selinux-refpolicy/refpolicy/policy/modules/services/portslave.te

143 lines
3.9 KiB
Plaintext

policy_module(portslave,1.0.0)
########################################
#
# Declarations
#
type portslave_t;
type portslave_exec_t;
init_domain(portslave_t,portslave_exec_t)
init_daemon_domain(portslave_t,portslave_exec_t)
type portslave_etc_t;
files_type(portslave_etc_t)
type portslave_lock_t;
files_lock_file(portslave_lock_t)
########################################
#
# Local policy
#
# setuid setgid net_admin fsetid for pppd
# sys_admin for ctlportslave
# net_bind_service for rlogin
allow portslave_t self:capability { setuid setgid net_admin fsetid net_bind_service sys_tty_config };
dontaudit portslave_t self:capability sys_admin;
allow portslave_t self:process signal_perms;
allow portslave_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow portslave_t self:fd use;
allow portslave_t self:fifo_file rw_file_perms;
allow portslave_t self:unix_dgram_socket create_socket_perms;
allow portslave_t self:unix_stream_socket create_stream_socket_perms;
allow portslave_t self:unix_dgram_socket sendto;
allow portslave_t self:unix_stream_socket connectto;
allow portslave_t self:shm create_shm_perms;
allow portslave_t self:sem create_sem_perms;
allow portslave_t self:msgq create_msgq_perms;
allow portslave_t self:msg { send receive };
allow portslave_t self:tcp_socket create_stream_socket_perms;
allow portslave_t self:udp_socket create_socket_perms;
allow portslave_t portslave_etc_t:dir r_dir_perms;
allow portslave_t portslave_etc_t:file r_file_perms;
allow portslave_t portslave_etc_t:lnk_file { getattr read };
allow portslave_t portslave_lock_t:file create_file_perms;
files_lock_filetrans(portslave_t,portslave_lock_t,file)
kernel_read_system_state(portslave_t)
kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
corenet_non_ipsec_sendrecv(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
corenet_tcp_sendrecv_all_nodes(portslave_t)
corenet_udp_sendrecv_all_nodes(portslave_t)
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
corenet_tcp_bind_all_nodes(portslave_t)
corenet_udp_bind_all_nodes(portslave_t)
corenet_rw_ppp_dev(portslave_t)
dev_read_sysfs(portslave_t)
# for ssh
dev_read_urand(portslave_t)
domain_use_interactive_fds(portslave_t)
files_read_etc_files(portslave_t)
files_read_etc_runtime_files(portslave_t)
files_exec_etc_files(portslave_t)
fs_search_auto_mountpoints(portslave_t)
fs_getattr_xattr_fs(portslave_t)
term_use_unallocated_ttys(portslave_t)
term_setattr_unallocated_ttys(portslave_t)
term_use_all_user_ttys(portslave_t)
term_dontaudit_use_console(portslave_t)
term_search_ptys(portslave_t)
auth_rw_login_records(portslave_t)
auth_domtrans_chk_passwd(portslave_t)
init_use_fds(portslave_t)
init_use_script_ptys(portslave_t)
init_rw_utmp(portslave_t)
libs_use_ld_so(portslave_t)
libs_use_shared_libs(portslave_t)
logging_send_syslog_msg(portslave_t)
logging_search_logs(portslave_t)
sysnet_read_config(portslave_t)
userdom_use_unpriv_users_fds(portslave_t)
# for ~/.ppprc - if it actually exists then you need some policy to read it
userdom_search_all_users_home_dirs(portslave_t)
mta_send_mail(portslave_t)
# this should probably be a domtrans to pppd
# instead of exec.
ppp_read_rw_config(portslave_t)
ppp_exec(portslave_t)
ppp_read_secrets(portslave_t)
ppp_manage_pid_files(portslave_t)
ppp_pid_filetrans(portslave_t)
ssh_exec(portslave_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(portslave_t)
term_dontaudit_use_generic_ptys(portslave_t)
files_dontaudit_read_root_files(portslave_t)
')
optional_policy(`
inetd_tcp_service_domain(portslave_t,portslave_exec_t)
')
optional_policy(`
nis_use_ypbind(portslave_t)
')
optional_policy(`
radius_use(portslave_t)
')
optional_policy(`
seutil_sigchld_newrole(portslave_t)
')
optional_policy(`
udev_read_db(portslave_t)
')