exec(snmpd_t)
')

optional_policy(`
	cups_read_rw_config(snmpd_t)
')

optional_policy(`
	mta_read_config(snmpd_t)
	mta_search_queue(snmpd_t)
')

optional_policy(`
	rpc_search_nfs_state_data(snmpd_t)
')

optional_policy(`
	sendmail_read_log(snmpd_t)
')

optional_policy(`
	seutil_sigchld_newrole(snmpd_t)
')

optional_policy(`
	squid_read_config(snmpd_t)
')

optional_policy(`
	udev_read_db(snmpd_t)
')

optional_policy(`
	virt_stream_connect(snmpd_t)
')

optional_policy(`
	kernel_read_xen_state(snmpd_t)
	kernel_write_xen_state(snmpd_t)

	xen_stream_connect(snmpd_t)
	xen_stream_connect_xenstore(snmpd_t)
')
Commit	Line	Data
29af4c13	1	policy_module(snmp, 1.11.0)
ccc59782 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
1e2abee1	7
ccc59782 CP	8	type snmpd_t;
ccc59782 CP	9	type snmpd_exec_t;
0bfccda4	10	init_daemon_domain(snmpd_t, snmpd_exec_t)
ccc59782	11
fb4826f4 CP	12	type snmpd_initrc_exec_t;
	13	init_script_file(snmpd_initrc_exec_t)
	14
ccc59782 CP	15	type snmpd_log_t;
	16	logging_log_file(snmpd_log_t)
	17
	18	type snmpd_var_run_t;
	19	files_pid_file(snmpd_var_run_t)
	20
	21	type snmpd_var_lib_t;
	22	files_type(snmpd_var_lib_t)
	23
	24	########################################
	25	#
	26	# Local policy
	27	#
1e2abee1	28
995bdbb1	29	allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config };
995bdbb1	30
a39a9313	31	dontaudit snmpd_t self:capability { sys_module sys_tty_config };
207c4d1e	32	allow snmpd_t self:process { signal_perms getsched setsched };
c0868a7a	33	allow snmpd_t self:fifo_file rw_fifo_file_perms;
ccc59782	34	allow snmpd_t self:unix_dgram_socket create_socket_perms;
4d1378a4	35	allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
77f6e2cd	36	allow snmpd_t self:tcp_socket create_stream_socket_perms;
162dfc33	37	allow snmpd_t self:udp_socket connected_stream_socket_perms;
ccc59782	38
c0868a7a	39	allow snmpd_t snmpd_log_t:file manage_file_perms;
3f67f722	40	logging_log_filetrans(snmpd_t, snmpd_log_t, file)
ccc59782	41
0bfccda4 CP	42	manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
	43	manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
	44	manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
	45	files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file)
	46	files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file })
263b3246	47	files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file })
ccc59782	48
3eaa9939	49	manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
0bfccda4	50	manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t)
3eaa9939	51	files_pid_filetrans(snmpd_t, snmpd_var_run_t, { file dir })
ccc59782	52
8cfa5a00	53	kernel_read_device_sysctls(snmpd_t)
445522dc	54	kernel_read_kernel_sysctls(snmpd_t)
fb4826f4	55	kernel_read_fs_sysctls(snmpd_t)
445522dc	56	kernel_read_net_sysctls(snmpd_t)
ccc59782 CP	57	kernel_read_proc_symlinks(snmpd_t)
	58	kernel_read_system_state(snmpd_t)
	59	kernel_read_network_state(snmpd_t)
	60
6f81e1d3	61	corecmd_exec_bin(snmpd_t)
6f81e1d3 CP	62	corecmd_exec_shell(snmpd_t)
6f81e1d3 CP	63
19006686 CP	64	corenet_all_recvfrom_unlabeled(snmpd_t)
19006686 CP	65	corenet_all_recvfrom_netlabel(snmpd_t)
668b3093 CP	66	corenet_tcp_sendrecv_generic_if(snmpd_t)
668b3093 CP	67	corenet_udp_sendrecv_generic_if(snmpd_t)
c1262146 CP	68	corenet_tcp_sendrecv_generic_node(snmpd_t)
c1262146 CP	69	corenet_udp_sendrecv_generic_node(snmpd_t)
ccc59782	70	corenet_tcp_sendrecv_all_ports(snmpd_t)
162dfc33	71	corenet_udp_sendrecv_all_ports(snmpd_t)
c1262146 CP	72	corenet_tcp_bind_generic_node(snmpd_t)
c1262146 CP	73	corenet_udp_bind_generic_node(snmpd_t)
ccc59782 CP	74	corenet_tcp_bind_snmp_port(snmpd_t)
ccc59782 CP	75	corenet_udp_bind_snmp_port(snmpd_t)
141cffdd	76	corenet_sendrecv_snmp_server_packets(snmpd_t)
80348b73	77	corenet_tcp_connect_agentx_port(snmpd_t)
207c4d1e CP	78	corenet_tcp_bind_agentx_port(snmpd_t)
207c4d1e CP	79	corenet_udp_bind_agentx_port(snmpd_t)
ccc59782 CP	80
	81	dev_list_sysfs(snmpd_t)
	82	dev_read_sysfs(snmpd_t)
	83	dev_read_urand(snmpd_t)
	84	dev_read_rand(snmpd_t)
d6d16b97	85	dev_getattr_usbfs_dirs(snmpd_t)
ccc59782	86
15722ec9	87	domain_use_interactive_fds(snmpd_t)
77f6e2cd	88	domain_signull_all_domains(snmpd_t)
ccc59782	89	domain_read_all_domains_state(snmpd_t)
fb4826f4 CP	90	domain_dontaudit_ptrace_all_domains(snmpd_t)
fb4826f4 CP	91	domain_exec_all_entry_files(snmpd_t)
ccc59782 CP	92
	93	files_read_etc_files(snmpd_t)
	94	files_read_usr_files(snmpd_t)
	95	files_read_etc_runtime_files(snmpd_t)
	96	files_search_home(snmpd_t)
	97
d6d16b97	98	fs_getattr_all_dirs(snmpd_t)
6f81e1d3	99	fs_getattr_all_fs(snmpd_t)
6f81e1d3	100	fs_search_auto_mountpoints(snmpd_t)
7d5125a5	101	files_search_all_mountpoints(snmpd_t)
6f81e1d3 CP	102
	103	storage_dontaudit_read_fixed_disk(snmpd_t)
	104	storage_dontaudit_read_removable_device(snmpd_t)
3eaa9939	105	storage_dontaudit_write_removable_device(snmpd_t)
6f81e1d3	106
fb4826f4	107	auth_use_nsswitch(snmpd_t)
d7556995	108	files_list_all(snmpd_t)
fb4826f4	109
68228b33	110	init_read_utmp(snmpd_t)
68228b33	111	init_dontaudit_write_utmp(snmpd_t)
670aa3a3 MG	112	# need write to /var/run/systemd/notify
670aa3a3 MG	113	init_write_pid_socket(snmpd_t)
ccc59782	114
ccc59782 CP	115	logging_send_syslog_msg(snmpd_t)
	116
	117	miscfiles_read_localization(snmpd_t)
	118
	119	seutil_dontaudit_search_config(snmpd_t)
	120
	121	sysnet_read_config(snmpd_t)
	122
15722ec9	123	userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
296273a7	124	userdom_dontaudit_search_user_home_dirs(snmpd_t)
ccc59782	125
1e2abee1	126	ifdef(`distro_redhat',`
bb7170f6	127	optional_policy(`
ccc59782	128	rpm_read_db(snmpd_t)
75720701	129	rpm_dontaudit_manage_db(snmpd_t)
ccc59782 CP	130	')
	131	')
	132
bb7170f6	133	optional_policy(`
75720701 CP	134	amanda_dontaudit_read_dumpdates(snmpd_t)
	135	')
	136
bb7170f6	137	optional_policy(`
fb4826f4	138	consoletype_exec(snmpd_t)
6f81e1d3 CP	139	')
6f81e1d3 CP	140
b129e200	141	optional_policy(`
a39a9313	142	cups_read_rw_config(snmpd_t)
b129e200 CP	143	')
b129e200 CP	144
bb7170f6	145	optional_policy(`
a39a9313 CP	146	mta_read_config(snmpd_t)
a39a9313 CP	147	mta_search_queue(snmpd_t)
fa67570d CP	148	')
fa67570d CP	149
bb7170f6	150	optional_policy(`
a39a9313	151	rpc_search_nfs_state_data(snmpd_t)
ccc59782 CP	152	')
ccc59782 CP	153
bb7170f6	154	optional_policy(`
a39a9313	155	sendmail_read_log(snmpd_t)
6f81e1d3 CP	156	')
6f81e1d3 CP	157
bb7170f6	158	optional_policy(`
ccc59782 CP	159	seutil_sigchld_newrole(snmpd_t)
	160	')
	161
b129e200 CP	162	optional_policy(`
	163	squid_read_config(snmpd_t)
	164	')
	165
bb7170f6	166	optional_policy(`
ccc59782 CP	167	udev_read_db(snmpd_t)
ccc59782 CP	168	')
fb4826f4 CP	169
	170	optional_policy(`
	171	virt_stream_connect(snmpd_t)
	172	')
	173
	174	optional_policy(`
	175	kernel_read_xen_state(snmpd_t)
	176	kernel_write_xen_state(snmpd_t)
	177
	178	xen_stream_connect(snmpd_t)
	179	xen_stream_connect_xenstore(snmpd_t)
	180	')