Diffstat (limited to 'policy/modules/services/inetd.if')
-rw-r--r--policy/modules/services/inetd.if177
1 files changed, 177 insertions, 0 deletions
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
new file mode 100644
index 000000000..593cd40bc
--- /dev/null
+++ b/policy/modules/services/inetd.if
@@ -0,0 +1,177 @@
+## <summary>Internet services daemon.</summary>
+
+########################################
+## <summary>
+## Define the specified domain as a inetd service.
+## </summary>
+## <desc>
+## <p>
+## Define the specified domain as a inetd service. The
+## inetd_service_domain(), inetd_tcp_service_domain(),
+## or inetd_udp_service_domain() interfaces should be used
+## instead of this interface, as this interface only provides
+## the common rules to these three interfaces.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_core_service_domain',`
+ gen_require(`
+ type inetd_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_tcp_service_domain',`
+
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_udp_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+## Define the specified domain as a TCP and UDP inetd service.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type associated with the inetd service process.
+## </summary>
+## </param>
+## <param name="entrypoint">
+## <summary>
+## The type associated with the process program.
+## </summary>
+## </param>
+#
+interface(`inetd_service_domain',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ inetd_core_service_domain($1, $2)
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+ allow $1 inetd_t:udp_socket rw_socket_perms;
+
+ optional_policy(`
+ stunnel_service_domain($1, $2)
+ ')
+')
+
+########################################
+## <summary>
+## Inherit and use inetd file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_use_fds',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:fd use;
+')
+
+########################################
+## <summary>
+## Run inetd child process in the
+## inet child domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inetd_domtrans_child',`
+ gen_require(`
+ type inetd_child_t, inetd_child_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, inetd_child_exec_t, inetd_child_t)
+')
+
+########################################
+## <summary>
+## Read and write inetd TCP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inetd_rw_tcp_sockets',`
+ gen_require(`
+ type inetd_t;
+ ')
+
+ allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
+')
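Review bot: The rule `allow $1 inetd_t:tcp_socket rw_stream_socket_perms;` is written out by hand in inetd_tcp_service_domain and again in inetd_service_domain, even though the same file defines inetd_rw_tcp_sockets for exactly that access; replacing those two lines with `inetd_rw_tcp_sockets($1)` keeps one place to audit if the permission set ever needs tightening, and the UDP rule in inetd_udp_service_domain and inetd_service_domain would benefit from a matching inetd_rw_udp_sockets wrapper for the same reason. The description of inetd_service_domain says only "TCP and UDP inetd service" but the body also pulls in `stunnel_service_domain($1, $2)` under optional_policy, which widens what the caller's domain is granted; the `<desc>` should state that, e.g. "When the stunnel module is present, the domain is also defined as a stunnel service." The wording "as a inetd service" in the headers of inetd_core_service_domain should read "an inetd service". Finally, inetd_tcp_service_domain opens with a stray blank line before gen_require, unlike every other interface in the file.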