1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
107 lines
2.7 KiB
Plaintext
107 lines
2.7 KiB
Plaintext
|
|
policy_module(telnet,1.4.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type telnetd_t;
|
|
type telnetd_exec_t;
|
|
inetd_service_domain(telnetd_t,telnetd_exec_t)
|
|
role system_r types telnetd_t;
|
|
|
|
type telnetd_devpts_t; #, userpty_type;
|
|
term_login_pty(telnetd_devpts_t)
|
|
|
|
type telnetd_tmp_t;
|
|
files_tmp_file(telnetd_tmp_t)
|
|
|
|
type telnetd_var_run_t;
|
|
files_pid_file(telnetd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
|
allow telnetd_t self:process signal_perms;
|
|
allow telnetd_t self:fifo_file rw_fifo_file_perms;
|
|
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
|
allow telnetd_t self:udp_socket create_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow telnetd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow telnetd_t self:capability { setuid setgid };
|
|
|
|
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(telnetd_t,telnetd_devpts_t)
|
|
|
|
manage_dirs_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
|
|
manage_files_pattern(telnetd_t,telnetd_tmp_t,telnetd_tmp_t)
|
|
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(telnetd_t,telnetd_var_run_t,telnetd_var_run_t)
|
|
files_pid_filetrans(telnetd_t,telnetd_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(telnetd_t)
|
|
kernel_read_system_state(telnetd_t)
|
|
kernel_read_network_state(telnetd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(telnetd_t)
|
|
corenet_all_recvfrom_netlabel(telnetd_t)
|
|
corenet_tcp_sendrecv_all_if(telnetd_t)
|
|
corenet_udp_sendrecv_all_if(telnetd_t)
|
|
corenet_tcp_sendrecv_all_nodes(telnetd_t)
|
|
corenet_udp_sendrecv_all_nodes(telnetd_t)
|
|
corenet_tcp_sendrecv_all_ports(telnetd_t)
|
|
corenet_udp_sendrecv_all_ports(telnetd_t)
|
|
|
|
dev_read_urand(telnetd_t)
|
|
|
|
fs_getattr_xattr_fs(telnetd_t)
|
|
|
|
auth_rw_login_records(telnetd_t)
|
|
|
|
corecmd_search_bin(telnetd_t)
|
|
|
|
files_read_etc_files(telnetd_t)
|
|
files_read_etc_runtime_files(telnetd_t)
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
files_search_home(telnetd_t)
|
|
|
|
init_rw_utmp(telnetd_t)
|
|
|
|
libs_use_ld_so(telnetd_t)
|
|
libs_use_shared_libs(telnetd_t)
|
|
|
|
logging_send_syslog_msg(telnetd_t)
|
|
|
|
miscfiles_read_localization(telnetd_t)
|
|
|
|
seutil_dontaudit_search_config(telnetd_t)
|
|
|
|
sysnet_read_config(telnetd_t)
|
|
|
|
remotelogin_domtrans(telnetd_t)
|
|
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
optional_policy(`
|
|
kerberos_use(telnetd_t)
|
|
kerberos_read_keytab(telnetd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(telnetd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(telnetd_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
# Allow krb5 telnetd to use fork and open /dev/tty for use
|
|
allow telnetd_t userpty_type:chr_file setattr;
|
|
')
|