1# Copyright (C) 2007-2012 Red Hat
2# see file 'COPYING' for use and warranty information
3#
4# policygentool is a tool for the initial generation of SELinux policy
5#
6#    This program is free software; you can redistribute it and/or
7#    modify it under the terms of the GNU General Public License as
8#    published by the Free Software Foundation; either version 2 of
9#    the License, or (at your option) any later version.
10#
11#    This program is distributed in the hope that it will be useful,
12#    but WITHOUT ANY WARRANTY; without even the implied warranty of
13#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#    GNU General Public License for more details.
15#
16#    You should have received a copy of the GNU General Public License
17#    along with this program; if not, write to the Free Software
18#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19#                                        02111-1307  USA
20#
21#
22########################### Type Enforcement File #############################
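########################### Type Enforcement File #############################
# Every value below is a fragment of SELinux policy source text.  The generator
# replaces the TEMPLATETYPE token with the name of the domain being created and
# writes the result into the .te / .if files; nothing here is evaluated as
# Python beyond plain string assignment.
# NOTE(review): which fragments are emitted is decided by the caller (presumably
# from the inbound/outbound/port choices) -- confirm against the generator.

# Declares a dedicated port type for the domain.  Unlike the other fragments
# this one starts with a newline (no backslash after the opening quotes).
te_types = """
type TEMPLATETYPE_port_t;
corenet_port(TEMPLATETYPE_port_t)
"""

# Baseline network access: DNS name resolution plus receiving unlabeled
# traffic.  corenet_all_recvfrom_unlabeled is a broad grant by design of
# the template; it is not restricted to any port.
te_network = """\
sysnet_dns_name_resolve(TEMPLATETYPE_t)
corenet_all_recvfrom_unlabeled(TEMPLATETYPE_t)
"""

# Generic TCP socket permissions over all interfaces, nodes and ports.
# Port-level restriction is expressed separately by the te_*_need_port_*
# and te_*_ports_* fragments.
te_tcp = """\
allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t)
corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
"""

# Inbound TCP: allow binding to generic nodes.
te_in_tcp = """\
corenet_tcp_bind_generic_node(TEMPLATETYPE_t)
"""

# Inbound TCP restricted to the domain's own port type (from te_types).
te_in_need_port_tcp = """\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_bind;
"""

# Outbound TCP restricted to the domain's own port type (from te_types).
te_out_need_port_tcp = """\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:tcp_socket name_connect;
"""

# Generic UDP socket permissions over all interfaces, nodes and ports.
te_udp = """\
allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t)
corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t)
corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
"""

# Inbound UDP: allow binding to generic nodes.
te_in_udp = """\
corenet_udp_bind_generic_node(TEMPLATETYPE_t)
"""

# Inbound UDP restricted to the domain's own port type (from te_types).
te_in_need_port_udp = """\
allow TEMPLATETYPE_t TEMPLATETYPE_port_t:udp_socket name_bind;
"""

# Outbound TCP port-range variants: all ports, rpc ports, unreserved ports.
# There is intentionally no UDP counterpart to the connect fragments.
te_out_all_ports_tcp = """\
corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
"""

te_out_reserved_ports_tcp = """\
corenet_tcp_connect_all_rpc_ports(TEMPLATETYPE_t)
"""

te_out_unreserved_ports_tcp = """\
corenet_tcp_connect_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Inbound TCP port-range variants: all ports, rpc ports, unreserved ports.
te_in_all_ports_tcp = """\
corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
"""

te_in_reserved_ports_tcp = """\
corenet_tcp_bind_all_rpc_ports(TEMPLATETYPE_t)
"""

te_in_unreserved_ports_tcp = """\
corenet_tcp_bind_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Inbound UDP port-range variants: all ports, rpc ports, unreserved ports.
te_in_all_ports_udp = """\
corenet_udp_bind_all_ports(TEMPLATETYPE_t)
"""

te_in_reserved_ports_udp = """\
corenet_udp_bind_all_rpc_ports(TEMPLATETYPE_t)
"""

te_in_unreserved_ports_udp = """\
corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
"""

# Interface (.if) file body.  The `##` lines inside the string are refpolicy
# XML documentation for each interface, not Python comments; each interface
# takes the calling domain as $1.  Interfaces come in allow / dontaudit pairs
# for the port type and for the client and server packet types.
if_rules = """\
########################################
## <summary>
##	Send and receive TCP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_send_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_receive_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_TEMPLATETYPE_port',`
	corenet_udp_send_TEMPLATETYPE_port($1)
	corenet_udp_receive_TEMPLATETYPE_port($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_sendrecv_TEMPLATETYPE_port',`
	corenet_dontaudit_udp_send_TEMPLATETYPE_port($1)
	corenet_dontaudit_udp_receive_TEMPLATETYPE_port($1)
')

########################################
## <summary>
##	Bind TCP sockets to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket name_bind;

')

########################################
## <summary>
##	Bind UDP sockets to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:udp_socket name_bind;

')

########################################
## <summary>
##	Do not audit attempts to bind to TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_bind_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:udp_socket name_bind;

')

########################################
## <summary>
##	Make a TCP connection to the TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	allow $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to TEMPLATETYPE port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_TEMPLATETYPE_port',`
	gen_require(`
		type TEMPLATETYPE_port_t;
	')

	dontaudit $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
')


########################################
## <summary>
##	Send TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_send_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet send;
')

########################################
## <summary>
##	Do not audit attempts to send TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_send_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_client_packet_t:packet send;
')

########################################
## <summary>
##	Receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_receive_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet recv;
')

########################################
## <summary>
##	Do not audit attempts to receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_receive_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_client_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_sendrecv_TEMPLATETYPE_client_packets',`
	corenet_send_TEMPLATETYPE_client_packets($1)
	corenet_receive_TEMPLATETYPE_client_packets($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive TEMPLATETYPE_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_client_packets',`
	corenet_dontaudit_send_TEMPLATETYPE_client_packets($1)
	corenet_dontaudit_receive_TEMPLATETYPE_client_packets($1)
')

########################################
## <summary>
##	Relabel packets to TEMPLATETYPE_client the packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_TEMPLATETYPE_client_packets',`
	gen_require(`
		type TEMPLATETYPE_client_packet_t;
	')

	allow $1 TEMPLATETYPE_client_packet_t:packet relabelto;
')


########################################
## <summary>
##	Send TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_send_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet send;
')

########################################
## <summary>
##	Do not audit attempts to send TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_send_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_server_packet_t:packet send;
')

########################################
## <summary>
##	Receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_receive_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet recv;
')

########################################
## <summary>
##	Do not audit attempts to receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_receive_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	dontaudit $1 TEMPLATETYPE_server_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_sendrecv_TEMPLATETYPE_server_packets',`
	corenet_send_TEMPLATETYPE_server_packets($1)
	corenet_receive_TEMPLATETYPE_server_packets($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive TEMPLATETYPE_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_server_packets',`
	corenet_dontaudit_send_TEMPLATETYPE_server_packets($1)
	corenet_dontaudit_receive_TEMPLATETYPE_server_packets($1)
')

########################################
## <summary>
##	Relabel packets to TEMPLATETYPE_server the packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_TEMPLATETYPE_server_packets',`
	gen_require(`
		type TEMPLATETYPE_server_packet_t;
	')

	allow $1 TEMPLATETYPE_server_packet_t:packet relabelto;
')
"""

# Placeholder: this template contributes no additional .te rules, only a
# single newline.
te_rules = """
"""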
584