#
# Macros for rssh domains
#
# Author: Colin Walters <walters@verbum.org>
#
# rssh_domain(domain_prefix)
#
# Define a specific rssh domain for one user role prefix (e.g. user or
# staff). The executable type for rssh itself (rssh_exec_t) is declared
# separately in domains/program/rssh.te; this macro only creates the
# per-prefix domain, its two file types and the access that domain needs.
#
# When rssh.te is not part of the policy the macro expands to nothing, so
# callers in user domain definitions can invoke it unconditionally.
#
undefine(`rssh_domain')
ifdef(`rssh.te', `
define(`rssh_domain',`
# The domain the restricted shell runs in for this prefix. privlog and
# privfd are the policy attributes whose names suggest syslog access and
# letting other domains use fds inherited from this one (the sshd handoff
# below relies on fd passing).
type rssh_$1_t, domain, userdomain, privlog, privfd;
role rssh_$1_r types rssh_$1_t;
allow system_r rssh_$1_r;

# Per-prefix file types: rw is where this domain may create and write,
# ro is only read by this domain (see the r_dir_file rule below). Both
# carry the user file attribute, so the rest of the policy treats them as
# files belonging to that user prefix.
type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;
type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;

# Basic runtime access: shared libraries, /etc, runtime config, locale
# data, /var and /proc lookups.
general_domain_access(rssh_$1_t);
uses_shlib(rssh_$1_t);
base_file_read_access(rssh_$1_t);
allow rssh_$1_t var_t:dir r_dir_perms;
r_dir_file(rssh_$1_t, etc_t);
allow rssh_$1_t etc_runtime_t:file { getattr read };
r_dir_file(rssh_$1_t, locale_t);

# NOTE(review): this grants execution of every bin_t program inside this
# domain. rssh itself limits which commands it will run, but the SELinux
# side does not narrow this to the scp/sftp/rsync helpers, so a bypass of
# the shell restrictions is only confined by the other rules in this
# macro. Consider restricting it to the helper types actually needed.
can_exec(rssh_$1_t, bin_t);

allow rssh_$1_t proc_t:dir { getattr search };
allow rssh_$1_t proc_t:lnk_file { getattr read };

# Read-only and create/read/write access to the two types declared above.
r_dir_file(rssh_$1_t, rssh_$1_ro_t);
create_dir_file(rssh_$1_t, rssh_$1_rw_t);

# Pty handling; this macro call is apparently where the devpts type
# referenced on the next rule comes from.
can_create_pty(rssh_$1, `, userpty_type, user_tty_type')
# Use the type when relabeling pty devices.
type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;

ifdef(`ssh.te',`
# Interaction with sshd: the domain uses fds inherited from sshd and talks
# over the sshd-owned client connection sockets.
allow rssh_$1_t sshd_t:fd use;
allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;
allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;
# For reading /home/user/.ssh (labelled with the ro type; the rssh domain
# itself only gets read access to that type above).
r_dir_file(sshd_t, rssh_$1_ro_t);
# sshd enters this domain when it executes rssh_exec_t.
domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);
')
')
', `
define(`rssh_domain',`')
')