selinux-policy/policy/modules/services/rlogin.te
Dominick Grift 7d1f5642b0 Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-24 12:44:39 +02:00

119 lines
3.0 KiB
Plaintext

policy_module(rlogin, 1.9.0)
########################################
#
# Declarations
#
type rlogind_t;
type rlogind_exec_t;
inetd_service_domain(rlogind_t, rlogind_exec_t)
role system_r types rlogind_t;
type rlogind_devpts_t; #, userpty_type;
term_login_pty(rlogind_devpts_t)
type rlogind_home_t;
userdom_user_home_content(rlogind_home_t)
type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t)
type rlogind_var_run_t;
files_pid_file(rlogind_var_run_t)
########################################
#
# Local policy
#
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
corenet_all_recvfrom_unlabeled(rlogind_t)
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
corenet_tcp_sendrecv_generic_node(rlogind_t)
corenet_udp_sendrecv_generic_node(rlogind_t)
corenet_tcp_sendrecv_all_ports(rlogind_t)
corenet_udp_sendrecv_all_ports(rlogind_t)
dev_read_urand(rlogind_t)
domain_interactive_fd(rlogind_t)
fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
auth_login_pgm_domain(rlogind_t)
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
files_search_home(rlogind_t)
files_search_default(rlogind_t)
init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
miscfiles_read_localization(rlogind_t)
seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
userdom_search_admin_dir(rlogind_t)
userdom_manage_user_tmp_files(rlogind_t)
userdom_tmp_filetrans_user_tmp(rlogind_t, file)
remotelogin_domtrans(rlogind_t)
remotelogin_signal(rlogind_t)
rlogin_read_home_content(rlogind_t)
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(rlogind_t)
fs_read_nfs_files(rlogind_t)
fs_read_nfs_symlinks(rlogind_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(rlogind_t)
fs_read_cifs_files(rlogind_t)
fs_read_cifs_symlinks(rlogind_t)
')
optional_policy(`
kerberos_keytab_template(rlogind, rlogind_t)
kerberos_manage_host_rcache(rlogind_t)
')
optional_policy(`
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')