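policy_module(inetd,1.0)

########################################
#
# Declarations
#
# inetd_t is the super-server itself, started by init.  inetd_child_t is
# the domain used for daemons that inetd launches (see the comment in the
# local policy section below); it is presumably the fallback for services
# that have no policy module of their own -- confirm against
# inetd_service_domain().  Each domain has its own log/tmp/pid types so
# the server and its children cannot read or clobber each other's state.
#

type inetd_t;
type inetd_exec_t;
init_daemon_domain(inetd_t,inetd_exec_t)

type inetd_log_t;
logging_log_file(inetd_log_t)

type inetd_tmp_t;
files_tmp_file(inetd_tmp_t)

type inetd_var_run_t;
files_pid_file(inetd_var_run_t)

type inetd_child_t;
type inetd_child_exec_t;
inetd_service_domain(inetd_child_t,inetd_child_exec_t)
role system_r types inetd_child_t;

type inetd_child_tmp_t;
files_tmp_file(inetd_child_tmp_t)

type inetd_child_var_run_t;
files_pid_file(inetd_child_var_run_t)

########################################
#
# Local policy
#

# setuid/setgid: inetd changes to a different uid/gid before exec'ing a
# service (presumably the per-service user from its configuration -- confirm).
allow inetd_t self:capability { setuid setgid };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process setsched;
allow inetd_t self:fifo_file rw_file_perms;
allow inetd_t self:tcp_socket create_stream_socket_perms;
allow inetd_t self:udp_socket { connect connected_socket_perms };

allow inetd_t inetd_log_t:file create_file_perms;
logging_create_log(inetd_t,inetd_log_t)

allow inetd_t inetd_tmp_t:dir create_dir_perms;
allow inetd_t inetd_tmp_t:file create_file_perms;
files_create_tmp_files(inetd_t, inetd_tmp_t, { file dir })

allow inetd_t inetd_var_run_t:file create_file_perms;
files_create_pid(inetd_t,inetd_var_run_t)

kernel_read_kernel_sysctl(inetd_t)
kernel_list_proc(inetd_t)
kernel_read_proc_symlinks(inetd_t)
kernel_tcp_recvfrom(inetd_t)

# networking:
# Generic interface/node/port traffic.  Note that the last line grants
# outbound TCP connect() to every port; a super-server normally only binds
# and accepts, so which service actually needs outbound connects from
# inetd_t itself is worth confirming before keeping it.
corenet_tcp_sendrecv_all_if(inetd_t)
corenet_udp_sendrecv_all_if(inetd_t)
corenet_raw_sendrecv_all_if(inetd_t)
corenet_tcp_sendrecv_all_nodes(inetd_t)
corenet_udp_sendrecv_all_nodes(inetd_t)
corenet_raw_sendrecv_all_nodes(inetd_t)
corenet_tcp_sendrecv_all_ports(inetd_t)
corenet_udp_sendrecv_all_ports(inetd_t)
corenet_tcp_bind_all_nodes(inetd_t)
corenet_udp_bind_all_nodes(inetd_t)
corenet_tcp_connect_all_ports(inetd_t)

# listen on service ports:
# inetd_t gets bind to all nodes but only to the specific ports listed
# here, so (under the strict policy) a service added to inetd's
# configuration on any other port is denied at bind() time until its port
# interface is added below.  The commented-out entries are left as found.
corenet_tcp_bind_amanda_port(inetd_t)
corenet_udp_bind_amanda_port(inetd_t)
corenet_tcp_bind_auth_port(inetd_t)
#corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rsh_port(inetd_t)
corenet_tcp_bind_rsync_port(inetd_t)
corenet_udp_bind_rsync_port(inetd_t)
#corenet_tcp_bind_stunnel_port(inetd_t)
corenet_tcp_bind_swat_port(inetd_t)
corenet_udp_bind_swat_port(inetd_t)
corenet_udp_bind_tftp_port(inetd_t)

# Conditional service ports.  Both blocks target inetd_t (not
# inetd_child_t), so they live here with the other inetd_t port rules.
# The run_ssh_inetd and ftpd_is_daemon tunables are declared elsewhere.
tunable_policy(`run_ssh_inetd',`
	corenet_tcp_bind_ssh_port(inetd_t)
')

optional_policy(`ftp.te',`
	tunable_policy(`ftpd_is_daemon',`
		# Allows it to check exec privs on daemon
		ftp_check_exec(inetd_t)
	')
')

dev_read_sysfs(inetd_t)

fs_getattr_all_fs(inetd_t)
fs_search_auto_mountpoints(inetd_t)

term_dontaudit_use_console(inetd_t)

# Run other daemons in the inetd_child_t domain.
corecmd_search_bin(inetd_t)
corecmd_read_sbin_symlink(inetd_t)

domain_use_wide_inherit_fd(inetd_t)

files_read_etc_files(inetd_t)

init_use_fd(inetd_t)
init_use_script_pty(inetd_t)

libs_use_ld_so(inetd_t)
libs_use_shared_libs(inetd_t)

logging_send_syslog_msg(inetd_t)

miscfiles_read_localization(inetd_t)

sysnet_read_config(inetd_t)

userdom_dontaudit_use_unpriv_user_fd(inetd_t)
userdom_dontaudit_search_sysadm_home_dir(inetd_t)

ifdef(`targeted_policy', `
	term_dontaudit_use_unallocated_tty(inetd_t)
	term_dontaudit_use_generic_pty(inetd_t)
	files_dontaudit_read_root_file(inetd_t)
')

optional_policy(`amanda.te',`
	amanda_search_lib(inetd_t)
')

optional_policy(`mount.te',`
	mount_send_nfs_client_request(inetd_t)
')

# Communicate with the portmapper.
optional_policy(`portmap.te',`
	portmap_udp_sendto(inetd_t)
')

optional_policy(`selinuxutil.te',`
	seutil_sigchld_newrole(inetd_t)
')

optional_policy(`udev.te', `
	udev_read_db(inetd_t)
')

# When the unconfined module is present, inetd_t may transition into the
# unconfined domain on exec, i.e. a service it launches can run without
# confinement.  Keep this in mind when auditing what inetd is allowed to
# start.
optional_policy(`unconfined.te', `
	unconfined_domtrans(inetd_t)
')

# Under the targeted policy inetd_t is itself made an unconfined domain,
# so the finer-grained rules above only constrain inetd in the strict
# policy.
ifdef(`targeted_policy',`
	unconfined_domain_template(inetd_t)
')

ifdef(`TODO',`
optional_policy(`rhgb.te',`
	rhgb_domain(inetd_t)
')
') dnl TODO

########################################
#
# inetd child local_policy
#
# Rules for daemons running in inetd_child_t.  Only rules whose subject
# is inetd_child_t belong in this section.
#

allow inetd_child_t self:process signal_perms;
allow inetd_child_t self:fifo_file rw_file_perms;
allow inetd_child_t self:tcp_socket { listen accept connected_socket_perms };

# for identd
# netlink_tcpdiag lets the child query kernel socket state; the dir and
# file/lnk_file rules on self presumably cover its own /proc entries --
# confirm.  files_search_home is grouped with identd support here.
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
allow inetd_child_t self:dir search;
allow inetd_child_t self:{ lnk_file file } { getattr read };
files_search_home(inetd_child_t)

allow inetd_child_t inetd_child_tmp_t:dir create_dir_perms;
allow inetd_child_t inetd_child_tmp_t:file create_file_perms;
files_create_tmp_files(inetd_child_t, inetd_child_tmp_t, { file dir })

allow inetd_child_t inetd_child_var_run_t:file create_file_perms;
files_create_pid(inetd_child_t,inetd_child_var_run_t)

kernel_read_kernel_sysctl(inetd_child_t)
kernel_read_system_state(inetd_child_t)
kernel_read_network_state(inetd_child_t)

# Children get send/recv on all interfaces and nodes, TCP on all ports,
# and bind to all nodes -- but no *_bind_*_port interface is granted here,
# so a child that must listen on a port of its own needs its own module.
corenet_tcp_sendrecv_all_if(inetd_child_t)
corenet_udp_sendrecv_all_if(inetd_child_t)
corenet_raw_sendrecv_all_if(inetd_child_t)
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
corenet_udp_sendrecv_all_nodes(inetd_child_t)
corenet_raw_sendrecv_all_nodes(inetd_child_t)
corenet_tcp_bind_all_nodes(inetd_child_t)
corenet_tcp_sendrecv_all_ports(inetd_child_t)

dev_read_urand(inetd_child_t)

fs_getattr_xattr_fs(inetd_child_t)

files_read_etc_files(inetd_child_t)

libs_use_ld_so(inetd_child_t)
libs_use_shared_libs(inetd_child_t)

logging_send_syslog_msg(inetd_child_t)

miscfiles_read_localization(inetd_child_t)

sysnet_read_config(inetd_child_t)

optional_policy(`kerberos.te',`
	kerberos_use(inetd_child_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(inetd_child_t)
')

optional_policy(`nscd.te',`
	nscd_use_socket(inetd_child_t)
')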