568349bd70
The process and capability IPC goes on top of local policy. The process and capability IPC goes on top of local policy. The process and capability IPC goes on top of local policy.
98 lines
2.5 KiB
Plaintext
98 lines
2.5 KiB
Plaintext
policy_module(telnet, 1.10.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type telnetd_t;
|
|
type telnetd_exec_t;
|
|
inetd_service_domain(telnetd_t, telnetd_exec_t)
|
|
|
|
type telnetd_devpts_t; #, userpty_type;
|
|
term_login_pty(telnetd_devpts_t)
|
|
|
|
type telnetd_tmp_t;
|
|
files_tmp_file(telnetd_tmp_t)
|
|
|
|
type telnetd_var_run_t;
|
|
files_pid_file(telnetd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
|
allow telnetd_t self:process signal_perms;
|
|
allow telnetd_t self:fifo_file rw_fifo_file_perms;
|
|
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
|
allow telnetd_t self:udp_socket create_socket_perms;
|
|
# for identd; cjp: this should probably only be inetd_child rules?
|
|
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr };
|
|
term_create_pty(telnetd_t, telnetd_devpts_t)
|
|
|
|
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
|
|
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
|
|
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
|
|
|
|
kernel_read_kernel_sysctls(telnetd_t)
|
|
kernel_read_system_state(telnetd_t)
|
|
kernel_read_network_state(telnetd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(telnetd_t)
|
|
corenet_all_recvfrom_netlabel(telnetd_t)
|
|
corenet_tcp_sendrecv_generic_if(telnetd_t)
|
|
corenet_udp_sendrecv_generic_if(telnetd_t)
|
|
corenet_tcp_sendrecv_generic_node(telnetd_t)
|
|
corenet_udp_sendrecv_generic_node(telnetd_t)
|
|
corenet_tcp_sendrecv_all_ports(telnetd_t)
|
|
corenet_udp_sendrecv_all_ports(telnetd_t)
|
|
|
|
dev_read_urand(telnetd_t)
|
|
|
|
domain_interactive_fd(telnetd_t)
|
|
|
|
fs_getattr_xattr_fs(telnetd_t)
|
|
|
|
auth_rw_login_records(telnetd_t)
|
|
auth_use_nsswitch(telnetd_t)
|
|
|
|
corecmd_search_bin(telnetd_t)
|
|
|
|
files_read_usr_files(telnetd_t)
|
|
files_read_etc_files(telnetd_t)
|
|
files_read_etc_runtime_files(telnetd_t)
|
|
|
|
init_rw_utmp(telnetd_t)
|
|
|
|
logging_send_syslog_msg(telnetd_t)
|
|
|
|
miscfiles_read_localization(telnetd_t)
|
|
|
|
seutil_read_config(telnetd_t)
|
|
|
|
remotelogin_domtrans(telnetd_t)
|
|
|
|
userdom_search_user_home_dirs(telnetd_t)
|
|
userdom_setattr_user_ptys(telnetd_t)
|
|
userdom_manage_user_tmp_files(telnetd_t)
|
|
userdom_tmp_filetrans_user_tmp(telnetd_t, file)
|
|
|
|
optional_policy(`
|
|
kerberos_keytab_template(telnetd, telnetd_t)
|
|
kerberos_manage_host_rcache(telnetd_t)
|
|
')
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_search_nfs(telnetd_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_search_cifs(telnetd_t)
|
|
')
|