# FLASK # # Security contexts for network entities # If no context is specified, then a default initial SID is used. # # Modified by Reino Wallin # Multi NIC, and IPSEC features # Modified by Russell Coker # ifdefs to encapsulate domains, and many additional port contexts # # Port numbers (default = initial SID "port") # # protocol number context # protocol low-high context # ifdef(`inetd.te', ` portcon tcp 7 system_u:object_r:inetd_child_port_t portcon udp 7 system_u:object_r:inetd_child_port_t portcon tcp 9 system_u:object_r:inetd_child_port_t portcon udp 9 system_u:object_r:inetd_child_port_t portcon tcp 13 system_u:object_r:inetd_child_port_t portcon udp 13 system_u:object_r:inetd_child_port_t portcon tcp 19 system_u:object_r:inetd_child_port_t portcon udp 19 system_u:object_r:inetd_child_port_t portcon tcp 37 system_u:object_r:inetd_child_port_t portcon udp 37 system_u:object_r:inetd_child_port_t portcon tcp 113 system_u:object_r:auth_port_t portcon tcp 512 system_u:object_r:inetd_child_port_t portcon tcp 543 system_u:object_r:inetd_child_port_t portcon tcp 544 system_u:object_r:inetd_child_port_t portcon tcp 891 system_u:object_r:inetd_child_port_t portcon udp 891 system_u:object_r:inetd_child_port_t portcon tcp 892 system_u:object_r:inetd_child_port_t portcon udp 892 system_u:object_r:inetd_child_port_t portcon tcp 2105 system_u:object_r:inetd_child_port_t ') ifdef(`ftpd.te', ` portcon tcp 20 system_u:object_r:ftp_data_port_t portcon tcp 21 system_u:object_r:ftp_port_t ') ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t') ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t') ifdef(`mta.te', ` portcon tcp 25 system_u:object_r:smtp_port_t portcon tcp 465 system_u:object_r:smtp_port_t portcon tcp 587 system_u:object_r:smtp_port_t ') ifdef(`use_dns', ` portcon udp 53 system_u:object_r:dns_port_t portcon tcp 53 system_u:object_r:dns_port_t ') ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t') ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t') ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t') ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t') ifdef(`apache.te', ` portcon tcp 80 system_u:object_r:http_port_t portcon tcp 443 system_u:object_r:http_port_t ') ifdef(`use_pop', ` portcon tcp 106 system_u:object_r:pop_port_t portcon tcp 109 system_u:object_r:pop_port_t portcon tcp 110 system_u:object_r:pop_port_t ') ifdef(`portmap.te', ` portcon udp 111 system_u:object_r:portmap_port_t portcon tcp 111 system_u:object_r:portmap_port_t ') ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t') ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t') ifdef(`samba.te', ` portcon tcp 137 system_u:object_r:smbd_port_t portcon udp 137 system_u:object_r:nmbd_port_t portcon tcp 138 system_u:object_r:smbd_port_t portcon udp 138 system_u:object_r:nmbd_port_t portcon tcp 139 system_u:object_r:smbd_port_t portcon udp 139 system_u:object_r:nmbd_port_t portcon tcp 445 system_u:object_r:smbd_port_t ') ifdef(`use_pop', ` portcon tcp 143 system_u:object_r:pop_port_t portcon tcp 220 system_u:object_r:pop_port_t ') ifdef(`snmpd.te', ` portcon udp 161 system_u:object_r:snmp_port_t portcon udp 162 system_u:object_r:snmp_port_t portcon tcp 199 system_u:object_r:snmp_port_t ') ifdef(`comsat.te', ` portcon udp 512 system_u:object_r:comsat_port_t ') ifdef(`slapd.te', ` portcon tcp 389 system_u:object_r:ldap_port_t portcon udp 389 system_u:object_r:ldap_port_t portcon tcp 636 system_u:object_r:ldap_port_t portcon udp 636 system_u:object_r:ldap_port_t ') ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t') ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t') ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t') ifdef(`syslogd.te', ` portcon udp 514 system_u:object_r:syslogd_port_t ') ifdef(`ktalkd.te', ` portcon udp 517 system_u:object_r:ktalkd_port_t portcon udp 518 system_u:object_r:ktalkd_port_t ') ifdef(`cups.te', ` portcon tcp 631 system_u:object_r:ipp_port_t portcon udp 631 system_u:object_r:ipp_port_t ') portcon tcp 88 system_u:object_r:kerberos_port_t portcon udp 88 system_u:object_r:kerberos_port_t portcon tcp 464 system_u:object_r:kerberos_admin_port_t portcon udp 464 system_u:object_r:kerberos_admin_port_t portcon tcp 749 system_u:object_r:kerberos_admin_port_t portcon tcp 750 system_u:object_r:kerberos_port_t portcon udp 750 system_u:object_r:kerberos_port_t portcon tcp 4444 system_u:object_r:kerberos_master_port_t portcon udp 4444 system_u:object_r:kerberos_master_port_t ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t') ifdef(`rsync.te', ` portcon tcp 873 system_u:object_r:rsync_port_t portcon udp 873 system_u:object_r:rsync_port_t ') ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t') ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t') ifdef(`use_pop', ` portcon tcp 993 system_u:object_r:pop_port_t portcon tcp 995 system_u:object_r:pop_port_t portcon tcp 1109 system_u:object_r:pop_port_t ') ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t') ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t') ifdef(`radius.te', ` portcon udp 1645 system_u:object_r:radius_port_t portcon udp 1646 system_u:object_r:radacct_port_t portcon udp 1812 system_u:object_r:radius_port_t portcon udp 1813 system_u:object_r:radacct_port_t ') ifdef(`dbskkd.te', `portcon tcp 1178 system_u:object_r:dbskkd_port_t') ifdef(`gatekeeper.te', ` portcon udp 1718 system_u:object_r:gatekeeper_port_t portcon udp 1719 system_u:object_r:gatekeeper_port_t portcon tcp 1721 system_u:object_r:gatekeeper_port_t portcon tcp 7000 system_u:object_r:gatekeeper_port_t ') ifdef(`asterisk.te', ` portcon tcp 1720 system_u:object_r:asterisk_port_t portcon udp 2427 system_u:object_r:asterisk_port_t portcon udp 2727 system_u:object_r:asterisk_port_t portcon udp 4569 system_u:object_r:asterisk_port_t portcon udp 5060 system_u:object_r:asterisk_port_t ') portcon tcp 2000 system_u:object_r:mail_port_t ifdef(`zebra.te', `portcon tcp 2601 system_u:object_r:zebra_port_t') ifdef(`dictd.te', `portcon tcp 2628 system_u:object_r:dict_port_t') ifdef(`mysqld.te', `portcon tcp 3306 system_u:object_r:mysqld_port_t') ifdef(`distcc.te', `portcon tcp 3632 system_u:object_r:distccd_port_t') ifdef(`use_pxe', `portcon udp 4011 system_u:object_r:pxe_port_t') ifdef(`openvpn.te', `portcon udp 5000 system_u:object_r:openvpn_port_t') ifdef(`imazesrv.te',` portcon tcp 5323 system_u:object_r:imaze_port_t portcon udp 5323 system_u:object_r:imaze_port_t ') ifdef(`howl.te', ` portcon tcp 5335 system_u:object_r:howl_port_t portcon udp 5353 system_u:object_r:howl_port_t ') ifdef(`jabberd.te', ` portcon tcp 5222 system_u:object_r:jabber_client_port_t portcon tcp 5223 system_u:object_r:jabber_client_port_t portcon tcp 5269 system_u:object_r:jabber_interserver_port_t ') ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t') ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t') ifdef(`xdm.te', ` portcon tcp 5900 system_u:object_r:vnc_port_t ') ifdef(`use_x_ports', ` portcon tcp 6000 system_u:object_r:xserver_port_t portcon tcp 6001 system_u:object_r:xserver_port_t portcon tcp 6002 system_u:object_r:xserver_port_t portcon tcp 6003 system_u:object_r:xserver_port_t portcon tcp 6004 system_u:object_r:xserver_port_t portcon tcp 6005 system_u:object_r:xserver_port_t portcon tcp 6006 system_u:object_r:xserver_port_t portcon tcp 6007 system_u:object_r:xserver_port_t portcon tcp 6008 system_u:object_r:xserver_port_t portcon tcp 6009 system_u:object_r:xserver_port_t portcon tcp 6010 system_u:object_r:xserver_port_t portcon tcp 6011 system_u:object_r:xserver_port_t portcon tcp 6012 system_u:object_r:xserver_port_t portcon tcp 6013 system_u:object_r:xserver_port_t portcon tcp 6014 system_u:object_r:xserver_port_t portcon tcp 6015 system_u:object_r:xserver_port_t portcon tcp 6016 system_u:object_r:xserver_port_t portcon tcp 6017 system_u:object_r:xserver_port_t portcon tcp 6018 system_u:object_r:xserver_port_t portcon tcp 6019 system_u:object_r:xserver_port_t ') ifdef(`ircd.te', `portcon tcp 6667 system_u:object_r:ircd_port_t') ifdef(`ciped.te', `portcon udp 7007 system_u:object_r:cipe_port_t') ifdef(`sound-server.te', ` portcon tcp 8000 system_u:object_r:soundd_port_t # 9433 is for YIFF portcon tcp 9433 system_u:object_r:soundd_port_t ') ifdef(`use_http_cache', ` portcon tcp 3128 system_u:object_r:http_cache_port_t portcon tcp 8080 system_u:object_r:http_cache_port_t portcon udp 3130 system_u:object_r:http_cache_port_t ') ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t') ifdef(`amanda.te', ` portcon udp 10080 system_u:object_r:amanda_port_t portcon tcp 10080 system_u:object_r:amanda_port_t portcon udp 10081 system_u:object_r:amanda_port_t portcon tcp 10081 system_u:object_r:amanda_port_t portcon tcp 10082 system_u:object_r:amanda_port_t portcon tcp 10083 system_u:object_r:amanda_port_t ') ifdef(`postgrey.te', `portcon tcp 60000 system_u:object_r:postgrey_port_t') # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise # declared or omitted due to removal of a domain. portcon tcp 1-1023 system_u:object_r:reserved_port_t portcon udp 1-1023 system_u:object_r:reserved_port_t # Network interfaces (default = initial SID "netif" and "netmsg") # # interface netif_context default_msg_context # netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t # Nodes (default = initial SID "node") # # address mask context # nodecon 127.0.0.1 255.255.255.255 system_u:object_r:node_lo_t nodecon 0.0.0.0 255.255.255.255 system_u:object_r:node_inaddr_any_t nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_unspec_t nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system_u:object_r:node_lo_t nodecon ff00:: ff00:: system_u:object_r:node_multicast_t nodecon fe80:: ffff:ffff:ffff:ffff:: system_u:object_r:node_link_local_t nodecon fec0:: ffc0:: system_u:object_r:node_site_local_t nodecon :: ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_compat_ipv4_t nodecon ::ffff:0000:0000 ffff:ffff:ffff:ffff:ffff:ffff:: system_u:object_r:node_mapped_ipv4_t # FLASK