#DESC Portslave - Terminal server software
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: portslave
# Depends: pppd.te
#
#################################
#
# Rules for the portslave_t domain.
#
# Declare the portslave_t daemon domain; the quoted macro argument appends
# the privmail and auth_chkpwd attributes to the domain declaration.
daemon_base_domain(portslave, `, privmail, auth_chkpwd')
# File type for portslave-specific config (by the _etc_t naming convention);
# it is a sysadmfile, so only sysadm-level domains may manage it.
type portslave_etc_t, file_type, sysadmfile;
# Standard self-access permissions shared by most domains (see the macro).
general_domain_access(portslave_t)
# init_t automatically enters portslave_t when it executes portslave_exec_t.
domain_auto_trans(init_t, portslave_exec_t, portslave_t)
# Only when the rlogind policy is built: rlogind may also start portslave.
ifdef(`rlogind.te', `
# rlogind_t transitions to portslave_t on exec of portslave_exec_t.
domain_auto_trans(rlogind_t, portslave_exec_t, portslave_t)
')
# Only when the inetd policy is built: portslave may be spawned by inetd.
ifdef(`inetd.te', `
# inetd_t transitions to portslave_t on exec of portslave_exec_t.
domain_auto_trans(inetd_t, portslave_exec_t, portslave_t)
# Use the TCP socket inherited from inetd (still labeled inetd_t);
# no create/bind/listen here, only I/O on the handed-over descriptor.
allow portslave_t inetd_t:tcp_socket { getattr read write };
')
# Read-only access to generic /etc files and runtime-generated ones.
allow portslave_t { etc_t etc_runtime_t }:file { read getattr };
# Locale data for message formatting.
read_locale(portslave_t)
# Read-only access to its own config dirs and files; the daemon never
# gets write access to portslave_etc_t.
r_dir_file(portslave_t, portslave_etc_t)
# List and search the pppd config directory.
allow portslave_t pppd_etc_t:dir r_dir_perms;
# Read, but not modify, the pppd config files that pppd itself may write.
allow portslave_t pppd_etc_rw_t:file { getattr read };
# Read generic /proc files.
allow portslave_t proc_t:file { getattr read };
# Directory traversal only; access to the files underneath is granted
# separately (wtmp_t, initrc_var_run_t, ttys below).
allow portslave_t { var_t var_log_t devpts_t }:dir search;
# /dev/tty: read/write plus setattr (owner/mode changes on the controlling tty).
allow portslave_t devtty_t:chr_file { setattr rw_file_perms };
# Read-only access to pppd secret files; deliberately no write, so the
# daemon cannot alter authentication secrets.
allow portslave_t pppd_secret_t:file r_file_perms;
# Accept incoming network connections (server side).
can_network_server(portslave_t)
# statfs-style queries on the main filesystem.
allow portslave_t fs_t:filesystem getattr;
# Only when the RADIUS policy is built: UDP exchange with radiusd_t.
ifdef(`radius.te', `
# Send UDP requests to the RADIUS server.
can_udp_send(portslave_t, radiusd_t)
# ... and receive the UDP replies.
can_udp_send(radiusd_t, portslave_t)
')
# for rlogin and similar clients
# Execute generic binaries and the ssh client without a domain transition;
# they keep running as portslave_t.
can_exec(portslave_t, { bin_t ssh_exec_t })
# net_bind_service for rlogin
# net_bind_service: bind privileged ports; sys_tty_config: tty configuration.
allow portslave_t self:capability { net_bind_service sys_tty_config };
# for ssh
# Random bytes for the ssh client run in this domain.
allow portslave_t urandom_device_t:chr_file read;
# Only when the sshd policy is built: outbound TCP to sshd_t.
ifdef(`sshd.te', `can_tcp_connect(portslave_t, sshd_t)')
# for pppd
# pppd capabilities: change uid/gid, configure networking (net_admin), fsetid.
# These are needed in portslave_t itself because pppd is run via can_exec
# further down, i.e. without a transition to a pppd domain.
allow portslave_t self:capability { setuid setgid net_admin fsetid };
# Read/write the PPP device node.
allow portslave_t ppp_device_t:chr_file rw_file_perms;
# for ~/.ppprc - if that file actually exists, additional policy is needed to read it
# Search only: lets pppd look for ~/.ppprc; no read access to home contents.
allow portslave_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search;
# for ctlportslave
# Denied silently rather than granted: the sys_admin request is suppressed
# from the audit log, not allowed.
dontaudit portslave_t self:capability sys_admin;
# Files portslave creates in var_run_t directories are labeled pppd_var_run_t.
file_type_auto_trans(portslave_t, var_run_t, pppd_var_run_t, file)
# Run shells and executable files labeled etc_t (e.g. scripts under /etc)
# in the portslave_t domain, without a transition.
can_exec(portslave_t, { etc_t shell_exec_t })
# Run login in local_login_t domain.
#domain_auto_trans(portslave_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
# utmp lives under initrc_var_run_t; read/write but no create/unlink.
allow portslave_t initrc_var_run_t:file rw_file_perms;
# Write to /var/log/wtmp.
# Append login records to wtmp; read/write only, no create/unlink.
allow portslave_t wtmp_t:file rw_file_perms;
# Read and write ttys.
# Physical ttys: read/write plus setattr (owner/mode changes on login).
allow portslave_t tty_device_t:chr_file { setattr rw_file_perms };
# Any tty type (ttyfile attribute): read/write only, no setattr here.
allow portslave_t ttyfile:chr_file rw_file_perms;
# Create and manage lock files under the var_lock_t directory
# (presumably device lock files for the serial lines).
rw_dir_create_file(portslave_t, var_lock_t)
# Run pppd inside portslave_t (no transition to a pppd domain); this is why
# the pppd capabilities and ppp_device_t access are granted to portslave_t above.
can_exec(portslave_t, pppd_exec_t)
# Locate executables under the bin and sbin directories.
allow portslave_t { bin_t sbin_t }:dir search;
# Follow symlinks labeled bin_t when resolving executables.
allow portslave_t bin_t:lnk_file read;