86 lines
2.5 KiB
Plaintext
86 lines
2.5 KiB
Plaintext
|
#DESC Portslave - Terminal server software
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: portslave
|
||
|
# Depends: pppd.te
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the portslave_t domain.
|
||
|
#
|
||
|
daemon_base_domain(portslave, `, privmail, auth_chkpwd')
|
||
|
|
||
|
type portslave_etc_t, file_type, sysadmfile;
|
||
|
|
||
|
general_domain_access(portslave_t)
|
||
|
domain_auto_trans(init_t, portslave_exec_t, portslave_t)
|
||
|
ifdef(`rlogind.te', `
|
||
|
domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
|
||
|
')
|
||
|
ifdef(`inetd.te', `
|
||
|
domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
|
||
|
allow portslave_t inetd_t:tcp_socket { getattr read write };
|
||
|
')
|
||
|
|
||
|
allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
|
||
|
read_locale(portslave_t)
|
||
|
r_dir_file(portslave_t, portslave_etc_t)
|
||
|
|
||
|
allow portslave_t pppd_etc_t:dir r_dir_perms;
|
||
|
allow portslave_t pppd_etc_rw_t:file { getattr read };
|
||
|
|
||
|
allow portslave_t proc_t:file { getattr read };
|
||
|
|
||
|
allow portslave_t { var_t var_log_t devpts_t }:dir search;
|
||
|
|
||
|
allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
|
||
|
|
||
|
allow portslave_t pppd_secret_t:file r_file_perms;
|
||
|
|
||
|
can_network_server(portslave_t)
|
||
|
allow portslave_t fs_t:filesystem getattr;
|
||
|
ifdef(`radius.te', `
|
||
|
can_udp_send(portslave_t, radiusd_t)
|
||
|
can_udp_send(radiusd_t, portslave_t)
|
||
|
')
|
||
|
# for rlogin etc
|
||
|
can_exec(portslave_t, { bin_t ssh_exec_t })
|
||
|
# net_bind_service for rlogin
|
||
|
allow portslave_t self:capability { net_bind_service sys_tty_config };
|
||
|
# for ssh
|
||
|
allow portslave_t urandom_device_t:chr_file read;
|
||
|
ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
|
||
|
|
||
|
# for pppd
|
||
|
allow portslave_t self:capability { setuid setgid net_admin fsetid };
|
||
|
allow portslave_t ppp_device_t:chr_file rw_file_perms;
|
||
|
|
||
|
# for ~/.ppprc - if it actually exists then you need some policy to read it
|
||
|
allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
|
||
|
|
||
|
# for ctlportslave
|
||
|
dontaudit portslave_t self:capability sys_admin;
|
||
|
|
||
|
file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
|
||
|
can_exec(portslave_t, { etc_t shell_exec_t })
|
||
|
|
||
|
# Run login in local_login_t domain.
|
||
|
#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
|
||
|
|
||
|
# Write to /var/run/utmp.
|
||
|
allow portslave_t initrc_var_run_t:file rw_file_perms;
|
||
|
|
||
|
# Write to /var/log/wtmp.
|
||
|
allow portslave_t wtmp_t:file rw_file_perms;
|
||
|
|
||
|
# Read and write ttys.
|
||
|
allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
|
||
|
allow portslave_t ttyfile:chr_file rw_file_perms;
|
||
|
|
||
|
|
||
|
lock_domain(portslave)
|
||
|
can_exec(portslave_t, pppd_exec_t)
|
||
|
allow portslave_t { bin_t sbin_t }:dir search;
|
||
|
allow portslave_t bin_t:lnk_file read;
|