[selinux-policy: 424/3172] changes to make inetd work

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:41:24 UTC 2010


commit 80436b9b8f3c0f918250a6a17362317f0af6c283
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jun 27 18:37:33 2005 +0000

    changes to make inetd work

 refpolicy/policy/modules/services/ssh.if        |   49 +++++++++----------
 refpolicy/policy/modules/services/ssh.te        |   34 +++++--------
 refpolicy/policy/modules/system/corecommands.if |   57 +++++++++++++++++++++--
 refpolicy/policy/modules/system/files.if        |   13 +++++
 4 files changed, 101 insertions(+), 52 deletions(-)
---
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 3a0a884..0369e9d 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -211,7 +211,7 @@ template(`ssh_per_userdomain_template',`
 
 	#allow ssh to access keys stored on removable media
 	# Should we have a boolean around this?
-	allow $1_ssh_t mnt_t:dir search;
+	files_search_mnt($1_ssh_t)
 	r_dir_file($1_ssh_t, removable_t) 
 
 	ifdef(`xdm.te', `
@@ -404,6 +404,10 @@ template(`sshd_program_domain', `
 	auth_rw_login_records($1_t)
 	auth_rw_lastlog($1_t)
 
+	corecmd_read_bin_symlink($1_t)
+	# for sshd subsystems, such as sftp-server.
+	corecmd_getattr_bin_file($1_t)
+
 	domain_wide_inherit_fd($1_t)
 	domain_subj_id_change_exempt($1_t)
 	domain_role_change_exempt($1_t)
@@ -436,43 +440,36 @@ template(`sshd_program_domain', `
 		fs_read_cifs_files($1_t)
 	')
 
+	optional_policy(`inetd.te',`
+		tunable_policy(`run_ssh_inetd',`
+			allow $1_t self:process signal;
+			files_list_pids($1_t)
+		',`
+			corenet_tcp_bind_ssh_port($1_t)
+			init_use_fd($1_t)
+			init_use_script_pty($1_t)
+		')
+	',`
+		# These rules should match the else block
+		# of the run_ssh_inetd tunable directly above
+		corenet_tcp_bind_ssh_port($1_t)
+		init_use_fd($1_t)
+		init_use_script_pty($1_t)
+	')
+
 	optional_policy(`mount.te', `
 		mount_send_nfs_client_request($1_t)
 	')
 
 	ifdef(`TODO',`
 
-	allow $1_t bin_t:dir search;
-	allow $1_t bin_t:lnk_file read;
-
-	# for sshd subsystems, such as sftp-server.
-	allow $1_t bin_t:file getattr;
-
 	# Read /var.
 	allow $1_t var_t:dir getattr;
 
-	allow $1_t { home_root_t home_dir_type }:dir getattr;
+	allow $1_t home_dir_type:dir getattr;
 
 	dontaudit sshd_t userpty_type:chr_file relabelfrom;
 
-	optional_policy(`inetd.te',`
-		if (run_ssh_inetd) {
-			allow $1_t self:process signal;
-			allow $1_t inetd_t:tcp_socket rw_socket_perms;
-			allow $1_t var_run_t:dir getattr;
-			files_search_pids($1_t)
-		} else {
-			corenet_tcp_bind_ssh_port($1_t)
-			init_use_fd($1_t)
-			init_use_script_pty($1_t)
-		}
-	',`
-		# These rules should match the else block
-		# of the run_ssh_inetd conditional directly above
-		corenet_tcp_bind_ssh_port($1_t)
-		init_use_fd($1_t)
-		init_use_script_pty($1_t)
-	')
 	') dnl end TODO
 ')
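Review bot: The new run_ssh_inetd true branch drops the `allow $1_t inetd_t:tcp_socket rw_socket_perms;` rule that the old TODO block carried, and nothing in this hunk replaces it. When inetd spawns sshd the accepted connection arrives as an inherited socket labelled inetd_t, so $1_t still needs read/write on inetd_t:tcp_socket; presumably the inetd_tcp_service_domain() call made from ssh.te covers this, but if it does not, every inetd-started session is denied on its first read, so it is worth confirming and recording in the comment, e.g. `# inherited inetd_t socket rw comes from inetd_tcp_service_domain() in ssh.te`. The replacement of `var_run_t:dir getattr` plus files_search_pids by files_list_pids looks fine. The sshd_program_domain template continues past the hunk on both sides.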
 
diff --git a/refpolicy/policy/modules/services/ssh.te b/refpolicy/policy/modules/services/ssh.te
index 8e3a1e6..9b25e36 100644
--- a/refpolicy/policy/modules/services/ssh.te
+++ b/refpolicy/policy/modules/services/ssh.te
@@ -23,6 +23,19 @@ role system_r types ssh_keygen_t;
 
 sshd_program_domain(sshd)
 
+optional_policy(`inetd.te',`
+# CJP: commenting this out until typeattribute works in a conditional
+#	tunable_policy(`run_ssh_inetd',`
+		inetd_tcp_service_domain(sshd_t,sshd_exec_t)
+#	',`
+#		init_daemon_domain(sshd_t,sshd_exec_t)
+#	')
+',`
+	# These rules should match the else block
+	# of the run_ssh_inetd tunable directly above
+	init_daemon_domain(sshd_t,sshd_exec_t)
+')
+
 type sshd_exec_t;
 files_file_type(sshd_exec_t)
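Review bot: On a build that includes inetd.te, `inetd_tcp_service_domain(sshd_t,sshd_exec_t)` is now applied unconditionally and `init_daemon_domain(sshd_t,sshd_exec_t)` is never applied, regardless of run_ssh_inetd, while the ssh.if side of this commit still honours the tunable (bind-port and init fd rules only in its else branch). So with inetd.te present and run_ssh_inetd off, sshd_t gets the standalone network rules but, unless inetd_tcp_service_domain also sets up the init transition through sshd_exec_t (not visible here), init cannot enter sshd_t at all. Until typeattribute works inside a conditional, the safer interim is to call both interfaces in the inetd branch, `inetd_tcp_service_domain(sshd_t,sshd_exec_t)` followed by `init_daemon_domain(sshd_t,sshd_exec_t)`, and extend the CJP comment to say this deliberately over-grants until the tunable can be restored. The declaration of the run_ssh_inetd tunable itself is not in this diff; confirm it still exists after the removals below.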
 
@@ -59,18 +72,6 @@ seutil_read_config(sshd_t)
 # Allow checking users mail at login
 mta_getattr_spool(sshd_t)
 
-optional_policy(`inetd.te',`
-	tunable_policy(`run_ssh_inetd',`
-		inetd_service_domain(sshd_t,sshd_exec_t)
-	',`
-		init_daemon_domain(sshd_t,sshd_exec_t)
-	')
-',`
-	# These rules should match the else block
-	# of the run_ssh_inetd tunable directly above
-	init_daemon_domain(sshd_t,sshd_exec_t)
-')
-
 ifdef(`TODO',`
 tunable_policy(`ssh_sysadm_login',`
 	userdom_spec_domtrans_all_users(sshd_t)
@@ -104,11 +105,6 @@ tunable_policy(`ssh_sysadm_login',`
 	allow userdomain sshd_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
-# this goes to inetd
-tunable_policy(`run_ssh_inetd',`
-	corenet_tcp_bind_ssh_port(inetd_t)
-')
-
 # for when the network connection breaks after running newrole -r sysadm_r
 dontaudit sshd_t sysadm_devpts_t:chr_file setattr;
 
@@ -161,10 +157,6 @@ domain_auto_trans(sysadm_t, sshd_exec_t, sshd_t)
 role_transition sysadm_r sshd_exec_t system_r;
 ')
 
-# so a tunnel can point to another ssh tunnel...
-allow sshd_t kernel_t:tcp_socket recvfrom;
-allow sshd_t kernel_t:tcp_socket recvfrom;
-
 # for port forwarding
 allow userdomain sshd_t:tcp_socket { connectto recvfrom };
 allow sshd_t userdomain:tcp_socket { acceptfrom recvfrom };
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index f5ddc8f..35da2dd 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -3,10 +3,12 @@
 ## in /bin, /sbin, /usr/bin, and /usr/sbin.
 ## </summary>
 
-#######################################
-#
-# corecmd_shell_entry_type(domain)
-#
+## <summary>
+##	Make the shell an entrypoint for the specified domain.
+## </summary>
+## <param name="domain">
+##	The domain for which the shell is an entrypoint.
+## </param>
 interface(`corecmd_shell_entry_type',`
 	gen_require(`
 		type shell_exec_t;
@@ -41,6 +43,38 @@ interface(`corecmd_list_bin',`
 	allow $1 bin_t:dir r_dir_perms;
 ')
 
+## <summary>
+##	Get the attributes of files in bin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+interface(`corecmd_getattr_bin_file',`
+	gen_require(`
+		type bin_t;
+		class file getattr;
+	')
+
+	allow $1 bin_t:file getattr;
+')
+
+## <summary>
+##	Read symbolic links in bin directories.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+interface(`corecmd_read_bin_symlink',`
+	gen_require(`
+		type bin_t;
+		class dir search;
+		class lnk_file read;
+	')
+
+	allow $1 bin_t:dir search;
+	allow $1 bin_t:lnk_file read;
+')
+
 ########################################
 #
 # corecmd_exec_bin(domain)
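Review bot: corecmd_read_bin_symlink grants `bin_t:dir search` in addition to `bin_t:lnk_file read`, but neither its name nor its summary says so; a caller that wants only the symlink read also receives directory search, and the sibling corecmd_getattr_bin_file added just above grants no search at all, so the two interfaces are not symmetric. Either drop the dir search here and let callers obtain it through the existing corecmd_list_bin, or make the summary honest: `## Read symbolic links in bin directories (also grants search on the directories themselves).`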
@@ -86,6 +120,19 @@ interface(`corecmd_list_sbin',`
 
 ########################################
 #
+# corecmd_getattr_sbin_file(domain)
+#
+interface(`corecmd_getattr_sbin_file',`
+	gen_require(`
+		type sbin_t;
+		class file getattr;
+	')
+
+	allow $1 sbin_t:file getattr;
+')
+
+########################################
+#
 # corecmd_dontaudit_getattr_sbin_file(domain)
 #
 interface(`corecmd_dontaudit_getattr_sbin_file',`
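Review bot: corecmd_getattr_sbin_file is added with the old `#` banner while its bin counterpart added in the same commit uses the XML `## <summary>` doc block; the sbin one should match, e.g. replace the banner with `## <summary>Get the attributes of files in sbin directories.</summary>` and a `## <param name="domain">The type of the process performing this action.</param>` entry. The interface that follows the insertion continues outside the hunk.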
@@ -94,7 +141,7 @@ interface(`corecmd_dontaudit_getattr_sbin_file',`
 		class file getattr;
 	')
 
-	allow $1 sbin_t:file getattr;
+	dontaudit $1 sbin_t:file getattr;
 ')
 
 ########################################
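Review bot: This line is a privilege reduction unrelated to the inetd work and the commit message does not mention it: until now every caller of corecmd_dontaudit_getattr_sbin_file was silently granted `sbin_t:file getattr` instead of merely having the denial suppressed. Because the replacement is a dontaudit, any domain that actually relied on the grant will now fail without an AVC message, which is hard to diagnose; worth a line in the commit message and an audit of callers so those that need the access get an explicit `corecmd_getattr_sbin_file($1)` call. The interface header sits above the hunk.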
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1bddf1d..d50918a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -649,6 +649,19 @@ interface(`files_list_home',`
 
 ########################################
 #
+# files_search_mnt(domain)
+#
+interface(`files_search_mnt',`
+	gen_require(`
+		type mnt_t;
+		class dir search;
+	')
+
+	allow $1 mnt_t:dir search;
+')
+
+########################################
+#
 # files_list_mnt(domain)
 #
 interface(`files_list_mnt',`
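Review bot: files_search_mnt is added with only the `#` banner, whereas the new bin interfaces in corecommands.if in this same commit carry the XML `## <summary>`/`## <param>` doc block; use the same form here, e.g. `## <summary>Search the contents of /mnt.</summary>` plus a `## <param name="domain">` entry, so the interface shows up in generated documentation. files_list_mnt's body runs past the end of the hunk.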

