[people/stevee/selinux-policy.git] / policy / modules / services / rshd.te

policy_module(rshd, 1.7.0)

########################################
#
# Declarations
#
type rshd_t;
type rshd_exec_t;
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
domain_subj_id_change_exemption(rshd_t)
domain_role_change_exemption(rshd_t)
role system_r types rshd_t;

########################################
#
# Local policy
#
allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;

kernel_read_kernel_sysctls(rshd_t)

corenet_all_recvfrom_unlabeled(rshd_t)
corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
corenet_udp_sendrecv_generic_if(rshd_t)
corenet_tcp_sendrecv_generic_node(rshd_t)
corenet_udp_sendrecv_generic_node(rshd_t)
corenet_tcp_sendrecv_all_ports(rshd_t)
corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_generic_node(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
corenet_tcp_bind_all_rpc_ports(rshd_t)
corenet_tcp_connect_all_ports(rshd_t)
corenet_tcp_connect_all_rpc_ports(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)

dev_read_urand(rshd_t)

selinux_get_fs_mount(rshd_t)
selinux_validate_context(rshd_t)
selinux_compute_access_vector(rshd_t)
selinux_compute_create_context(rshd_t)
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)

corecmd_read_bin_symlinks(rshd_t)

files_list_home(rshd_t)
files_read_etc_files(rshd_t)
files_search_tmp(rshd_t)

auth_login_pgm_domain(rshd_t)
auth_write_login_records(rshd_t)

init_rw_utmp(rshd_t)

logging_send_syslog_msg(rshd_t)
logging_search_logs(rshd_t)

miscfiles_read_localization(rshd_t)

seutil_read_config(rshd_t)
seutil_read_default_contexts(rshd_t)

userdom_search_user_home_content(rshd_t)
userdom_manage_tmp_role(system_r, rshd_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_read_nfs_files(rshd_t)
	fs_read_nfs_symlinks(rshd_t)
')

tunable_policy(`use_samba_home_dirs',`
	fs_read_cifs_files(rshd_t)
	fs_read_cifs_symlinks(rshd_t)
')

optional_policy(`
	kerberos_keytab_template(rshd, rshd_t)
	kerberos_manage_host_rcache(rshd_t)
')

optional_policy(`
	rlogin_read_home_content(rshd_t)
')

optional_policy(`
	tcpd_wrapped_domain(rshd_t, rshd_exec_t)
')

optional_policy(`
	unconfined_shell_domtrans(rshd_t)
	unconfined_signal(rshd_t)
')
Commit	Line	Data
9570b288	1	policy_module(rshd, 1.7.0)
545b0c91 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7	type rshd_t;
	8	type rshd_exec_t;
8242f5a6	9	inetd_tcp_service_domain(rshd_t, rshd_exec_t)
1815bad1 CP	10	domain_subj_id_change_exemption(rshd_t)
1815bad1 CP	11	domain_role_change_exemption(rshd_t)
545b0c91 CP	12	role system_r types rshd_t;
	13
	14	########################################
	15	#
	16	# Local policy
	17	#
01e9e7db	18	allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
545b0c91	19	allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
c0868a7a	20	allow rshd_t self:fifo_file rw_fifo_file_perms;
545b0c91 CP	21	allow rshd_t self:tcp_socket create_stream_socket_perms;
545b0c91 CP	22
445522dc	23	kernel_read_kernel_sysctls(rshd_t)
545b0c91	24
19006686 CP	25	corenet_all_recvfrom_unlabeled(rshd_t)
19006686 CP	26	corenet_all_recvfrom_netlabel(rshd_t)
09741b1f CP	27	corenet_tcp_sendrecv_generic_if(rshd_t)
09741b1f CP	28	corenet_udp_sendrecv_generic_if(rshd_t)
c1262146 CP	29	corenet_tcp_sendrecv_generic_node(rshd_t)
c1262146 CP	30	corenet_udp_sendrecv_generic_node(rshd_t)
545b0c91	31	corenet_tcp_sendrecv_all_ports(rshd_t)
09741b1f	32	corenet_udp_sendrecv_all_ports(rshd_t)
c1262146	33	corenet_tcp_bind_generic_node(rshd_t)
0907bda1	34	corenet_tcp_bind_rsh_port(rshd_t)
01e9e7db CP	35	corenet_tcp_bind_all_rpc_ports(rshd_t)
	36	corenet_tcp_connect_all_ports(rshd_t)
	37	corenet_tcp_connect_all_rpc_ports(rshd_t)
141cffdd	38	corenet_sendrecv_rsh_server_packets(rshd_t)
545b0c91 CP	39
	40	dev_read_urand(rshd_t)
	41
	42	selinux_get_fs_mount(rshd_t)
	43	selinux_validate_context(rshd_t)
	44	selinux_compute_access_vector(rshd_t)
	45	selinux_compute_create_context(rshd_t)
	46	selinux_compute_relabel_context(rshd_t)
	47	selinux_compute_user_contexts(rshd_t)
	48
1815bad1	49	corecmd_read_bin_symlinks(rshd_t)
545b0c91 CP	50
	51	files_list_home(rshd_t)
	52	files_read_etc_files(rshd_t)
	53	files_search_tmp(rshd_t)
	54
01e9e7db CP	55	auth_login_pgm_domain(rshd_t)
	56	auth_write_login_records(rshd_t)
	57
	58	init_rw_utmp(rshd_t)
09e21686	59
09741b1f	60	logging_send_syslog_msg(rshd_t)
01e9e7db	61	logging_search_logs(rshd_t)
545b0c91 CP	62
	63	miscfiles_read_localization(rshd_t)
	64
	65	seutil_read_config(rshd_t)
	66	seutil_read_default_contexts(rshd_t)
	67
296273a7	68	userdom_search_user_home_content(rshd_t)
3eaa9939	69	userdom_manage_tmp_role(system_r, rshd_t)
545b0c91	70
545b0c91 CP	71	tunable_policy(`use_nfs_home_dirs',`
	72	fs_read_nfs_files(rshd_t)
	73	fs_read_nfs_symlinks(rshd_t)
	74	')
	75
	76	tunable_policy(`use_samba_home_dirs',`
725926c5 CP	77	fs_read_cifs_files(rshd_t)
725926c5 CP	78	fs_read_cifs_symlinks(rshd_t)
545b0c91 CP	79	')
545b0c91 CP	80
bb7170f6	81	optional_policy(`
01e9e7db CP	82	kerberos_keytab_template(rshd, rshd_t)
01e9e7db CP	83	kerberos_manage_host_rcache(rshd_t)
545b0c91 CP	84	')
545b0c91 CP	85
45515556 CP	86	optional_policy(`
	87	rlogin_read_home_content(rshd_t)
	88	')
	89
bb7170f6	90	optional_policy(`
0bfccda4	91	tcpd_wrapped_domain(rshd_t, rshd_exec_t)
545b0c91	92	')
350b6ab7 CP	93
	94	optional_policy(`
	95	unconfined_shell_domtrans(rshd_t)
01e9e7db	96	unconfined_signal(rshd_t)
350b6ab7	97	')