mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-01-11 09:39:25 +00:00
add rlogin and telnet
This commit is contained in:
parent
343cd041e5
commit
4fd5201a59
@ -7,9 +7,11 @@
|
||||
ktalk
|
||||
portmap
|
||||
postgresql
|
||||
rlogin
|
||||
samba
|
||||
snmp
|
||||
stunnel
|
||||
telnet
|
||||
tftp
|
||||
vpn
|
||||
zebra
|
||||
|
@ -90,3 +90,20 @@ interface(`kerberos_rw_config',`
|
||||
files_search_etc($1)
|
||||
allow $1 krb5_conf_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the kerberos key table.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`kerberos_read_keytab',`
|
||||
gen_require(`
|
||||
type krb5_keytab_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 krb5_keytab_t:file r_file_perms;
|
||||
')
|
||||
|
6
refpolicy/policy/modules/services/rlogin.fc
Normal file
6
refpolicy/policy/modules/services/rlogin.fc
Normal file
@ -0,0 +1,6 @@
|
||||
|
||||
/usr/kerberos/sbin/klogind -- context_template(system_u:object_r:rlogind_exec_t,s0)
|
||||
|
||||
/usr/lib(64)?/telnetlogin -- context_template(system_u:object_r:rlogind_exec_t,s0)
|
||||
|
||||
/usr/sbin/in\.rlogind -- context_template(system_u:object_r:rlogind_exec_t,s0)
|
23
refpolicy/policy/modules/services/rlogin.if
Normal file
23
refpolicy/policy/modules/services/rlogin.if
Normal file
@ -0,0 +1,23 @@
|
||||
## <summary>Remote login daemon</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute rlogind in the rlogin domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rlogin_domtrans',`
|
||||
gen_require(`
|
||||
type rlogind_t, rlogind_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,rlogind_exec_t,rlogind_t)
|
||||
|
||||
allow $1 rlogind_t:fd use;
|
||||
allow rlogind_t $1:fd use;
|
||||
allow rlogind_t $1:fifo_file rw_file_perms;
|
||||
allow rlogind_t $1:process sigchld;
|
||||
')
|
111
refpolicy/policy/modules/services/rlogin.te
Normal file
111
refpolicy/policy/modules/services/rlogin.te
Normal file
@ -0,0 +1,111 @@
|
||||
|
||||
policy_module(rlogin,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type rlogind_t;
|
||||
type rlogind_exec_t;
|
||||
inetd_service_domain(rlogind_t,rlogind_exec_t)
|
||||
role system_r types rlogind_t;
|
||||
|
||||
type rlogind_devpts_t; #, userpty_type;
|
||||
term_login_pty(rlogind_devpts_t)
|
||||
|
||||
type rlogind_tmp_t;
|
||||
files_tmp_file(rlogind_tmp_t)
|
||||
|
||||
type rlogind_var_run_t;
|
||||
files_pid_file(rlogind_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
||||
allow rlogind_t self:process signal_perms;
|
||||
allow rlogind_t self:fifo_file rw_file_perms;
|
||||
allow rlogind_t self:tcp_socket connected_stream_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow rlogind_t self:capability { setuid setgid };
|
||||
|
||||
allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
|
||||
|
||||
# for /usr/lib/telnetlogin
|
||||
can_exec(rlogind_t, rlogind_exec_t)
|
||||
|
||||
allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
|
||||
allow rlogind_t rlogind_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(rlogind_t, rlogind_tmp_t, { file dir })
|
||||
|
||||
allow rlogind_t rlogind_var_run_t:file create_file_perms;
|
||||
files_create_pid(rlogind_t,rlogind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(rlogind_t)
|
||||
kernel_read_system_state(rlogind_t)
|
||||
kernel_read_network_state(rlogind_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(rlogind_t)
|
||||
corenet_udp_sendrecv_all_if(rlogind_t)
|
||||
corenet_raw_sendrecv_all_if(rlogind_t)
|
||||
corenet_tcp_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_udp_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_raw_sendrecv_all_nodes(rlogind_t)
|
||||
corenet_tcp_sendrecv_all_ports(rlogind_t)
|
||||
corenet_udp_sendrecv_all_ports(rlogind_t)
|
||||
corenet_tcp_bind_all_nodes(rlogind_t)
|
||||
corenet_udp_bind_all_nodes(rlogind_t)
|
||||
|
||||
dev_read_urand(rlogind_t)
|
||||
|
||||
fs_getattr_xattr_fs(rlogind_t)
|
||||
|
||||
auth_domtrans_chk_passwd(rlogind_t)
|
||||
auth_rw_login_records(rlogind_t)
|
||||
|
||||
files_read_etc_files(rlogind_t)
|
||||
files_read_etc_runtime_files(rlogind_t)
|
||||
files_search_home(rlogind_t)
|
||||
files_search_default(rlogind_t)
|
||||
|
||||
init_rw_script_pid(rlogind_t)
|
||||
|
||||
libs_use_ld_so(rlogind_t)
|
||||
libs_use_shared_libs(rlogind_t)
|
||||
|
||||
logging_send_syslog_msg(rlogind_t)
|
||||
|
||||
miscfiles_read_localization(rlogind_t)
|
||||
|
||||
seutil_dontaudit_search_config(rlogind_t)
|
||||
|
||||
sysnet_read_config(rlogind_t)
|
||||
|
||||
# cjp: this is egregious
|
||||
userdom_read_all_user_files(rlogind_t)
|
||||
|
||||
remotelogin_domtrans(rlogind_t)
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_read_keytab(rlogind_t)
|
||||
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
kerberos_use(rlogind_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(rlogind_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(rlogind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Allow krb5 rlogind to use fork and open /dev/tty for use
|
||||
allow rlogind_t userpty_type:chr_file setattr;
|
||||
')
|
@ -59,6 +59,10 @@ optional_policy(`portmap.te',`
|
||||
portmap_udp_sendto(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rlogin.te',`
|
||||
rlogin_domtrans(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`rshd.te',`
|
||||
rshd_domtrans(tcpd_t)
|
||||
')
|
||||
|
4
refpolicy/policy/modules/services/telnet.fc
Normal file
4
refpolicy/policy/modules/services/telnet.fc
Normal file
@ -0,0 +1,4 @@
|
||||
|
||||
/usr/sbin/in\.telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)
|
||||
|
||||
/usr/kerberos/sbin/telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)
|
1
refpolicy/policy/modules/services/telnet.if
Normal file
1
refpolicy/policy/modules/services/telnet.if
Normal file
@ -0,0 +1 @@
|
||||
## <summary>Telnet daemon</summary>
|
102
refpolicy/policy/modules/services/telnet.te
Normal file
102
refpolicy/policy/modules/services/telnet.te
Normal file
@ -0,0 +1,102 @@
|
||||
|
||||
policy_module(telnet,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type telnetd_t;
|
||||
type telnetd_exec_t;
|
||||
inetd_service_domain(telnetd_t,telnetd_exec_t)
|
||||
role system_r types telnetd_t;
|
||||
|
||||
type telnetd_devpts_t; #, userpty_type;
|
||||
term_login_pty(telnetd_devpts_t)
|
||||
|
||||
type telnetd_tmp_t;
|
||||
files_tmp_file(telnetd_tmp_t)
|
||||
|
||||
type telnetd_var_run_t;
|
||||
files_pid_file(telnetd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
|
||||
allow telnetd_t self:process signal_perms;
|
||||
allow telnetd_t self:fifo_file rw_file_perms;
|
||||
allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
allow telnetd_t self:capability { setuid setgid };
|
||||
|
||||
allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
|
||||
|
||||
allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
|
||||
allow telnetd_t telnetd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir })
|
||||
|
||||
allow telnetd_t telnetd_var_run_t:file create_file_perms;
|
||||
files_create_pid(telnetd_t,telnetd_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(telnetd_t)
|
||||
kernel_read_system_state(telnetd_t)
|
||||
kernel_read_network_state(telnetd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(telnetd_t)
|
||||
corenet_udp_sendrecv_all_if(telnetd_t)
|
||||
corenet_raw_sendrecv_all_if(telnetd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(telnetd_t)
|
||||
corenet_udp_sendrecv_all_nodes(telnetd_t)
|
||||
corenet_raw_sendrecv_all_nodes(telnetd_t)
|
||||
corenet_tcp_sendrecv_all_ports(telnetd_t)
|
||||
corenet_udp_sendrecv_all_ports(telnetd_t)
|
||||
corenet_tcp_bind_all_nodes(telnetd_t)
|
||||
corenet_udp_bind_all_nodes(telnetd_t)
|
||||
|
||||
dev_read_urand(telnetd_t)
|
||||
|
||||
fs_getattr_xattr_fs(telnetd_t)
|
||||
|
||||
auth_rw_login_records(telnetd_t)
|
||||
|
||||
files_read_etc_files(telnetd_t)
|
||||
files_read_etc_runtime_files(telnetd_t)
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
files_search_home(telnetd_t)
|
||||
|
||||
init_rw_script_pid(telnetd_t)
|
||||
|
||||
libs_use_ld_so(telnetd_t)
|
||||
libs_use_shared_libs(telnetd_t)
|
||||
|
||||
logging_send_syslog_msg(telnetd_t)
|
||||
|
||||
miscfiles_read_localization(telnetd_t)
|
||||
|
||||
seutil_dontaudit_search_config(telnetd_t)
|
||||
|
||||
sysnet_read_config(telnetd_t)
|
||||
|
||||
remotelogin_domtrans(telnetd_t)
|
||||
|
||||
# for identd; cjp: this should probably only be inetd_child rules?
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use(telnetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(telnetd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(telnetd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Allow krb5 telnetd to use fork and open /dev/tty for use
|
||||
allow telnetd_t userpty_type:chr_file setattr;
|
||||
')
|
@ -736,6 +736,22 @@ interface(`files_dontaudit_getattr_default_dir',`
|
||||
dontaudit $1 default_t:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search the contents of directories with the default file type.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_default',`
|
||||
gen_require(`
|
||||
type default_t;
|
||||
')
|
||||
|
||||
allow $1 default_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List contents of directories with the default file type.
|
||||
|
Loading…
Reference in New Issue
Block a user