selinux-refpolicy/policy/modules/services/dictd.te
Topi Miettinen 1d8333d7a7
Remove unlabeled packet access
When SECMARK or Netlabel packet labeling is used, it's useful to
forbid receiving and sending unlabeled packets. If packet labeling is
not active, there's no effect.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-06-03 23:16:19 +03:00

85 lines
1.9 KiB
Plaintext

policy_module(dictd, 1.14.0)
########################################
#
# Declarations
#
type dictd_t;
type dictd_exec_t;
init_daemon_domain(dictd_t, dictd_exec_t)
type dictd_etc_t;
files_config_file(dictd_etc_t)
type dictd_initrc_exec_t;
init_script_file(dictd_initrc_exec_t)
type dictd_runtime_t alias dictd_var_run_t;
files_pid_file(dictd_runtime_t)
type dictd_var_lib_t alias var_lib_dictd_t;
files_type(dictd_var_lib_t)
########################################
#
# Local policy
#
allow dictd_t self:capability { setgid setuid };
dontaudit dictd_t self:capability sys_tty_config;
allow dictd_t self:process { signal_perms setpgid };
allow dictd_t self:unix_stream_socket { accept listen };
allow dictd_t self:tcp_socket { accept listen };
allow dictd_t dictd_etc_t:file read_file_perms;
allow dictd_t dictd_var_lib_t:dir list_dir_perms;
allow dictd_t dictd_var_lib_t:file read_file_perms;
manage_files_pattern(dictd_t, dictd_runtime_t, dictd_runtime_t)
files_pid_filetrans(dictd_t, dictd_runtime_t, file)
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_generic_if(dictd_t)
corenet_tcp_sendrecv_generic_node(dictd_t)
corenet_tcp_bind_generic_node(dictd_t)
corenet_sendrecv_dict_server_packets(dictd_t)
corenet_tcp_bind_dict_port(dictd_t)
dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
files_map_usr_files(dictd_t)
files_read_etc_runtime_files(dictd_t)
files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
fs_getattr_xattr_fs(dictd_t)
fs_search_auto_mountpoints(dictd_t)
auth_use_nsswitch(dictd_t)
logging_send_syslog_msg(dictd_t)
miscfiles_read_localization(dictd_t)
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
dbus_system_bus_client(dictd_t)
')
optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
optional_policy(`
udev_read_db(dictd_t)
')