#DESC RSHD - RSH daemon
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: rsh-server rsh-redone-server
# Depends: inetd.te
#
#################################
#
# Rules for the rshd_t domain.
#
type rsh_port_t, port_type, reserved_port_type;
daemon_sub_domain(inetd_t, rshd, `, auth_chkpwd, privuser, privrole')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, rshd_exec_t, rshd_t)
')
# Use sockets inherited from inetd.
allow rshd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Use capabilities.
allow rshd_t self:capability { net_bind_service setuid setgid fowner fsetid chown dac_override};
# Use the network.
can_network_server(rshd_t)
allow rshd_t reserved_port_t:tcp_socket name_bind;
dontaudit rshd_t reserved_port_type:tcp_socket name_bind;
can_ypbind(rshd_t)
allow rshd_t etc_t:file { getattr read };
read_locale(rshd_t)
allow rshd_t self:unix_dgram_socket create_socket_perms;
allow rshd_t self:unix_stream_socket create_stream_socket_perms;
allow rshd_t { home_root_t home_dir_type }:dir { search getattr };
can_kerberos(rshd_t)
allow rshd_t { bin_t sbin_t tmp_t}:dir { search };
allow rshd_t { bin_t sbin_t }:lnk_file r_file_perms;
ifdef(`rlogind.te', `
allow rshd_t rlogind_tmp_t:file rw_file_perms;
')
allow rshd_t urandom_device_t:chr_file { getattr read };
# Read the user's .rhosts file.
allow rshd_t home_type:file r_file_perms ;
# Random reasons
can_getsecurity(rshd_t)
can_setexec(rshd_t)
r_dir_file(rshd_t, selinux_config_t)
r_dir_file(rshd_t, default_context_t)
read_sysctl(rshd_t);
if (use_nfs_home_dirs) {
r_dir_file(rshd_t, nfs_t)
}
if (use_samba_home_dirs) {
r_dir_file(rshd_t, cifs_t)
}
allow rshd_t self:process { fork signal setsched setpgid };
allow rshd_t self:fifo_file rw_file_perms;
ifdef(`targeted_policy', `
unconfined_domain(rshd_t)
domain_auto_trans(rshd_t,shell_exec_t,unconfined_t)
')