commit: 47fb04e16c0a7b1a95108789c090c1583186b046 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 11:39:05 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:51:21 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47fb04e1 |
|
Changes to the telnet policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/telnet.fc | 1 - |
policy/modules/contrib/telnet.te | 40 +++++++++++++++---------------------- |
2 files changed, 16 insertions(+), 25 deletions(-) |
|
diff --git a/policy/modules/contrib/telnet.fc b/policy/modules/contrib/telnet.fc |
20 |
index e8ca056..3d7d07a 100644 |
21 |
--- a/policy/modules/contrib/telnet.fc |
22 |
+++ b/policy/modules/contrib/telnet.fc |
23 |
@@ -1,4 +1,3 @@ |
24 |
- |
25 |
/usr/sbin/in\.telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) |
26 |
|
27 |
/usr/kerberos/sbin/telnetd -- gen_context(system_u:object_r:telnetd_exec_t,s0) |
28 |
|
29 |
diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te |
30 |
index be429b3..324488d 100644 |
31 |
--- a/policy/modules/contrib/telnet.te |
32 |
+++ b/policy/modules/contrib/telnet.te |
33 |
@@ -1,4 +1,4 @@ |
34 |
-policy_module(telnet, 1.10.1) |
35 |
+policy_module(telnet, 1.10.2) |
36 |
|
37 |
######################################## |
38 |
# |
39 |
@@ -7,11 +7,9 @@ policy_module(telnet, 1.10.1) |
40 |
|
41 |
type telnetd_t; |
42 |
type telnetd_exec_t; |
43 |
-init_daemon_domain(telnetd_t, telnetd_exec_t) |
44 |
+inetd_service_domain(telnetd, telnetd_exec_t) |
45 |
|
46 |
-role system_r types telnetd_t; |
47 |
- |
48 |
-type telnetd_devpts_t; #, userpty_type; |
49 |
+type telnetd_devpts_t; |
50 |
term_login_pty(telnetd_devpts_t) |
51 |
|
52 |
type telnetd_tmp_t; |
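Review bot: Swapping `init_daemon_domain(telnetd_t, telnetd_exec_t)` for `inetd_service_domain(telnetd, telnetd_exec_t)` leaves no visible domain transition for an `in.telnetd` that init starts directly, so a standalone instance would presumably keep the launching domain's label and run far less confined than before; that is acceptable only if the module is meant to support inetd-spawned telnetd exclusively. The page does not show what `inetd_service_domain` grants, so confirm it declares the `system_r` role that the deleted `role system_r types telnetd_t;` line used to, and record the deployment assumption next to the call: `# telnetd is only spawned by inetd; no init_t transition is provided`. Note the first argument is the `telnetd` prefix rather than `telnetd_t`, matching `kerberos_keytab_template(telnetd, telnetd_t)` later in the file, so the asymmetry with every other `_t` call in this file is presumably deliberate.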
53 |
@@ -25,16 +23,11 @@ files_pid_file(telnetd_var_run_t) |
54 |
# Local policy |
55 |
# |
56 |
|
57 |
-allow telnetd_t self:capability { fsetid chown fowner sys_tty_config dac_override }; |
58 |
+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override }; |
59 |
allow telnetd_t self:process signal_perms; |
60 |
allow telnetd_t self:fifo_file rw_fifo_file_perms; |
61 |
-allow telnetd_t self:tcp_socket connected_stream_socket_perms; |
62 |
-allow telnetd_t self:udp_socket create_socket_perms; |
63 |
-# for identd; cjp: this should probably only be inetd_child rules? |
64 |
-allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; |
65 |
-allow telnetd_t self:capability { setuid setgid }; |
66 |
|
67 |
-allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr }; |
68 |
+allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; |
69 |
term_create_pty(telnetd_t, telnetd_devpts_t) |
70 |
|
71 |
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t) |
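Review bot: The `allow telnetd_t self:udp_socket create_socket_perms;` rule is removed here, yet `corenet_udp_sendrecv_generic_node` and `corenet_udp_sendrecv_all_ports(telnetd_t)` survive as context in the next hunk; unless `auth_use_nsswitch` or `inetd_service_domain` still supplies a UDP socket, those corenet rules are dead weight and should be dropped in the same change, or a comment should name the interface that provides the socket. The merged capability line now grants `{ fsetid chown fowner setuid setgid sys_tty_config dac_override }` with no note on what each is for; since `dac_override` with `chown`/`fowner` on a root daemon that writes into `/tmp` is the kind of set that gets audited, a one-line why-comment such as `# setuid/setgid to switch to the logged-in user; chown/fowner/fsetid for pty ownership -- verify against in.telnetd` (hedged, since the daemon's code is not on this page) would help. The dropped `netlink_tcpdiag_socket` rule carried the only explanation of why it existed; dropping both is fine, but that rationale should not be lost if the rule is ever re-added.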
72 |
@@ -57,23 +50,21 @@ corenet_udp_sendrecv_generic_node(telnetd_t) |
73 |
corenet_tcp_sendrecv_all_ports(telnetd_t) |
74 |
corenet_udp_sendrecv_all_ports(telnetd_t) |
75 |
|
76 |
+corecmd_search_bin(telnetd_t) |
77 |
+ |
78 |
dev_read_urand(telnetd_t) |
79 |
|
80 |
domain_interactive_fd(telnetd_t) |
81 |
|
82 |
+files_read_usr_files(telnetd_t) |
83 |
+files_read_etc_runtime_files(telnetd_t) |
84 |
+files_search_home(telnetd_t) |
85 |
+ |
86 |
fs_getattr_xattr_fs(telnetd_t) |
87 |
|
88 |
auth_rw_login_records(telnetd_t) |
89 |
auth_use_nsswitch(telnetd_t) |
90 |
|
91 |
-corecmd_search_bin(telnetd_t) |
92 |
- |
93 |
-files_read_usr_files(telnetd_t) |
94 |
-files_read_etc_files(telnetd_t) |
95 |
-files_read_etc_runtime_files(telnetd_t) |
96 |
-# for identd; cjp: this should probably only be inetd_child rules? |
97 |
-files_search_home(telnetd_t) |
98 |
- |
99 |
init_rw_utmp(telnetd_t) |
100 |
|
101 |
logging_send_syslog_msg(telnetd_t) |
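Review bot: The `# for identd; cjp: this should probably only be inetd_child rules?` comment is deleted, but the rule it qualified, `files_search_home(telnetd_t)`, is kept unconditionally at its new position, so the open question vanishes from the file without being answered. Either keep a marker on the moved line, `files_search_home(telnetd_t) # identd lookup; candidate for inetd_child_t instead`, or state in the commit message why the access is now considered generic to telnetd. `files_read_etc_files(telnetd_t)` is also dropped silently; that is harmless only if the base policy now grants `/etc` reads to every domain, which nothing on this page shows, so a short note on that would save the next reader a search.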
102 |
@@ -85,10 +76,6 @@ seutil_read_config(telnetd_t) |
103 |
userdom_search_user_home_dirs(telnetd_t) |
104 |
userdom_setattr_user_ptys(telnetd_t) |
105 |
|
106 |
-optional_policy(` |
107 |
- remotelogin_domtrans(telnetd_t) |
108 |
-') |
109 |
- |
110 |
tunable_policy(`use_nfs_home_dirs',` |
111 |
fs_search_nfs(telnetd_t) |
112 |
') |
113 |
@@ -103,5 +90,10 @@ optional_policy(` |
114 |
|
115 |
optional_policy(` |
116 |
kerberos_keytab_template(telnetd, telnetd_t) |
117 |
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0") |
118 |
kerberos_manage_host_rcache(telnetd_t) |
119 |
') |
120 |
+ |
121 |
+optional_policy(` |
122 |
+ remotelogin_domtrans(telnetd_t) |
123 |
+') |
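Review bot: `kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")` hard-codes the replay-cache file name with no explanation of where `host_0` comes from, which invites a later "fix" to something more general. Add a comment above the call along the lines of `# krb5 names the host principal's replay cache host_<uid> under /tmp; telnetd runs as root, hence "host_0" -- confirm against the krb5 rcache naming rules`, hedged because the naming convention is inferred rather than shown here. If the daemon ever creates the cache under a different name, the file would presumably receive the generic tmp label and the accompanying `kerberos_manage_host_rcache(telnetd_t)` would not cover it, so a denial on a `/tmp/host_*` file is the symptom to watch for. The relocated `remotelogin_domtrans` block is unchanged apart from its position.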