Blob Blame History Raw
#DESC Fingerd - Finger daemon
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: fingerd cfingerd efingerd ffingerd
#

#################################
#
# Rules for the fingerd_t domain.
#
# fingerd_exec_t is the type of the fingerd executable.
#
daemon_domain(fingerd)

etcdir_domain(fingerd)

allow fingerd_t etc_t:lnk_file read;
allow fingerd_t { etc_t etc_runtime_t }:file { read getattr };

log_domain(fingerd)
system_crond_entry(fingerd_exec_t, fingerd_t)
ifdef(`logrotate.te', `can_exec(fingerd_t, logrotate_exec_t)')

allow fingerd_t fingerd_port_t:tcp_socket name_bind;
ifdef(`inetd.te', `
allow inetd_t fingerd_port_t:tcp_socket name_bind;
# can be run from inetd
domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
')
ifdef(`tcpd.te', `
domain_auto_trans(tcpd_t, fingerd_exec_t, fingerd_t)
')

allow fingerd_t self:capability { setgid setuid };
# for gzip from logrotate
dontaudit fingerd_t self:capability fsetid;

# cfingerd runs shell scripts
allow fingerd_t { bin_t sbin_t }:dir search;
allow fingerd_t bin_t:lnk_file read;
can_exec(fingerd_t, { shell_exec_t bin_t sbin_t })
allow fingerd_t devtty_t:chr_file { read write };

allow fingerd_t { ttyfile ptyfile }:chr_file getattr;

# Use the network.
can_network_server(fingerd_t)
can_ypbind(fingerd_t)

allow fingerd_t self:unix_dgram_socket create_socket_perms;
allow fingerd_t self:unix_stream_socket create_socket_perms;
allow fingerd_t self:fifo_file { read write getattr };

# allow any user domain to connect to the finger server
can_tcp_connect(userdomain, fingerd_t)

# for .finger, .plan. etc
allow fingerd_t { home_root_t user_home_dir_type }:dir search;
# should really have a different type for .plan etc
allow fingerd_t user_home_type:file { getattr read };
# stop it accessing sub-directories, prevents checking a Maildir for new mail,
# have to change this when we create a type for Maildir
dontaudit fingerd_t user_home_t:dir search;

# for mail
allow fingerd_t { var_spool_t mail_spool_t }:dir search;
allow fingerd_t mail_spool_t:file getattr;
allow fingerd_t mail_spool_t:lnk_file read;

# see who is logged in and when users last logged in
allow fingerd_t { initrc_var_run_t lastlog_t }:file { read getattr };
dontaudit fingerd_t initrc_var_run_t:file lock;
allow fingerd_t devpts_t:dir search;
allow fingerd_t ptyfile:chr_file getattr;

allow fingerd_t proc_t:file { read getattr };

# for date command
read_sysctl(fingerd_t)