1d8333d7a7
When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
51 lines
1.4 KiB
Plaintext
51 lines
1.4 KiB
Plaintext
policy_module(minissdpd, 1.6.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type minissdpd_t;
|
|
type minissdpd_exec_t;
|
|
init_daemon_domain(minissdpd_t, minissdpd_exec_t)
|
|
|
|
type minissdpd_initrc_exec_t;
|
|
init_script_file(minissdpd_initrc_exec_t)
|
|
|
|
type minissdpd_conf_t;
|
|
files_config_file(minissdpd_conf_t)
|
|
|
|
type minissdpd_runtime_t alias minissdpd_var_run_t;
|
|
files_pid_file(minissdpd_runtime_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow minissdpd_t self:capability { net_admin sys_module };
|
|
allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow minissdpd_t self:udp_socket create_socket_perms;
|
|
allow minissdpd_t self:unix_dgram_socket create_socket_perms;
|
|
allow minissdpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow minissdpd_t minissdpd_runtime_t:file manage_file_perms;
|
|
allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms;
|
|
files_pid_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file })
|
|
|
|
kernel_load_module(minissdpd_t)
|
|
kernel_read_network_state(minissdpd_t)
|
|
kernel_request_load_module(minissdpd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(minissdpd_t)
|
|
corenet_udp_sendrecv_generic_if(minissdpd_t)
|
|
corenet_udp_sendrecv_generic_node(minissdpd_t)
|
|
corenet_udp_bind_generic_node(minissdpd_t)
|
|
|
|
corenet_sendrecv_ssdp_server_packets(minissdpd_t)
|
|
corenet_udp_bind_ssdp_port(minissdpd_t)
|
|
|
|
logging_send_syslog_msg(minissdpd_t)
|
|
|
|
miscfiles_read_localization(minissdpd_t)
|