add rlogin and telnet

This commit is contained in:
Chris PeBenito 2005-09-20 17:11:53 +00:00
parent 343cd041e5
commit 4fd5201a59
10 changed files with 286 additions and 0 deletions

View File

@ -7,9 +7,11 @@
ktalk ktalk
portmap portmap
postgresql postgresql
rlogin
samba samba
snmp snmp
stunnel stunnel
telnet
tftp tftp
vpn vpn
zebra zebra

View File

@ -90,3 +90,20 @@ interface(`kerberos_rw_config',`
files_search_etc($1) files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms; allow $1 krb5_conf_t:file rw_file_perms;
') ')
########################################
## <summary>
## Read the kerberos key table.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`kerberos_read_keytab',`
gen_require(`
type krb5_keytab_t;
')
files_search_etc($1)
allow $1 krb5_keytab_t:file r_file_perms;
')

View File

@ -0,0 +1,6 @@
/usr/kerberos/sbin/klogind -- context_template(system_u:object_r:rlogind_exec_t,s0)
/usr/lib(64)?/telnetlogin -- context_template(system_u:object_r:rlogind_exec_t,s0)
/usr/sbin/in\.rlogind -- context_template(system_u:object_r:rlogind_exec_t,s0)

View File

@ -0,0 +1,23 @@
## <summary>Remote login daemon</summary>
########################################
## <summary>
## Execute rlogind in the rlogin domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rlogin_domtrans',`
gen_require(`
type rlogind_t, rlogind_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,rlogind_exec_t,rlogind_t)
allow $1 rlogind_t:fd use;
allow rlogind_t $1:fd use;
allow rlogind_t $1:fifo_file rw_file_perms;
allow rlogind_t $1:process sigchld;
')

View File

@ -0,0 +1,111 @@
policy_module(rlogin,1.0)
########################################
#
# Declarations
#
type rlogind_t;
type rlogind_exec_t;
inetd_service_domain(rlogind_t,rlogind_exec_t)
role system_r types rlogind_t;
type rlogind_devpts_t; #, userpty_type;
term_login_pty(rlogind_devpts_t)
type rlogind_tmp_t;
files_tmp_file(rlogind_tmp_t)
type rlogind_var_run_t;
files_pid_file(rlogind_var_run_t)
########################################
#
# Local policy
#
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_file_perms;
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow rlogind_t self:capability { setuid setgid };
allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
# for /usr/lib/telnetlogin
can_exec(rlogind_t, rlogind_exec_t)
allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
allow rlogind_t rlogind_tmp_t:file create_file_perms;
files_create_tmp_files(rlogind_t, rlogind_tmp_t, { file dir })
allow rlogind_t rlogind_var_run_t:file create_file_perms;
files_create_pid(rlogind_t,rlogind_var_run_t)
kernel_read_kernel_sysctl(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
corenet_tcp_sendrecv_all_if(rlogind_t)
corenet_udp_sendrecv_all_if(rlogind_t)
corenet_raw_sendrecv_all_if(rlogind_t)
corenet_tcp_sendrecv_all_nodes(rlogind_t)
corenet_udp_sendrecv_all_nodes(rlogind_t)
corenet_raw_sendrecv_all_nodes(rlogind_t)
corenet_tcp_sendrecv_all_ports(rlogind_t)
corenet_udp_sendrecv_all_ports(rlogind_t)
corenet_tcp_bind_all_nodes(rlogind_t)
corenet_udp_bind_all_nodes(rlogind_t)
dev_read_urand(rlogind_t)
fs_getattr_xattr_fs(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
files_search_home(rlogind_t)
files_search_default(rlogind_t)
init_rw_script_pid(rlogind_t)
libs_use_ld_so(rlogind_t)
libs_use_shared_libs(rlogind_t)
logging_send_syslog_msg(rlogind_t)
miscfiles_read_localization(rlogind_t)
seutil_dontaudit_search_config(rlogind_t)
sysnet_read_config(rlogind_t)
# cjp: this is egregious
userdom_read_all_user_files(rlogind_t)
remotelogin_domtrans(rlogind_t)
optional_policy(`kerberos.te',`
kerberos_read_keytab(rlogind_t)
# for identd; cjp: this should probably only be inetd_child rules?
kerberos_use(rlogind_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(rlogind_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(rlogind_t)
')
ifdef(`TODO',`
# Allow krb5 rlogind to use fork and open /dev/tty for use
allow rlogind_t userpty_type:chr_file setattr;
')

View File

@ -59,6 +59,10 @@ optional_policy(`portmap.te',`
portmap_udp_sendto(tcpd_t) portmap_udp_sendto(tcpd_t)
') ')
optional_policy(`rlogin.te',`
rlogin_domtrans(tcpd_t)
')
optional_policy(`rshd.te',` optional_policy(`rshd.te',`
rshd_domtrans(tcpd_t) rshd_domtrans(tcpd_t)
') ')

View File

@ -0,0 +1,4 @@
/usr/sbin/in\.telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)
/usr/kerberos/sbin/telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)

View File

@ -0,0 +1 @@
## <summary>Telnet daemon</summary>

View File

@ -0,0 +1,102 @@
policy_module(telnet,1.0)
########################################
#
# Declarations
#
type telnetd_t;
type telnetd_exec_t;
inetd_service_domain(telnetd_t,telnetd_exec_t)
role system_r types telnetd_t;
type telnetd_devpts_t; #, userpty_type;
term_login_pty(telnetd_devpts_t)
type telnetd_tmp_t;
files_tmp_file(telnetd_tmp_t)
type telnetd_var_run_t;
files_pid_file(telnetd_var_run_t)
########################################
#
# Local policy
#
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_file_perms;
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
# for identd; cjp: this should probably only be inetd_child rules?
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow telnetd_t self:capability { setuid setgid };
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
allow telnetd_t telnetd_tmp_t:file create_file_perms;
files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir })
allow telnetd_t telnetd_var_run_t:file create_file_perms;
files_create_pid(telnetd_t,telnetd_var_run_t)
kernel_read_kernel_sysctl(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
corenet_raw_sendrecv_all_if(telnetd_t)
corenet_tcp_sendrecv_all_nodes(telnetd_t)
corenet_udp_sendrecv_all_nodes(telnetd_t)
corenet_raw_sendrecv_all_nodes(telnetd_t)
corenet_tcp_sendrecv_all_ports(telnetd_t)
corenet_udp_sendrecv_all_ports(telnetd_t)
corenet_tcp_bind_all_nodes(telnetd_t)
corenet_udp_bind_all_nodes(telnetd_t)
dev_read_urand(telnetd_t)
fs_getattr_xattr_fs(telnetd_t)
auth_rw_login_records(telnetd_t)
files_read_etc_files(telnetd_t)
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
init_rw_script_pid(telnetd_t)
libs_use_ld_so(telnetd_t)
libs_use_shared_libs(telnetd_t)
logging_send_syslog_msg(telnetd_t)
miscfiles_read_localization(telnetd_t)
seutil_dontaudit_search_config(telnetd_t)
sysnet_read_config(telnetd_t)
remotelogin_domtrans(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
optional_policy(`kerberos.te',`
kerberos_use(telnetd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(telnetd_t)
')
optional_policy(`nscd.te',`
nscd_use_socket(telnetd_t)
')
ifdef(`TODO',`
# Allow krb5 telnetd to use fork and open /dev/tty for use
allow telnetd_t userpty_type:chr_file setattr;
')

View File

@ -736,6 +736,22 @@ interface(`files_dontaudit_getattr_default_dir',`
dontaudit $1 default_t:dir getattr; dontaudit $1 default_t:dir getattr;
') ')
########################################
## <summary>
## Search the contents of directories with the default file type.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`files_search_default',`
gen_require(`
type default_t;
')
allow $1 default_t:dir search;
')
######################################## ########################################
## <summary> ## <summary>
## List contents of directories with the default file type. ## List contents of directories with the default file type.