Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
[people/stevee/selinux-policy.git] / policy / modules / services / rpcbind.te
1 policy_module(rpcbind, 1.5.0)  # module name and version
2
3 ########################################
4 #
5 # Declarations
6 # All types owned by this module: the daemon domain, its entry point, its init script and its private files.
7
8 type rpcbind_t;  # process domain the daemon runs in
9 type rpcbind_exec_t;  # label for the daemon executable
10 init_daemon_domain(rpcbind_t, rpcbind_exec_t)  # init-started daemon: executing rpcbind_exec_t is the entry point into rpcbind_t
11
12 type rpcbind_initrc_exec_t;  # label for the init script
13 init_script_file(rpcbind_initrc_exec_t)  # registers the type as an init script file
14
15 type rpcbind_var_run_t;  # private runtime files (pid file and sockets, see the filetrans rule in local policy)
16 files_pid_file(rpcbind_var_run_t)  # registers the type as a pid/runtime file type
17
18 type rpcbind_var_lib_t;  # private persistent state
19 files_type(rpcbind_var_lib_t)  # plain file type with no special role
20
21 ########################################
22 #
23 # rpcbind local policy
24 # Everything below is granted to rpcbind_t only; no rule here gives other domains access to rpcbind.
25
26 allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };  # NOTE(review): dac_override bypasses file permission checks; confirm it is still needed. setuid/setgid presumably support dropping root after startup - verify
27 allow rpcbind_t self:fifo_file rw_file_perms;  # own pipes
28 allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;  # own local stream sockets
29 allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;  # read-only routing/interface queries
30 allow rpcbind_t self:udp_socket create_socket_perms;  # create and use own UDP sockets
31 allow rpcbind_t self:tcp_socket create_stream_socket_perms;  # create, listen on and accept own TCP sockets
32
33 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)  # full create/read/write/delete on its runtime files
34 manage_sock_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)  # same for socket files
35 files_pid_filetrans(rpcbind_t, rpcbind_var_run_t, { file sock_file })  # files and sockets it creates in the pid directory get the private type automatically
36
37 manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)  # state directory tree
38 manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
39 manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
40 files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })  # objects it creates under the var lib directory get the private type automatically
41
42 kernel_read_system_state(rpcbind_t)  # read kernel and system state (proc)
43 kernel_read_network_state(rpcbind_t)  # read kernel network state
44 kernel_request_load_module(rpcbind_t)  # NOTE(review): lets the daemon ask the kernel to load modules; confirm this is required for this service
45
46 corenet_all_recvfrom_unlabeled(rpcbind_t)  # accept traffic that carries no network label
47 corenet_all_recvfrom_netlabel(rpcbind_t)  # accept NetLabel-labelled traffic
48 corenet_tcp_sendrecv_generic_if(rpcbind_t)  # generic = interfaces/nodes without a specific label
49 corenet_udp_sendrecv_generic_if(rpcbind_t)
50 corenet_tcp_sendrecv_generic_node(rpcbind_t)
51 corenet_udp_sendrecv_generic_node(rpcbind_t)
52 corenet_tcp_sendrecv_all_ports(rpcbind_t)  # send/receive on any port type; binding is limited by the bind rules below
53 corenet_udp_sendrecv_all_ports(rpcbind_t)
54 corenet_tcp_bind_generic_node(rpcbind_t)  # bind to generically labelled local addresses
55 corenet_udp_bind_generic_node(rpcbind_t)
56 corenet_tcp_bind_portmap_port(rpcbind_t)  # bind the portmapper port type over TCP
57 corenet_udp_bind_portmap_port(rpcbind_t)  # and over UDP
58 corenet_udp_bind_all_rpc_ports(rpcbind_t)  # UDP bind to any port the policy classes as an RPC port. NOTE(review): no TCP counterpart appears in this file - confirm that is intentional
59
60 domain_use_interactive_fds(rpcbind_t)  # inherit and use descriptors from interactive domains, presumably for manual starts - verify
61
62 files_read_etc_files(rpcbind_t)  # read-only access to generic configuration files
63 files_read_etc_runtime_files(rpcbind_t)  # read-only access to runtime-generated configuration files
64
65 logging_send_syslog_msg(rpcbind_t)  # log through syslog
66
67 miscfiles_read_localization(rpcbind_t)  # read locale and timezone data
68
69 sysnet_dns_name_resolve(rpcbind_t)  # DNS lookups
70
71 ifdef(`hide_broken_symptoms',`
72 dontaudit rpcbind_t self:udp_socket listen;  # only silences the audit record; the listen call is still denied. Rebuild without dontaudit rules (semodule -DB) when investigating denials
73 ')