# SELinux policy module for the tcpd_t domain: declares the domain, its
# entry-point type and its private temporary-file type, then grants the
# network, file and logging access listed below.
# NOTE(review): the page shows only interface calls; what each macro expands
# to is defined in other policy modules, so the summaries below follow the
# interface names and should be confirmed against those definitions.
policy_module(tcpd, 1.5.0)

########################################
#
# Declarations
#

# Process domain and the executable type used as its entry point.
type tcpd_t;
type tcpd_exec_t;
# Registers tcpd_t/tcpd_exec_t as an inetd-launched TCP service domain.
# presumably this also sets up the transition from the inetd domain - confirm
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)

# Private type for temporary files, declared as a tmp file type.
type tcpd_tmp_t;
files_tmp_file(tcpd_tmp_t)

########################################
#
# Local policy
#

# tcpd_t may create and use its own TCP stream sockets.
allow tcpd_t self:tcp_socket create_stream_socket_perms;

# Full management of directories and files labelled tcpd_tmp_t. The filetrans
# rule names tcpd_tmp_t as the type for files and directories that tcpd_t
# creates in the temporary directory, so they get a private label.
manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })

# Core network access: NetLabel receive, TCP send/receive on generic
# interfaces and nodes, and bind to generic nodes.
# NOTE(review): sendrecv_all_ports is not restricted to the services bound
# below; confirm that this breadth is intended.
corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_generic_if(tcpd_t)
corenet_tcp_sendrecv_generic_node(tcpd_t)
corenet_tcp_sendrecv_all_ports(tcpd_t)
corenet_tcp_bind_generic_node(tcpd_t)
# Allow tcpd_t to bind to ports for services where there is a transition defined.
# NOTE(review): going by the port names, the list covers legacy remote-login
# services (rlogin, rsh, telnet, finger) and every RPC port; when hardening,
# check each entry against the services actually deployed behind tcpd.
corenet_tcp_bind_ircd_port(tcpd_t)
corenet_tcp_bind_interwise_port(tcpd_t)
corenet_tcp_bind_fingerd_port(tcpd_t)
corenet_tcp_bind_inetd_child_port(tcpd_t)
corenet_tcp_bind_rlogind_port(tcpd_t)
corenet_tcp_bind_rlogin_port(tcpd_t)
corenet_tcp_bind_rsh_port(tcpd_t)
corenet_tcp_bind_all_rpc_ports(tcpd_t)
corenet_tcp_bind_telnetd_port(tcpd_t)
corenet_tcp_bind_xserver_port(tcpd_t)
corenet_tcp_bind_vnc_port(tcpd_t)

# Read attributes of xattr-capable filesystems.
fs_getattr_xattr_fs(tcpd_t)

# Execute generic bin programs.
# NOTE(review): presumably without a domain transition, so such programs
# would keep the tcpd_t permissions - confirm against the interface.
corecmd_exec_bin(tcpd_t)

# Do not audit denied searches of the var directory (the access stays denied).
files_dontaudit_search_var(tcpd_t)

# Send messages to syslog.
logging_send_syslog_msg(tcpd_t)

# Read the system network configuration.
sysnet_read_config(tcpd_t)

# Transition to the inetd child domain when starting a wrapped service.
inetd_domtrans_child(tcpd_t)

# NOTE(review): by its name this enables abstract-socket activation by init;
# the interface is not defined on this page - confirm.
init_abstract_socket_activation(tcpd_t)

# Applied only when the nis module is part of the loaded policy.
optional_policy(`
	nis_use_ypbind(tcpd_t)
')

# Binding to the ssh port is granted only while the ssh_use_tcpd boolean is
# enabled. The boolean is not declared in this module.
tunable_policy(`ssh_use_tcpd',`
	corenet_tcp_bind_ssh_port(tcpd_t)
')