path: root/policy/modules/kernel/corenetwork.te.in

policy_module(corenetwork)

########################################
#
# Declarations
#

attribute client_packet_type;
# This is an optimization for { port_type -port_t }
attribute defined_port_type;
attribute ipsec_spd_type;
attribute netif_type;
attribute node_type;
attribute packet_type;
attribute port_type;
attribute reserved_port_type;
attribute rpc_port_type;
attribute server_packet_type;
attribute ibpkey_type;
attribute ibendport_type;
# This is an optimization for { port_type -reserved_port_type }
attribute unreserved_port_type;

attribute corenet_unconfined_type;

type ppp_device_t;
dev_node(ppp_device_t)

#
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)

# double quotes needed here to avoid a build error
optional_policy(``
	container_mountpoint(tun_tap_device_t)
'')

########################################
#
# Ports and packets
#

#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
type client_packet_t, packet_type, client_packet_type;

#
# ICMP and ICMPv6
#
network_packet_simple(icmp)

#
# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
# connections using NetLabel which do not carry full SELinux contexts.
#
type netlabel_peer_t;
sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
mcs_constrained(netlabel_peer_t)

#
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
sid port gen_context(system_u:object_r:port_t,s0)

#
# unreserved_port_t is the default type of INET port numbers above 1023
#
type unreserved_port_t, port_type, unreserved_port_type;

#
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;

#
# hi_reserved_port_t is the type of INET port numbers between 512-1023.
#
type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;

#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;

network_port(adb, tcp,5037,s0)
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
network_port(afs3_callback, tcp,7001,s0, udp,7001,s0)
network_port(agentx, udp,705,s0, tcp,705,s0)
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
network_port(aptcacher, tcp,3142,s0)
network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cma, tcp,1050,s0, udp,1050,s0)
network_port(cobbler, tcp,25151,s0)
network_port(commplex_link, tcp,5001,s0, udp,5001,s0)
network_port(commplex_main, tcp,5000,s0, udp,5000,s0)
network_port(comsat, udp,512,s0)
network_port(condor, tcp,9618,s0, udp,9618,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
network_port(cslistener, tcp,9000,s0, udp,9000,s0)
network_port(ctdb, tcp,4379,s0, udp,4397,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, tcp,53,s0, udp,53,s0, tcp,853,s0)
network_port(dropbox, tcp,17500,s0, udp,17500,s0)
network_port(efs, tcp,520,s0)
network_port(embrace_dp_c, tcp,3198,s0, udp,3198,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
network_port(epmd, tcp,4369,s0, udp,4369,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(interwise, tcp,7778,s0, udp,7778,s0)
network_port(ionixnetmon, tcp,7410,s0, udp,7410,s0)
network_port(ipmi, udp,623,s0, udp,664,s0)
network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6665,s0, tcp,6666,s0, tcp,6667,s0, tcp,6668,s0, tcp,6669,s0, tcp,6697,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(jboss_iiop, tcp,3528,s0, udp,3528,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kismet, tcp,2501,s0)
network_port(kdeconnect, tcp,1714,s0, udp,1714,s0)
network_port(kprop, tcp,754,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(l2tp, tcp,1701,s0, udp,1701,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0, tcp,3269,s0)
network_port(lirc, tcp,8765,s0)
network_port(llmnr, tcp,5355,s0, udp,5355,s0)
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(lrrd) # no defined portcon
network_port(mail, tcp,2000,s0, tcp,3905,s0)
network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(milter) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(mon, tcp,2583,s0, udp,2583,s0)
network_port(monit, tcp,2812,s0)
network_port(monopd, tcp,1234,s0)
network_port(mountd, tcp,20048,s0, udp,20048,s0)
network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0)
network_port(mpd, tcp,6600,s0)
network_port(msgsrvr, tcp,8787,s0, udp,8787,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
network_port(nessus, tcp,1241,s0)
network_port(netport, tcp,3129,s0, udp,3129,s0)
network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
network_port(nfs, tcp,2049,s0, udp,2049,s0)
network_port(nfsrdma, tcp,20049,s0, udp,20049,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
network_port(ntp, udp,123,s0)
network_port(ntske, tcp,4460,s0)
network_port(oa_system, tcp,8022,s0, udp,8022,s0)
network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openhpid, tcp,4743,s0, udp,4743,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pdps, tcp,1314,s0, udp,1314,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
network_port(pingd, tcp,9125,s0)
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
network_port(pptp, tcp,1723,s0, udp,1723,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
network_port(puppet, tcp, 8140, s0)
network_port(puppetclient, tcp, 8139, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
network_port(redis, tcp,6379,s0, tcp,26379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rtorrent, tcp,6881,s0, udp,6881,s0, tcp,6926,s0)
network_port(rtsp, tcp,554,s0, udp,554,s0)
network_port(rwho, udp,513,s0)
network_port(salt, tcp,4505,s0, tcp,4506,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
network_port(servistaitsm, tcp,3636,s0, udp,3636,s0)
network_port(sieve, tcp,4190,s0)
network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
network_port(sixxsconfig, tcp,3874,s0, udp,3874,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
network_port(spamd, tcp,783,s0)
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
network_port(ssdp, tcp,1900,s0, udp,1900,s0)
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
network_port(svrloc, tcp,427,s0, udp,427,s0)
network_port(swat, tcp,901,s0)
network_port(syncthing, tcp,22000,s0)
network_port(syncthing_admin, tcp,8384,s0)
network_port(syncthing_discovery, udp,21027,s0)
network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
network_port(syslogd, udp,514,s0)
network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
network_port(traceroute, udp,64000-64010,s0)
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
network_port(ups, tcp,3493,s0)
network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
network_port(vnc, tcp,5900,s0)
network_port(wccp, udp,2048,s0)
network_port(websm, tcp,9090,s0, udp,9090,s0)
network_port(whois, tcp,43,s0, udp,43,s0, tcp,4321,s0, udp,4321,s0)
network_port(winshadow, tcp,3261,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
network_port(zented, tcp,1229,s0, udp,1229,s0)
network_port(zope, tcp,8021,s0)

# Defaults for reserved ports.	Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.

portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)

########################################
#
# Network nodes
#

#
# node_t is the default type of network nodes.
# The node_*_t types are used for specific network
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)

# network_node examples:
#network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)

########################################
#
# Network Interfaces
#

#
# netif_t is the default type of network interfaces.
#
type netif_t, netif_type;
sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)

build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
',`
typealias netif_t alias lo_netif_t;
')

########################################
#
# Unconfined access to this module
#

allow corenet_unconfined_type node_type:node { recvfrom sendto };
allow corenet_unconfined_type netif_type:netif { ingress egress };
allow corenet_unconfined_type packet_type:packet { send recv relabelto forward_in forward_out };
allow corenet_unconfined_type port_type:tcp_socket { name_connect };
allow corenet_unconfined_type port_type:sctp_socket { name_connect };

# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;

# Infiniband
corenet_ib_access_all_pkeys(corenet_unconfined_type)
corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)