## <summary>Internet services daemon.</summary>
########################################
## <summary>
## Define the specified domain as a inetd service.
## </summary>
## <desc>
## <p>
## Define the specified domain as a inetd service. The
## inetd_service_domain(), inetd_tcp_service_domain(),
## or inetd_udp_service_domain() interfaces should be used
## instead of this interface, as this interface only provides
## the common rules to these three interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type associated with the inetd service process.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type associated with the process program.
## </summary>
## </param>
#
interface(`inetd_core_service_domain',`
gen_require(`
type inetd_t;
role system_r;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
ifdef(`targeted_policy',`
# this regex is a hack, since it assumes there is a
# _t at the end of the domain type. If there is no _t
# at the end of the type, it returns empty!
ifdef(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'),`',`
bool regexp($1, `\(\w+\)_t', `\1_disable_trans') false;
define(`__define_'regexp($1, `\(\w+\)_t', `\1_disable_trans'))
')
if(regexp($1, `\(\w+\)_t', `\1_disable_trans') ) {
# can_exec(inetd_t,$2)
# cjp: this must be wrong
gen_require(`
type initrc_t, unconfined_t;
')
can_exec({ unconfined_t initrc_t },$2)
} else {
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
}
',`
domain_auto_trans(inetd_t,$2,$1)
allow inetd_t $1:fd use;
allow $1 inetd_t:fd use;
allow $1 inetd_t:fifo_file rw_file_perms;
allow $1 inetd_t:process sigchld;
dontaudit inetd_t $1:process { noatsecure siginh rlimitinh };
allow inetd_t $1:process sigkill;
# make sediff happy
allow $1 $2:file { rx_file_perms entrypoint };
')
')
########################################
## <summary>
## Define the specified domain as a TCP inetd service.
## </summary>
## <param name="domain">
## <summary>
## The type associated with the inetd service process.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type associated with the process program.
## </summary>
## </param>
#
interface(`inetd_tcp_service_domain',`
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1,$2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
')
########################################
## <summary>
## Define the specified domain as a UDP inetd service.
## </summary>
## <param name="domain">
## <summary>
## The type associated with the inetd service process.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type associated with the process program.
## </summary>
## </param>
#
interface(`inetd_udp_service_domain',`
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1,$2)
allow $1 inetd_t:udp_socket rw_socket_perms;
')
########################################
## <summary>
## Define the specified domain as a TCP and UDP inetd service.
## </summary>
## <param name="domain">
## <summary>
## The type associated with the inetd service process.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type associated with the process program.
## </summary>
## </param>
#
interface(`inetd_service_domain',`
gen_require(`
type inetd_t;
')
inetd_core_service_domain($1,$2)
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
allow $1 inetd_t:udp_socket rw_socket_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from inetd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`inetd_use_fd',`
gen_require(`
type inetd_t;
')
allow $1 inetd_t:fd use;
')
########################################
## <summary>
## Connect to the inetd service using a TCP connection.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`inetd_tcp_connect',`
gen_require(`
type inetd_t;
')
allow $1 inetd_t:tcp_socket { connectto recvfrom };
allow inetd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')
########################################
## <summary>
## Run inetd child process in the inet child domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`inetd_domtrans_child',`
gen_require(`
type inetd_child_t, inetd_child_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,inetd_child_exec_t,inetd_child_t)
allow $1 inetd_child_t:fd use;
allow inetd_child_t $1:fd use;
allow inetd_child_t $1:fifo_file rw_file_perms;
allow inetd_child_t $1:process sigchld;
')
########################################
## <summary>
## Send UDP network traffic to inetd.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`inetd_udp_sendto',`
gen_require(`
type inetd_t;
')
allow $1 inetd_t:udp_socket sendto;
allow inetd_t $1:udp_socket recvfrom;
')
########################################
## <summary>
## Read and write inetd TCP sockets.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`inetd_rw_tcp_sockets',`
gen_require(`
type inetd_t;
')
allow $1 inetd_t:tcp_socket rw_stream_socket_perms;
')