diff options
Diffstat (limited to 'policy/modules/apps/rssh.te')
-rw-r--r-- | policy/modules/apps/rssh.te | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te new file mode 100644 index 000000000..91a89f657 --- /dev/null +++ b/policy/modules/apps/rssh.te @@ -0,0 +1,99 @@ +policy_module(rssh, 2.3.0) + +######################################## +# +# Declarations +# + +attribute_role rssh_roles; +roleattribute system_r rssh_roles; + +type rssh_t; +type rssh_exec_t; +typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t }; +typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t }; +userdom_user_application_domain(rssh_t, rssh_exec_t) +domain_user_exemption_target(rssh_t) +domain_interactive_fd(rssh_t) +role rssh_roles types rssh_t; + +type rssh_chroot_helper_t; +type rssh_chroot_helper_exec_t; +init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t) + +type rssh_devpts_t; +typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t }; +typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t }; +term_user_pty(rssh_t, rssh_devpts_t) +ubac_constrained(rssh_devpts_t) + +type rssh_ro_t; # customizable +typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t }; +typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t }; +userdom_user_home_content(rssh_ro_t) + +type rssh_rw_t; # customizable +typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t }; +typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t }; +userdom_user_home_content(rssh_rw_t) + +############################## +# +# Local policy +# + +allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; +allow rssh_t self:fd use; +allow rssh_t self:fifo_file rw_fifo_file_perms; +allow rssh_t self:unix_dgram_socket sendto; +allow rssh_t self:unix_stream_socket { accept connectto listen }; + +allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; +term_create_pty(rssh_t, rssh_devpts_t) + +allow rssh_t rssh_ro_t:dir list_dir_perms; +read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t) + +manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t) +manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t) + +kernel_read_system_state(rssh_t) +kernel_read_kernel_sysctls(rssh_t) + +files_read_etc_files(rssh_t) +files_read_etc_runtime_files(rssh_t) +files_list_home(rssh_t) +files_read_usr_files(rssh_t) +files_list_var(rssh_t) + +fs_search_auto_mountpoints(rssh_t) + +logging_send_syslog_msg(rssh_t) + +miscfiles_read_localization(rssh_t) + +rssh_domtrans_chroot_helper(rssh_t) + +ssh_rw_tcp_sockets(rssh_t) +ssh_rw_stream_sockets(rssh_t) + +optional_policy(` + nis_use_ypbind(rssh_t) +') + +######################################## +# +# Chroot helper local policy +# + +allow rssh_chroot_helper_t self:capability { setuid sys_chroot }; +allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms; +allow rssh_chroot_helper_t self:unix_stream_socket { accept listen }; + +domain_use_interactive_fds(rssh_chroot_helper_t) + +auth_use_nsswitch(rssh_chroot_helper_t) + +logging_send_syslog_msg(rssh_chroot_helper_t) + +miscfiles_read_localization(rssh_chroot_helper_t) |