diff options
Diffstat (limited to 'policy/modules/contrib/tftp.te')
-rw-r--r-- | policy/modules/contrib/tftp.te | 140 |
1 files changed, 0 insertions, 140 deletions
diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te deleted file mode 100644 index f455e70b8..000000000 --- a/policy/modules/contrib/tftp.te +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(tftp, 1.12.4) - -######################################## -# -# Declarations -# - -## <desc> -## <p> -## Determine whether tftp can modify -## public files used for public file -## transfer services. Directories/Files must -## be labeled public_content_rw_t. -## </p> -## </desc> -gen_tunable(tftp_anon_write, false) - -## <desc> -## <p> -## Determine whether tftp can manage -## generic user home content. -## </p> -## </desc> -gen_tunable(tftp_enable_homedir, false) - -type tftpd_t; -type tftpd_exec_t; -init_daemon_domain(tftpd_t, tftpd_exec_t) - -type tftpd_conf_t; -files_config_file(tftpd_conf_t) - -type tftpd_var_run_t; -files_pid_file(tftpd_var_run_t) - -type tftpdir_t; -files_type(tftpdir_t) - -type tftpdir_rw_t; -files_type(tftpdir_rw_t) - -######################################## -# -# Local policy -# - -allow tftpd_t self:capability { setgid setuid sys_chroot }; -dontaudit tftpd_t self:capability sys_tty_config; -allow tftpd_t self:tcp_socket { accept listen }; -allow tftpd_t self:unix_stream_socket { accept listen }; - -allow tftpd_t tftpd_conf_t:file read_file_perms; - -allow tftpd_t tftpdir_t:dir list_dir_perms; -allow tftpd_t tftpdir_t:file read_file_perms; -allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms; - -manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) -manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t) - -manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t) -files_pid_filetrans(tftpd_t, tftpd_var_run_t, file) - -kernel_read_system_state(tftpd_t) -kernel_read_kernel_sysctls(tftpd_t) - -corenet_all_recvfrom_unlabeled(tftpd_t) -corenet_all_recvfrom_netlabel(tftpd_t) -corenet_udp_sendrecv_generic_if(tftpd_t) -corenet_udp_sendrecv_generic_node(tftpd_t) -corenet_udp_bind_generic_node(tftpd_t) - -corenet_sendrecv_tftp_server_packets(tftpd_t) -corenet_udp_bind_tftp_port(tftpd_t) -corenet_udp_sendrecv_tftp_port(tftpd_t) - -dev_read_sysfs(tftpd_t) - -domain_use_interactive_fds(tftpd_t) - -files_read_etc_runtime_files(tftpd_t) -files_read_var_files(tftpd_t) -files_read_var_symlinks(tftpd_t) -files_search_var(tftpd_t) - -fs_getattr_all_fs(tftpd_t) -fs_search_auto_mountpoints(tftpd_t) - -auth_use_nsswitch(tftpd_t) - -logging_send_syslog_msg(tftpd_t) - -miscfiles_read_localization(tftpd_t) -miscfiles_read_public_files(tftpd_t) - -userdom_dontaudit_use_unpriv_user_fds(tftpd_t) -userdom_dontaudit_use_user_terminals(tftpd_t) -userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file }) - -tunable_policy(`tftp_anon_write',` - miscfiles_manage_public_files(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir',` - allow tftpd_t self:capability { dac_override dac_read_search }; - - files_list_home(tftpd_t) - userdom_manage_user_home_content_dirs(tftpd_t) - userdom_manage_user_home_content_files(tftpd_t) - userdom_manage_user_home_content_symlinks(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',` - fs_manage_nfs_dirs(tftpd_t) - fs_manage_nfs_files(tftpd_t) - fs_read_nfs_symlinks(tftpd_t) -') - -tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',` - fs_manage_cifs_dirs(tftpd_t) - fs_manage_cifs_files(tftpd_t) - fs_read_cifs_symlinks(tftpd_t) -') - -optional_policy(` - cobbler_read_lib_files(tftpd_t) -') - -optional_policy(` - inetd_udp_service_domain(tftpd_t, tftpd_exec_t) -') - -optional_policy(` - seutil_sigchld_newrole(tftpd_t) -') - -optional_policy(` - udev_read_db(tftpd_t) -') |