#

# Macros for Rssh domains

#

# Author: Colin Walters <walters@verbum.org>

#

#

# rssh_domain(domain_prefix)

#

# Define a specific rssh domain.

#

# The type declaration for the executable type for this program is

# provided separately in domains/program/rssh.te. 

#

undefine(`rssh_domain')

ifdef(`rssh.te', `

define(`rssh_domain',`

type rssh_$1_t, domain, userdomain, privlog, privfd;

role rssh_$1_r types rssh_$1_t;

allow system_r rssh_$1_r;

type rssh_$1_rw_t, file_type, sysadmfile, $1_file_type;

type rssh_$1_ro_t, file_type, sysadmfile, $1_file_type;

general_domain_access(rssh_$1_t);

uses_shlib(rssh_$1_t);

base_file_read_access(rssh_$1_t);

allow rssh_$1_t var_t:dir r_dir_perms;

r_dir_file(rssh_$1_t, etc_t);

allow rssh_$1_t etc_runtime_t:file { getattr read };

r_dir_file(rssh_$1_t, locale_t);

can_exec(rssh_$1_t, bin_t);

allow rssh_$1_t proc_t:dir { getattr search };

allow rssh_$1_t proc_t:lnk_file { getattr read };

r_dir_file(rssh_$1_t, rssh_$1_ro_t);

create_dir_file(rssh_$1_t, rssh_$1_rw_t);

can_create_pty(rssh_$1, `, userpty_type, user_tty_type')

# Use the type when relabeling pty devices.

type_change rssh_$1_t server_pty:chr_file rssh_$1_devpts_t;

ifdef(`ssh.te',`

allow rssh_$1_t sshd_t:fd use;

allow rssh_$1_t sshd_t:tcp_socket rw_stream_socket_perms;

allow rssh_$1_t sshd_t:unix_stream_socket rw_stream_socket_perms;

# For reading /home/user/.ssh

r_dir_file(sshd_t, rssh_$1_ro_t);

domain_trans(sshd_t, rssh_exec_t, rssh_$1_t);

')

')

', `

define(`rssh_domain',`')

')