101 lines
2.6 KiB
Plaintext
101 lines
2.6 KiB
Plaintext
|
|
policy_module(telnet, 1.7.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type telnetd_t;
|
|
type telnetd_exec_t;
|
|
inetd_service_domain(telnetd_t, telnetd_exec_t)
|
|
role system_r types telnetd_t;
|
|
|
|
type telnetd_devpts_t; #, userpty_type;
|
|
term_login_pty(telnetd_devpts_t)
|
|
|
|
type telnetd_tmp_t;
|
|
files_tmp_file(telnetd_tmp_t)
|
|
|
|
type telnetd_var_run_t;
|
|
files_pid_file(telnetd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
|
allow telnetd_t self:process signal_perms;
|
|
allow telnetd_t self:fifo_file rw_fifo_file_perms;
|
|
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
|
allow telnetd_t self:udp_socket create_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow telnetd_t self:capability { setuid setgid };
|
|
|
|
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(telnetd_t, telnetd_devpts_t)
|
|
|
|
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
|
|
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(telnetd_t)
|
|
kernel_read_system_state(telnetd_t)
|
|
kernel_read_network_state(telnetd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(telnetd_t)
|
|
corenet_all_recvfrom_netlabel(telnetd_t)
|
|
corenet_tcp_sendrecv_all_if(telnetd_t)
|
|
corenet_udp_sendrecv_all_if(telnetd_t)
|
|
corenet_tcp_sendrecv_all_nodes(telnetd_t)
|
|
corenet_udp_sendrecv_all_nodes(telnetd_t)
|
|
corenet_tcp_sendrecv_all_ports(telnetd_t)
|
|
corenet_udp_sendrecv_all_ports(telnetd_t)
|
|
|
|
dev_read_urand(telnetd_t)
|
|
|
|
domain_interactive_fd(telnetd_t)
|
|
|
|
fs_getattr_xattr_fs(telnetd_t)
|
|
|
|
auth_rw_login_records(telnetd_t)
|
|
auth_use_nsswitch(telnetd_t)
|
|
|
|
corecmd_search_bin(telnetd_t)
|
|
|
|
files_read_usr_files(telnetd_t)
|
|
files_read_etc_files(telnetd_t)
|
|
files_read_etc_runtime_files(telnetd_t)
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
files_search_home(telnetd_t)
|
|
|
|
init_rw_utmp(telnetd_t)
|
|
|
|
logging_send_syslog_msg(telnetd_t)
|
|
|
|
miscfiles_read_localization(telnetd_t)
|
|
|
|
seutil_read_config(telnetd_t)
|
|
|
|
remotelogin_domtrans(telnetd_t)
|
|
|
|
userdom_search_user_home_dirs(telnetd_t)
|
|
|
|
optional_policy(`
|
|
kerberos_use(telnetd_t)
|
|
kerberos_read_keytab(telnetd_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_search_nfs(telnetd_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_search_cifs(telnetd_t)
|
|
')
|