policy_module(portmap, 1.14.0)

########################################
#
# Declarations
#

# Roles allowed to run the helper domain. Declared as a role attribute so
# the roles themselves are attached elsewhere (the module's interface file,
# not shown here) rather than hard-coded in this .te.
attribute_role portmap_helper_roles;

# Main portmapper daemon: portmap_t is entered from portmap_exec_t when
# started by init (init_daemon_domain).
type portmap_t;
type portmap_exec_t;
init_daemon_domain(portmap_t, portmap_exec_t)

# Helper domain, set up as an init *system* domain rather than a daemon
# domain, and runnable by whatever roles carry portmap_helper_roles.
# Which binaries get portmap_helper_exec_t is decided by the .fc file,
# which is not part of this listing.
type portmap_helper_t;
type portmap_helper_exec_t;
init_system_domain(portmap_helper_t, portmap_helper_exec_t)
role portmap_helper_roles types portmap_helper_t;

# Init script label for the service.
type portmap_initrc_exec_t;
init_script_file(portmap_initrc_exec_t)

# Runtime/PID file type. The portmap_var_run_t alias keeps file contexts
# and other policies that still use the old name resolving to this type.
type portmap_runtime_t alias portmap_var_run_t;
files_pid_file(portmap_runtime_t)

# Private temporary file type for the daemon.
type portmap_tmp_t;
files_tmp_file(portmap_tmp_t)

########################################
#
# Local policy
#

# setuid/setgid are the only capabilities granted — presumably for dropping
# root after startup; confirm against the daemon. NOTE(review): there is no
# net_bind_service here, so if the daemon binds its reserved service port
# while still root, that capability check would be denied — verify on a
# live system that the bind succeeds without it.
allow portmap_t self:capability { setgid setuid };
# Terminal-config capability attempts are silenced, not granted.
dontaudit portmap_t self:capability sys_tty_config;
allow portmap_t self:unix_stream_socket { accept listen };
allow portmap_t self:tcp_socket { accept listen };

# Private temp files and directories, with an automatic type transition
# when the daemon creates them in the generic tmp directory.
manage_dirs_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
manage_files_pattern(portmap_t, portmap_tmp_t, portmap_tmp_t)
files_tmp_filetrans(portmap_t, portmap_tmp_t, { file dir })

# PID file: full file management on portmap_runtime_t, and new files created
# in the generic pid directory get that label automatically.
manage_files_pattern(portmap_t, portmap_runtime_t, portmap_runtime_t)
files_pid_filetrans(portmap_t, portmap_runtime_t, file)

kernel_read_system_state(portmap_t)
kernel_read_kernel_sysctls(portmap_t)

# General network I/O: any interface, any node, any port, plus unlabeled
# and NetLabel-labelled packets. Receiving is broad by design for a port
# mapper; the bind/connect rules below are the ones that shape exposure.
corenet_all_recvfrom_unlabeled(portmap_t)
corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_generic_if(portmap_t)
corenet_udp_sendrecv_generic_if(portmap_t)
corenet_tcp_sendrecv_generic_node(portmap_t)
corenet_udp_sendrecv_generic_node(portmap_t)
corenet_tcp_sendrecv_all_ports(portmap_t)
corenet_udp_sendrecv_all_ports(portmap_t)
corenet_tcp_bind_generic_node(portmap_t)
corenet_udp_bind_generic_node(portmap_t)

corenet_sendrecv_all_client_packets(portmap_t)
corenet_sendrecv_all_server_packets(portmap_t)

# The service port itself (the portmap port type; the actual port number
# comes from the corenetwork port declarations, not this file).
corenet_tcp_bind_portmap_port(portmap_t)
corenet_udp_bind_portmap_port(portmap_t)

# NOTE(review): outbound TCP connect to *every* port type. This is the
# widest rule in the domain; if the daemon only needs to reach a few
# services (e.g. for registration callbacks), replace it with the specific
# corenet_tcp_connect_*_port interfaces — confirm what it actually dials.
corenet_tcp_connect_all_ports(portmap_t)

# Additional binds beyond the service port: generic (unreserved) and
# reserved ports. The two calls per protocol mirror the split the corenet
# interfaces provide.
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)

corenet_tcp_bind_reserved_port(portmap_t)
corenet_udp_bind_reserved_port(portmap_t)

# NOTE(review): the suppression is asymmetric — TCP only hides bind denials
# on reserved ports, UDP hides bind denials on *all* ports (the helper domain
# below uses the *_reserved_ports form for both). dontaudit grants nothing,
# but it also removes any unexpected UDP bind attempt from the AVC log; make
# sure that is intended before relying on audit data for this domain.
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_t)
corenet_dontaudit_udp_bind_all_ports(portmap_t)

dev_read_sysfs(portmap_t)

fs_getattr_all_fs(portmap_t)
fs_search_auto_mountpoints(portmap_t)

# File descriptors inherited from interactive parents are usable here;
# the helper domain below only dontaudits the same access.
domain_use_interactive_fds(portmap_t)

logging_send_syslog_msg(portmap_t)

miscfiles_read_localization(portmap_t)

# Leaked unprivileged-user fds and home-directory searches are silenced
# rather than allowed.
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
userdom_dontaudit_search_user_home_dirs(portmap_t)

# Only compiled in when the seutil module is present.
optional_policy(`
	seutil_sigchld_newrole(portmap_t)
')

# Only compiled in when the udev module is present.
optional_policy(`
	udev_read_db(portmap_t)
')

########################################
#
# Helper local policy
#

# net_admin attempts are silenced, not granted; the helper has no allowed
# capabilities at all.
dontaudit portmap_helper_t self:capability net_admin;
allow portmap_helper_t self:tcp_socket { accept listen };

# The helper shares the daemon's PID-file type and may create/delete it.
# This is a direct file-class allow, unlike the manage_files_pattern used
# for portmap_t, so directory permissions on the pid directory come from
# files_pid_filetrans / files_rw_generic_pids, not from this rule.
allow portmap_helper_t portmap_runtime_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t, portmap_runtime_t, file)

# Same general network I/O as the daemon: any interface, node and port,
# plus unlabeled and NetLabel packets.
corenet_all_recvfrom_unlabeled(portmap_helper_t)
corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
corenet_udp_sendrecv_generic_if(portmap_helper_t)
corenet_tcp_sendrecv_generic_node(portmap_helper_t)
corenet_udp_sendrecv_generic_node(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
corenet_tcp_bind_generic_node(portmap_helper_t)
corenet_udp_bind_generic_node(portmap_helper_t)

corenet_sendrecv_all_client_packets(portmap_helper_t)
corenet_sendrecv_all_server_packets(portmap_helper_t)

# Reserved-port binds only; unlike portmap_t the helper gets neither the
# portmap port nor generic (unreserved) port binds.
corenet_tcp_bind_reserved_port(portmap_helper_t)
corenet_udp_bind_reserved_port(portmap_helper_t)

# NOTE(review): connect to every TCP port type, as for the daemon. A helper
# that only talks to the local portmapper would need just the portmap port
# type — confirm what it connects to and narrow if possible.
corenet_tcp_connect_all_ports(portmap_helper_t)

# Reserved-port bind denials are hidden symmetrically for TCP and UDP here
# (compare the daemon, which hides all UDP port binds).
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)

# Inherited interactive fds are silenced for the helper, not allowed.
domain_dontaudit_use_interactive_fds(portmap_helper_t)

# NOTE(review): read/write on generically-labelled pid files appears wider
# than the portmap_runtime_t rule above already gives; if the helper only
# touches the portmap pid file, this interface may be droppable — confirm.
files_rw_generic_pids(portmap_helper_t)

# Name-service lookups through whatever nsswitch backends are enabled.
auth_use_nsswitch(portmap_helper_t)

# NOTE(review): writing utmp is unusual for an RPC helper; worth confirming
# the binary really updates login records rather than just reading them.
init_rw_utmp(portmap_helper_t)

logging_send_syslog_msg(portmap_helper_t)

# The helper is run interactively (consistent with the portmap_helper_roles
# attribute): it may use user terminals, and leaked fds from any user
# domain are silenced rather than allowed.
userdom_use_user_terminals(portmap_helper_t)
userdom_dontaudit_use_all_users_fds(portmap_helper_t)