diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te index 162ad3f..de09fa8 100644 --- a/refpolicy/policy/modules/kernel/bootloader.te +++ b/refpolicy/policy/modules/kernel/bootloader.te @@ -2,6 +2,11 @@ policy_module(bootloader,1.0) +######################################## +# +# Declarations +# + attribute can_modify_kernel_modules; # @@ -9,6 +14,7 @@ attribute can_modify_kernel_modules; # type boot_t; files_make_file(boot_t) +files_make_mountpoint(boot_t) # # boot_runtime_t is the type for /boot/kernel.h, @@ -51,7 +57,6 @@ neverallow ~can_modify_kernel_modules modules_object_t:file { create append writ type system_map_t; files_make_file(system_map_t) - ######################################## # # bootloader local policy @@ -76,6 +81,12 @@ devices_set_all_block_device_attributes(bootloader_t) # for reading BIOS data (cjp: ?) devices_raw_read_memory(bootloader_t) +init_get_control_channel_attributes(bootloader_t) +init_script_use_pseudoterminal(bootloader_t) +init_script_use_file_descriptors(bootloader_t) + +domain_use_widely_inheritable_file_descriptors(bootloader_t) + libraries_use_dynamic_loader(bootloader_t) libraries_read_shared_libraries(bootloader_t) @@ -92,10 +103,11 @@ logging_send_system_log_message(bootloader_t) filesystem_get_persistent_filesystem_attributes(bootloader_t) terminal_use_controlling_terminal(bootloader_t) +terminal_get_user_terminal_attributes(bootloader_t) allow bootloader_t bootloader_etc_t:file { getattr read }; -define(`initrc_insmod_optional_policy', ` +optional_policy(modutils.te,` modutils_insmod_execute(insmod_t) ') @@ -116,6 +128,7 @@ bootloader_install_initrd(bootloader_t) devices_get_random_data(bootloader_t) devices_get_pseudorandom_data(bootloader_t) + corecommands_execute_general_programs(bootloader_t) corecommands_execute_system_programs(bootloader_t) corecommands_execute_shell(bootloader_t) 
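Review bot: `init_script_use_pseudoterminal(bootloader_t)` and `init_script_use_file_descriptors(bootloader_t)` in the `@@ -76,6 +81,12 @@` hunk promote rules out of the `ifdef(`TODO'` block, while the `@@ -144,23 +157,36 @@` hunk deletes the comment that questioned them (`# no transition from initrc to bootloader, so why are these rules needed`) without answering it. If a path from the init scripts into bootloader_t exists, record it next to these calls, e.g. `# run from init scripts; uses the script's pty and inherited fds — confirm`; if it does not, these two calls and `domain_use_widely_inheritable_file_descriptors(bootloader_t)` (which grants `privfd:fd use`) are privilege the domain never needs. The TODO block these rules came from opens in the -144 hunk and closes in the -218 hunk.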
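Review bot: `optional_policy(modutils.te,`` in the `@@ -92,10 +103,11 @@` hunk leaves the file name unquoted, unlike `optional_policy(`fsadm.te', `` and `optional_policy(`lvm.te', `` elsewhere in this file; m4 would expand `modutils` if a macro of that name is ever defined, so write `optional_policy(`modutils.te',``. The body being wrapped still reads `modutils_insmod_execute(insmod_t)`, while every other interface call in this file passes `bootloader_t`; if the interface takes the calling domain, this is a leftover from the initrc copy and should be `modutils_insmod_execute(bootloader_t)` — worth confirming against modutils.if, which is not on this page.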
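Review bot: `corecommands_execute_general_programs(bootloader_t)` in the `@@ -116,6 +128,7 @@` hunk widens what the domain may execute beyond the existing system-program and shell grants and carries no why-comment, whereas neighbouring grants in this file do (`# for reading BIOS data`). A one-line note naming what bootloader_t runs from the general bin directories lets a later reviewer drop the grant when it is no longer needed; even `# needed for <tool> run by the bootloader installer — confirm` is better than nothing.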
@@ -144,23 +157,36 @@ optional_policy(`fsadm.te', ` filesystemtools_execute(bootloader_t) ') -################################################################################ +ifdef(`distro_debian', ` +allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; +allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; +allow bootloader_t boot_t:file relabelfrom; +') + +ifdef(`distro_redhat', ` +files_make_mountpoint(bootloader_tmp_t) + +# for mke2fs +mount_transition(bootloader_t) +allow bootloader_t modules_object_t:lnk_file { getattr read }; + +# new file system defaults to file_t, granting file_t access is still bad. +allow bootloader_t self:unix_stream_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown }; +allow bootloader_t boot_runtime_t:file { read getattr unlink }; + +# for memlock +devices_get_zeros(bootloader_t) +allow bootloader_t self:capability ipc_lock; +') + ifdef(`TODO',` # admin runs bootloader: domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t) allow bootloader_t admin_tty_type:chr_file rw_file_perms; -allow bootloader_t privfd:fd use; - -allow bootloader_t { device_type ttyfile }:chr_file getattr; -allow bootloader_t initctl_t:fifo_file getattr; -# no transition from initrc to bootloader, -# so why are these rules needed role system_r types bootloader_t; -allow bootloader_t initrc_devpts_t:chr_file rw_file_perms; allow bootloader_t initrc_t:fifo_file { read write }; -allow bootloader_t initrc_t:fd use; allow bootloader_t lib_t:file { getattr read }; 
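Review bot: the comment `# new file system defaults to file_t, granting file_t access is still bad.` in the new `ifdef(`distro_redhat'` block now sits above `allow bootloader_t self:unix_stream_socket { ... };`, which it does not describe; the `file_t` rules it refers to stay in the TODO block in the `@@ -194,21 +217,10 @@` hunk, where the same comment is kept. Drop the copy here or move the `file_t` rules with it. Separately, the `ifdef(`distro_debian'` block's `allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };` now lives outside TODO and targets the type guarded by the `neverallow ~can_modify_kernel_modules modules_object_t:file { create append writ...` shown in the `@@ -51` header context; that permission list is cut off on this page, so check whether it covers `unlink` and whether bootloader_t carries `can_modify_kernel_modules`, since a conflict fails the policy build.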
@@ -171,17 +197,14 @@ allow bootloader_t var_t:file { getattr read }; # LVM2 / Device Mapper's /dev/mapper/control # maybe we should change the labeling for this -ifdef(`lvm.te', ` +optional_policy(`lvm.te', ` +lvm_transition(bootloader_t) allow bootloader_t lvm_control_t:chr_file rw_file_perms; -domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t) allow lvm_t bootloader_tmp_t:file rw_file_perms; r_dir_file(bootloader_t, lvm_etc_t) ') ifdef(`distro_debian', ` -allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; -allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink }; -allow bootloader_t boot_t:file relabelfrom; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto; allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms; allow bootloader_t tmpfs_t:dir r_dir_perms; @@ -194,21 +217,10 @@ can_exec(bootloader_t, usr_t) ') ifdef(`distro_redhat', ` -# for mke2fs -domain_auto_trans(bootloader_t, mount_exec_t, mount_t); -allow mount_t bootloader_tmp_t:dir mounton; -allow bootloader_t modules_object_t:lnk_file { getattr read }; - # new file system defaults to file_t, granting file_t access is still bad. allow bootloader_t file_t:dir create_dir_perms; allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms; allow bootloader_t file_t:lnk_file create_lnk_perms; -allow bootloader_t self:unix_stream_socket create_socket_perms; -allow bootloader_t boot_runtime_t:file { read getattr unlink }; - -# for memlock -allow bootloader_t zero_device_t:chr_file { getattr read }; -allow bootloader_t self:capability ipc_lock; ') dontaudit bootloader_t selinux_config_t:dir search; 
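Review bot: the `optional_policy(`lvm.te', `` conversion and the new `lvm_transition(bootloader_t)` in the `@@ -171,17 +197,14 @@` hunk are still inside the `ifdef(`TODO',`` that opens in the `@@ -144` hunk and closes at `') dnl end TODO` in the `@@ -218` hunk, so none of it is compiled. If the LVM rules are meant to be live, move the block out next to the new distro_debian/distro_redhat blocks; the remaining old-style lines (`allow lvm_t bootloader_tmp_t:file rw_file_perms;`, `r_dir_file(bootloader_t, lvm_etc_t)`) would then need interface equivalents. If it is meant to stay disabled, converting it now is cosmetic and the hunk could be dropped.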
@@ -218,15 +230,3 @@ dontaudit bootloader_t devpts_t:dir create_dir_perms; dontaudit bootloader_t var_run_t:dir search; ') dnl end TODO - -######################################## -# -# Conditional policy logic -# - -ifdef(`monolithic_policy',` -ifdef(`modutils.te',`initrc_insmod_optional_policy') -',` -optional modutils { modutils_insmod_execute_depend } -ifopt (modutils) { initrc_insmod_optional_policy } -') dnl end monolithic_policy diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if index cf9f6d8..b8447ed 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if +++ b/refpolicy/policy/modules/kernel/corenetwork.if @@ -791,7 +791,7 @@ allow $1 self:capability net_bind_service; ') define(`corenetwork_bind_udp_on_all_reserved_ports_depend',` -type reserved_port_type; +attribute reserved_port_type; class tcp_socket name_bind; class capability net_bind_service; ') 
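Review bot: the `define` edited in the `@@ -791,7 +791,7 @@` hunk of corenetwork.if is named `corenetwork_bind_udp_on_all_reserved_ports_depend` but requires `class tcp_socket name_bind;`, and the `@@ -807,11 +807,39 @@` hunk edits a second `define` of the same name with `class udp_socket name_bind;`; in m4 the later definition wins, so the TCP interface's requires block declares the wrong object class. Changing `type` to `attribute` here is right, but the first define should become `define(`corenetwork_bind_tcp_on_all_reserved_ports_depend',``. The interface bodies these depend blocks belong to start above the hunk.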
@@ -807,11 +807,39 @@ allow $1 self:capability net_bind_service; ') define(`corenetwork_bind_udp_on_all_reserved_ports_depend',` -type reserved_port_type; +attribute reserved_port_type; class udp_socket name_bind; class self:capability net_bind_service; ') +####################################### +# +# corenetwork_ignore_bind_tcp_on_all_reserved_ports(domain,[`optional']) +# +define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports',` +requires_block_template(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',$2) +dontaudit $1 reserved_port_type:tcp_socket name_bind; +') + +define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',` +attribute reserved_port_type; +class tcp_socket name_bind; +') + +####################################### +# +# corenetwork_ignore_bind_udp_on_all_reserved_ports(domain,[`optional']) +# +define(`corenetwork_ignore_bind_udp_on_all_reserved_ports',` +requires_block_template(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',$2) +dontaudit $1 reserved_port_type:udp_socket name_bind; +') + +define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',` +attribute reserved_port_type; +class udp_socket name_bind; +') + ######################################## # # This section is processed through m4 to create real interfaces diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te index e4482d1..422d7fb 100644 --- a/refpolicy/policy/modules/kernel/devices.te +++ b/refpolicy/policy/modules/kernel/devices.te @@ -13,6 +13,7 @@ attribute device_node; # type device_t; files_make_file(device_t) +files_make_mountpoint(device_t) filesystem_tmpfs_associate(device_t) # Only directories and symlinks should be labeled device_t. diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te index be8788a..fe81f05 100644 --- a/refpolicy/policy/modules/kernel/filesystem.te +++ b/refpolicy/policy/modules/kernel/filesystem.te 
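Review bot: the new `corenetwork_ignore_bind_tcp_on_all_reserved_ports` requires `corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend`, but no macro of that name is defined: the depend block that follows it (the one with `class tcp_socket name_bind;`) is named `corenetwork_ignore_bind_udp_on_all_reserved_ports_depend` and is then redefined by the UDP block two defines later. Rename the first to `define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',``; as written, the `corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)` call added in mount.te (`@@ -34,13 +35,23 @@`) would carry an unexpanded macro name in its requires block. The pre-existing context line `class self:capability net_bind_service;` just above the additions also looks malformed next to `class capability net_bind_service;` in the -791 hunk and could be fixed while here.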
@@ -110,6 +110,7 @@ allow removable_t usbfs_t:filesystem associate; # and their files. # type nfs_t, fs_type; +files_make_mountpoint(nfs_t) allow nfs_t self:filesystem associate; genfscon nfs / system_u:object_r:nfs_t genfscon nfs4 / system_u:object_r:nfs_t diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 224daf6..47f3ef6 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -57,6 +57,20 @@ class fd use; ######################################## # +# kernel_ignore_use_file_descriptors(domain,[`optional']) +# +define(`kernel_ignore_use_file_descriptors',` +requires_block_template(kernel_ignore_use_file_descriptors_depend,$2) +dontaudit $1 kernel_t:fd use; +') + +define(`kernel_ignore_use_file_descriptors_depend',` +type kernel_t; +class fd use; +') + +######################################## +# # kernel_make_root_filesystem_mountpoint(domain,[`optional']) # define(`kernel_make_root_filesystem_mountpoint',` diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te index a8173ef..2092546 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -36,6 +36,7 @@ genfscon selinuxfs / system_u:object_r:security_t # sysfs_t is the type for /sys # type sysfs_t; +files_make_mountpoint(sysfs_t) filesystem_make_filesystem(sysfs_t) genfscon sysfs / system_u:object_r:sysfs_t @@ -43,6 +44,7 @@ genfscon sysfs / system_u:object_r:sysfs_t # usbfs_t is the type for /proc/bus/usb # type usbfs_t alias usbdevfs_t; +files_make_mountpoint(usbfs_t) filesystem_make_filesystem(usbfs_t) genfscon usbfs / system_u:object_r:usbfs_t genfscon usbdevfs / system_u:object_r:usbfs_t @@ -52,6 +54,7 @@ genfscon usbdevfs / system_u:object_r:usbfs_t # type proc_t; +files_make_mountpoint(proc_t) genfscon proc / system_u:object_r:proc_t genfscon proc /sysvipc system_u:object_r:proc_t 
@@ -89,6 +92,7 @@ genfscon proc /sys system_u:object_r:sysctl_t # /proc/sys/fs directory and files type sysctl_fs_t; +files_make_mountpoint(sysctl_fs_t) genfscon proc /sys/fs system_u:object_r:sysctl_fs_t # /proc/sys/kernel directory and files diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 64da779..bf48426 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -153,3 +153,19 @@ define(`terminal_ignore_list_pseudoterminals_depend',` type devpts_t; class dir { getattr search read }; ') + +######################################## +# +# terminal_get_user_terminal_attributes(domain,[`optional']) +# +define(`terminal_get_user_terminal_attributes',` +requires_block_template(terminal_get_user_terminal_attributes_depend,$2) +devices_list_device_nodes($1,optional) +allow $1 ttynode:chr_file getattr; +') + +define(`terminal_get_user_terminal_attributes_depend',` +attribute ttynode; +class chr_file getattr; +devices_list_device_nodes_depend +') diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te index 8b1323a..36d172b 100644 --- a/refpolicy/policy/modules/kernel/terminal.te +++ b/refpolicy/policy/modules/kernel/terminal.te 
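Review bot: `files_make_mountpoint(sysctl_fs_t)` in the `@@ -89,6 +92,7 @@` hunk is what now stands in for the `allow mount_t sysctl_t:dir { mounton search };` rule deleted from mount.te, and the `# mount binfmt_misc on /proc/sys/fs/binfmt_misc` comment deleted with it is lost. The `genfscon proc /sys/fs` line below maps that path to sysctl_fs_t, so the attribute lands on the right type, but the reason should travel with it: `# mount point for binfmt_misc (/proc/sys/fs/binfmt_misc)`. The other `files_make_mountpoint` additions in this file (sysfs_t, usbfs_t, proc_t) are self-explanatory.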
@@ -6,43 +6,44 @@ attribute ttynode; attribute ptynode; # +# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] +type bsdpty_device_t; +devices_make_device_node(bsdpty_device_t) + +# # console_device_t is the type of /dev/console. # type console_device_t; devices_make_device_node(console_device_t) # +# devpts_t is the type of the devpts file system and +# the type of the root directory of the file system. +# +type devpts_t; +files_make_mountpoint(devpts_t) +filesystem_make_filesystem(devpts_t) + +# # devtty_t is the type of /dev/tty. # type devtty_t; devices_make_device_node(devtty_t) # -# tty_device_t is the type of /dev/*tty* +# ptmx_t is the type for /dev/ptmx. # -type tty_device_t, ttynode; -devices_make_device_node(tty_device_t) +type ptmx_t; +devices_make_device_node(ptmx_t) # -# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] -type bsdpty_device_t, ptynode; -devices_make_device_node(bsdpty_device_t) +# tty_device_t is the type of /dev/*tty* +# +type tty_device_t; +devices_make_device_node(tty_device_t) # # usbtty_device_t is the type of /dev/usr/tty* # type usbtty_device_t; devices_make_device_node(usbtty_device_t) - -# -# ptmx_t is the type for /dev/ptmx. -# -type ptmx_t; -devices_make_device_node(ptmx_t) - -# -# devpts_t is the type of the devpts file system and -# the type of the root directory of the file system. -# -type devpts_t; -filesystem_make_filesystem(devpts_t) diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 42e2333..fbc39fe 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if 
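Review bot: the reordering in this hunk turns `type tty_device_t, ttynode;` into `type tty_device_t;` and `type bsdpty_device_t, ptynode;` into `type bsdpty_device_t;`, so after the commit no type on this page carries the `ttynode` or `ptynode` attributes, although both `attribute` declarations at the top of the hunk remain. The new `terminal_get_user_terminal_attributes` in terminal.if allows `$1 ttynode:chr_file getattr`, and bootloader.te uses it in place of the removed `allow bootloader_t { device_type ttyfile }:chr_file getattr;`, so unless another file assigns the attributes the replacement grants nothing. Restore `type tty_device_t, ttynode;` and `type bsdpty_device_t, ptynode;` (or assign them through an interface); if the drop is deliberate, say so in the commit message.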
@@ -115,6 +115,20 @@ attribute privfd; ######################################## # +# domain_use_widely_inheritable_file_descriptors(domain,[`optional']) +# +define(`domain_use_widely_inheritable_file_descriptors',` +requires_block_template(domain_use_widely_inheritable_file_descriptors_depend,$2) +allow $1 privfd:fd use; +') + +define(`domain_use_widely_inheritable_file_descriptors_depend',` +attribute privfd; +class fd use; +') + +######################################## +# # domain_all_init_domains_transition(domain,[`optional']) # define(`domain_all_init_domains_transition',` diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 53b3ac0..8adce40 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -19,6 +19,19 @@ filesystem_noxattr_associate_depend ######################################## # +# files_make_mountpoint(type,[`optional']) +# +define(`files_make_mountpoint',` +requires_block_template(files_make_mountpoint_depend,$2) +typeattribute $1 mountpoint; +') + +define(`files_make_mountpoint_depend',` +attribute mountpoint; +') + +######################################## +# # files_get_all_file_attributes(type,[`optional']) # define(`files_get_all_file_attributes',` @@ -95,6 +108,20 @@ class dir { getattr search read }; ######################################## # +# files_mount_on_all_mountpoints(type,[`optional']) +# +define(`files_mount_on_all_mountpoints',` +requires_block_template(files_mount_on_all_mountpoints_depend,$2) +allow $1 mountpoint:dir { getattr search mounton }; +') + +define(`files_mount_on_all_mountpoints_depend',` +attribute mountpoint; +class dir { getattr search mounton }; +') + +######################################## +# # files_read_root_dir(domain,[`optional']) # define(`files_read_root_dir',` 
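Review bot: `files_mount_on_all_mountpoints` in the `@@ -95,6 +108,20 @@` hunk of files.if grants `mounton` over every type carrying the new `mountpoint` attribute, which files.te in this commit assigns to `file_t` and `default_t` as well as root_t, usr_t, var_t and others, yet the interface header states only its signature. A caller replacing an explicit per-type list (as mount.te does here) loses sight of that breadth, so document it: `# mounton over every mountpoint-attributed dir, including unlabeled (file_t) and default_t`. The header also labels the parameter `type` while the sibling `files_read_root_dir(domain,...)` uses `domain`; use `domain` here too.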
@@ -186,6 +213,20 @@ class dir { getattr search read write remove_name }; ######################################## # +# files_unmount_root_filesystem(domain,[`optional']) +# +define(`files_unmount_root_filesystem',` +requires_block_template(files_unmount_root_filesystem_depend,$2) +allow $1 root_t:filesystem unmount; +') + +define(`files_unmount_root_filesystem_depend',` +type root_t; +class filesystem unmount; +') + +######################################## +# # files_read_general_system_config(type,[`optional']) # define(`files_read_general_system_config',` diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te index 66e2247..c3aa666 100644 --- a/refpolicy/policy/modules/system/files.te +++ b/refpolicy/policy/modules/system/files.te @@ -6,11 +6,12 @@ attribute file_type; attribute lockfile; attribute pidfile; attribute tmpfile; +attribute mountpoint; # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. -type default_t, file_type; +type default_t, file_type, mountpoint; filesystem_associate(default_t) filesystem_noxattr_associate(default_t) 
@@ -35,26 +36,16 @@ filesystem_noxattr_associate(etc_runtime_t) # assigned an extended attribute (EA) value (when using a filesystem # that supports EAs). # -type file_t, file_type; +type file_t, file_type, mountpoint; filesystem_associate(file_t) filesystem_noxattr_associate(file_t) kernel_make_root_filesystem_mountpoint(file_t) # -# root_t is the type for rootfs and the root directory. -# -type root_t, file_type; -filesystem_associate(root_t) -filesystem_noxattr_associate(root_t) -kernel_read_directory_from(root_t) -kernel_make_root_filesystem_mountpoint(root_t) -genfscon rootfs / system_u:object_r:root_t - -# # home_root_t is the type for the directory where user home directories # are created # -type home_root_t, file_type; +type home_root_t, file_type, mountpoint; filesystem_associate(home_root_t) filesystem_noxattr_associate(home_root_t) @@ -68,7 +59,7 @@ filesystem_noxattr_associate(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # -type mnt_t, file_type; +type mnt_t, file_type, mountpoint; filesystem_associate(mnt_t) filesystem_noxattr_associate(mnt_t) @@ -85,6 +76,16 @@ filesystem_associate(readable_t) filesystem_noxattr_associate(readable_t) # +# root_t is the type for rootfs and the root directory. +# +type root_t, file_type, mountpoint; +filesystem_associate(root_t) +filesystem_noxattr_associate(root_t) +kernel_read_directory_from(root_t) +kernel_make_root_filesystem_mountpoint(root_t) +genfscon rootfs / system_u:object_r:root_t + +# # src_t is the type of files in the system src directories. # type src_t, file_type; 
@@ -94,21 +95,21 @@ filesystem_noxattr_associate(src_t) # # tmp_t is the type of the temporary directories # -type tmp_t, file_type, tmpfile; +type tmp_t, file_type, tmpfile, mountpoint; filesystem_associate(tmp_t) filesystem_noxattr_associate(tmp_t) # # usr_t is the type for /usr. # -type usr_t, file_type; +type usr_t, file_type, mountpoint; filesystem_associate(usr_t) filesystem_noxattr_associate(usr_t) # # var_t is the type of /var # -type var_t, file_type; +type var_t, file_type, mountpoint; filesystem_associate(var_t) filesystem_noxattr_associate(var_t) diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 7284838..8b2e2f2 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -20,6 +20,20 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # +# init_get_control_channel_attributes(domain,[`optional']) +# +define(`init_get_control_channel_attributes',` +requires_block_template(init_get_control_channel_attributes_depend,$2) +allow $1 initctl_t:fifo_file getattr; +') + +define(`init_get_control_channel_attributes_depend',` +type initctl_t; +class fifo_file getattr; +') + +######################################## +# # init_sigchld(domain,[`optional']) # define(`init_sigchld',` diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index fd8a76c..af0b7b1 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -21,6 +21,7 @@ allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlin allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir }; kernel_read_system_state(mount_t) +kernel_ignore_use_file_descriptors(mount_t) devices_get_all_block_device_attributes(mount_t) devices_list_device_nodes(mount_t) 
@@ -34,13 +35,23 @@ filesystem_get_persistent_filesystem_attributes(mount_t) filesystem_mount_all_filesystems(mount_t) filesystem_unmount_all_filesystems(mount_t) filesystem_remount_all_filesystems(mount_t) +files_unmount_root_filesystem(mount_t) terminal_use_console(mount_t) +corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t) +corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t) + +init_use_file_descriptors(mount_t) +init_script_use_pseudoterminal(mount_t) + +domain_use_widely_inheritable_file_descriptors(mount_t) + files_search_all_directories(mount_t) files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) files_read_general_system_config(mount_t) files_create_runtime_system_config(mount_t) +files_mount_on_all_mountpoints(mount_t) libraries_use_dynamic_loader(mount_t) libraries_read_shared_libraries(mount_t) @@ -54,31 +65,9 @@ logging_send_system_log_message(mount_t) miscfiles_read_localization(mount_t) ifdef(`TODO',` - # Mount, remount and unmount file systems. -allow mount_t default_t:dir mounton; -allow mount_t file_t:dir mounton; -allow mount_t usr_t:dir mounton; -allow mount_t var_t:dir mounton; -allow mount_t proc_t:dir mounton; -allow mount_t root_t:dir mounton; -allow mount_t home_root_t:dir mounton; -allow mount_t tmp_t:dir mounton; -allow mount_t mnt_t:dir { mounton getattr }; -allow mount_t devpts_t:dir mounton; -allow mount_t usbdevfs_t:dir mounton; -allow mount_t sysfs_t:dir { mounton search }; -allow mount_t nfs_t:dir { mounton search }; # nfsv4 has a filesystem to mount for its userspace daemons allow mount_t var_lib_nfs_t:dir mounton; -allow mount_t boot_t:dir mounton; -allow mount_t device_t:dir mounton; -# mount binfmt_misc on /proc/sys/fs/binfmt_misc -allow mount_t sysctl_t:dir { mounton search }; -#TODO: Need macro for unmounting root filesystem -#allow mount_t root_t:filesystem unmount; - -allow mount_t initrc_devpts_t:chr_file { read write }; #domain_auto_trans(initrc_t, mount_exec_t, mount_t) 
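Review bot: `files_unmount_root_filesystem(mount_t)` is inserted among the `filesystem_*` calls while the other `files_*` calls, including the new `files_mount_on_all_mountpoints(mount_t)`, are grouped further down; keeping the files_ calls together makes it easier to check that the deleted per-type `mounton` list is fully covered. One entry from that list, `allow mount_t var_lib_nfs_t:dir mounton;`, stays in the TODO block because var_lib_nfs_t is not given the mountpoint attribute in this commit; a comment next to `files_mount_on_all_mountpoints(mount_t)` such as `# var_lib_nfs_t is not a mountpoint type yet; see TODO below` would record that gap.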
@@ -91,10 +80,6 @@ allow sysadm_t sysadm_mount_source_t:file create_file_perms; allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom }; allow mount_t sysadm_mount_source_t:file rw_file_perms; -# TODO: Examine these further; may need macros -allow mount_t init_t:fd use; -allow mount_t privfd:fd use; - # TODO: Probably need a macro for reading/unlinking files # for when /etc/mtab loses its type allow mount_t file_t:file { getattr read unlink }; @@ -123,7 +108,6 @@ allow $2_t dosfs_t:filesystem relabelfrom; ') dnl end pamconsole.te ') dnl end distro_redhat -# TODO: This macro contains an ifdef for rhgb.te ifdef(`rhgb.te', ` allow mount_t rhgb_t:process sigchld; allow mount_t rhgb_t:fd use; @@ -152,8 +136,4 @@ can_udp_send(portmap_t, mount_t) allow mount_t rpc_pipefs_t:dir search; ') -# Dontaudits -dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind; -dontaudit mount_t kernel_t:fd use; - ') dnl endif TODO