116 lines
2.9 KiB
Plaintext
116 lines
2.9 KiB
Plaintext
|
|
policy_module(rlogin,1.1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type rlogind_t;
|
|
type rlogind_exec_t;
|
|
inetd_service_domain(rlogind_t,rlogind_exec_t)
|
|
role system_r types rlogind_t;
|
|
|
|
type rlogind_devpts_t; #, userpty_type;
|
|
term_login_pty(rlogind_devpts_t)
|
|
|
|
type rlogind_tmp_t;
|
|
files_tmp_file(rlogind_tmp_t)
|
|
|
|
type rlogind_var_run_t;
|
|
files_pid_file(rlogind_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
|
allow rlogind_t self:process signal_perms;
|
|
allow rlogind_t self:fifo_file rw_file_perms;
|
|
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow rlogind_t self:capability { setuid setgid };
|
|
|
|
allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
|
|
term_create_pty(rlogind_t,rlogind_devpts_t)
|
|
|
|
# for /usr/lib/telnetlogin
|
|
can_exec(rlogind_t, rlogind_exec_t)
|
|
|
|
allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
|
|
allow rlogind_t rlogind_tmp_t:file create_file_perms;
|
|
files_filetrans_tmp(rlogind_t, rlogind_tmp_t, { file dir })
|
|
|
|
allow rlogind_t rlogind_var_run_t:file create_file_perms;
|
|
allow rlogind_t rlogind_var_run_t:dir rw_dir_perms;
|
|
files_filetrans_pid(rlogind_t,rlogind_var_run_t)
|
|
|
|
kernel_read_kernel_sysctl(rlogind_t)
|
|
kernel_read_system_state(rlogind_t)
|
|
kernel_read_network_state(rlogind_t)
|
|
|
|
corenet_tcp_sendrecv_all_if(rlogind_t)
|
|
corenet_udp_sendrecv_all_if(rlogind_t)
|
|
corenet_raw_sendrecv_all_if(rlogind_t)
|
|
corenet_tcp_sendrecv_all_nodes(rlogind_t)
|
|
corenet_udp_sendrecv_all_nodes(rlogind_t)
|
|
corenet_raw_sendrecv_all_nodes(rlogind_t)
|
|
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
|
corenet_udp_sendrecv_all_ports(rlogind_t)
|
|
corenet_non_ipsec_sendrecv(rlogind_t)
|
|
corenet_tcp_bind_all_nodes(rlogind_t)
|
|
corenet_udp_bind_all_nodes(rlogind_t)
|
|
|
|
dev_read_urand(rlogind_t)
|
|
|
|
fs_getattr_xattr_fs(rlogind_t)
|
|
|
|
auth_domtrans_chk_passwd(rlogind_t)
|
|
auth_rw_login_records(rlogind_t)
|
|
|
|
files_read_etc_files(rlogind_t)
|
|
files_read_etc_runtime_files(rlogind_t)
|
|
files_search_home(rlogind_t)
|
|
files_search_default(rlogind_t)
|
|
|
|
init_rw_utmp(rlogind_t)
|
|
|
|
libs_use_ld_so(rlogind_t)
|
|
libs_use_shared_libs(rlogind_t)
|
|
|
|
logging_send_syslog_msg(rlogind_t)
|
|
|
|
miscfiles_read_localization(rlogind_t)
|
|
|
|
seutil_dontaudit_search_config(rlogind_t)
|
|
|
|
sysnet_read_config(rlogind_t)
|
|
|
|
userdom_setattr_unpriv_user_pty(rlogind_t)
|
|
# cjp: this is egregious
|
|
userdom_read_all_user_files(rlogind_t)
|
|
|
|
remotelogin_domtrans(rlogind_t)
|
|
|
|
optional_policy(`kerberos',`
|
|
kerberos_read_keytab(rlogind_t)
|
|
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
kerberos_use(rlogind_t)
|
|
')
|
|
|
|
optional_policy(`nis',`
|
|
nis_use_ypbind(rlogind_t)
|
|
')
|
|
|
|
optional_policy(`nscd',`
|
|
nscd_use_socket(rlogind_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
# Allow krb5 rlogind to use fork and open /dev/tty for use
|
|
allow rlogind_t userpty_type:chr_file setattr;
|
|
')
|