[people/stevee/selinux-policy.git] / refpolicy / policy / modules / kernel / corenetwork.te.in


policy_module(corenetwork,1.0)

########################################
#
# Declarations
#

attribute netif_type;
attribute node_type;
attribute port_type;
attribute reserved_port_type;

type ppp_device_t;
dev_node(ppp_device_t)

#
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)

########################################
#
# Ports
#

#
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
sid port gen_context(system_u:object_r:port_t,s0)

#
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;

network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dhcpc, udp,68,s0)
network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
network_port(dict, tcp,2628,s0)
network_port(distcc, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,50000,s0, tcp,50002,s0)
dnl network_port(i18n_input) # no defined portcon in current strict
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
network_port(nessus, tcp,1241,s0)
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
network_port(ntp, udp,123,s0)
network_port(openvpn, udp,5000,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
network_port(rndc, tcp,953,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
dnl network_port(stunnel) # no defined portcon in current strict
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
network_port(transproxy, tcp,8081,s0)
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2601,s0)
network_port(zope, tcp,8021,s0)

# Defaults for reserved ports.  Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)

########################################
#
# Network nodes
#

#
# node_t is the default type of network nodes.
# The node_*_t types are used for specific network
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0)

network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
network_node(lo, s0, 127.0.0.1, 255.255.255.255)
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(multicast, s0, ff00::, ff00::)
network_node(site_local, s0, fec0::, ffc0::)
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

########################################
#
# Network Interfaces:
#

#
# netif_t is the default type of network interfaces.
#
type netif_t, netif_type;
sid netif gen_context(system_u:object_r:netif_t,s0)

#network_interface(lo, lo,s0)
#network_interface(eth0, eth0,s0)
Commit	Line	Data
e181fe05	1
960373dd CP	2	policy_module(corenetwork,1.0)
960373dd CP	3
fd89e19f CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533 CP	9	attribute netif_type;
	10	attribute node_type;
	11	attribute port_type;
	12	attribute reserved_port_type;
	13
05a5cdcc	14	type ppp_device_t;
c9428d33	15	dev_node(ppp_device_t)
05a5cdcc	16
b4cd1533 CP	17	#
	18	# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
	19	#
	20	type tun_tap_device_t;
c9428d33	21	dev_node(tun_tap_device_t)
b4cd1533 CP	22
	23	########################################
	24	#
	25	# Ports
	26	#
	27
	28	#
	29	# port_t is the default type of INET port numbers.
	30	#
	31	type port_t, port_type;
e02c61cf	32	sid port gen_context(system_u:object_r:port_t,s0)
b4cd1533 CP	33
	34	#
	35	# reserved_port_t is the type of INET port numbers below 1024.
	36	#
	37	type reserved_port_t, port_type, reserved_port_type;
	38
0907bda1 CP	39	network_port(afs_bos, udp,7007,s0)
	40	network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
	41	network_port(afs_ka, udp,7004,s0)
	42	network_port(afs_pt, udp,7002,s0)
	43	network_port(afs_vl, udp,7003,s0)
0d0d2baf	44	network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
0907bda1 CP	45	network_port(amavisd_recv, tcp,10024,s0)
	46	network_port(amavisd_send, tcp,10025,s0)
	47	network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
2705f9a0	48	network_port(auth, tcp,113,s0)
b4cd1533	49	dnl network_port(biff) # no defined portcon in current strict
0907bda1 CP	50	network_port(clamd, tcp,3310,s0)
	51	network_port(clockspeed, udp,4041,s0)
	52	network_port(cvs, tcp,2401,s0, udp,2401,s0)
	53	network_port(dcc, udp,6276,s0, udp,6277,s0)
0d0d2baf CP	54	network_port(dbskkd, tcp,1178,s0)
0d0d2baf CP	55	network_port(dhcpc, udp,68,s0)
77f6e2cd	56	network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
0d0d2baf	57	network_port(dict, tcp,2628,s0)
cf6141a7	58	network_port(distcc, tcp,3632,s0)
0d0d2baf CP	59	network_port(dns, udp,53,s0, tcp,53,s0)
	60	network_port(fingerd, tcp,79,s0)
	61	network_port(ftp_data, tcp,20,s0)
	62	network_port(ftp, tcp,21,s0)
0907bda1 CP	63	network_port(giftd, tcp,1213,s0)
	64	network_port(gopher, tcp,70,s0, udp,70,s0)
	65	network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
	66	network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
0d0d2baf	67	network_port(howl, tcp,5335,s0, udp,5353,s0)
0907bda1	68	network_port(hplip, tcp,50000,s0, tcp,50002,s0)
05a5cdcc	69	dnl network_port(i18n_input) # no defined portcon in current strict
0907bda1 CP	70	network_port(imaze, tcp,5323,s0, udp,5323,s0)
0907bda1 CP	71	network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
0d0d2baf CP	72	network_port(innd, tcp,119,s0)
0d0d2baf CP	73	network_port(ipp, tcp,631,s0, udp,631,s0)
0907bda1 CP	74	network_port(ircd, tcp,6667,s0)
	75	network_port(isakmp, udp,500,s0)
	76	network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
	77	network_port(jabber_interserver, tcp,5269,s0)
0d0d2baf CP	78	network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
	79	network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
	80	network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
	81	network_port(ktalkd, udp,517,s0, udp,518,s0)
	82	network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
	83	network_port(mail, tcp,2000,s0)
0907bda1	84	network_port(monopd, tcp,1234,s0)
0d0d2baf	85	network_port(mysqld, tcp,3306,s0)
0907bda1	86	network_port(nessus, tcp,1241,s0)
0d0d2baf	87	network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
b11a75a5	88	network_port(ntp, udp,123,s0)
0907bda1	89	network_port(openvpn, udp,5000,s0)
77f6e2cd CP	90	network_port(pegasus_http, tcp,5988,s0)
77f6e2cd CP	91	network_port(pegasus_https, tcp,5989,s0)
0907bda1	92	network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
0d0d2baf CP	93	network_port(portmap, udp,111,s0, tcp,111,s0)
0d0d2baf CP	94	network_port(postgresql, tcp,5432,s0)
0907bda1	95	network_port(postgrey, tcp,60000,s0)
0d0d2baf	96	network_port(printer, tcp,515,s0)
0907bda1	97	network_port(ptal, tcp,5703,s0)
0d0d2baf	98	network_port(pxe, udp,4011,s0)
0907bda1	99	network_port(pyzor, udp,24441,s0)
0d0d2baf CP	100	network_port(radacct, udp,1646,s0, udp,1813,s0)
0d0d2baf CP	101	network_port(radius, udp,1645,s0, udp,1812,s0)
0907bda1 CP	102	network_port(razor, tcp,2703,s0)
0907bda1 CP	103	network_port(rndc, tcp,953,s0)
0d0d2baf CP	104	network_port(rsh, tcp,514,s0)
	105	network_port(rsync, tcp,873,s0, udp,873,s0)
	106	network_port(smbd, tcp,137-139,s0, tcp,445,s0)
	107	network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
	108	network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
0907bda1	109	network_port(spamd, tcp,783,s0)
0d0d2baf	110	network_port(ssh, tcp,22,s0)
0907bda1	111	network_port(soundd, tcp,8000,s0, tcp,9433,s0)
b4cd1533	112	dnl network_port(stunnel) # no defined portcon in current strict
0d0d2baf CP	113	network_port(swat, tcp,901,s0)
	114	network_port(syslogd, udp,514,s0)
	115	network_port(telnetd, tcp,23,s0)
	116	network_port(tftp, udp,69,s0)
0907bda1 CP	117	network_port(transproxy, tcp,8081,s0)
0907bda1 CP	118	network_port(uucpd, tcp,540,s0)
0d0d2baf CP	119	network_port(vnc, tcp,5900,s0)
	120	network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
	121	network_port(zebra, tcp,2601,s0)
0907bda1	122	network_port(zope, tcp,8021,s0)
b4cd1533 CP	123
b4cd1533 CP	124	# Defaults for reserved ports. Earlier portcon entries take precedence;
6d788d87	125	# these entries just cover any remaining reserved ports not otherwise declared.
e02c61cf CP	126	portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
e02c61cf CP	127	portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
b4cd1533 CP	128
	129	########################################
	130	#
	131	# Network nodes
	132	#
	133
	134	#
	135	# node_t is the default type of network nodes.
	136	# The node_*_t types are used for specific network
	137	# nodes in net_contexts or net_contexts.mls.
	138	#
	139	type node_t, node_type;
e02c61cf	140	sid node gen_context(system_u:object_r:node_t,s0)
b4cd1533	141
085faa06 CP	142	network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
	143	network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
	144	dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
	145	network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
	146	network_node(lo, s0, 127.0.0.1, 255.255.255.255)
	147	network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
	148	network_node(multicast, s0, ff00::, ff00::)
	149	network_node(site_local, s0, fec0::, ffc0::)
	150	network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
b4cd1533	151
b4cd1533 CP	152	########################################
	153	#
	154	# Network Interfaces:
	155	#
	156
	157	#
	158	# netif_t is the default type of network interfaces.
	159	#
	160	type netif_t, netif_type;
e02c61cf	161	sid netif gen_context(system_u:object_r:netif_t,s0)
b4cd1533	162
a0824843 CP	163	#network_interface(lo, lo,s0)
a0824843 CP	164	#network_interface(eth0, eth0,s0)