policy_module(portmap, 1.7.0)

########################################
#
# Declarations
#

# Domain for the portmapper daemon itself.  init_daemon_domain makes
# portmap_exec_t an entry point that transitions into portmap_t.
type portmap_t;
type portmap_exec_t;
init_daemon_domain(portmap_t,portmap_exec_t)

# Separate domain for the portmap helper program.  It is declared as a
# system domain (not a long-lived daemon) and explicitly placed in the
# system_r role; its own rules are in the helper section below.
type portmap_helper_t;
type portmap_helper_exec_t;
init_system_domain(portmap_helper_t,portmap_helper_exec_t)
role system_r types portmap_helper_t;

# Private type for the temporary files the daemon creates.
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)

# Runtime (pid) file type.  Note that it is shared: both portmap_t and
# portmap_helper_t get file transitions and manage permissions on it.
type portmap_var_run_t;
files_pid_file(portmap_var_run_t)

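########################################
#
# Portmap local policy
#

# Only the capabilities needed to drop root privileges are granted.
# NOTE(review): binding the reserved portmap port presumably obtains
# net_bind_service through corenet_*_bind_reserved_port below -- confirm
# against the corenetwork interfaces if a capability denial appears.
allow portmap_t self:capability { setuid setgid };
# Silence a harmless denial instead of granting the capability.
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:tcp_socket create_stream_socket_perms;
allow portmap_t self:udp_socket create_socket_perms;

# Temporary files and directories get the private portmap_tmp_t type
# instead of the generic tmp type.
manage_dirs_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
manage_files_pattern(portmap_t,portmap_tmp_t,portmap_tmp_t)
files_tmp_filetrans(portmap_t,portmap_tmp_t,{ file dir })

# PID file in the runtime directory.
manage_files_pattern(portmap_t,portmap_var_run_t,portmap_var_run_t)
files_pid_filetrans(portmap_t,portmap_var_run_t,file)

kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)

# Network access.  The portmapper listens on its own port and, as noted
# further down, also binds arbitrary ports, so the bind rules are wide.
corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
corenet_tcp_sendrecv_all_nodes(portmap_t)
corenet_udp_sendrecv_all_nodes(portmap_t)
corenet_tcp_sendrecv_all_ports(portmap_t)
corenet_udp_sendrecv_all_ports(portmap_t)
corenet_tcp_bind_all_nodes(portmap_t)
corenet_udp_bind_all_nodes(portmap_t)
corenet_tcp_bind_portmap_port(portmap_t)
corenet_udp_bind_portmap_port(portmap_t)
# NOTE(review): outbound connect to every labeled TCP port is broad for a
# port mapper; if only RPC service ports are needed this could be narrowed
# to reduce what the domain can reach -- confirm the requirement.
corenet_tcp_connect_all_ports(portmap_t)
corenet_sendrecv_portmap_client_packets(portmap_t)
corenet_sendrecv_portmap_server_packets(portmap_t)
# portmap binds to arbitrary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
# Audit noise from the random-port binds above is suppressed, not allowed.
# NOTE(review): the UDP rule is wider than the TCP one (all ports vs. all
# reserved ports) and wider than the helper domain below, which uses
# corenet_dontaudit_udp_bind_all_reserved_ports.  A stray UDP bind to
# another service port by portmap_t will therefore never reach the audit
# log; keep it this way only if that is intended.
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_ports(portmap_t)

dev_read_sysfs(portmap_t)

fs_getattr_all_fs(portmap_t)
fs_search_auto_mountpoints(portmap_t)

domain_use_interactive_fds(portmap_t)

files_read_etc_files(portmap_t)

libs_use_ld_so(portmap_t)
libs_use_shared_libs(portmap_t)

logging_send_syslog_msg(portmap_t)

miscfiles_read_localization(portmap_t)

sysnet_read_config(portmap_t)

# Inherited descriptors from unprivileged users and lookups into the
# sysadm home directory are expected and not worth auditing.
userdom_dontaudit_use_unpriv_user_fds(portmap_t)

sysadm_dontaudit_search_home_dirs(portmap_t)

# Optional integrations; each block is only compiled in when that module
# is part of the build.
optional_policy(`
nis_use_ypbind(portmap_t)
')

optional_policy(`
nscd_socket_use(portmap_t)
')

optional_policy(`
seutil_sigchld_newrole(portmap_t)
')

optional_policy(`
udev_read_db(portmap_t)
')
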
########################################
#
# Portmap helper local policy
#

# net_admin is only silenced here, never granted.
dontaudit portmap_helper_t self:capability net_admin;
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;

# Shares the pid file type with the daemon, so the helper can create and
# rewrite the same runtime file.  This is a raw allow rather than
# manage_files_pattern, so no directory permissions on the type are given.
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)

corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
# NOTE(review): raw send/recv is permitted on all interfaces and nodes,
# but no self:rawip_socket rule is visible in this file, so it is unclear
# how such a socket would be created -- confirm against the program, or
# drop the raw rules if they are unused.
corenet_raw_sendrecv_all_if(portmap_helper_t)
corenet_tcp_sendrecv_all_nodes(portmap_helper_t)
corenet_udp_sendrecv_all_nodes(portmap_helper_t)
corenet_raw_sendrecv_all_nodes(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
corenet_tcp_bind_all_nodes(portmap_helper_t)
corenet_udp_bind_all_nodes(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
corenet_udp_bind_reserved_port(portmap_helper_t)
# Unlike the daemon section, both protocols use the reserved-ports variant
# of the dontaudit, so binds to non-reserved labeled ports stay auditable.
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
# Broad outbound reach, same as the daemon.
corenet_tcp_connect_all_ports(portmap_helper_t)

domain_dontaudit_use_interactive_fds(portmap_helper_t)

files_read_etc_files(portmap_helper_t)
# Read/write of generic pid files, in addition to its own pid file type.
files_rw_generic_pids(portmap_helper_t)

# The helper updates utmp.
init_rw_utmp(portmap_helper_t)

libs_use_ld_so(portmap_helper_t)
libs_use_shared_libs(portmap_helper_t)

logging_send_syslog_msg(portmap_helper_t)

sysnet_read_config(portmap_helper_t)

userdom_dontaudit_use_all_users_fds(portmap_helper_t)

# Only compiled in when the nis module is part of the build.
optional_policy(`
nis_use_ypbind(portmap_helper_t)
')