161bda392e
Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. The corresponding classmap declarations were removed from the mainline kernel in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
181 lines
3.7 KiB
Plaintext
181 lines
3.7 KiB
Plaintext
## <summary>Simple network management protocol services.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to snmpd with a unix
|
|
## domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_stream_connect',`
|
|
gen_require(`
|
|
type snmpd_t, snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to snmp over the TCP network.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_tcp_connect',`
|
|
gen_require(`
|
|
type snmpd_t;
|
|
')
|
|
|
|
corenet_tcp_recvfrom_labeled($1, snmpd_t)
|
|
corenet_tcp_connect_snmp_port($1)
|
|
corenet_sendrecv_snmp_client_packets($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## snmp lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_manage_var_lib_dirs',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
allow $1 snmpd_var_lib_t:dir manage_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
## snmp lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_manage_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read snmpd lib content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_read_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read
|
|
## snmpd lib content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_dontaudit_read_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
|
|
dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write
|
|
## snmpd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`snmp_dontaudit_write_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
dontaudit $1 snmpd_var_lib_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an snmp environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`snmp_admin',`
|
|
gen_require(`
|
|
type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
|
|
type snmpd_var_lib_t, snmpd_runtime_t;
|
|
')
|
|
|
|
allow $1 snmpd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, snmpd_t)
|
|
|
|
init_startstop_service($1, $2, snmpd_t, snmpd_initrc_exec_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, snmpd_log_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, snmpd_var_lib_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, snmpd_runtime_t)
|
|
')
|