Chris PeBenito 0fbfa5
#DESC Fingerd - Finger daemon
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author:  Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the fingerd_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# fingerd_exec_t is the type of the fingerd executable.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
daemon_domain(fingerd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
etcdir_domain(fingerd)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
log_domain(fingerd)
Chris PeBenito 0fbfa5
system_crond_entry(fingerd_exec_t, fingerd_t)
Chris PeBenito 0fbfa5
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t fingerd_port_t:tcp_socket name_bind;
Chris PeBenito 0fbfa5
ifdef(`inetd.te', `
Chris PeBenito 0fbfa5
allow inetd_t fingerd_port_t:tcp_socket name_bind;
Chris PeBenito 0fbfa5
# can be run from inetd
Chris PeBenito 0fbfa5
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
Chris PeBenito 0fbfa5
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`tcpd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t self:capability { setgid setuid };
Chris PeBenito 0fbfa5
# for gzip from logrotate
Chris PeBenito 0fbfa5
dontaudit fingerd_t self:capability fsetid;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# cfingerd runs shell scripts
Chris PeBenito 0fbfa5
allow fingerd_t { bin_t sbin_t }:dir search;
Chris PeBenito 0fbfa5
allow fingerd_t bin_t:lnk_file read;
Chris PeBenito 0fbfa5
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
Chris PeBenito 0fbfa5
allow fingerd_t devtty_t:chr_file { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t { ttyfile ptyfile }:chr_file getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use the network.
Chris PeBenito 0fbfa5
can_network_server(fingerd_t)
Chris PeBenito 0fbfa5
can_ypbind(fingerd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow fingerd_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow fingerd_t self:fifo_file { read write getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow any user domain to connect to the finger server
Chris PeBenito 0fbfa5
can_tcp_connect(userdomain, fingerd_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for .finger, .plan. etc
Chris PeBenito 0fbfa5
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
Chris PeBenito 0fbfa5
# should really have a different type for .plan etc
Chris PeBenito 0fbfa5
allow fingerd_t user_home_type:file { getattr read };
Chris PeBenito 0fbfa5
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
Chris PeBenito 0fbfa5
# have to change this when we create a type for Maildir
Chris PeBenito 0fbfa5
dontaudit fingerd_t user_home_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for mail
Chris PeBenito 0fbfa5
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
Chris PeBenito 0fbfa5
allow fingerd_t mail_spool_t:file getattr;
Chris PeBenito 0fbfa5
allow fingerd_t mail_spool_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# see who is logged in and when users last logged in
Chris PeBenito 0fbfa5
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
Chris PeBenito 0fbfa5
dontaudit fingerd_t initrc_var_run_t:file lock;
Chris PeBenito 0fbfa5
allow fingerd_t devpts_t:dir search;
Chris PeBenito 0fbfa5
allow fingerd_t ptyfile:chr_file getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow fingerd_t proc_t:file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for date command
Chris PeBenito 0fbfa5
read_sysctl(fingerd_t)