From 4fd5201a59de19c18a5ec23087cd6f10beb8dd0f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 20 Sep 2005 17:11:53 +0000 Subject: [PATCH] add rlogin and telnet --- refpolicy/Changelog | 2 + refpolicy/policy/modules/services/kerberos.if | 17 +++ refpolicy/policy/modules/services/rlogin.fc | 6 + refpolicy/policy/modules/services/rlogin.if | 23 ++++ refpolicy/policy/modules/services/rlogin.te | 111 ++++++++++++++++++ refpolicy/policy/modules/services/tcpd.te | 4 + refpolicy/policy/modules/services/telnet.fc | 4 + refpolicy/policy/modules/services/telnet.if | 1 + refpolicy/policy/modules/services/telnet.te | 102 ++++++++++++++++ refpolicy/policy/modules/system/files.if | 16 +++ 10 files changed, 286 insertions(+) create mode 100644 refpolicy/policy/modules/services/rlogin.fc create mode 100644 refpolicy/policy/modules/services/rlogin.if create mode 100644 refpolicy/policy/modules/services/rlogin.te create mode 100644 refpolicy/policy/modules/services/telnet.fc create mode 100644 refpolicy/policy/modules/services/telnet.if create mode 100644 refpolicy/policy/modules/services/telnet.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 89e8073a..dc332171 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -7,9 +7,11 @@ ktalk portmap postgresql + rlogin samba snmp stunnel + telnet tftp vpn zebra diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if index b1b01990..c8c103ac 100644 --- a/refpolicy/policy/modules/services/kerberos.if +++ b/refpolicy/policy/modules/services/kerberos.if @@ -90,3 +90,20 @@ interface(`kerberos_rw_config',` files_search_etc($1) allow $1 krb5_conf_t:file rw_file_perms; ') + +######################################## +## +## Read the kerberos key table. +## +## +## Domain allowed access. +## +# +interface(`kerberos_read_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file r_file_perms; +') diff --git a/refpolicy/policy/modules/services/rlogin.fc b/refpolicy/policy/modules/services/rlogin.fc new file mode 100644 index 00000000..367cafef --- /dev/null +++ b/refpolicy/policy/modules/services/rlogin.fc @@ -0,0 +1,6 @@ + +/usr/kerberos/sbin/klogind -- context_template(system_u:object_r:rlogind_exec_t,s0) + +/usr/lib(64)?/telnetlogin -- context_template(system_u:object_r:rlogind_exec_t,s0) + +/usr/sbin/in\.rlogind -- context_template(system_u:object_r:rlogind_exec_t,s0) diff --git a/refpolicy/policy/modules/services/rlogin.if b/refpolicy/policy/modules/services/rlogin.if new file mode 100644 index 00000000..42f4f848 --- /dev/null +++ b/refpolicy/policy/modules/services/rlogin.if @@ -0,0 +1,23 @@ +## Remote login daemon + +######################################## +## +## Execute rlogind in the rlogin domain. +## +## +## The type of the process performing this action. +## +# +interface(`rlogin_domtrans',` + gen_require(` + type rlogind_t, rlogind_exec_t; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,rlogind_exec_t,rlogind_t) + + allow $1 rlogind_t:fd use; + allow rlogind_t $1:fd use; + allow rlogind_t $1:fifo_file rw_file_perms; + allow rlogind_t $1:process sigchld; +') diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te new file mode 100644 index 00000000..11d14aab --- /dev/null +++ b/refpolicy/policy/modules/services/rlogin.te @@ -0,0 +1,111 @@ + +policy_module(rlogin,1.0) + +######################################## +# +# Declarations +# + +type rlogind_t; +type rlogind_exec_t; +inetd_service_domain(rlogind_t,rlogind_exec_t) +role system_r types rlogind_t; + +type rlogind_devpts_t; #, userpty_type; +term_login_pty(rlogind_devpts_t) + +type rlogind_tmp_t; +files_tmp_file(rlogind_tmp_t) + +type rlogind_var_run_t; +files_pid_file(rlogind_var_run_t) + +######################################## +# +# Local policy +# + +allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override }; +allow rlogind_t self:process signal_perms; +allow rlogind_t self:fifo_file rw_file_perms; +allow rlogind_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow rlogind_t self:capability { setuid setgid }; + +allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr }; + +# for /usr/lib/telnetlogin +can_exec(rlogind_t, rlogind_exec_t) + +allow rlogind_t rlogind_tmp_t:dir create_dir_perms; +allow rlogind_t rlogind_tmp_t:file create_file_perms; +files_create_tmp_files(rlogind_t, rlogind_tmp_t, { file dir }) + +allow rlogind_t rlogind_var_run_t:file create_file_perms; +files_create_pid(rlogind_t,rlogind_var_run_t) + +kernel_read_kernel_sysctl(rlogind_t) +kernel_read_system_state(rlogind_t) +kernel_read_network_state(rlogind_t) + +corenet_tcp_sendrecv_all_if(rlogind_t) +corenet_udp_sendrecv_all_if(rlogind_t) +corenet_raw_sendrecv_all_if(rlogind_t) +corenet_tcp_sendrecv_all_nodes(rlogind_t) +corenet_udp_sendrecv_all_nodes(rlogind_t) +corenet_raw_sendrecv_all_nodes(rlogind_t) +corenet_tcp_sendrecv_all_ports(rlogind_t) +corenet_udp_sendrecv_all_ports(rlogind_t) +corenet_tcp_bind_all_nodes(rlogind_t) +corenet_udp_bind_all_nodes(rlogind_t) + +dev_read_urand(rlogind_t) + +fs_getattr_xattr_fs(rlogind_t) + +auth_domtrans_chk_passwd(rlogind_t) +auth_rw_login_records(rlogind_t) + +files_read_etc_files(rlogind_t) +files_read_etc_runtime_files(rlogind_t) +files_search_home(rlogind_t) +files_search_default(rlogind_t) + +init_rw_script_pid(rlogind_t) + +libs_use_ld_so(rlogind_t) +libs_use_shared_libs(rlogind_t) + +logging_send_syslog_msg(rlogind_t) + +miscfiles_read_localization(rlogind_t) + +seutil_dontaudit_search_config(rlogind_t) + +sysnet_read_config(rlogind_t) + +# cjp: this is egregious +userdom_read_all_user_files(rlogind_t) + +remotelogin_domtrans(rlogind_t) + +optional_policy(`kerberos.te',` + kerberos_read_keytab(rlogind_t) + + # for identd; cjp: this should probably only be inetd_child rules? + kerberos_use(rlogind_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(rlogind_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(rlogind_t) +') + +ifdef(`TODO',` +# Allow krb5 rlogind to use fork and open /dev/tty for use +allow rlogind_t userpty_type:chr_file setattr; +') diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te index 93123ad6..d3f4e1e8 100644 --- a/refpolicy/policy/modules/services/tcpd.te +++ b/refpolicy/policy/modules/services/tcpd.te @@ -59,6 +59,10 @@ optional_policy(`portmap.te',` portmap_udp_sendto(tcpd_t) ') +optional_policy(`rlogin.te',` + rlogin_domtrans(tcpd_t) +') + optional_policy(`rshd.te',` rshd_domtrans(tcpd_t) ') diff --git a/refpolicy/policy/modules/services/telnet.fc b/refpolicy/policy/modules/services/telnet.fc new file mode 100644 index 00000000..30b9e4af --- /dev/null +++ b/refpolicy/policy/modules/services/telnet.fc @@ -0,0 +1,4 @@ + +/usr/sbin/in\.telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0) + +/usr/kerberos/sbin/telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0) diff --git a/refpolicy/policy/modules/services/telnet.if b/refpolicy/policy/modules/services/telnet.if new file mode 100644 index 00000000..58e7ec00 --- /dev/null +++ b/refpolicy/policy/modules/services/telnet.if @@ -0,0 +1 @@ +## Telnet daemon diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te new file mode 100644 index 00000000..007787f7 --- /dev/null +++ b/refpolicy/policy/modules/services/telnet.te @@ -0,0 +1,102 @@ + +policy_module(telnet,1.0) + +######################################## +# +# Declarations +# + +type telnetd_t; +type telnetd_exec_t; +inetd_service_domain(telnetd_t,telnetd_exec_t) +role system_r types telnetd_t; + +type telnetd_devpts_t; #, userpty_type; +term_login_pty(telnetd_devpts_t) + +type telnetd_tmp_t; +files_tmp_file(telnetd_tmp_t) + +type telnetd_var_run_t; +files_pid_file(telnetd_var_run_t) + +######################################## +# +# Local policy +# + +allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; +allow telnetd_t self:process signal_perms; +allow telnetd_t self:fifo_file rw_file_perms; +allow telnetd_t self:tcp_socket connected_stream_socket_perms; +# for identd; cjp: this should probably only be inetd_child rules? +allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; +allow telnetd_t self:capability { setuid setgid }; + +allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr }; + +allow telnetd_t telnetd_tmp_t:dir create_dir_perms; +allow telnetd_t telnetd_tmp_t:file create_file_perms; +files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir }) + +allow telnetd_t telnetd_var_run_t:file create_file_perms; +files_create_pid(telnetd_t,telnetd_var_run_t) + +kernel_read_kernel_sysctl(telnetd_t) +kernel_read_system_state(telnetd_t) +kernel_read_network_state(telnetd_t) + +corenet_tcp_sendrecv_all_if(telnetd_t) +corenet_udp_sendrecv_all_if(telnetd_t) +corenet_raw_sendrecv_all_if(telnetd_t) +corenet_tcp_sendrecv_all_nodes(telnetd_t) +corenet_udp_sendrecv_all_nodes(telnetd_t) +corenet_raw_sendrecv_all_nodes(telnetd_t) +corenet_tcp_sendrecv_all_ports(telnetd_t) +corenet_udp_sendrecv_all_ports(telnetd_t) +corenet_tcp_bind_all_nodes(telnetd_t) +corenet_udp_bind_all_nodes(telnetd_t) + +dev_read_urand(telnetd_t) + +fs_getattr_xattr_fs(telnetd_t) + +auth_rw_login_records(telnetd_t) + +files_read_etc_files(telnetd_t) +files_read_etc_runtime_files(telnetd_t) +# for identd; cjp: this should probably only be inetd_child rules? +files_search_home(telnetd_t) + +init_rw_script_pid(telnetd_t) + +libs_use_ld_so(telnetd_t) +libs_use_shared_libs(telnetd_t) + +logging_send_syslog_msg(telnetd_t) + +miscfiles_read_localization(telnetd_t) + +seutil_dontaudit_search_config(telnetd_t) + +sysnet_read_config(telnetd_t) + +remotelogin_domtrans(telnetd_t) + +# for identd; cjp: this should probably only be inetd_child rules? +optional_policy(`kerberos.te',` + kerberos_use(telnetd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(telnetd_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(telnetd_t) +') + +ifdef(`TODO',` +# Allow krb5 telnetd to use fork and open /dev/tty for use +allow telnetd_t userpty_type:chr_file setattr; +') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 6a8e2147..1b1028c0 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -736,6 +736,22 @@ interface(`files_dontaudit_getattr_default_dir',` dontaudit $1 default_t:dir getattr; ') +######################################## +## +## Search the contents of directories with the default file type. +## +## +## Domain allowed access. +## +# +interface(`files_search_default',` + gen_require(` + type default_t; + ') + + allow $1 default_t:dir search; +') + ######################################## ## ## List contents of directories with the default file type.