| Lorenzo Colitti | ab7dfab | 2013-08-05 15:32:56 +0900 | [diff] [blame] | 1 | # 464xlat daemon |
| 2 | type clatd, domain; |
| Lorenzo Colitti | ab7dfab | 2013-08-05 15:32:56 +0900 | [diff] [blame] | 3 | type clatd_exec, exec_type, file_type; |
| 4 | |
| Lorenzo Colitti | ab7dfab | 2013-08-05 15:32:56 +0900 | [diff] [blame] | 5 | net_domain(clatd) |
| Stephen Smalley | a770ee5 | 2014-02-21 11:08:15 -0500 | [diff] [blame] | 6 | |
| 7 | # Access objects inherited from netd. |
| 8 | allow clatd netd:fd use; |
| 9 | allow clatd netd:fifo_file { read write }; |
| Stephen Smalley | e42cebe | 2014-03-14 08:22:19 -0400 | [diff] [blame] | 10 | # TODO: Check whether some or all of these sockets should be close-on-exec. |
| Stephen Smalley | a770ee5 | 2014-02-21 11:08:15 -0500 | [diff] [blame] | 11 | allow clatd netd:netlink_kobject_uevent_socket { read write }; |
| 12 | allow clatd netd:netlink_nflog_socket { read write }; |
| 13 | allow clatd netd:netlink_route_socket { read write }; |
| 14 | allow clatd netd:udp_socket { read write }; |
| 15 | allow clatd netd:unix_stream_socket { read write }; |
| Stephen Smalley | e42cebe | 2014-03-14 08:22:19 -0400 | [diff] [blame] | 16 | allow clatd netd:unix_dgram_socket { read write }; |
| Stephen Smalley | a770ee5 | 2014-02-21 11:08:15 -0500 | [diff] [blame] | 17 | |
| Lorenzo Colitti | 6cd57a4 | 2014-06-05 23:30:08 +0900 | [diff] [blame] | 18 | allow clatd self:capability { net_admin net_raw setuid setgid }; |
| Stephen Smalley | a770ee5 | 2014-02-21 11:08:15 -0500 | [diff] [blame] | 19 | |
| Stephen Smalley | 1601132 | 2014-02-24 15:06:11 -0500 | [diff] [blame] | 20 | allow clatd self:netlink_route_socket nlmsg_write; |
| Lorenzo Colitti | 6cd57a4 | 2014-06-05 23:30:08 +0900 | [diff] [blame] | 21 | allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms; |
| Stephen Smalley | a770ee5 | 2014-02-21 11:08:15 -0500 | [diff] [blame] | 22 | allow clatd tun_device:chr_file rw_file_perms; |