2 policy_module(corenetwork,1.1.15)
3
4 ########################################
5 #
6 # Declarations
7 #
8
# Attributes that group the network object types declared in this module
# (ports, nodes, interfaces, packets). Types below attach themselves to
# these attributes in their `type` declarations, so a rule written against
# an attribute applies to every type that carries it.
9 attribute client_packet_type;
10 attribute netif_type;
11 attribute node_type;
12 attribute packet_type;
13 attribute port_type;
14 attribute reserved_port_type;
# NOTE(review): no type in this file carries rpc_port_type; presumably it is
# assigned by a macro or another module — confirm before relying on it.
15 attribute rpc_port_type;
16 attribute server_packet_type;
17
# Any domain carrying this attribute receives the blanket node/netif/packet
# permissions and the "any port" send/recv/connect/bind rules in the
# "Unconfined access to this module" section at the end of this file. It is
# the broadest network authority this module hands out, so assign it only to
# domains that are deliberately unconfined with respect to networking.
18 attribute corenet_unconfined_type;
19
# Device node type for the PPP device (presumably /dev/ppp — confirm against
# the file contexts). dev_node() registers it as a device node type.
20 type ppp_device_t;
21 dev_node(ppp_device_t)
22
23 #
24 # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
25 #
26 type tun_tap_device_t;
27 dev_node(tun_tap_device_t)
28
29 ########################################
30 #
31 # Ports and packets
32 #
33
34 #
35 # client_packet_t is the default type of IPv4 and IPv6 client packets.
36 #
37 type client_packet_t, packet_type, client_packet_type;
38
39 #
40 # port_t is the default type of INET port numbers.
41 # The `sid port` declaration below makes port_t the initial SID for ports,
42 # i.e. the label a port number falls back to when no portcon statement
43 # covers it (in practice: unregistered ports above 1023, since 1-1023 are
44 # swept up by the reserved_port_t catch-all further down).
41 #
42 type port_t, port_type;
43 sid port gen_context(system_u:object_r:port_t,s0)
44
45 #
46 # reserved_port_t is the type of INET port numbers below 1024.
47 # Nothing is labelled with it here; the two catch-all portcon statements
48 # that follow the network_port() list assign it to every port in 1-1023
49 # that an earlier, more specific portcon has not already claimed.
47 #
48 type reserved_port_t, port_type, reserved_port_type;
49
50 #
51 # server_packet_t is the default type of IPv4 and IPv6 server packets.
52 #
53 type server_packet_t, packet_type, server_packet_type;
54
# Per-service port types. Each network_port(NAME, PROTO,PORT,LEVEL, ...)
# call (macro defined elsewhere) is expected to declare NAME_port_t and
# label every PROTO/PORT pair listed; a PORT may be a range written with a
# hyphen (see smbd, tcp,137-139). Because earlier portcon entries take
# precedence over later ones (see the comment on the reserved-port
# catch-all below), a port listed here keeps its specific type even though
# the 1-1023 catch-all also covers it. For the same reason a given
# protocol/port pair should appear under only one type: a later duplicate
# would be silently shadowed rather than reported.
#
# Lines of the form `type X_port_t, port_type; dnl network_port(...)` keep
# the type available to interfaces but label no port with it: m4's `dnl`
# discards the rest of the line, so the network_port() call after it is
# never expanded.
55 network_port(afs_bos, udp,7007,s0)
56 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
57 network_port(afs_ka, udp,7004,s0)
58 network_port(afs_pt, udp,7002,s0)
59 network_port(afs_vl, udp,7003,s0)
60 network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
61 network_port(amavisd_recv, tcp,10024,s0)
62 network_port(amavisd_send, tcp,10025,s0)
63 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
64 network_port(auth, tcp,113,s0)
65 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
# biff_port_t: type only, no portcon (network_port call discarded by dnl).
66 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
67 network_port(clamd, tcp,3310,s0)
68 network_port(clockspeed, udp,4041,s0)
69 network_port(comsat, udp,512,s0)
70 network_port(cvs, tcp,2401,s0, udp,2401,s0)
71 network_port(dcc, udp,6276,s0, udp,6277,s0)
72 network_port(dbskkd, tcp,1178,s0)
73 network_port(dhcpc, udp,68,s0)
74 network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
75 network_port(dict, tcp,2628,s0)
76 network_port(distccd, tcp,3632,s0)
77 network_port(dns, udp,53,s0, tcp,53,s0)
78 network_port(fingerd, tcp,79,s0)
79 network_port(ftp_data, tcp,20,s0)
80 network_port(ftp, tcp,21,s0)
81 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
82 network_port(giftd, tcp,1213,s0)
83 network_port(gopher, tcp,70,s0, udp,70,s0)
84 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
85 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0)
86 network_port(howl, tcp,5335,s0, udp,5353,s0)
87 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
88 network_port(i18n_input, tcp,9010,s0)
89 network_port(imaze, tcp,5323,s0, udp,5323,s0)
90 network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
91 network_port(innd, tcp,119,s0)
92 network_port(ipp, tcp,631,s0, udp,631,s0)
93 network_port(ircd, tcp,6667,s0)
94 network_port(isakmp, udp,500,s0)
95 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
96 network_port(jabber_interserver, tcp,5269,s0)
97 network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
98 network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
99 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
100 network_port(ktalkd, udp,517,s0, udp,518,s0)
101 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
# lrrd_port_t: type only, no portcon. NOTE(review): the discarded call passes
# `lrrd_port_t` where every other network_port() call passes the bare name;
# if it is ever re-enabled the argument presumably needs to be `lrrd`.
102 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
103 network_port(lmtp, tcp,24,s0, udp,24,s0)
104 network_port(mail, tcp,2000,s0)
105 network_port(monopd, tcp,1234,s0)
106 network_port(mysqld, tcp,3306,s0)
107 network_port(nessus, tcp,1241,s0)
108 network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
109 network_port(ntp, udp,123,s0)
110 network_port(openvpn, udp,1194,s0)
111 network_port(pegasus_http, tcp,5988,s0)
112 network_port(pegasus_https, tcp,5989,s0)
113 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
114 network_port(portmap, udp,111,s0, tcp,111,s0)
115 network_port(postgresql, tcp,5432,s0)
116 network_port(postgrey, tcp,60000,s0)
117 network_port(printer, tcp,515,s0)
118 network_port(ptal, tcp,5703,s0)
119 network_port(pxe, udp,4011,s0)
120 network_port(pyzor, udp,24441,s0)
121 network_port(radacct, udp,1646,s0, udp,1813,s0)
122 network_port(radius, udp,1645,s0, udp,1812,s0)
123 network_port(razor, tcp,2703,s0)
124 network_port(rlogind, tcp,513,s0)
125 network_port(rndc, tcp,953,s0)
126 network_port(router, udp,520,s0)
127 network_port(rsh, tcp,514,s0)
128 network_port(rsync, tcp,873,s0, udp,873,s0)
129 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
130 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
131 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
132 network_port(spamd, tcp,783,s0)
133 network_port(ssh, tcp,22,s0)
134 network_port(soundd, tcp,8000,s0, tcp,9433,s0)
# socks_port_t / stunnel_port_t: type only, no portcon (calls discarded by dnl).
135 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
136 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
137 network_port(swat, tcp,901,s0)
138 network_port(syslogd, udp,514,s0)
139 network_port(telnetd, tcp,23,s0)
140 network_port(tftp, udp,69,s0)
141 network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
142 network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
143 network_port(transproxy, tcp,8081,s0)
# utcpserver_port_t: type only, no portcon (call discarded by dnl).
144 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
145 network_port(uucpd, tcp,540,s0)
146 network_port(vnc, tcp,5900,s0)
147 network_port(xen, tcp,8002,s0)
# Style: the first xserver triple is written `tcp, 6000, s0` with spaces,
# unlike every other entry in this list; m4 strips leading whitespace from
# macro arguments, so this is cosmetic, but keeping the form uniform makes
# the list easier to grep.
148 network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
149 network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
150 network_port(zope, tcp,8021,s0)
151
152 # Defaults for reserved ports. Earlier portcon entries take precedence;
153 # these entries just cover any remaining reserved ports not otherwise declared.
# Net effect of the ordering: a port in 1-1023 gets its service-specific
# *_port_t if network_port() listed it above, otherwise reserved_port_t;
# ports above 1023 with no portcon at all fall back to port_t through the
# `sid port` initial SID declared earlier. Keep these two lines after the
# network_port() list, or every reserved port would be swept up here first.
154 portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
155 portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
156
157 ########################################
158 #
159 # Network nodes
160 #
161
162 #
163 # node_t is the default type of network nodes.
164 # The node_*_t types are used for specific network
165 # nodes in net_contexts or net_contexts.mls.
166 #
167 type node_t, node_type;
# Initial SID for nodes: any address no nodecon matches is node_t. Unlike the
# port SID (s0 only), the node SID carries the full s0 - s15:c0.c255 range.
168 sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
169
# network_node(NAME, LEVEL, ADDRESS, NETMASK) — macro defined elsewhere;
# the argument order is visible from the lo entry (127.0.0.1 / 255.255.255.255).
# Only lo and multicast get the full MLS range; the rest are s0.
# compat_ipv4: IPv4-compatible IPv6 addresses (::/96).
170 network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
# inaddr_any: the single IPv4 address 0.0.0.0.
171 network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
# node_internal_t: type only, no nodecon (the network_node call after dnl is
# discarded by m4 and never expanded).
172 type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
# link_local: fe80::/64. NOTE(review): this call has a trailing empty
# argument (`, )`) that none of the other enabled network_node() calls have;
# presumably harmless, but worth confirming against the macro definition.
173 network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
# lo: 127.0.0.1 only, full MLS range.
174 network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
# mapped_ipv4: IPv4-mapped IPv6 addresses (::ffff:0:0/96).
175 network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
# multicast: ff00::/8, full MLS range.
176 network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
# site_local: fec0::/10.
177 network_node(site_local, s0, fec0::, ffc0::)
# unspec: the unspecified address :: itself (/128). Ordered after
# compat_ipv4, which also matches :: with a shorter mask.
178 network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
179
180 ########################################
181 #
182 # Network Interfaces
183 #
184
185 #
186 # netif_t is the default type of network interfaces.
187 #
188 type netif_t, netif_type;
# Initial SID for interfaces, with the full MLS range; any interface without
# a netifcon is labelled netif_t through it.
189 sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
190
# Only MLS builds give the loopback interface its own type (lo_netif_t,
# presumably, via the network_interface() macro defined elsewhere) with the
# full range. Non-MLS builds declare no interfaces here at all, so every
# interface, including lo, presumably falls back to netif_t — confirm.
191 ifdef(`enable_mls',`
192 network_interface(lo, lo,s0 - s15:c0.c255)
193 ')
194
195 ########################################
196 #
197 # Unconfined access to this module
198 #
199
# Every permission (`*`) on every node, interface and packet type declared
# through the attributes above.
200 allow corenet_unconfined_type node_type:node *;
201 allow corenet_unconfined_type netif_type:netif *;
202 allow corenet_unconfined_type packet_type:packet *;
# Send, receive and (for TCP) connect to any port type, reserved ports
# included — there is no per-service carve-out here.
203 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
204 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
205
206 # Bind to any network address.
# name_bind on port_type covers reserved_port_t and every *_port_t as well,
# so a domain with this attribute can listen on any port number; node_bind
# on node_type likewise allows binding to any address. Together with the
# rules above this is the widest network grant in the module, which is why
# corenet_unconfined_type should stay limited to genuinely unconfined domains.
207 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
208 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;