selinux-refpolicy/strict/domains/program/unused/portslave.te

86 lines
2.5 KiB
Plaintext

#DESC Portslave - Terminal server software
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portslave
# Depends: pppd.te
#
#################################
#
# Rules for the portslave_t domain.
#
daemon_base_domain(portslave, `, privmail, auth_chkpwd')
type portslave_etc_t, file_type, sysadmfile;
general_domain_access(portslave_t)
domain_auto_trans(init_t, portslave_exec_t, portslave_t)
ifdef(`rlogind.te', `
domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
')
ifdef(`inetd.te', `
domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
allow portslave_t inetd_t:tcp_socket { getattr read write };
')
allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
read_locale(portslave_t)
r_dir_file(portslave_t, portslave_etc_t)
allow portslave_t pppd_etc_t:dir r_dir_perms;
allow portslave_t pppd_etc_rw_t:file { getattr read };
allow portslave_t proc_t:file { getattr read };
allow portslave_t { var_t var_log_t devpts_t }:dir search;
allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
allow portslave_t pppd_secret_t:file r_file_perms;
can_network_server(portslave_t)
allow portslave_t fs_t:filesystem getattr;
ifdef(`radius.te', `
can_udp_send(portslave_t, radiusd_t)
can_udp_send(radiusd_t, portslave_t)
')
# for rlogin etc
can_exec(portslave_t, { bin_t ssh_exec_t })
# net_bind_service for rlogin
allow portslave_t self:capability { net_bind_service sys_tty_config };
# for ssh
allow portslave_t urandom_device_t:chr_file read;
ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
# for pppd
allow portslave_t self:capability { setuid setgid net_admin fsetid };
allow portslave_t ppp_device_t:chr_file rw_file_perms;
# for ~/.ppprc - if it actually exists then you need some policy to read it
allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
# for ctlportslave
dontaudit portslave_t self:capability sys_admin;
file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
can_exec(portslave_t, { etc_t shell_exec_t })
# Run login in local_login_t domain.
#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
allow portslave_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow portslave_t wtmp_t:file rw_file_perms;
# Read and write ttys.
allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
allow portslave_t ttyfile:chr_file rw_file_perms;
lock_domain(portslave)
can_exec(portslave_t, pppd_exec_t)
allow portslave_t { bin_t sbin_t }:dir search;
allow portslave_t bin_t:lnk_file read;