1 policy_module(corenetwork, 1.15.5)
3 ########################################
8 attribute client_packet_type;
9 attribute ipsec_spd_type;
12 attribute packet_type;
14 attribute defined_port_type;
15 attribute reserved_port_type;
16 attribute unreserved_port_type;
17 attribute ephemeral_port_type;
18 attribute rpc_port_type;
19 attribute server_packet_type;
21 attribute corenet_unconfined_type;
22 attribute corenet_unlabeled_type;
25 dev_node(ppp_device_t)
28 # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
30 type tun_tap_device_t;
31 dev_node(tun_tap_device_t)
32 mls_trusted_object(tun_tap_device_t)
34 ########################################
40 # client_packet_t is the default type of IPv4 and IPv6 client packets.
42 type intranet_packet_t;
43 corenet_packet(intranet_packet_t)
46 # client_packet_t is the default type of IPv4 and IPv6 client packets.
48 type internet_packet_t;
49 corenet_packet(internet_packet_t)
52 # client_packet_t is the default type of IPv4 and IPv6 client packets.
54 type client_packet_t, packet_type, client_packet_type;
57 # The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
58 # connections using NetLabel which do not carry full SELinux contexts.
61 sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
64 # port_t is the default type of INET port numbers.
66 type port_t, port_type;
67 sid port gen_context(system_u:object_r:port_t,s0)
70 # unreserved_port_t is the default type of port numbers > 1024 and non ephemeral
72 type unreserved_port_t, port_type, unreserved_port_type;
75 # ephemeral_port_t is the default type of ephemeral port numbers.
76 # cat /proc/sys/net/ipv4/ip_local_port_range
78 type ephemeral_port_t, port_type, ephemeral_port_type;
81 # reserved_port_t is the type of INET port numbers below 1024.
83 type reserved_port_t, port_type, reserved_port_type;
86 # hi_reserved_port_t is the type of INET port numbers between 512-1023.
88 type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
91 # server_packet_t is the default type of IPv4 and IPv6 server packets.
93 type server_packet_t, packet_type, server_packet_type;
95 network_port(afs_bos, udp,7007,s0)
96 network_port(afs_client, udp,7001,s0)
97 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
98 network_port(afs_ka, udp,7004,s0)
99 network_port(afs_pt, udp,7002,s0)
100 network_port(afs_vl, udp,7003,s0)
101 network_port(agentx, udp,705,s0, tcp,705,s0)
102 network_port(ajaxterm, tcp,8022,s0)
103 network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
104 network_port(amavisd_recv, tcp,10024,s0)
105 network_port(amavisd_send, tcp,10025,s0)
106 network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
107 network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
108 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
109 network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
110 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
111 network_port(audit, tcp,60,s0)
112 network_port(auth, tcp,113,s0)
113 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
114 network_port(boinc, tcp,31416,s0)
115 network_port(boinc_client_ctrl, tcp,1043,s0)
116 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
117 network_port(certmaster, tcp,51235,s0)
118 network_port(chronyd, udp,323,s0)
119 network_port(clamd, tcp,3310,s0)
120 network_port(clockspeed, udp,4041,s0)
121 network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
122 network_port(cma, tcp,1050,s0, udp,1050,s0)
123 network_port(cobbler, tcp,25151,s0)
124 network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
125 network_port(comsat, udp,512,s0)
126 network_port(ctdb, tcp,4379,s0, udp,4379,s0)
127 network_port(cvs, tcp,2401,s0, udp,2401,s0)
128 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
129 network_port(daap, tcp,3689,s0, udp,3689,s0)
130 network_port(dbskkd, tcp,1178,s0)
131 network_port(dcc, udp,6276,s0, udp,6277,s0)
132 network_port(dccm, tcp,5679,s0, udp,5679,s0)
133 network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
134 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
135 network_port(dict, tcp,2628,s0)
136 network_port(distccd, tcp,3632,s0)
137 network_port(dogtag, tcp,7390,s0)
138 network_port(dns, udp,53,s0, tcp,53,s0, tcp,8953,s0 )
139 network_port(epmap, tcp,135,s0, udp,135,s0)
140 network_port(epmd, tcp,4369,s0, udp,4369,s0)
141 network_port(festival, tcp,1314,s0)
142 network_port(fingerd, tcp,79,s0)
143 network_port(firebird, tcp,3050,s0, udp,3050,s0)
144 network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
145 network_port(fprot, tcp,10200,s0)
146 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
147 network_port(ftp_data, tcp,20,s0)
148 network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
149 network_port(giftd, tcp,1213,s0)
150 network_port(git, tcp,9418,s0, udp,9418,s0)
151 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
152 network_port(gopher, tcp,70,s0, udp,70,s0)
153 network_port(gpsd, tcp,2947,s0)
154 network_port(hadoop_datanode, tcp,50010,s0)
155 network_port(hadoop_namenode, tcp,8020,s0)
156 network_port(hddtemp, tcp,7634,s0)
157 network_port(howl, tcp,5335,s0, udp,5353,s0)
158 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
159 network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
160 network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy
161 network_port(i18n_input, tcp,9010,s0)
162 network_port(imaze, tcp,5323,s0, udp,5323,s0)
163 network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
164 network_port(innd, tcp,119,s0)
165 network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
166 network_port(ipmi, udp,623,s0, udp,664,s0)
167 network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
168 network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
169 network_port(ircd, tcp,6667,s0)
170 network_port(isakmp, udp,500,s0)
171 network_port(iscsi, tcp,3260,s0)
172 network_port(isns, tcp,3205,s0, udp,3205,s0)
173 network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
174 network_port(jabber_interserver, tcp,5269,s0)
175 network_port(jabber_router, tcp,5347,s0)
176 network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0)
177 network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0)
178 network_port(kerberos_admin, tcp,749,s0)
179 network_port(kerberos_password, tcp,464,s0, udp,464,s0)
180 network_port(kismet, tcp,2501,s0)
181 network_port(kprop, tcp,754,s0)
182 network_port(ktalkd, udp,517,s0, udp,518,s0)
183 network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
184 network_port(lirc, tcp,8765,s0)
185 network_port(luci, tcp,8084,s0)
186 network_port(lmtp, tcp,24,s0, udp,24,s0)
187 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
188 network_port(mail, tcp,2000,s0, tcp,3905,s0)
189 network_port(matahari, tcp,49000,s0, udp,49000,s0)
190 network_port(memcache, tcp,11211,s0, udp,11211,s0)
191 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
192 network_port(mongod, tcp,27017,s0)
193 network_port(monopd, tcp,1234,s0)
194 network_port(movaz_ssc, tcp,5252,s0)
195 network_port(mpd, tcp,6600,s0)
196 network_port(msnp, tcp,1863,s0, udp,1863,s0)
197 network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
198 network_port(munin, tcp,4949,s0, udp,4949,s0)
199 network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
200 network_port(mysqlmanagerd, tcp,2273,s0)
201 network_port(nessus, tcp,1241,s0)
202 network_port(netport, tcp,3129,s0, udp,3129,s0)
203 network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
204 network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0)
205 network_port(nmbd, udp,137,s0, udp,138,s0)
206 network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
207 network_port(ntp, udp,123,s0)
208 network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
209 network_port(ocsp, tcp,9080,s0)
210 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
211 network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
212 network_port(pegasus_http, tcp,5988,s0)
213 network_port(pegasus_https, tcp,5989,s0)
214 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
215 network_port(pingd, tcp,9125,s0)
216 network_port(piranha, tcp,3636,s0)
217 network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9447, s0)
218 network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443-10446, s0)
219 network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443-11446, s0)
220 network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443-13446, s0)
221 network_port(pki_ra, tcp,12888-12889,s0)
222 network_port(pki_tps, tcp,7888-7889,s0)
223 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
224 network_port(portmap, udp,111,s0, tcp,111,s0)
225 network_port(postfix_policyd, tcp,10031,s0)
226 network_port(postgresql, tcp,5432,s0)
227 network_port(postgrey, tcp,60000,s0)
228 network_port(pptp, tcp, 1723,s0, udp, 1723, s0)
229 network_port(prelude, tcp,4690,s0, udp,4690,s0)
230 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
231 network_port(printer, tcp,515,s0)
232 network_port(ptal, tcp,5703,s0)
233 network_port(pulseaudio, tcp,4713,s0)
234 network_port(puppet, tcp, 8140, s0)
235 network_port(pxe, udp,4011,s0)
236 network_port(pyzor, udp,24441,s0)
237 network_port(radacct, udp,1646,s0, udp,1813,s0)
238 network_port(radius, udp,1645,s0, udp,1812,s0)
239 network_port(radsec, tcp,2083,s0)
240 network_port(razor, tcp,2703,s0)
241 network_port(repository, tcp, 6363, s0)
242 network_port(ricci, tcp,11111,s0, udp,11111,s0)
243 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
244 network_port(rlogind, tcp,513,s0)
245 network_port(rndc, tcp,953,s0)
246 network_port(router, udp,520-521,s0, tcp,521,s0)
247 network_port(rsh, tcp,514,s0)
248 network_port(rsync, tcp,873,s0, udp,873,s0)
249 network_port(rwho, udp,513,s0)
250 network_port(sap, tcp,9875,s0, udp,9875,s0)
251 network_port(sametime, tcp,1533,s0, udp,1533,s0)
252 network_port(sieve, tcp,4190,s0)
253 network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
254 network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
255 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
256 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
257 network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
258 type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
259 network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
260 network_port(spamd, tcp,783,s0)
261 network_port(speech, tcp,8036,s0)
262 network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
263 network_port(ssdp, tcp,1900,s0, udp, 1900, s0)
264 network_port(ssh, tcp,22,s0)
265 network_port(streaming, tcp, 554, s0, udp, 554, s0, tcp, 1755, s0, udp, 1755, s0)
266 type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
267 network_port(swat, tcp,901,s0)
268 network_port(sype, tcp,9911,s0, udp,9911,s0)
269 network_port(syslogd, udp,514,s0, tcp,6514,s0, udp,6514,s0)
270 network_port(tcs, tcp, 30003, s0)
271 network_port(telnetd, tcp,23,s0)
272 network_port(tftp, udp,69,s0)
273 network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9051,s0)
274 network_port(tor_socks, tcp,9050,s0)
275 network_port(traceroute, udp,64000-64010,s0)
276 network_port(transproxy, tcp,8081,s0)
277 network_port(ups, tcp,3493,s0)
278 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
279 network_port(uucpd, tcp,540,s0)
280 network_port(varnishd, tcp,6081-6082,s0)
281 network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
282 network_port(virt_migration, tcp,49152-49216,s0)
283 network_port(vnc, tcp,5900-5999,s0)
284 network_port(wccp, udp,2048,s0)
285 network_port(websm, tcp,9090,s0, udp,9090,s0)
286 network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
287 network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
288 network_port(xdmcp, udp,177,s0, tcp,177,s0)
289 network_port(xen, tcp,8002,s0)
290 network_port(xfs, tcp,7100,s0)
291 network_port(xserver, tcp,6000-6020,s0)
292 network_port(zarafa, tcp,236,s0, tcp,237,s0)
293 network_port(zabbix, tcp,10051,s0)
294 network_port(zabbix_agent, tcp,10050,s0)
295 network_port(zookeeper_client, tcp,2181,s0)
296 network_port(zookeeper_election, tcp,3888,s0)
297 network_port(zookeeper_leader, tcp,2888,s0)
298 network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
299 network_port(zented, tcp,1229,s0, udp,1229,s0)
300 network_port(zope, tcp,8021,s0)
302 # Defaults for reserved ports. Earlier portcon entries take precedence;
303 # these entries just cover any remaining reserved ports not otherwise declared.
305 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
306 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
307 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
308 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
309 portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
310 portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
311 portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
312 portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0)
313 portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0)
314 portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
316 ########################################
322 # node_t is the default type of network nodes.
323 # The node_*_t types are used for specific network
324 # nodes in net_contexts or net_contexts.mls.
326 type node_t, node_type;
327 typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
328 sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
330 # network_node examples:
331 #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
332 #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
334 ########################################
340 # netif_t is the default type of network interfaces.
342 type netif_t, netif_type;
343 sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
345 build_option(`enable_mls',`
346 network_interface(lo, lo, s0 - mls_systemhigh)
348 typealias netif_t alias { lo_netif_t netif_lo_t };
351 ########################################
353 # Unconfined access to this module
356 allow corenet_unconfined_type node_type:node *;
357 allow corenet_unconfined_type netif_type:netif *;
358 allow corenet_unconfined_type packet_type:packet *;
359 allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect };
360 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
361 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
363 # Bind to any network address.
364 allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
365 allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
projects / people / stevee / selinux-policy.git / blob