rpms / selinux-policy

Clone
Source Code
GIT

Blame mls/domains/program/rshd.te

c10s-sig-hyperscale c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   7e0fa55f06a210c3ff6e09ae70dbfc30bfffc2b0
  2.   mls
  3.   domains
  4.   program
  5.   rshd.te
Blob History Raw
Chris PeBenito 31b7c0 
#DESC RSHD - RSH daemon
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
Chris PeBenito 31b7c0 
# X-Debian-Packages: rsh-server rsh-redone-server
Chris PeBenito 31b7c0 
# Depends: inetd.te
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
#################################
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
# Rules for the rshd_t domain.
Chris PeBenito 31b7c0 
#
Chris PeBenito 31b7c0 
daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`tcpd.te', `
Chris PeBenito 31b7c0 
domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Use sockets inherited from inetd.
Chris PeBenito 31b7c0 
allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Use capabilities.
Chris PeBenito 31b7c0 
allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Use the network.
Chris PeBenito 31b7c0 
can_network_server(rshd_t)
Chris PeBenito 31b7c0 
allow rshd_t rsh_port_t:tcp_socket name_bind;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow rshd_t etc_t:file { getattr read };
Chris PeBenito 31b7c0 
read_locale(rshd_t)
Chris PeBenito 31b7c0 
allow rshd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0 
allow rshd_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 31b7c0 
allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
Chris PeBenito 31b7c0 
can_kerberos(rshd_t)
Chris PeBenito 31b7c0 
allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
Chris PeBenito 31b7c0 
allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
Chris PeBenito 31b7c0 
ifdef(`rlogind.te', `
Chris PeBenito 31b7c0 
allow rshd_t rlogind_tmp_t:file rw_file_perms;
Chris PeBenito 31b7c0 
')
Chris PeBenito 31b7c0 
allow rshd_t urandom_device_t:chr_file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Read the user's .rhosts file.
Chris PeBenito 31b7c0 
allow rshd_t home_type:file  r_file_perms ;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
# Random reasons
Chris PeBenito 31b7c0 
can_getsecurity(rshd_t)
Chris PeBenito 31b7c0 
can_setexec(rshd_t)
Chris PeBenito 31b7c0 
r_dir_file(rshd_t, selinux_config_t)
Chris PeBenito 31b7c0 
r_dir_file(rshd_t, default_context_t)
Chris PeBenito 31b7c0 
read_sysctl(rshd_t);
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
if (use_nfs_home_dirs) {
Chris PeBenito 31b7c0 
r_dir_file(rshd_t, nfs_t)
Chris PeBenito 31b7c0 
}
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
if (use_samba_home_dirs) {
Chris PeBenito 31b7c0 
r_dir_file(rshd_t, cifs_t)
Chris PeBenito 31b7c0 
}
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
allow rshd_t self:process { fork signal setsched setpgid };
Chris PeBenito 31b7c0 
allow rshd_t self:fifo_file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0 
ifdef(`targeted_policy', `
Chris PeBenito 31b7c0 
unconfined_domain(rshd_t)
Chris PeBenito 31b7c0 
domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
Chris PeBenito 31b7c0 
')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation