Blob Blame History Raw
#DESC RSHD - RSH daemon
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: rsh-server rsh-redone-server
# Depends: inetd.te
#

#################################
#
# Rules for the rshd_t domain.
#
type rsh_port_t, port_type, reserved_port_type;
daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')

ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
')

# Use sockets inherited from inetd.
allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;

# Use capabilities.
allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};

# Use the network.
can_network_server(rshd_t)
allow rshd_t reserved_port_t:tcp_socket name_bind;
dontaudit rshd_t reserved_port_type:tcp_socket name_bind;

can_ypbind(rshd_t)

allow rshd_t etc_t:file { getattr read };
read_locale(rshd_t)
allow rshd_t self:unix_dgram_socket create_socket_perms;
allow rshd_t self:unix_stream_socket create_stream_socket_perms;
allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
can_kerberos(rshd_t)
allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
ifdef(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms;
')
allow rshd_t urandom_device_t:chr_file { getattr read };

# Read the user's .rhosts file.
allow rshd_t home_type:file  r_file_perms ;

# Random reasons
can_getsecurity(rshd_t)
can_setexec(rshd_t)
r_dir_file(rshd_t, selinux_config_t)
r_dir_file(rshd_t, default_context_t)
read_sysctl(rshd_t);

if (use_nfs_home_dirs) {
r_dir_file(rshd_t, nfs_t)
}

if (use_samba_home_dirs) {
r_dir_file(rshd_t, cifs_t)
}

allow rshd_t self:process { fork signal setsched setpgid };
allow rshd_t self:fifo_file rw_file_perms;

ifdef(`targeted_policy', `
unconfined_domain(rshd_t)
domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
')