1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
policy_module(portmap, 1.10.0)
########################################
#
# Declarations
#
type portmap_t;
type portmap_exec_t;
init_daemon_domain(portmap_t, portmap_exec_t)
type portmap_helper_t;
type portmap_helper_exec_t;
init_system_domain(portmap_helper_t, portmap_helper_exec_t)
role system_r types portmap_helper_t;
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)
type portmap_var_run_t;
files_pid_file(portmap_var_run_t)
########################################
#
# Portmap local policy
#
allow portmap_t self:capability { setuid setgid };
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_t self:unix_dgram_socket create_socket_perms;
allow portmap_t self:unix_stream_socket create_stream_socket_perms;
allow portmap_t self:tcp_socket create_stream_socket_perms;
allow portmap_t self:udp_socket create_socket_perms;
manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })
manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t)
files_pid_filetrans(portmap_t, portmap_var_run_t, file)
kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)
corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
corenet_tcp_sendrecv_generic_node(portmap_t)
corenet_udp_sendrecv_generic_node(portmap_t)
corenet_tcp_sendrecv_all_ports(portmap_t)
corenet_udp_sendrecv_all_ports(portmap_t)
corenet_tcp_bind_generic_node(portmap_t)
corenet_udp_bind_generic_node(portmap_t)
corenet_tcp_bind_portmap_port(portmap_t)
corenet_udp_bind_portmap_port(portmap_t)
corenet_tcp_connect_all_ports(portmap_t)
corenet_sendrecv_portmap_client_packets(portmap_t)
corenet_sendrecv_portmap_server_packets(portmap_t)
# portmap binds to arbitary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_ports(portmap_t)
dev_read_sysfs(portmap_t)
fs_getattr_all_fs(portmap_t)
fs_search_auto_mountpoints(portmap_t)
domain_use_interactive_fds(portmap_t)
files_read_etc_files(portmap_t)
logging_send_syslog_msg(portmap_t)
miscfiles_read_localization(portmap_t)
sysnet_read_config(portmap_t)
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)
optional_policy(`
nis_use_ypbind(portmap_t)
')
optional_policy(`
nscd_socket_use(portmap_t)
')
optional_policy(`
seutil_sigchld_newrole(portmap_t)
')
optional_policy(`
udev_read_db(portmap_t)
')
########################################
#
# Portmap helper local policy
#
dontaudit portmap_helper_t self:capability net_admin;
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
allow portmap_helper_t self:tcp_socket create_stream_socket_perms;
allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
corenet_raw_sendrecv_generic_if(portmap_helper_t)
corenet_tcp_sendrecv_generic_node(portmap_helper_t)
corenet_udp_sendrecv_generic_node(portmap_helper_t)
corenet_raw_sendrecv_generic_node(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
corenet_tcp_bind_generic_node(portmap_helper_t)
corenet_udp_bind_generic_node(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
corenet_udp_bind_reserved_port(portmap_helper_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
corenet_tcp_connect_all_ports(portmap_helper_t)
domain_dontaudit_use_interactive_fds(portmap_helper_t)
files_read_etc_files(portmap_helper_t)
files_rw_generic_pids(portmap_helper_t)
init_rw_utmp(portmap_helper_t)
logging_send_syslog_msg(portmap_helper_t)
sysnet_read_config(portmap_helper_t)
userdom_use_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
optional_policy(`
nis_use_ypbind(portmap_helper_t)
')
|
GitWeb