From b6b5747bac2ba6d8a0827ee9b556363f56aa6a26 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 27 Apr 2006 18:11:26 +0000
Subject: [PATCH] add authbind, bug 1516

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/apps/authbind.fc | 3 ++
 refpolicy/policy/modules/apps/authbind.if | 23 +++++++++++++++
 refpolicy/policy/modules/apps/authbind.te | 36 +++++++++++++++++++++++
 4 files changed, 63 insertions(+)
 create mode 100644 refpolicy/policy/modules/apps/authbind.fc
 create mode 100644 refpolicy/policy/modules/apps/authbind.if
 create mode 100644 refpolicy/policy/modules/apps/authbind.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ab3793c43..08b3f25f8 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -37,6 +37,7 @@
 apt (Erich Schubert)
 asterisk
 audioentropy
+authbind
 backup
 calamaris
 cipe
diff --git a/refpolicy/policy/modules/apps/authbind.fc b/refpolicy/policy/modules/apps/authbind.fc
new file mode 100644
index 000000000..af7a8e00d
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.fc
@@ -0,0 +1,3 @@
+/etc/authbind(/.*)? gen_require(system_u:object_r:authbind_etc_t,s0)
+
+/usr/lib(64)?/authbind/helper -- gen_require(system_u:object_r:authbind_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/authbind.if b/refpolicy/policy/modules/apps/authbind.if
new file mode 100644
index 000000000..84134d087
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.if
@@ -0,0 +1,23 @@
+## Tool for non-root processes to bind to reserved ports
+
+########################################
+## 
+## Use authbind to bind to a reserved port.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`authbind_domtrans',`
+ gen_require(`
+ type authbind_t, authbind_exec_t;
+ ')
+
+ domain_auto_trans($1,authbind_exec_t,authbind_t)
+ allow authbind_t $1:fd use;
+ allow authbind_t $1:fifo_file rw_file_perms;
+ allow authbind_t $1:process sigchld;
+ allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
+')
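Review bot: Both labelling lines in authbind.fc read `gen_require(system_u:object_r:...,s0)`, but a file-context spec takes its label from `gen_context(...)`; `gen_require` is the m4 macro used inside interfaces to declare required types and has no meaning in an .fc file. Unless this is a rendering artifact of the page, neither /etc/authbind nor the helper would be labelled and the helper would never enter authbind_t on exec. The two lines should be `/etc/authbind(/.*)? gen_context(system_u:object_r:authbind_etc_t,s0)` and `/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)`; a `restorecon -nv /etc/authbind /usr/lib/authbind` after building the module shows whether the labels apply.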
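Review bot: The last rule of authbind_domtrans, `allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;`, gives the helper more of the caller's socket than its one job requires. The helper exists to bind() a socket the caller created and handed over, while rw_socket_perms also carries read, write, connect, setopt and shutdown, so a misbehaving helper could use or redirect the caller's connection rather than merely name it. Unless a test run shows the helper needs more, a narrower rule such as `allow authbind_t $1:{ tcp_socket udp_socket } { getattr getopt bind };` keeps the transition within its purpose; confirm the exact set against AVC denials. Separately, if I recall the bind hook correctly the kernel checks name_bind using the socket's own label, i.e. the calling domain's, so callers of this interface still need their own corenet port-bind permission for the reserved port; the interface summary should state that, since nothing here grants it.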
diff --git a/refpolicy/policy/modules/apps/authbind.te b/refpolicy/policy/modules/apps/authbind.te
new file mode 100644
index 000000000..292dda200
--- /dev/null
+++ b/refpolicy/policy/modules/apps/authbind.te
@@ -0,0 +1,36 @@
+
+policy_module(authbind,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type authbind_t;
+type authbind_exec_t;
+domain_type(authbind_t)
+domain_entry_file(authbind_t,authbind_exec_t)
+role system_r types authbind_t;
+
+type authbind_etc_t;
+files_config_file(authbind_etc_t)
+
+########################################
+#
+# Local policy
+#
+
+allow authbind_t self:capability net_bind_service;
+
+can_exec(authbind_t, authbind_etc_t)
+allow authbind_t authbind_etc_t:file r_file_perms;
+allow authbind_t authbind_etc_t:dir r_dir_perms;
+allow authbind_t authbind_etc_t:lnk_file { getattr read };
+files_list_etc(authbind_t)
+
+term_use_console(authbind_t)
+
+logging_send_syslog_msg(authbind_t)
+
+libs_use_ld_so(authbind_t)
+libs_use_shared_libs(authbind_t)
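Review bot: `can_exec(authbind_t, authbind_etc_t)` lets the domain execute files of the very type it reads as configuration, and nothing in the hunk explains why a type declared with files_config_file needs execute access. If this is for authbind's per-port/per-uid entries under /etc/authbind that may be programs rather than plain files (which is how I understand authbind works, but confirm against the helper's source), a why-comment above the line would keep a later maintainer from "tightening" it away: `# byport/byuid entries may be programs the helper runs, so the config type must be executable`. The same line means that write access to authbind_etc_t is equivalent to code execution in a domain holding CAP_NET_BIND_SERVICE, which is worth recording so no future interface hands out write access to that type casually. The interface also authorizes authbind_t only for system_r, so a transition from a user domain in another role would fail the role check unless a role interface is added later; if user domains are the intended callers, that gap should be noted in the module description.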