#DESC Portslave - Terminal server software # # Author: Russell Coker # X-Debian-Packages: portslave # Depends: pppd.te # ################################# # # Rules for the portslave_t domain. # daemon_base_domain(portslave, `, privmail, auth_chkpwd') type portslave_etc_t, file_type, sysadmfile; general_domain_access(portslave_t) domain_auto_trans(init_t, portslave_exec_t, portslave_t) ifdef(`rlogind.te', ` domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t) ') ifdef(`inetd.te', ` domain_auto_trans(inetd_t, portslave_exec_t, portslave_t) allow portslave_t inetd_t:tcp_socket { getattr read write }; ') allow portslave_t { etc_t etc_runtime_t }:file { read getattr }; read_locale(portslave_t) r_dir_file(portslave_t, portslave_etc_t) allow portslave_t pppd_etc_t:dir r_dir_perms; allow portslave_t pppd_etc_rw_t:file { getattr read }; allow portslave_t proc_t:file { getattr read }; allow portslave_t { var_t var_log_t devpts_t }:dir search; allow portslave_t devtty_t:chr_file { setattr rw_file_perms }; allow portslave_t pppd_secret_t:file r_file_perms; can_network_server(portslave_t) allow portslave_t fs_t:filesystem getattr; ifdef(`radius.te', ` can_udp_send(portslave_t, radiusd_t) can_udp_send(radiusd_t, portslave_t) ') # for rlogin etc can_exec(portslave_t, { bin_t ssh_exec_t }) # net_bind_service for rlogin allow portslave_t self:capability { net_bind_service sys_tty_config }; # for ssh allow portslave_t urandom_device_t:chr_file read; ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)') # for pppd allow portslave_t self:capability { setuid setgid net_admin fsetid }; allow portslave_t ppp_device_t:chr_file rw_file_perms; # for ~/.ppprc - if it actually exists then you need some policy to read it allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; # for ctlportslave dontaudit portslave_t self:capability sys_admin; file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file) can_exec(portslave_t, { etc_t shell_exec_t }) # Run login in local_login_t domain. #domain_auto_trans(portslave_t, login_exec_t, local_login_t) # Write to /var/run/utmp. allow portslave_t initrc_var_run_t:file rw_file_perms; # Write to /var/log/wtmp. allow portslave_t wtmp_t:file rw_file_perms; # Read and write ttys. allow portslave_t tty_device_t:chr_file { setattr rw_file_perms }; allow portslave_t ttyfile:chr_file rw_file_perms; rw_dir_create_file(portslave_t, var_lock_t) can_exec(portslave_t, pppd_exec_t) allow portslave_t { bin_t sbin_t }:dir search; allow portslave_t bin_t:lnk_file read;