selinux-policy/refpolicy/policy/modules/services/rlogin.te


policy_module(rlogin,1.1.0)

########################################
#
# Declarations
#

type rlogind_t;
type rlogind_exec_t;
inetd_service_domain(rlogind_t,rlogind_exec_t)
role system_r types rlogind_t;

type rlogind_devpts_t; #, userpty_type;
term_login_pty(rlogind_devpts_t)

type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t)

type rlogind_var_run_t;
files_pid_file(rlogind_var_run_t)

########################################
#
# Local policy
#

allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t self:capability { setuid setgid };

allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty(rlogind_t,rlogind_devpts_t)

# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)

allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
allow rlogind_t rlogind_tmp_t:file create_file_perms;
files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })

allow rlogind_t rlogind_var_run_t:file create_file_perms;
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)

kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)

corenet_tcp_sendrecv_all_if(rlogind_t)
corenet_udp_sendrecv_all_if(rlogind_t)
corenet_raw_sendrecv_all_if(rlogind_t)
corenet_tcp_sendrecv_all_nodes(rlogind_t)
corenet_udp_sendrecv_all_nodes(rlogind_t)
corenet_raw_sendrecv_all_nodes(rlogind_t)
corenet_tcp_sendrecv_all_ports(rlogind_t)
corenet_udp_sendrecv_all_ports(rlogind_t)
corenet_non_ipsec_sendrecv(rlogind_t)
corenet_tcp_bind_all_nodes(rlogind_t)
corenet_udp_bind_all_nodes(rlogind_t)

dev_read_urand(rlogind_t)

fs_getattr_xattr_fs(rlogind_t)

auth_domtrans_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)

files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
files_search_home(rlogind_t)
files_search_default(rlogind_t)

init_rw_utmp(rlogind_t)

libs_use_ld_so(rlogind_t)
libs_use_shared_libs(rlogind_t)

logging_send_syslog_msg(rlogind_t)

miscfiles_read_localization(rlogind_t)

seutil_dontaudit_search_config(rlogind_t)

sysnet_read_config(rlogind_t)

userdom_setattr_unpriv_users_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_all_users_home_content_files(rlogind_t)

remotelogin_domtrans(rlogind_t)

optional_policy(`kerberos',`
	kerberos_read_keytab(rlogind_t)

	# for identd; cjp: this should probably only be inetd_child rules?
	kerberos_use(rlogind_t)
')

optional_policy(`nis',`
	nis_use_ypbind(rlogind_t)
')

optional_policy(`nscd',`
	nscd_socket_use(rlogind_t)
')

ifdef(`TODO',`
# Allow krb5 rlogind to use fork and open /dev/tty for use
allow rlogind_t userpty_type:chr_file setattr;
')
add rlogin and telnet 2005-09-20 17:11:53 +00:00
fix module versions 2005-12-09 16:38:39 +00:00			`policy_module(rlogin,1.1.0)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

			`type rlogind_t;`
			`type rlogind_exec_t;`
			`inetd_service_domain(rlogind_t,rlogind_exec_t)`
			`role system_r types rlogind_t;`

			`type rlogind_devpts_t; #, userpty_type;`
			`term_login_pty(rlogind_devpts_t)`

			`type rlogind_tmp_t;`
			`files_tmp_file(rlogind_tmp_t)`

			`type rlogind_var_run_t;`
			`files_pid_file(rlogind_var_run_t)`

			`########################################`
			`#`
			`# Local policy`
			`#`

			`allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };`
			`allow rlogind_t self:process signal_perms;`
			`allow rlogind_t self:fifo_file rw_file_perms;`
			`allow rlogind_t self:tcp_socket connected_stream_socket_perms;`
			`# for identd; cjp: this should probably only be inetd_child rules?`
			`allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;`
			`allow rlogind_t self:capability { setuid setgid };`

			`allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };`
more of the same 2005-10-31 22:44:03 +00:00			`term_create_pty(rlogind_t,rlogind_devpts_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
			`# for /usr/lib/telnetlogin`
			`can_exec(rlogind_t, rlogind_exec_t)`

			`allow rlogind_t rlogind_tmp_t:dir create_dir_perms;`
			`allow rlogind_t rlogind_tmp_t:file create_file_perms;`
another round of renaming 2006-02-21 18:40:44 +00:00			`files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { file dir })`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
			`allow rlogind_t rlogind_var_run_t:file create_file_perms;`
clean up last var_run_domain expansion errors 2005-11-01 19:52:37 +00:00			`allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;`
make (almost) all interface parameters required. move boot_t, system_map_t, and modules_object_t to files module. fd use interface renames, udp sendto interface renames. 2006-03-02 23:41:11 +00:00			`files_pid_filetrans(rlogind_t,rlogind_var_run_t,file)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
renaming from 20060131 interface review, round 2 2006-01-31 16:49:43 +00:00			`kernel_read_kernel_sysctls(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`kernel_read_system_state(rlogind_t)`
			`kernel_read_network_state(rlogind_t)`

			`corenet_tcp_sendrecv_all_if(rlogind_t)`
			`corenet_udp_sendrecv_all_if(rlogind_t)`
			`corenet_raw_sendrecv_all_if(rlogind_t)`
			`corenet_tcp_sendrecv_all_nodes(rlogind_t)`
			`corenet_udp_sendrecv_all_nodes(rlogind_t)`
			`corenet_raw_sendrecv_all_nodes(rlogind_t)`
			`corenet_tcp_sendrecv_all_ports(rlogind_t)`
			`corenet_udp_sendrecv_all_ports(rlogind_t)`
add unlabeled association rules 2005-12-06 19:59:50 +00:00			`corenet_non_ipsec_sendrecv(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`corenet_tcp_bind_all_nodes(rlogind_t)`
			`corenet_udp_bind_all_nodes(rlogind_t)`

			`dev_read_urand(rlogind_t)`

			`fs_getattr_xattr_fs(rlogind_t)`

			`auth_domtrans_chk_passwd(rlogind_t)`
			`auth_rw_login_records(rlogind_t)`

			`files_read_etc_files(rlogind_t)`
			`files_read_etc_runtime_files(rlogind_t)`
			`files_search_home(rlogind_t)`
			`files_search_default(rlogind_t)`

Change initrc_var_run_t interface noun from script_pid to utmp for clarity. 2006-01-18 18:08:39 +00:00			`init_rw_utmp(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
			`libs_use_ld_so(rlogind_t)`
			`libs_use_shared_libs(rlogind_t)`

			`logging_send_syslog_msg(rlogind_t)`

			`miscfiles_read_localization(rlogind_t)`

			`seutil_dontaudit_search_config(rlogind_t)`

			`sysnet_read_config(rlogind_t)`

another round of renaming 2006-02-20 21:33:25 +00:00			`userdom_setattr_unpriv_users_ptys(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`# cjp: this is egregious`
another round of renaming 2006-02-21 18:40:44 +00:00			`userdom_read_all_users_home_content_files(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00
			`remotelogin_domtrans(rlogind_t)`

Change optional_policy() to refer to the module name rather than modulename.te. 2005-11-23 20:24:27 +00:00			optional_policy(`kerberos',`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`kerberos_read_keytab(rlogind_t)`

			`# for identd; cjp: this should probably only be inetd_child rules?`
			`kerberos_use(rlogind_t)`
			`')`

Change optional_policy() to refer to the module name rather than modulename.te. 2005-11-23 20:24:27 +00:00			optional_policy(`nis',`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`nis_use_ypbind(rlogind_t)`
			`')`

Change optional_policy() to refer to the module name rather than modulename.te. 2005-11-23 20:24:27 +00:00			optional_policy(`nscd',`
another slew of renaming 2006-02-02 21:08:12 +00:00			`nscd_socket_use(rlogind_t)`
add rlogin and telnet 2005-09-20 17:11:53 +00:00			`')`

			ifdef(`TODO',`
			`# Allow krb5 rlogind to use fork and open /dev/tty for use`
			`allow rlogind_t userpty_type:chr_file setattr;`
			`')`