1d8333d7a7
When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
85 lines
1.9 KiB
Plaintext
85 lines
1.9 KiB
Plaintext
policy_module(dictd, 1.14.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type dictd_t;
|
|
type dictd_exec_t;
|
|
init_daemon_domain(dictd_t, dictd_exec_t)
|
|
|
|
type dictd_etc_t;
|
|
files_config_file(dictd_etc_t)
|
|
|
|
type dictd_initrc_exec_t;
|
|
init_script_file(dictd_initrc_exec_t)
|
|
|
|
type dictd_runtime_t alias dictd_var_run_t;
|
|
files_pid_file(dictd_runtime_t)
|
|
|
|
type dictd_var_lib_t alias var_lib_dictd_t;
|
|
files_type(dictd_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow dictd_t self:capability { setgid setuid };
|
|
dontaudit dictd_t self:capability sys_tty_config;
|
|
allow dictd_t self:process { signal_perms setpgid };
|
|
allow dictd_t self:unix_stream_socket { accept listen };
|
|
allow dictd_t self:tcp_socket { accept listen };
|
|
|
|
allow dictd_t dictd_etc_t:file read_file_perms;
|
|
|
|
allow dictd_t dictd_var_lib_t:dir list_dir_perms;
|
|
allow dictd_t dictd_var_lib_t:file read_file_perms;
|
|
|
|
manage_files_pattern(dictd_t, dictd_runtime_t, dictd_runtime_t)
|
|
files_pid_filetrans(dictd_t, dictd_runtime_t, file)
|
|
|
|
kernel_read_system_state(dictd_t)
|
|
kernel_read_kernel_sysctls(dictd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(dictd_t)
|
|
corenet_tcp_sendrecv_generic_if(dictd_t)
|
|
corenet_tcp_sendrecv_generic_node(dictd_t)
|
|
corenet_tcp_bind_generic_node(dictd_t)
|
|
|
|
corenet_sendrecv_dict_server_packets(dictd_t)
|
|
corenet_tcp_bind_dict_port(dictd_t)
|
|
|
|
dev_read_sysfs(dictd_t)
|
|
|
|
domain_use_interactive_fds(dictd_t)
|
|
|
|
files_map_usr_files(dictd_t)
|
|
files_read_etc_runtime_files(dictd_t)
|
|
files_read_usr_files(dictd_t)
|
|
files_search_var_lib(dictd_t)
|
|
|
|
fs_getattr_xattr_fs(dictd_t)
|
|
fs_search_auto_mountpoints(dictd_t)
|
|
|
|
auth_use_nsswitch(dictd_t)
|
|
|
|
logging_send_syslog_msg(dictd_t)
|
|
|
|
miscfiles_read_localization(dictd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(dictd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(dictd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(dictd_t)
|
|
')
|