#DESC Portslave - Terminal server software
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portslave
# Depends: pppd.te
#
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the portslave_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Declare the portslave_t domain and its entry-point type through the
# generic daemon macro.  The quoted second argument appends two extra
# attributes to the domain: privmail and auth_chkpwd.  Both widen what
# portslave_t may do (presumably mail delivery and password checking via
# the chkpwd helper, for authenticating dial-in users) - confirm each is
# still needed before keeping it.
daemon_base_domain(portslave, `, privmail, auth_chkpwd')
# Type for portslave's own configuration files.  The domain only gets
# read access to it (r_dir_file below); sysadmfile presumably lets the
# administrator domain manage these files.
type portslave_etc_t, file_type, sysadmfile;
general_domain_access(portslave_t)
domain_auto_trans(init_t, portslave_exec_t, portslave_t)
ifdef(`rlogind.te', `
domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
')
ifdef(`inetd.te', `
domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
# When started from inetd, portslave keeps using inetd's TCP socket
# (presumably the accepted client connection it was spawned for).
allow portslave_t inetd_t:tcp_socket { getattr read write };
')
allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
read_locale(portslave_t)
r_dir_file(portslave_t, portslave_etc_t)
allow portslave_t pppd_etc_t:dir r_dir_perms;
allow portslave_t pppd_etc_rw_t:file { getattr read };
allow portslave_t proc_t:file { getattr read };
allow portslave_t { var_t var_log_t devpts_t }:dir search;
allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
# Direct read access to pppd's secret files.  Note that everything running
# in portslave_t - including the binaries, ssh and shells executed without
# a domain transition later in this file - can read these secrets too.
allow portslave_t pppd_secret_t:file r_file_perms;
can_network_server(portslave_t)
allow portslave_t fs_t:filesystem getattr;
ifdef(`radius.te', `
can_udp_send(portslave_t, radiusd_t)
can_udp_send(radiusd_t, portslave_t)
')
# for rlogin etc
# Generic binaries and ssh are executed without a domain transition, so they
# run inside portslave_t and inherit every permission granted in this file.
can_exec(portslave_t, { bin_t ssh_exec_t })
# net_bind_service for rlogin
# net_bind_service: bind to privileged ports (for rlogin, per the comment
# above).  sys_tty_config: configure tty devices, matching the setattr
# granted on devtty_t and tty_device_t elsewhere in this file.
allow portslave_t self:capability { net_bind_service sys_tty_config };
# for ssh
allow portslave_t urandom_device_t:chr_file read;
ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
# for pppd
# Capabilities pppd needs; pppd is executed without a domain transition
# (can_exec(portslave_t, pppd_exec_t) below), so they must be granted to
# portslave_t itself.  net_admin is the broad one - it allows interface and
# routing configuration for the whole domain, not just for pppd.
allow portslave_t self:capability { setuid setgid net_admin fsetid };
allow portslave_t ppp_device_t:chr_file rw_file_perms;
# for ~/.ppprc - if it actually exists, additional policy is needed to read it
allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
# for ctlportslave
# ctlportslave triggers a sys_admin check the daemon does not actually need:
# silence the denial instead of granting the capability.
dontaudit portslave_t self:capability sys_admin;
# Files portslave creates in var_run_t directories are labelled
# pppd_var_run_t (pppd's runtime type) instead of inheriting var_run_t.
file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
# Scripts labelled etc_t and the shell are executed without a domain
# transition.  This is a wide grant for a daemon that also accepts network
# connections (can_network_server above): any executable file of type etc_t
# runs with portslave_t's full permissions, including the pppd secrets read.
# NOTE(review): consider a dedicated type for the scripts portslave runs.
can_exec(portslave_t, { etc_t shell_exec_t })
# Run login in local_login_t domain.
# Transition to local_login_t is disabled.  Presumably login therefore runs
# inside portslave_t, which is why the utmp, wtmp and tty rules below are
# granted to this domain directly.  NOTE(review): confirm whether the
# transition is meant to be enabled.
#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
# Note that the rule is on the type, not the file: this grants read/write
# to every file labelled initrc_var_run_t, not only utmp.
allow portslave_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
allow portslave_t wtmp_t:file rw_file_perms;
# Read and write ttys.
allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
# ttyfile is an attribute shared by the tty device types, so this grants
# read/write on every tty, not only the serial lines portslave manages.
allow portslave_t ttyfile:chr_file rw_file_perms;
rw_dir_create_file(portslave_t, var_lock_t)
# pppd is executed without a transition to pppd_t, i.e. it runs inside
# portslave_t.  This is why the pppd capabilities, ppp_device_t access and
# the pppd_var_run_t file transition are granted to this domain above.
can_exec(portslave_t, pppd_exec_t)
allow portslave_t { bin_t sbin_t }:dir search;
allow portslave_t bin_t:lnk_file read;