568349bd70
The process and capability IPC goes on top of local policy. The process and capability IPC goes on top of local policy. The process and capability IPC goes on top of local policy.
119 lines
3.0 KiB
Plaintext
119 lines
3.0 KiB
Plaintext
policy_module(rlogin, 1.9.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type rlogind_t;
|
|
type rlogind_exec_t;
|
|
inetd_service_domain(rlogind_t, rlogind_exec_t)
|
|
role system_r types rlogind_t;
|
|
|
|
type rlogind_devpts_t; #, userpty_type;
|
|
term_login_pty(rlogind_devpts_t)
|
|
|
|
type rlogind_home_t;
|
|
userdom_user_home_content(rlogind_home_t)
|
|
|
|
type rlogind_tmp_t;
|
|
files_tmp_file(rlogind_tmp_t)
|
|
|
|
type rlogind_var_run_t;
|
|
files_pid_file(rlogind_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
|
allow rlogind_t self:process signal_perms;
|
|
allow rlogind_t self:fifo_file rw_fifo_file_perms;
|
|
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(rlogind_t, rlogind_devpts_t)
|
|
|
|
# for /usr/lib/telnetlogin
|
|
can_exec(rlogind_t, rlogind_exec_t)
|
|
|
|
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
|
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
|
|
|
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
|
|
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(rlogind_t)
|
|
kernel_read_system_state(rlogind_t)
|
|
kernel_read_network_state(rlogind_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(rlogind_t)
|
|
corenet_all_recvfrom_netlabel(rlogind_t)
|
|
corenet_tcp_sendrecv_generic_if(rlogind_t)
|
|
corenet_udp_sendrecv_generic_if(rlogind_t)
|
|
corenet_tcp_sendrecv_generic_node(rlogind_t)
|
|
corenet_udp_sendrecv_generic_node(rlogind_t)
|
|
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
|
corenet_udp_sendrecv_all_ports(rlogind_t)
|
|
|
|
dev_read_urand(rlogind_t)
|
|
|
|
domain_interactive_fd(rlogind_t)
|
|
|
|
fs_getattr_xattr_fs(rlogind_t)
|
|
fs_search_auto_mountpoints(rlogind_t)
|
|
|
|
auth_domtrans_chk_passwd(rlogind_t)
|
|
auth_rw_login_records(rlogind_t)
|
|
auth_use_nsswitch(rlogind_t)
|
|
auth_login_pgm_domain(rlogind_t)
|
|
|
|
files_read_etc_files(rlogind_t)
|
|
files_read_etc_runtime_files(rlogind_t)
|
|
files_search_home(rlogind_t)
|
|
files_search_default(rlogind_t)
|
|
|
|
init_rw_utmp(rlogind_t)
|
|
|
|
logging_send_syslog_msg(rlogind_t)
|
|
|
|
miscfiles_read_localization(rlogind_t)
|
|
|
|
seutil_read_config(rlogind_t)
|
|
|
|
userdom_setattr_user_ptys(rlogind_t)
|
|
# cjp: this is egregious
|
|
userdom_read_user_home_content_files(rlogind_t)
|
|
userdom_search_admin_dir(rlogind_t)
|
|
userdom_manage_user_tmp_files(rlogind_t)
|
|
userdom_tmp_filetrans_user_tmp(rlogind_t, file)
|
|
|
|
remotelogin_domtrans(rlogind_t)
|
|
remotelogin_signal(rlogind_t)
|
|
|
|
rlogin_read_home_content(rlogind_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_list_nfs(rlogind_t)
|
|
fs_read_nfs_files(rlogind_t)
|
|
fs_read_nfs_symlinks(rlogind_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_list_cifs(rlogind_t)
|
|
fs_read_cifs_files(rlogind_t)
|
|
fs_read_cifs_symlinks(rlogind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(rlogind, rlogind_t)
|
|
kerberos_manage_host_rcache(rlogind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
|
|
')
|