selinux-refpolicy/policy/modules/apps/rssh.te

policy_module(rssh, 2.4.0)

########################################
#
# Declarations
#

attribute_role rssh_roles;
roleattribute system_r rssh_roles;

type rssh_t;
type rssh_exec_t;
userdom_user_application_domain(rssh_t, rssh_exec_t)
domain_user_exemption_target(rssh_t)
domain_interactive_fd(rssh_t)
role rssh_roles types rssh_t;

type rssh_chroot_helper_t;
type rssh_chroot_helper_exec_t;
init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)

type rssh_devpts_t;
term_user_pty(rssh_t, rssh_devpts_t)
ubac_constrained(rssh_devpts_t)

type rssh_ro_t; # customizable
userdom_user_home_content(rssh_ro_t)

type rssh_rw_t; # customizable
userdom_user_home_content(rssh_rw_t)

##############################
#
# Local policy
#

allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow rssh_t self:fd use;
allow rssh_t self:fifo_file rw_fifo_file_perms;
allow rssh_t self:unix_dgram_socket sendto;
allow rssh_t self:unix_stream_socket { accept connectto listen };

allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rssh_t, rssh_devpts_t)

allow rssh_t rssh_ro_t:dir list_dir_perms;
read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)

manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)

kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)

files_read_etc_files(rssh_t)
files_read_etc_runtime_files(rssh_t)
files_list_home(rssh_t)
files_read_usr_files(rssh_t)
files_list_var(rssh_t)

fs_search_auto_mountpoints(rssh_t)

logging_send_syslog_msg(rssh_t)

miscfiles_read_localization(rssh_t)

rssh_domtrans_chroot_helper(rssh_t)

ssh_rw_tcp_sockets(rssh_t)
ssh_rw_stream_sockets(rssh_t)

optional_policy(`
	nis_use_ypbind(rssh_t)
')

########################################
#
# Chroot helper local policy
#

allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };

domain_use_interactive_fds(rssh_chroot_helper_t)

auth_use_nsswitch(rssh_chroot_helper_t)

logging_send_syslog_msg(rssh_chroot_helper_t)

miscfiles_read_localization(rssh_chroot_helper_t)
Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2020-02-29 21:54:39 +00:00			`policy_module(rssh, 2.4.0)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute_role rssh_roles;`
			`roleattribute system_r rssh_roles;`

			`type rssh_t;`
			`type rssh_exec_t;`
			`userdom_user_application_domain(rssh_t, rssh_exec_t)`
			`domain_user_exemption_target(rssh_t)`
			`domain_interactive_fd(rssh_t)`
			`role rssh_roles types rssh_t;`

			`type rssh_chroot_helper_t;`
			`type rssh_chroot_helper_exec_t;`
			`init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)`

			`type rssh_devpts_t;`
			`term_user_pty(rssh_t, rssh_devpts_t)`
			`ubac_constrained(rssh_devpts_t)`

			`type rssh_ro_t; # customizable`
			`userdom_user_home_content(rssh_ro_t)`

			`type rssh_rw_t; # customizable`
			`userdom_user_home_content(rssh_rw_t)`

			`##############################`
			`#`
			`# Local policy`
			`#`

			`allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };`
			`allow rssh_t self:fd use;`
			`allow rssh_t self:fifo_file rw_fifo_file_perms;`
			`allow rssh_t self:unix_dgram_socket sendto;`
			`allow rssh_t self:unix_stream_socket { accept connectto listen };`

			`allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };`
			`term_create_pty(rssh_t, rssh_devpts_t)`

			`allow rssh_t rssh_ro_t:dir list_dir_perms;`
			`read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)`

			`manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)`
			`manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)`

			`kernel_read_system_state(rssh_t)`
			`kernel_read_kernel_sysctls(rssh_t)`

			`files_read_etc_files(rssh_t)`
			`files_read_etc_runtime_files(rssh_t)`
			`files_list_home(rssh_t)`
			`files_read_usr_files(rssh_t)`
			`files_list_var(rssh_t)`

			`fs_search_auto_mountpoints(rssh_t)`

			`logging_send_syslog_msg(rssh_t)`

			`miscfiles_read_localization(rssh_t)`

			`rssh_domtrans_chroot_helper(rssh_t)`

			`ssh_rw_tcp_sockets(rssh_t)`
			`ssh_rw_stream_sockets(rssh_t)`

			optional_policy(`
			`nis_use_ypbind(rssh_t)`
			`')`

			`########################################`
			`#`
			`# Chroot helper local policy`
			`#`

			`allow rssh_chroot_helper_t self:capability { setuid sys_chroot };`
			`allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;`
			`allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };`

			`domain_use_interactive_fds(rssh_chroot_helper_t)`

			`auth_use_nsswitch(rssh_chroot_helper_t)`

			`logging_send_syslog_msg(rssh_chroot_helper_t)`

			`miscfiles_read_localization(rssh_chroot_helper_t)`