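# Copyright (C) 2007-2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307  USA
#
#
"""Network policy templates for the initial-policy generator.

Every template below is a plain string fragment of SELinux reference-policy
source (type-enforcement rules or M4 interface definitions).  The literal token
``TEMPLATETYPE`` is the placeholder for the generated domain's base name and is
presumably replaced by the generator before the fragments are written out
(substitution happens outside this file).

The ``te_*`` fragments are graded from broadest to narrowest network access;
a reviewer of generated policy should prefer the ``*_need_port_*`` variants,
which only reference the domain's own port type, over the ``*_all_ports_*``
variants, whose macro names indicate access to every port.

Fixed in this revision (generated ``.if`` text only): a typo in the
``corenet_dontaudit_udp_bind`` summary ("sbind"), the parameter summary of the
``dontaudit`` interfaces, which now uniformly reads "Domain to not audit.", the
wording of the two ``relabelto`` summaries, and a missing blank line between
two interface definitions.
"""

########################### Type Enforcement File #############################

# Declares the domain's own port type and registers it with corenet so that
# the port-specific rules below have something to reference.
te_types="""
type TEMPLATETYPE_port_t;
corenet_port(TEMPLATETYPE_port_t)
"""

# Baseline rules for any networking domain: DNS lookups plus, per the macro
# name, receipt of packets from unlabeled peers on every interface.  The second
# macro is broad by design; tighten it in the generated policy if the domain
# only talks to labeled peers.
te_network="""\
sysnet_dns_name_resolve(TEMPLATETYPE_t)
corenet_all_recvfrom_unlabeled(TEMPLATETYPE_t)
"""

# Generic TCP socket use.  The macro names indicate send/receive on every port;
# this does not by itself grant bind or connect, which the fragments below add.
te_tcp="""\
allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t)
corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
"""

# Inbound TCP: allow binding to the generic node (any local address).
te_in_tcp="""\
corenet_tcp_bind_generic_node(TEMPLATETYPE_t)
"""

# Narrowest inbound TCP variant: bind only to the domain's own port type.
te_in_need_port_tcp="""\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_bind;
"""

# Narrowest outbound TCP variant: connect only to the domain's own port type.
te_out_need_port_tcp="""\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_connect;
"""

# Generic UDP socket use; mirrors te_tcp.  ``listen`` is included on the UDP
# socket class alongside create_socket_perms.
te_udp="""\
allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t)
corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t)
corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
"""

# Inbound UDP: allow binding to the generic node.
te_in_udp="""\
corenet_udp_bind_generic_node(TEMPLATETYPE_t)
"""

# Narrowest inbound UDP variant: bind only to the domain's own port type.
te_in_need_port_udp="""\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:udp_socket name_bind;
"""

# Outbound TCP to every port type.  Broadest outbound grant in this file; the
# generated policy should be narrowed to the port types actually contacted.
te_out_all_ports_tcp="""\
corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
"""

# NOTE(review): the variable is named "reserved ports" but the macro it emits
# is the rpc-ports one; confirm against the reference policy that this is the
# intended port range before relying on the name.
te_out_reserved_ports_tcp="""\
corenet_tcp_connect_all_rpc_ports(TEMPLATETYPE_t)
"""

# Outbound TCP to the unreserved port range only.
te_out_unreserved_ports_tcp="""\
corenet_tcp_connect_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Inbound TCP bind to every port type.  Broadest inbound TCP grant; prefer
# te_in_need_port_tcp when the service listens on a single known port.
te_in_all_ports_tcp="""\
corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
"""

# NOTE(review): same reserved-vs-rpc naming question as te_out_reserved_ports_tcp.
te_in_reserved_ports_tcp="""\
corenet_tcp_bind_all_rpc_ports(TEMPLATETYPE_t)
"""

# Inbound TCP bind to the unreserved port range only.
te_in_unreserved_ports_tcp="""\
corenet_tcp_bind_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Inbound UDP bind to every port type; see te_in_all_ports_tcp.
te_in_all_ports_udp="""\
corenet_udp_bind_all_ports(TEMPLATETYPE_t)
"""

# NOTE(review): same reserved-vs-rpc naming question as te_out_reserved_ports_tcp.
te_in_reserved_ports_udp="""\
corenet_udp_bind_all_rpc_ports(TEMPLATETYPE_t)
"""

# Inbound UDP bind to the unreserved port range only.
te_in_unreserved_ports_udp="""\
corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Interface (.if) definitions exposing the domain's port and packet types to
# other modules.  Each interface takes one parameter, the calling domain ($1).
# The ``dontaudit`` variants silence denials rather than granting access; their
# parameter is documented as "Domain to not audit." throughout.  The packet
# interfaces reference TEMPLATETYPE_client_packet_t / TEMPLATETYPE_server_packet_t,
# which are not declared in this file.
if_rules="""\
########################################
## <summary>
##	Send and receive TCP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_send_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_receive_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_TEMPLATETYPE_port',`
	corenet_udp_send_TEMPLATETYPE_port($1)
	corenet_udp_receive_TEMPLATETYPE_port($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_sendrecv_TEMPLATETYPE_port',`
	corenet_dontaudit_udp_send_TEMPLATETYPE_port($1)
	corenet_dontaudit_udp_receive_TEMPLATETYPE_port($1)
')

########################################
## <summary>
##	Bind TCP sockets to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket name_bind;

')

########################################
## <summary>
##	Bind UDP sockets to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket name_bind;

')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket name_bind;

')

########################################
## <summary>
##	Make a TCP connection to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
')


########################################
## <summary>
##	Send TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_send_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet send;
')

########################################
## <summary>
##	Do not audit attempts to send TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_send_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_client_packet_t:packet send;
')

########################################
## <summary>
##	Receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_receive_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet recv;
')

########################################
## <summary>
##	Do not audit attempts to receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_receive_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_client_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_sendrecv_TEMPLATETYPE_client_packets',`
	corenet_send_TEMPLATETYPE_client_packets($1)
	corenet_receive_TEMPLATETYPE_client_packets($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_client_packets',`
	corenet_dontaudit_send_TEMPLATETYPE_client_packets($1)
	corenet_dontaudit_receive_TEMPLATETYPE_client_packets($1)
')

########################################
## <summary>
##	Relabel packets to the TEMPLATETYPE_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet relabelto;
')


########################################
## <summary>
##	Send TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_send_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet send;
')

########################################
## <summary>
##	Do not audit attempts to send TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_send_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_server_packet_t:packet send;
')

########################################
## <summary>
##	Receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_receive_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet recv;
')

########################################
## <summary>
##	Do not audit attempts to receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_receive_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_server_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_sendrecv_TEMPLATETYPE_server_packets',`
	corenet_send_TEMPLATETYPE_server_packets($1)
	corenet_receive_TEMPLATETYPE_server_packets($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_server_packets',`
	corenet_dontaudit_send_TEMPLATETYPE_server_packets($1)
	corenet_dontaudit_receive_TEMPLATETYPE_server_packets($1)
')

########################################
## <summary>
##	Relabel packets to the TEMPLATETYPE_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet relabelto;
')
"""

# No extra type-enforcement rules are emitted by this template set; kept as a
# single newline so callers that concatenate it get well-formed output.
te_rules="""
"""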