* gentoo policies for daemontools, ucspi-tcp, publicfile, djbdns, clockspeed
From: petre rodan @ 2004-11-21 11:34 UTC (permalink / raw)
To: SELinux
[-- Attachment #1.1: Type: text/plain, Size: 351 bytes --]
Hi,
This is a collection of policies that I've been using and maintaining for more than a year now.
[1] http://cr.yp.to/daemontools.html
[2] http://cr.yp.to/ucspi-tcp.html
[3] http://cr.yp.to/publicfile.html
[4] http://cr.yp.to/djbdns.html
[5] http://cr.yp.to/clockspeed.html
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
[-- Attachment #1.2: clockspeed.fc --]
[-- Type: text/plain, Size: 475 bytes --]
# all clockspeed binaries share one domain, clockspeed_t; it is entered from
# sysadm_t (clockspeed.te) and from a daemontools run script (daemontools.te)
/usr/bin/clockspeed -- system_u:object_r:clockspeed_exec_t
/usr/bin/clockadd -- system_u:object_r:clockspeed_exec_t
/usr/bin/clockview -- system_u:object_r:clockspeed_exec_t
/usr/bin/sntpclock -- system_u:object_r:clockspeed_exec_t
/usr/bin/taiclock -- system_u:object_r:clockspeed_exec_t
/usr/bin/taiclockd -- system_u:object_r:clockspeed_exec_t
/usr/sbin/ntpclockset -- system_u:object_r:clockspeed_exec_t
# state directory; clockspeed_t may create files and fifos here
/var/lib/clockspeed(/.*)? system_u:object_r:clockspeed_var_lib_t
[-- Attachment #1.3: clockspeed.te --]
[-- Type: text/plain, Size: 854 bytes --]
#DESC clockspeed - Simple network time protocol client
#
# Author Petre Rodan <kaiowas@gentoo.org>
#
# port taiclockd listens on; the number is assigned in net_contexts
type clockspeed_port_t, port_type;
daemon_base_domain(clockspeed)
var_lib_domain(clockspeed)
can_network(clockspeed_t)
read_locale(clockspeed_t)
# sys_time is what allows the system clock to be set/adjusted. All seven
# binaries in clockspeed.fc share this domain, so every one of them gets it,
# whether or not it actually touches the clock.
allow clockspeed_t self:capability { sys_time net_bind_service };
allow clockspeed_t self:unix_dgram_socket create_socket_perms;
allow clockspeed_t self:unix_stream_socket create_socket_perms;
allow clockspeed_t clockspeed_port_t:udp_socket name_bind;
# NOTE(review): this grants receiving from the packet sockets of every domain
# on the system. It looks like an audit2allow leftover rather than something a
# time client needs - confirm which program triggered it and narrow or drop.
allow clockspeed_t domain:packet_socket recvfrom;
allow clockspeed_t var_t:dir search;
allow clockspeed_t clockspeed_var_lib_t:file create_file_perms;
allow clockspeed_t clockspeed_var_lib_t:fifo_file create_file_perms;
# sysadm can play with clockspeed
role sysadm_r types clockspeed_t;
domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
[-- Attachment #1.4: daemontools.fc --]
[-- Type: text/plain, Size: 2143 bytes --]
# everything below the service directories (supervise/ control files, fifos,
# status). Note the pattern does not match /var/service itself, which keeps
# its parent label; svscan is presumably pointed at /service (next entry).
/var/service/.* system_u:object_r:svc_svc_t
# symlinks to /var/service/*
/service(/.*)? system_u:object_r:svc_svc_t
# supervise scripts
# admin wrappers, entered from run_init_t into svc_script_t
/usr/bin/svc-add -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-isdown -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-isup -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-remove -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-start -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-status -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-stop -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-waitdown -- system_u:object_r:svc_script_exec_t
/usr/bin/svc-waitup -- system_u:object_r:svc_script_exec_t
# supervise init binaries
# these programs read/write to /service/*/supervise/* and /service/*/log/supervise/*
# entered from initrc_t, run_init_t and svc_script_t into svc_start_t
/usr/bin/svc -- system_u:object_r:svc_start_exec_t
/usr/bin/svscan -- system_u:object_r:svc_start_exec_t
/usr/bin/svscanboot -- system_u:object_r:svc_start_exec_t
/usr/bin/svok -- system_u:object_r:svc_start_exec_t
# svstat is deliberately left unlabeled and runs in the domain of whoever calls it
#/usr/bin/svstat -- system_u:object_r:svc_start_exec_t
/usr/bin/supervise -- system_u:object_r:svc_start_exec_t
# starting scripts
# note: run.* also matches run.bak, run.orig and the like, and without a
# -- qualifier directories of that name receive the label as well
/var/service/.*/run.* system_u:object_r:svc_run_exec_t
/var/service/.*/log/run system_u:object_r:svc_run_exec_t
# configurations
# env/ directories, read-only for svc_run_t
/var/service/.*/env(/.*)? system_u:object_r:svc_conf_t
# log
# written by multilog (svc_multilog_t); new files inherit svc_log_t
/var/service/.*/log/main(/.*)? system_u:object_r:svc_log_t
# programs that impose a given environment to daemons
# these run inside svc_run_t without a transition (execute_no_trans in
# daemontools.te), so the uid/gid switch made by setuidgid/envuidgid happens
# in svc_run_t - presumably why that domain holds setuid/setgid
/usr/bin/softlimit -- system_u:object_r:svc_run_exec_t
/usr/bin/setuidgid -- system_u:object_r:svc_run_exec_t
/usr/bin/envuidgid -- system_u:object_r:svc_run_exec_t
/usr/bin/envdir -- system_u:object_r:svc_run_exec_t
/usr/bin/setlock -- system_u:object_r:svc_run_exec_t
# helper programs
/usr/bin/fghack -- system_u:object_r:svc_run_exec_t
/usr/bin/pgrphack -- system_u:object_r:svc_run_exec_t
/var/run/svscan\.pid -- system_u:object_r:initrc_var_run_t
# daemontools logger # writes to service/*/log/main/ and /var/log/*/
/usr/bin/multilog -- system_u:object_r:svc_multilog_exec_t
# init glue, runs as a normal init script
/sbin/svcinit -- system_u:object_r:initrc_exec_t
/sbin/runsvcscript\.sh -- system_u:object_r:initrc_exec_t
[-- Attachment #1.5: daemontools.te --]
[-- Type: text/plain, Size: 6056 bytes --]
#DESC Daemontools - Tools for managing UNIX services
#
# Author: Petre Rodan <kaiowas@gentoo.org>
# with the help of Chris PeBenito, Russell Coker and Tad Glines
#
#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#
##############################################################
# type definitions
# svc_conf_t: the per-service env/ directories (read by run scripts)
# svc_log_t:  the per-service log/main directories (written by multilog)
# svc_svc_t:  everything else under a service directory, including the
#             supervise/ control files and fifos
type svc_conf_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;
type svc_svc_t, file_type, sysadmfile;
##############################################################
# the domains
# NOTE(review): not used anywhere in this file, and it refers to svc_t, which
# nothing here declares - expanding it would reference an undeclared type.
# Safe to remove.
define(`svc_sub_domain', `
daemon_sub_domain(svc_t, svc_$1)
')
# give a domain full create/read/write access to the service directories;
# files and directories it creates there are labeled svc_svc_t
define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')
# read-only access to the env/ directories; used once, for svc_run_t
define(`svc_confdir_domain', `
r_dir_file($1, svc_conf_t)
')
# svc_script_t: the svc-* admin wrappers
daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)
# part started by initrc_t
# svc_start_t: svscan, supervise, svc, svok
daemon_base_domain(svc_start)
svc_filedir_domain(svc_start_t)
# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
# the domain for /service/*/run and /service/*/log/run
# run scripts only read env/ (svc_conf_t); each daemon they launch gets its
# own domain through the domain_auto_trans rules at the end of this file
daemon_sub_domain(svc_start_t, svc_run)
svc_confdir_domain(svc_run_t)
# the logger
# files multilog creates inside an svc_log_t directory stay svc_log_t
daemon_sub_domain(svc_run_t, svc_multilog)
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
######
# rules for all those domains
# svc_start_t
allow svc_start_t self:fifo_file rw_file_perms;
# kill: supervise signals service processes that may have switched to another
# uid (see setuidgid in the run scripts)
allow svc_start_t self:capability kill;
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_start_t { var_t var_run_t }:dir search;
# svscanboot is a shell script
can_exec(svc_start_t, shell_exec_t)
# svscan runs supervise, supervise runs svc/svok etc. - all stay in svc_start_t
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process signal;
# svc_run_t
# setuid/setgid: setuidgid and envuidgid switch to the service user while
# still in this domain. chown/fsetid: no rule in this file shows which tool
# needs these - worth confirming before they are kept.
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
allow svc_run_t self:process { fork setrlimit };
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_svc_t:file r_file_perms;
# softlimit, setuidgid, envdir, setlock etc. run here without a transition
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_run_t { var_t var_run_t }:dir search;
# NOTE(review): executing etc_t and lib_t files from a run script is unusual;
# together with bin_t/sbin_t/shell this makes svc_run_t a rather general
# execution domain. It is only as trustworthy as the run scripts, which
# sysadm_t is allowed to write (create_file_perms on svc_run_exec_t below).
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
# stat any executable, e.g. for test -x in the run scripts
allow svc_run_t exec_type:{ file lnk_file } getattr;
allow svc_run_t init_t:fd use;
allow svc_run_t initrc_t:fd use;
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_t:dir search;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;
# multilog creates /service/*/log/status
# NOTE(review): the two rules below only grant read/search on svc_svc_t
# directories and append/write on existing svc_svc_t files - no create, so
# the comment above does not match the rules. multilog presumably keeps its
# state files in the log directory it is given (log/main, svc_log_t, covered
# by the auto_trans above); check whether this pair is still needed.
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
# (djbdns.fc labels its log/main directories var_log_t rather than
# svc_log_t, so both sets of rules are exercised in practice)
allow svc_multilog_t var_t:dir search;
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
allow svc_multilog_t init_t:fd use;
# same grant svc_ipc_domain makes on the next line; harmless duplicate
allow svc_start_t svc_multilog_t:process signal;
svc_ipc_domain(svc_multilog_t)
# run_init can control svc_script_t and svc_start_t domains
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
# NOTE(review): this makes the svc wrappers and svscan valid entry points for
# initrc_t itself, on top of the transitions into svc_*_t. Confirm what needed
# it; otherwise it widens the set of programs that may run as initrc_t.
allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
svc_filedir_domain(initrc_t)
# NOTE(review): sys_admin is close to unrestricted root. The svc-* wrappers
# appear to be shell scripts (they exec shell_exec_t below) and it is not
# obvious which call needs it - find the denial it silences and narrow it.
allow svc_script_t self:capability sys_admin;
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t self:file r_file_perms;
allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
allow svc_script_t svc_run_exec_t:file r_file_perms;
allow svc_script_t svc_script_exec_t:file execute_no_trans;
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;
# sysadm can tweak svc_run_exec_t files
# run scripts are trusted code: svc_run_t executes them with broad exec
# rights and transitions from them into the daemon domains listed below
allow sysadm_t svc_run_exec_t:file create_file_perms;
################################################################
# scripts that can be started by daemontools
# keep it sorted please.
# each entry: the run script (svc_run_t) transitions into the daemon domain
# on exec, and svc_ipc_domain lets supervise signal the daemon and the
# daemon report back over the supervise fifo. A daemon without an entry
# here would keep running in svc_run_t.
ifdef(`apache.te', `
domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
svc_ipc_domain(httpd_t)
dontaudit httpd_t svc_svc_t:dir { search };
')
ifdef(`clockspeed.te', `
domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
svc_ipc_domain(clockspeed_t)
r_dir_file(svc_run_t, clockspeed_var_lib_t)
allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
')
ifdef(`dante.te', `
domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
svc_ipc_domain(dante_t)
')
# publicfile is started through tcpserver, so no transition from svc_run_t here
ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')
ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
r_dir_file(svc_run_t, qmail_etc_t)
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')
ifdef(`rsyncd.te', `
domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
svc_ipc_domain(rsyncd_t)
')
ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')
ifdef(`stunnel.te', `
domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
svc_ipc_domain(stunnel_t)
')
# tcpserver itself; djbdns, publicfile and qmail-smtpd transition from there
ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')
[-- Attachment #1.6: daemontools_macros.te --]
[-- Type: text/plain, Size: 195 bytes --]
# svc_ipc_domain(domain): two-way plumbing between a supervised daemon and
# its supervise process (svc_start_t): supervise may signal the daemon, the
# daemon may reap/notify supervise, use its inherited descriptors and talk
# over the supervise control fifo.
define(`svc_ipc_domain',`
allow svc_start_t $1:process signal;
allow $1 svc_start_t:process sigchld;
allow $1 svc_start_t:fd use;
allow $1 svc_start_t:fifo_file { read write };
')
[-- Attachment #1.7: djbdns.fc --]
[-- Type: text/plain, Size: 1435 bytes --]
# one domain per djbdns daemon (see djbdns_daemon_domain / djbdns_tcpserver_domain)
/usr/bin/dnscache -- system_u:object_r:djbdns_dnscache_exec_t
/usr/bin/tinydns -- system_u:object_r:djbdns_tinydns_exec_t
/usr/bin/axfrdns -- system_u:object_r:djbdns_axfrdns_exec_t
# service directories live outside /var/service, so they are labeled here
# the same way daemontools.fc labels /var/service. Ordering matters: keep
# the catch-all line first and the specific entries after it, as setfiles
# takes the last matching entry. log/main is var_log_t here rather than
# the svc_log_t daemontools.fc uses; multilog may write both.
# dnscache[a-z]? covers several instances (dnscache, dnscachex, ...)
/var/dnscache[a-z]?(/.*)? system_u:object_r:svc_svc_t
/var/dnscache[a-z]?/run -- system_u:object_r:svc_run_exec_t
/var/dnscache[a-z]?/log/run -- system_u:object_r:svc_run_exec_t
/var/dnscache[a-z]?/env(/.*)? system_u:object_r:svc_conf_t
# root/ holds the cache configuration (ip/, servers/) and is the chroot target
/var/dnscache[a-z]?/root(/.*)? system_u:object_r:djbdns_dnscache_conf_t
/var/dnscache[a-z]?/log/main(/.*)? system_u:object_r:var_log_t
/var/tinydns(/.*)? system_u:object_r:svc_svc_t
/var/tinydns/run -- system_u:object_r:svc_run_exec_t
/var/tinydns/log/run -- system_u:object_r:svc_run_exec_t
/var/tinydns/env(/.*)? system_u:object_r:svc_conf_t
# root/ holds the zone data tinydns serves (and axfrdns reads)
/var/tinydns/root(/.*)? system_u:object_r:djbdns_tinydns_conf_t
/var/tinydns/log/main(/.*)? system_u:object_r:var_log_t
/var/axfrdns(/.*)? system_u:object_r:svc_svc_t
/var/axfrdns/run -- system_u:object_r:svc_run_exec_t
/var/axfrdns/log/run -- system_u:object_r:svc_run_exec_t
/var/axfrdns/env(/.*)? system_u:object_r:svc_conf_t
/var/axfrdns/root(/.*)? system_u:object_r:djbdns_axfrdns_conf_t
/var/axfrdns/log/main(/.*)? system_u:object_r:var_log_t
[-- Attachment #1.8: djbdns.te --]
[-- Type: text/plain, Size: 1264 bytes --]
# DESC selinux policy for djbdns
# http://cr.yp.to/djbdns.html
#
# Author: petre rodan <kaiowas@gentoo.org>
#
# this policy depends on ucspi-tcp and daemontools policies
#
# djbdns_daemon_domain(name): a daemon launched directly by its daemontools
# run script (dnscache, tinydns). Declares djbdns_name_t and the
# djbdns_name_conf_t type for its root/ directory.
define(`djbdns_daemon_domain', `
type djbdns_$1_conf_t, file_type, sysadmfile;
daemon_domain(djbdns_$1)
domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
svc_ipc_domain(djbdns_$1_t)
can_network(djbdns_$1_t)
allow djbdns_$1_t dns_port_t:{ udp_socket tcp_socket } name_bind;
# NOTE(review): port_t covers every port without a specific type, i.e. all
# unreserved ports. Presumably dnscache, which sends upstream queries, is the
# one that needs this; tinydns only listens on dns_port_t. Consider moving
# this rule out of the macro and granting it to djbdns_dnscache_t only.
allow djbdns_$1_t port_t:udp_socket name_bind;
r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
# sys_chroot plus setuid/setgid: the daemons chroot into root/ and drop to
# the uid/gid from env/ at startup (as far as this policy shows)
allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
allow djbdns_$1_t svc_svc_t:dir r_dir_perms;
')
# djbdns_tcpserver_domain(name): a daemon run per connection under tcpserver
# (axfrdns). The accepted connection is an inherited utcpserver_t socket;
# the daemon only needs to read and write it.
define(`djbdns_tcpserver_domain', `
type djbdns_$1_conf_t, file_type, sysadmfile;
daemon_domain(djbdns_$1)
domain_auto_trans(utcpserver_t, djbdns_$1_exec_t, djbdns_$1_t)
svc_ipc_domain(djbdns_$1_t)
# NOTE(review): tcpserver only binds TCP; the udp_socket name_bind here looks
# unnecessary and could be dropped.
allow utcpserver_t dns_port_t:{ udp_socket tcp_socket } name_bind;
r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
allow djbdns_$1_t utcpserver_t:tcp_socket { read write };
')
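djbdns_daemon_domain(dnscache)
# read 'seed' file
allow djbdns_dnscache_t svc_svc_t:file r_file_perms;
djbdns_daemon_domain(tinydns)
djbdns_tcpserver_domain(axfrdns)
# axfrdns serves the zone data that tinydns publishes. djbdns.fc labels that
# data (/var/tinydns/root) djbdns_tinydns_conf_t; the earlier rule named
# djbdns_tinydns_t, which is the tinydns process domain and never appears on
# a file, so it granted nothing useful and the real read stayed denied.
r_dir_file(djbdns_axfrdns_t, djbdns_tinydns_conf_t)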
[-- Attachment #1.9: ucspi-tcp.fc --]
[-- Type: text/plain, Size: 59 bytes --]
# tcpserver is the only labeled binary; tcpclient and the rest run unconfined
# in the domain of their caller
/usr/bin/tcpserver -- system_u:object_r:utcpserver_exec_t
[-- Attachment #1.10: ucspi-tcp.te --]
[-- Type: text/plain, Size: 894 bytes --]
#DESC ucspi-tcp - TCP Server and Client Tools
#
# Author Petre Rodan <kaiowas@gentoo.org>
#
# http://cr.yp.to/ucspi-tcp.html
# NOTE(review): declared but never used - no rule here binds it and the
# net_contexts diff assigns it no port. tcpserver binds whichever port the
# service policy grants (smtp_port_t below, dns/ftp/http in djbdns.te and
# publicfile.te). Drop it or wire it up.
type utcpserver_port_t, port_type;
daemon_base_domain(utcpserver)
can_network(utcpserver_t)
#reads /etc/nsswitch.conf and resolv.conf
allow utcpserver_t etc_t:file { getattr read };
allow utcpserver_t resolv_conf_t:file { read };
allow utcpserver_t { bin_t var_t }:dir { search };
# binds the (possibly reserved) listening port as root, then presumably drops
# to the uid/gid it was given before running the service program
allow utcpserver_t self:capability { net_bind_service setgid setuid };
allow utcpserver_t self:fifo_file { read write };
allow utcpserver_t self:process { fork sigchld };
# per-service child domains: the accepted connection is an inherited
# utcpserver_t socket, so each child needs read/write on it
ifdef(`qmail.te', `
domain_auto_trans(utcpserver_t, qmail_smtpd_exec_t, qmail_smtpd_t)
allow utcpserver_t smtp_port_t:tcp_socket name_bind;
allow qmail_smtpd_t utcpserver_t:tcp_socket { read write getattr };
allow utcpserver_t etc_qmail_t:dir r_dir_perms;
allow utcpserver_t etc_qmail_t:file r_file_perms;
')
[-- Attachment #1.11: net_types.diff --]
[-- Type: text/plain, Size: 2294 bytes --]
Index: net_contexts
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/net_contexts,v
retrieving revision 1.22
diff -u -B -r1.22 net_contexts
--- net_contexts 8 Nov 2004 20:57:03 -0000 1.22
+++ net_contexts 21 Nov 2004 11:12:56 -0000
@@ -38,7 +38,7 @@
portcon udp 892 system_u:object_r:inetd_child_port_t
portcon tcp 2105 system_u:object_r:inetd_child_port_t
')
-ifdef(`ftpd.te', `
+ifdef(`use_ftpd', `
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
')
@@ -57,7 +57,7 @@
ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
-ifdef(`apache.te', `
+ifdef(`use_http', `
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
')
@@ -215,6 +215,7 @@
portcon tcp 8080 system_u:object_r:http_cache_port_t
portcon udp 3130 system_u:object_r:http_cache_port_t
')
+ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
ifdef(`amanda.te', `
portcon udp 10080 system_u:object_r:amanda_port_t
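Review bot: The port number on the new clockspeed_port_t line looks like a digit transposition: as far as I recall the TAI clock server in the clockspeed package (taiclockd) listens on UDP 4014, not 4041, so please check the package documentation and change `4041` to `4014` if that is confirmed. clockspeed.te only grants name_bind on clockspeed_port_t, so with the wrong number taiclockd would be denied its bind on a real system. If 4041 is intentional for this build, a short comment on the line naming the service would save the next reader the same question.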
Index: types/network.te
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux-usr/policy/types/network.te,v
retrieving revision 1.13
diff -u -B -r1.13 network.te
--- types/network.te 8 Nov 2004 20:57:08 -0000 1.13
+++ types/network.te 21 Nov 2004 11:12:57 -0000
@@ -26,6 +26,7 @@
ifdef(`nsd.te', `define(`use_dns')')
ifdef(`tinydns.te', `define(`use_dns')')
ifdef(`dnsmasq.te', `define(`use_dns')')
+ifdef(`djbdns.te', `define(`use_dns')')
ifdef(`use_dns', `
type dns_port_t, port_type;
')
@@ -44,7 +45,17 @@
ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
')
-ifdef(`apache.te', `define(`use_http_cache')')
+ifdef(`apache.te', `
+define(`use_http_cache')
+define(`use_http')
+')
+ifdef(`ftpd.te', `
+define(`use_ftpd')
+')
+ifdef(`publicfile.te', `
+define(`use_http')
+define(`use_ftpd')
+')
ifdef(`squid.te', `define(`use_http_cache')')
ifdef(`use_http_cache', `
type http_cache_port_t, port_type;
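Review bot: The new use_ftpd/use_http switches only gate the portcon lines in net_contexts; the port types themselves are still declared by whichever policy happens to be present, and publicfile.te in this thread declares ftp_port_t, ftp_data_port_t and http_port_t itself when ftpd.te or apache.te is absent. That follows the use_dns pattern a few lines above only halfway: declaring the types here under an ifdef on use_ftpd and use_http, as is done for dns_port_t, would remove the duplicated fallback declarations and the risk of a double declaration when a third policy copies the same trick. This presumes ftpd.te and apache.te currently own those type lines, which this diff does not show, so they would need a matching cleanup.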
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]
* Re: gentoo policies for daemontools, ucspi-tcp, publicfile, djbdns, clockspeed
From: James Carter @ 2004-12-15 19:31 UTC (permalink / raw)
To: petre rodan; +Cc: SELinux
Do others use these tools?
Petre, you didn't include the publicfile policy, would you please send
it to the list.
Looking through these:
In Daemontools.te:
- The macro svc_sub_domain() is not used, so I will probably remove it.
- The macro svc_confdir_domain() is only used once (and it is only one
line long), so I will probably remove it as well.
In djbdns.te:
I will add ifdef(`daemontools.te' and ifdef(`ucspi-tcp.te'.
Anyone else have any comments on these?
On Sun, 2004-11-21 at 06:34, petre rodan wrote:
> Hi,
>
> This is a collection of policies that I've been using and maintaining for more than an year now.
>
> [1] http://cr.yp.to/daemontools.html
> [2] http://cr.yp.to/ucspi-tcp.html
> [3] http://cr.yp.to/publicfile.html
> [4] http://cr.yp.to/djbdns.html
> [5] http://cr.yp.to/clockspeed.html
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
* Re: gentoo policies for daemontools, ucspi-tcp, publicfile, djbdns, clockspeed
From: petre rodan @ 2004-12-29 22:13 UTC (permalink / raw)
To: jwcart2; +Cc: SELinux
[-- Attachment #1.1: Type: text/plain, Size: 207 bytes --]
James Carter wrote:
> Do others use these tools?
>
> Petre, you didn't include the publicfile policy, would you please send
> it to the list.
oops, sorry, here it is =)
Happy Holidays To Everyone!
peter
[-- Attachment #1.2: publicfile.fc --]
[-- Type: text/plain, Size: 314 bytes --]
# both daemons share one domain, publicfile_t, entered from tcpserver
# (utcpserver_t) or from an init script (initrc_t)
/usr/bin/ftpd -- system_u:object_r:publicfile_exec_t
/usr/bin/httpd -- system_u:object_r:publicfile_exec_t
/usr/bin/publicfile-conf -- system_u:object_r:publicfile_exec_t
# this is the place where the online content is located
# set this to suit your needs - publicfile.te grants publicfile_t read
# access to publicfile_content_t, so the document root must carry that type
#/var/www(/.*)? system_u:object_r:publicfile_content_t
[-- Attachment #1.3: publicfile.te --]
[-- Type: text/plain, Size: 931 bytes --]
#DESC Publicfile - HTTP and FTP file services
# http://cr.yp.to/publicfile.html
#
# Author: petre rodan <kaiowas@gentoo.org>
#
# this policy depends on ucspi-tcp
#
# declare the port types ourselves when the policies that normally own them
# are not built; the matching portcon lines in net_contexts are switched on
# by use_ftpd / use_http (see net_types.diff in the same submission)
ifdef(`ftpd.te', `
', `
type ftp_port_t, port_type, reserved_port_type;
type ftp_data_port_t, port_type, reserved_port_type;
')
ifdef(`apache.te', `
', `
type http_port_t, port_type, reserved_port_type;
')
daemon_domain(publicfile)
# the only file type publicfile_t is granted to read below; label the
# document root with it (see publicfile.fc)
type publicfile_content_t, file_type, sysadmfile;
# may also be started straight from an init script, not only via tcpserver
domain_auto_trans(initrc_t, publicfile_exec_t, publicfile_t)
ifdef(`ucspi-tcp.te', `
domain_auto_trans(utcpserver_t, publicfile_exec_t, publicfile_t)
allow publicfile_t utcpserver_t:tcp_socket { read write };
allow utcpserver_t { ftp_data_port_t ftp_port_t http_port_t }:tcp_socket name_bind;
')
allow publicfile_t initrc_t:tcp_socket { read write };
# NOTE(review): dac_override lets the daemon open files regardless of their
# mode bits, which runs against the design of publicfile (serving only
# world-readable files from an unprivileged uid). The chroot is already
# covered by sys_chroot; find the access that produced this denial and see
# whether dac_override can be dropped.
allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
r_dir_file(publicfile_t, publicfile_content_t)
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]
* Re: gentoo policies for daemontools, ucspi-tcp, publicfile, djbdns, clockspeed
From: James Carter @ 2005-03-15 18:02 UTC (permalink / raw)
To: petre rodan; +Cc: SELinux
Sorry for the delay, but the policies for clockspeed, daemontools,
djbdns, publicfile, and ucspi-tcp have now been added.
On Sun, 2004-11-21 at 13:34 +0200, petre rodan wrote:
> Hi,
>
> This is a collection of policies that I've been using and maintaining for more than an year now.
>
> [1] http://cr.yp.to/daemontools.html
> [2] http://cr.yp.to/ucspi-tcp.html
> [3] http://cr.yp.to/publicfile.html
> [4] http://cr.yp.to/djbdns.html
> [5] http://cr.yp.to/clockspeed.html
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency