policy_module(nis, 1.8.3)

########################################
#
# Declarations
#
# This module covers the four NIS daemons: ypbind (client-side binder),
# yppasswdd (password-change server), ypserv (map server) and ypxfr (map
# transfer). Each gets its own domain and private file types; var_yp_t and
# ypserv_conf_t are the types shared between domains. The file contexts
# that attach these types to paths are in nis.fc, not in this file.
#

# NIS data area shared by all four domains: every domain below gets
# manage_files_pattern on it, so a compromise of any one of the daemons
# can rewrite the data (presumably the maps) the others serve or consume.
type var_yp_t;
files_type(var_yp_t)

# ypbind: daemon domain entered from init via ypbind_exec_t.
type ypbind_t;
type ypbind_exec_t;
init_daemon_domain(ypbind_t, ypbind_exec_t)

type ypbind_tmp_t;
files_tmp_file(ypbind_tmp_t)

type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)

# yppasswdd: the privileged domain of this module (it manages and relabels
# the shadow type and relabels etc files, see its section). The object id
# change exemption is presumably what allows it to relabel/re-own those
# files — confirm against domain.if.
type yppasswdd_t;
type yppasswdd_exec_t;
init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
domain_obj_id_change_exemption(yppasswdd_t)

type yppasswdd_var_run_t;
files_pid_file(yppasswdd_var_run_t)

# ypserv: map server, entered from init via ypserv_exec_t.
type ypserv_t;
type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)

# Server configuration. Read-only for ypserv_t and ypxfr_t (both get
# read_file_perms only); no domain in this file may write it.
type ypserv_conf_t;
files_type(ypserv_conf_t)

type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)

type ypserv_var_run_t;
files_pid_file(ypserv_var_run_t)

# ypxfr: map transfer. Reachable from init (ypxfr_exec_t) and from ypserv_t
# through nis_domtrans_ypxfr (interface declared in nis.if, used in the
# ypserv section below). It declares no tmp or pid file types of its own.
type ypxfr_t;
type ypxfr_exec_t;
init_daemon_domain(ypxfr_t, ypxfr_exec_t)
46
########################################
#
# ypbind local policy
#
# Client-side binder: it locates a ypserv and keeps its state in var_yp_t.
# Nearly all of its privilege is network access, and that access is wide
# (all ports) because RPC ports are assigned by the portmapper at runtime
# rather than being a fixed port type this could be narrowed to.
#

# dontaudit, not allow: net_admin and sys_tty_config stay denied, the
# denials are simply not logged. If ypbind genuinely needs net_admin,
# something else is wrong; check with dontaudit rules disabled before
# ever promoting this to an allow.
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
allow ypbind_t self:fifo_file rw_fifo_file_perms;
allow ypbind_t self:process signal_perms;
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
allow ypbind_t self:udp_socket create_socket_perms;

# Private tmp and pid files, with the type transitions that label what it
# creates in the tmp and pid directories.
manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })

manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)

# Full file management of the shared NIS data area (the binding files,
# presumably) — the same grant the three server-side domains have.
manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)

kernel_read_kernel_sysctls(ypbind_t)
kernel_list_proc(ypbind_t)
kernel_read_proc_symlinks(ypbind_t)

# Network profile. Accepts unlabeled and netlabel packets, may bind generic
# and reserved ports plus any RPC port, and may connect to any TCP port —
# the server's port is only known at runtime via the portmapper. Binds to
# the remaining reserved ports are silenced, not granted. This is the
# widest grant in the domain; treat ypbind as network-exposed accordingly.
corenet_all_recvfrom_unlabeled(ypbind_t)
corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_generic_if(ypbind_t)
corenet_udp_sendrecv_generic_if(ypbind_t)
corenet_tcp_sendrecv_generic_node(ypbind_t)
corenet_udp_sendrecv_generic_node(ypbind_t)
corenet_tcp_sendrecv_all_ports(ypbind_t)
corenet_udp_sendrecv_all_ports(ypbind_t)
corenet_tcp_bind_generic_node(ypbind_t)
corenet_udp_bind_generic_node(ypbind_t)
corenet_tcp_bind_generic_port(ypbind_t)
corenet_udp_bind_generic_port(ypbind_t)
corenet_tcp_bind_reserved_port(ypbind_t)
corenet_udp_bind_reserved_port(ypbind_t)
corenet_tcp_bind_all_rpc_ports(ypbind_t)
corenet_udp_bind_all_rpc_ports(ypbind_t)
corenet_tcp_connect_all_ports(ypbind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
corenet_sendrecv_all_client_packets(ypbind_t)
corenet_sendrecv_generic_server_packets(ypbind_t)

dev_read_sysfs(ypbind_t)

fs_getattr_all_fs(ypbind_t)
fs_search_auto_mountpoints(ypbind_t)

domain_use_interactive_fds(ypbind_t)

files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)

logging_send_syslog_msg(ypbind_t)

miscfiles_read_localization(ypbind_t)

sysnet_read_config(ypbind_t)

# Silence the usual noise from inherited user fds and home dir searches.
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_user_home_dirs(ypbind_t)

# Each optional_policy block is only built when the named module is loaded.
# On the system bus ypbind is a client that chats with init scripts and,
# if NetworkManager is present, with NetworkManager — presumably so it can
# be told about network changes; confirm against the daemon's dbus usage.
optional_policy(`
	dbus_system_bus_client(ypbind_t)
	dbus_connect_system_bus(ypbind_t)
	init_dbus_chat_script(ypbind_t)

	optional_policy(`
		networkmanager_dbus_chat(ypbind_t)
	')
')

optional_policy(`
	seutil_sigchld_newrole(ypbind_t)
')

optional_policy(`
	udev_read_db(ypbind_t)
')
130
########################################
#
# yppasswdd local policy
#
# Password-change server. This is the sensitive domain of the module: it
# bypasses DAC, creates/writes/relabels the shadow type, relabels etc
# files, and runs shell and bin_t programs inside its own domain. Any
# change in this section deserves a second reviewer.
#

# dac_override: bypasses file permission bits, presumably for the shadow
# rewrite below. sys_tty_config is only silenced, not granted.
allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
# setfscreate: lets it choose the context of files it is about to create,
# which pairs with the shadow filetrans/relabel rules further down.
allow yppasswdd_t self:process { setfscreate signal_perms };
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;

manage_files_pattern(yppasswdd_t, yppasswdd_var_run_t, yppasswdd_var_run_t)
files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)

# Shared NIS data area, including symlinks (the other three domains get
# regular files only).
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)

kernel_list_proc(yppasswdd_t)
kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)

# Server-side network profile: bind the generic node and any RPC port.
# No connect_all_ports here, unlike the client domains ypbind and ypxfr.
corenet_all_recvfrom_unlabeled(yppasswdd_t)
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
corenet_tcp_sendrecv_generic_node(yppasswdd_t)
corenet_udp_sendrecv_generic_node(yppasswdd_t)
corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
corenet_udp_bind_all_rpc_ports(yppasswdd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)

dev_read_sysfs(yppasswdd_t)

fs_getattr_all_fs(yppasswdd_t)
fs_search_auto_mountpoints(yppasswdd_t)

# Locating selinuxfs — presumably needed by libselinux for the
# setfscreate/relabel work below; confirm.
selinux_get_fs_mount(yppasswdd_t)

# The password update itself: manage (create/write/delete) the shadow
# type, relabel to and from it, and have new files created under etc
# labeled as shadow.
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
auth_etc_filetrans_shadow(yppasswdd_t)

# Executes generic bin_t programs and the shell with no domain transition
# declared in this file, so whatever it spawns keeps yppasswdd_t's
# privileges (dac_override, shadow access). Do not let this grow.
corecmd_exec_bin(yppasswdd_t)
corecmd_exec_shell(yppasswdd_t)

domain_use_interactive_fds(yppasswdd_t)

# files_relabel_etc_files is broader than the shadow rules: it may relabel
# any etc file type — presumably for rewriting passwd/group alongside
# shadow; confirm it cannot be narrowed.
files_read_etc_files(yppasswdd_t)
files_read_etc_runtime_files(yppasswdd_t)
files_relabel_etc_files(yppasswdd_t)

logging_send_syslog_msg(yppasswdd_t)

miscfiles_read_localization(yppasswdd_t)

sysnet_read_config(yppasswdd_t)

userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
userdom_dontaudit_search_user_home_dirs(yppasswdd_t)

# Only built when the named module is loaded. Whether hostname_exec runs
# hostname in yppasswdd_t or transitions is decided in hostname.if, not here.
optional_policy(`
	hostname_exec(yppasswdd_t)
')

optional_policy(`
	seutil_sigchld_newrole(yppasswdd_t)
')

optional_policy(`
	udev_read_db(yppasswdd_t)
')
213
########################################
#
# ypserv local policy
#
# Map server. Serves the NIS data in var_yp_t, reads ypserv_conf_t, and
# can hand off to ypxfr_t for map transfers.
#

dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
allow ypserv_t self:unix_dgram_socket create_socket_perms;
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
# NOTE(review): connected_stream_socket_perms, not the
# create_stream_socket_perms every other domain in this module uses for
# tcp_socket; as I recall the connected_* set omits create and connect.
# Confirm this is intended (ypserv_t working on sockets it already holds)
# rather than an accidental inconsistency.
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;

manage_files_pattern(ypserv_t, var_yp_t, var_yp_t)

# Configuration is read-only.
allow ypserv_t ypserv_conf_t:file read_file_perms;

manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t)
files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir })

manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t)
files_pid_filetrans(ypserv_t, ypserv_var_run_t, file)

kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)

# Server-side network profile: bind the generic node and any RPC port,
# accept unlabeled/netlabel packets. No connect_all_ports, unlike the
# client domains ypbind and ypxfr.
corenet_all_recvfrom_unlabeled(ypserv_t)
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
corenet_tcp_sendrecv_generic_node(ypserv_t)
corenet_udp_sendrecv_generic_node(ypserv_t)
corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
corenet_tcp_bind_all_rpc_ports(ypserv_t)
corenet_udp_bind_all_rpc_ports(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)

dev_read_sysfs(ypserv_t)

fs_getattr_all_fs(ypserv_t)
fs_search_auto_mountpoints(ypserv_t)

# Runs bin_t programs in its own domain (no transition declared here), so
# they inherit ypserv_t's access to var_yp_t and the network.
corecmd_exec_bin(ypserv_t)

domain_use_interactive_fds(ypserv_t)

files_read_var_files(ypserv_t)
files_read_etc_files(ypserv_t)

logging_send_syslog_msg(ypserv_t)

miscfiles_read_localization(ypserv_t)

# Domain transition to ypxfr_t (interface defined in nis.if). The ypxfr
# section grants ypxfr_t read/write on ypserv_t sockets, consistent with
# ypxfr inheriting ypserv's descriptors across this transition.
nis_domtrans_ypxfr(ypserv_t)

sysnet_read_config(ypserv_t)

userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
userdom_dontaudit_search_user_home_dirs(ypserv_t)

optional_policy(`
	seutil_sigchld_newrole(ypserv_t)
')

optional_policy(`
	udev_read_db(ypserv_t)
')
289
########################################
#
# ypxfr local policy
#
# Map transfer. Runs from init or as a child of ypserv_t (see
# nis_domtrans_ypxfr in the ypserv section) and acts as an RPC client
# towards the master server, hence the connect_all_ports grant below.
#

allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
# NOTE(review): create_stream_socket_perms on a *datagram* socket; the
# other three domains use create_socket_perms for unix_dgram_socket. As I
# recall the stream set only adds listen/accept, which are meaningless for
# dgram, so this is an over-grant rather than a hole — it could be
# tightened to create_socket_perms for consistency.
allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;

# Writes into the shared NIS data area (presumably the transferred maps).
manage_files_pattern(ypxfr_t, var_yp_t, var_yp_t)

# Read/write on sockets owned by ypserv_t — presumably descriptors
# inherited when ypserv_t transitions to ypxfr_t. Deliberately no
# create/bind/connect on them.
allow ypxfr_t ypserv_t:tcp_socket { read write };
allow ypxfr_t ypserv_t:udp_socket { read write };

# Configuration is read-only.
allow ypxfr_t ypserv_conf_t:file read_file_perms;

# Client-side network profile, like ypbind: bind any RPC port and connect
# to any TCP port, sending both client and server packets.
corenet_all_recvfrom_unlabeled(ypxfr_t)
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
corenet_tcp_sendrecv_generic_node(ypxfr_t)
corenet_udp_sendrecv_generic_node(ypxfr_t)
corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
corenet_udp_bind_all_rpc_ports(ypxfr_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
corenet_tcp_connect_all_ports(ypxfr_t)
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)

files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)

logging_send_syslog_msg(ypxfr_t)

miscfiles_read_localization(ypxfr_t)

sysnet_read_config(ypxfr_t)