[selinux-policy: 670/3172] add rlogin and telnet
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:02:50 UTC 2010
commit 4fd5201a59de19c18a5ec23087cd6f10beb8dd0f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Sep 20 17:11:53 2005 +0000
add rlogin and telnet
refpolicy/Changelog | 2 +
refpolicy/policy/modules/services/kerberos.if | 17 ++++
refpolicy/policy/modules/services/rlogin.fc | 6 ++
refpolicy/policy/modules/services/rlogin.if | 23 +++++
refpolicy/policy/modules/services/rlogin.te | 111 +++++++++++++++++++++++++
refpolicy/policy/modules/services/tcpd.te | 4 +
refpolicy/policy/modules/services/telnet.fc | 4 +
refpolicy/policy/modules/services/telnet.if | 1 +
refpolicy/policy/modules/services/telnet.te | 102 +++++++++++++++++++++++
refpolicy/policy/modules/system/files.if | 16 ++++
10 files changed, 286 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 89e8073..dc33217 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -7,9 +7,11 @@
ktalk
portmap
postgresql
+ rlogin
samba
snmp
stunnel
+ telnet
tftp
vpn
zebra
diff --git a/refpolicy/policy/modules/services/kerberos.if b/refpolicy/policy/modules/services/kerberos.if
index b1b0199..c8c103a 100644
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@@ -90,3 +90,20 @@ interface(`kerberos_rw_config',`
files_search_etc($1)
allow $1 krb5_conf_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Read the kerberos key table.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`kerberos_read_keytab',`
+ gen_require(`
+ type krb5_keytab_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 krb5_keytab_t:file r_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/rlogin.fc b/refpolicy/policy/modules/services/rlogin.fc
new file mode 100644
index 0000000..367cafe
--- /dev/null
+++ b/refpolicy/policy/modules/services/rlogin.fc
@@ -0,0 +1,6 @@
+
+/usr/kerberos/sbin/klogind -- context_template(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/lib(64)?/telnetlogin -- context_template(system_u:object_r:rlogind_exec_t,s0)
+
+/usr/sbin/in\.rlogind -- context_template(system_u:object_r:rlogind_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/rlogin.if b/refpolicy/policy/modules/services/rlogin.if
new file mode 100644
index 0000000..42f4f84
--- /dev/null
+++ b/refpolicy/policy/modules/services/rlogin.if
@@ -0,0 +1,23 @@
+## <summary>Remote login daemon</summary>
+
+########################################
+## <summary>
+## Execute rlogind in the rlogin domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`rlogin_domtrans',`
+ gen_require(`
+ type rlogind_t, rlogind_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,rlogind_exec_t,rlogind_t)
+
+ allow $1 rlogind_t:fd use;
+ allow rlogind_t $1:fd use;
+ allow rlogind_t $1:fifo_file rw_file_perms;
+ allow rlogind_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/rlogin.te b/refpolicy/policy/modules/services/rlogin.te
new file mode 100644
index 0000000..11d14aa
--- /dev/null
+++ b/refpolicy/policy/modules/services/rlogin.te
@@ -0,0 +1,111 @@
+
+policy_module(rlogin,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type rlogind_t;
+type rlogind_exec_t;
+inetd_service_domain(rlogind_t,rlogind_exec_t)
+role system_r types rlogind_t;
+
+type rlogind_devpts_t; #, userpty_type;
+term_login_pty(rlogind_devpts_t)
+
+type rlogind_tmp_t;
+files_tmp_file(rlogind_tmp_t)
+
+type rlogind_var_run_t;
+files_pid_file(rlogind_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rlogind_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow rlogind_t self:process signal_perms;
+allow rlogind_t self:fifo_file rw_file_perms;
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow rlogind_t self:capability { setuid setgid };
+
+allow rlogind_t rlogind_devpts_t:chr_file { rw_file_perms setattr };
+
+# for /usr/lib/telnetlogin
+can_exec(rlogind_t, rlogind_exec_t)
+
+allow rlogind_t rlogind_tmp_t:dir create_dir_perms;
+allow rlogind_t rlogind_tmp_t:file create_file_perms;
+files_create_tmp_files(rlogind_t, rlogind_tmp_t, { file dir })
+
+allow rlogind_t rlogind_var_run_t:file create_file_perms;
+files_create_pid(rlogind_t,rlogind_var_run_t)
+
+kernel_read_kernel_sysctl(rlogind_t)
+kernel_read_system_state(rlogind_t)
+kernel_read_network_state(rlogind_t)
+
+corenet_tcp_sendrecv_all_if(rlogind_t)
+corenet_udp_sendrecv_all_if(rlogind_t)
+corenet_raw_sendrecv_all_if(rlogind_t)
+corenet_tcp_sendrecv_all_nodes(rlogind_t)
+corenet_udp_sendrecv_all_nodes(rlogind_t)
+corenet_raw_sendrecv_all_nodes(rlogind_t)
+corenet_tcp_sendrecv_all_ports(rlogind_t)
+corenet_udp_sendrecv_all_ports(rlogind_t)
+corenet_tcp_bind_all_nodes(rlogind_t)
+corenet_udp_bind_all_nodes(rlogind_t)
+
+dev_read_urand(rlogind_t)
+
+fs_getattr_xattr_fs(rlogind_t)
+
+auth_domtrans_chk_passwd(rlogind_t)
+auth_rw_login_records(rlogind_t)
+
+files_read_etc_files(rlogind_t)
+files_read_etc_runtime_files(rlogind_t)
+files_search_home(rlogind_t)
+files_search_default(rlogind_t)
+
+init_rw_script_pid(rlogind_t)
+
+libs_use_ld_so(rlogind_t)
+libs_use_shared_libs(rlogind_t)
+
+logging_send_syslog_msg(rlogind_t)
+
+miscfiles_read_localization(rlogind_t)
+
+seutil_dontaudit_search_config(rlogind_t)
+
+sysnet_read_config(rlogind_t)
+
+# cjp: this is egregious
+userdom_read_all_user_files(rlogind_t)
+
+remotelogin_domtrans(rlogind_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_read_keytab(rlogind_t)
+
+ # for identd; cjp: this should probably only be inetd_child rules?
+ kerberos_use(rlogind_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(rlogind_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(rlogind_t)
+')
+
+ifdef(`TODO',`
+# Allow krb5 rlogind to use fork and open /dev/tty for use
+allow rlogind_t userpty_type:chr_file setattr;
+')
diff --git a/refpolicy/policy/modules/services/tcpd.te b/refpolicy/policy/modules/services/tcpd.te
index 93123ad..d3f4e1e 100644
--- a/refpolicy/policy/modules/services/tcpd.te
+++ b/refpolicy/policy/modules/services/tcpd.te
@@ -59,6 +59,10 @@ optional_policy(`portmap.te',`
portmap_udp_sendto(tcpd_t)
')
+optional_policy(`rlogin.te',`
+ rlogin_domtrans(tcpd_t)
+')
+
optional_policy(`rshd.te',`
rshd_domtrans(tcpd_t)
')
diff --git a/refpolicy/policy/modules/services/telnet.fc b/refpolicy/policy/modules/services/telnet.fc
new file mode 100644
index 0000000..30b9e4a
--- /dev/null
+++ b/refpolicy/policy/modules/services/telnet.fc
@@ -0,0 +1,4 @@
+
+/usr/sbin/in\.telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)
+
+/usr/kerberos/sbin/telnetd -- context_template(system_u:object_r:telnetd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/telnet.if b/refpolicy/policy/modules/services/telnet.if
new file mode 100644
index 0000000..58e7ec0
--- /dev/null
+++ b/refpolicy/policy/modules/services/telnet.if
@@ -0,0 +1 @@
+## <summary>Telnet daemon</summary>
diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te
new file mode 100644
index 0000000..007787f
--- /dev/null
+++ b/refpolicy/policy/modules/services/telnet.te
@@ -0,0 +1,102 @@
+
+policy_module(telnet,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type telnetd_t;
+type telnetd_exec_t;
+inetd_service_domain(telnetd_t,telnetd_exec_t)
+role system_r types telnetd_t;
+
+type telnetd_devpts_t; #, userpty_type;
+term_login_pty(telnetd_devpts_t)
+
+type telnetd_tmp_t;
+files_tmp_file(telnetd_tmp_t)
+
+type telnetd_var_run_t;
+files_pid_file(telnetd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override };
+allow telnetd_t self:process signal_perms;
+allow telnetd_t self:fifo_file rw_file_perms;
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow telnetd_t self:capability { setuid setgid };
+
+allow telnetd_t telnetd_devpts_t:chr_file { rw_file_perms setattr };
+
+allow telnetd_t telnetd_tmp_t:dir create_dir_perms;
+allow telnetd_t telnetd_tmp_t:file create_file_perms;
+files_create_tmp_files(telnetd_t, telnetd_tmp_t, { file dir })
+
+allow telnetd_t telnetd_var_run_t:file create_file_perms;
+files_create_pid(telnetd_t,telnetd_var_run_t)
+
+kernel_read_kernel_sysctl(telnetd_t)
+kernel_read_system_state(telnetd_t)
+kernel_read_network_state(telnetd_t)
+
+corenet_tcp_sendrecv_all_if(telnetd_t)
+corenet_udp_sendrecv_all_if(telnetd_t)
+corenet_raw_sendrecv_all_if(telnetd_t)
+corenet_tcp_sendrecv_all_nodes(telnetd_t)
+corenet_udp_sendrecv_all_nodes(telnetd_t)
+corenet_raw_sendrecv_all_nodes(telnetd_t)
+corenet_tcp_sendrecv_all_ports(telnetd_t)
+corenet_udp_sendrecv_all_ports(telnetd_t)
+corenet_tcp_bind_all_nodes(telnetd_t)
+corenet_udp_bind_all_nodes(telnetd_t)
+
+dev_read_urand(telnetd_t)
+
+fs_getattr_xattr_fs(telnetd_t)
+
+auth_rw_login_records(telnetd_t)
+
+files_read_etc_files(telnetd_t)
+files_read_etc_runtime_files(telnetd_t)
+# for identd; cjp: this should probably only be inetd_child rules?
+files_search_home(telnetd_t)
+
+init_rw_script_pid(telnetd_t)
+
+libs_use_ld_so(telnetd_t)
+libs_use_shared_libs(telnetd_t)
+
+logging_send_syslog_msg(telnetd_t)
+
+miscfiles_read_localization(telnetd_t)
+
+seutil_dontaudit_search_config(telnetd_t)
+
+sysnet_read_config(telnetd_t)
+
+remotelogin_domtrans(telnetd_t)
+
+# for identd; cjp: this should probably only be inetd_child rules?
+optional_policy(`kerberos.te',`
+ kerberos_use(telnetd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(telnetd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(telnetd_t)
+')
+
+ifdef(`TODO',`
+# Allow krb5 telnetd to use fork and open /dev/tty for use
+allow telnetd_t userpty_type:chr_file setattr;
+')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6a8e214..1b1028c 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -738,6 +738,22 @@ interface(`files_dontaudit_getattr_default_dir',`
########################################
## <summary>
+## Search the contents of directories with the default file type.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_search_default',`
+ gen_require(`
+ type default_t;
+ ')
+
+ allow $1 default_t:dir search;
+')
+
+########################################
+## <summary>
## List contents of directories with the default file type.
## </summary>
## <param name="domain">
More information about the scm-commits
mailing list