author | Chris PeBenito <pebenito@ieee.org> | 2018-06-23 10:38:58 -0400 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2018-06-24 16:33:24 +0800 |
commit | 751926c0fbba4bf7105622ee65888b66740847a0 (patch) | |
tree | 6bbdd39cd5becdddc8e4cbc41332c383874c7972 /policy/modules/services/inetd.if | |
parent | xdg: move compat interfaces to upstream xdg module (diff) | |
Move all files out of the old contrib directory.
Diffstat (limited to 'policy/modules/services/inetd.if')
-rw-r--r-- | policy/modules/services/inetd.if | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
new file mode 100644
index 00000000..593cd40b
--- /dev/null
+++ b/policy/modules/services/inetd.if
@@ -0,0 +1,177 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+## <p>
+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use inetd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+## Run inetd child process in the
+## inet child domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+## <summary>
+## Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+') |
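Review bot: The summary for `inetd_service_domain` does not say that the interface also calls `stunnel_service_domain($1, $2)` under `optional_policy`, so whenever the stunnel module is built a caller gets that extra relationship without the documentation mentioning it. I would add a `<desc>` line such as `## If the stunnel module is present, the domain is also defined as a stunnel service.` so policy authors can see the full set of grants when auditing a service domain. The TCP-only `inetd_tcp_service_domain` has no matching stunnel call, which looks inconsistent and is worth confirming as intended. Separately, `a inetd service` in the `inetd_core_service_domain` summary and description should read `an inetd service`.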