#DESC Fingerd - Finger daemon
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#

#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)

etcdir_domain(fingerd)

# read-only access to system configuration (symlinks and regular files)
allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };

log_domain(fingerd)
# cron may enter fingerd_t through the fingerd executable, and the domain may
# exec logrotate; together with the fsetid dontaudit below this appears to be
# how the fingerd logs are rotated from cron - confirm against the packaging
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')

# either listen on the finger port directly, or be spawned by inetd/tcpd
allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
# the tcp socket inherited from inetd (presumably the accepted connection)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')

# setuid/setgid, presumably to change identity after startup - confirm
allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;

# cfingerd runs shell scripts
# NOTE(review): these exec rights (shells plus everything labelled bin_t or
# sbin_t) are granted unconditionally, so they also apply when fingerd,
# efingerd or ffingerd is the installed implementation. Only cfingerd is
# noted to need them; making them conditional on cfingerd would leave the
# other three with a smaller attack surface for a network-facing domain.
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };

# stat terminal devices (metadata only, no read/write)
allow fingerd_t { ttyfile ptyfile }:chr_file getattr;

# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)

allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };

# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)

# for .finger, .plan, etc.
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
# NOTE(review): as written this lets fingerd read every file labelled
# user_home_type at the top level of a home directory, not only the finger
# dot-files; a dedicated type for .plan/.project would narrow it.
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;

# for mail
# only metadata (getattr) on the spool file is needed, not its contents
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;

# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
# NOTE(review): redundant - ptyfile:chr_file getattr is already granted
# above together with ttyfile
allow fingerd_t ptyfile:chr_file getattr;

# read-only access to proc_t files (purpose not recorded in the original)
allow fingerd_t proc_t:file { read getattr };

# for date command
read_sysctl(fingerd_t)