Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/apps/rssh.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/apps/rssh.te')
-rw-r--r--policy/modules/apps/rssh.te99
1 files changed, 99 insertions, 0 deletions
diff --git a/policy/modules/apps/rssh.te b/policy/modules/apps/rssh.te
new file mode 100644
index 000000000..91a89f657
--- /dev/null
+++ b/policy/modules/apps/rssh.te
@@ -0,0 +1,99 @@
+policy_module(rssh, 2.3.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role rssh_roles;
+roleattribute system_r rssh_roles;
+
+type rssh_t;
+type rssh_exec_t;
+typealias rssh_t alias { user_rssh_t staff_rssh_t sysadm_rssh_t };
+typealias rssh_t alias { auditadm_rssh_t secadm_rssh_t };
+userdom_user_application_domain(rssh_t, rssh_exec_t)
+domain_user_exemption_target(rssh_t)
+domain_interactive_fd(rssh_t)
+role rssh_roles types rssh_t;
+
+type rssh_chroot_helper_t;
+type rssh_chroot_helper_exec_t;
+init_system_domain(rssh_chroot_helper_t, rssh_chroot_helper_exec_t)
+
+type rssh_devpts_t;
+typealias rssh_devpts_t alias { user_rssh_devpts_t staff_rssh_devpts_t sysadm_rssh_devpts_t };
+typealias rssh_devpts_t alias { auditadm_rssh_devpts_t secadm_rssh_devpts_t };
+term_user_pty(rssh_t, rssh_devpts_t)
+ubac_constrained(rssh_devpts_t)
+
+type rssh_ro_t; # customizable
+typealias rssh_ro_t alias { user_rssh_ro_t staff_rssh_ro_t sysadm_rssh_ro_t };
+typealias rssh_ro_t alias { auditadm_rssh_ro_t secadm_rssh_ro_t };
+userdom_user_home_content(rssh_ro_t)
+
+type rssh_rw_t; # customizable
+typealias rssh_rw_t alias { user_rssh_rw_t staff_rssh_rw_t sysadm_rssh_rw_t };
+typealias rssh_rw_t alias { auditadm_rssh_rw_t secadm_rssh_rw_t };
+userdom_user_home_content(rssh_rw_t)
+
+##############################
+#
+# Local policy
+#
+
+allow rssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
+allow rssh_t self:fd use;
+allow rssh_t self:fifo_file rw_fifo_file_perms;
+allow rssh_t self:unix_dgram_socket sendto;
+allow rssh_t self:unix_stream_socket { accept connectto listen };
+
+allow rssh_t rssh_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(rssh_t, rssh_devpts_t)
+
+allow rssh_t rssh_ro_t:dir list_dir_perms;
+read_files_pattern(rssh_t, rssh_ro_t, rssh_ro_t)
+
+manage_dirs_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+
+kernel_read_system_state(rssh_t)
+kernel_read_kernel_sysctls(rssh_t)
+
+files_read_etc_files(rssh_t)
+files_read_etc_runtime_files(rssh_t)
+files_list_home(rssh_t)
+files_read_usr_files(rssh_t)
+files_list_var(rssh_t)
+
+fs_search_auto_mountpoints(rssh_t)
+
+logging_send_syslog_msg(rssh_t)
+
+miscfiles_read_localization(rssh_t)
+
+rssh_domtrans_chroot_helper(rssh_t)
+
+ssh_rw_tcp_sockets(rssh_t)
+ssh_rw_stream_sockets(rssh_t)
+
+optional_policy(`
+ nis_use_ypbind(rssh_t)
+')
+
+########################################
+#
+# Chroot helper local policy
+#
+
+allow rssh_chroot_helper_t self:capability { setuid sys_chroot };
+allow rssh_chroot_helper_t self:fifo_file rw_fifo_file_perms;
+allow rssh_chroot_helper_t self:unix_stream_socket { accept listen };
+
+domain_use_interactive_fds(rssh_chroot_helper_t)
+
+auth_use_nsswitch(rssh_chroot_helper_t)
+
+logging_send_syslog_msg(rssh_chroot_helper_t)
+
+miscfiles_read_localization(rssh_chroot_helper_t)