selinux-policy/refpolicy/policy/modules/services/telnet.te
2005-11-01 15:57:15 +00:00

108 lines
2.8 KiB
Plaintext

policy_module(telnet,1.0)
########################################
#
# Declarations
#
type telnetd_t;
type telnetd_exec_t;
inetd_service_domain(telnetd_t,telnetd_exec_t)
role system_r types telnetd_t;
type telnetd_devpts_t; #, userpty_type;
term_login_pty(telnetd_devpts_t)
type telnetd_tmp_t;
files_tmp_file(telnetd_tmp_t)
type telnetd_var_run_t;
files_pid_file(telnetd_var_run_t)
########################################
#
# Local policy
#
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
allow telnetd_t self:udp_socket create_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t self:capability { setuid setgid };
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty(telnetd_t,telnetd_devpts_t)
allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
allow telnetd_t telnetd_tmp_t:file create_file_perms;
files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir })
allow telnetd_t telnetd_var_run_t:file create_file_perms;
allow telnetd_t telnetd_var_run_t:dir rw_dir_perms;
files_create_pid(telnetd_t,telnetd_var_run_t)
kernel_read_kernel_sysctl(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
corenet_raw_sendrecv_all_if(telnetd_t)
corenet_tcp_sendrecv_all_nodes(telnetd_t)
corenet_udp_sendrecv_all_nodes(telnetd_t)
corenet_raw_sendrecv_all_nodes(telnetd_t)
corenet_tcp_sendrecv_all_ports(telnetd_t)
corenet_udp_sendrecv_all_ports(telnetd_t)
corenet_tcp_bind_all_nodes(telnetd_t)
corenet_udp_bind_all_nodes(telnetd_t)
dev_read_urand(telnetd_t)
fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t)
corecmd_search_sbin(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
init_rw_script_pid(telnetd_t)
libs_use_ld_so(telnetd_t)
libs_use_shared_libs(telnetd_t)
logging_send_syslog_msg(telnetd_t)
miscfiles_read_localization(telnetd_t)
seutil_dontaudit_search_config(telnetd_t)
sysnet_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
optional_policy(`kerberos.te',`
kerberos_use(telnetd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(telnetd_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(telnetd_t)
')
ifdef(`TODO',`
# Allow krb5 telnetd to use fork and open /dev/tty for use
allow telnetd_t userpty_type:chr_file setattr;
')