From 2b2d87d128ea23adfd3a6d4e26a433651ba15104 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 25 2012 10:44:13 +0000 Subject: Changes to the rshd policy module Module clean up Remove many duplicate rules due to auth_login_pgm_domain Signed-off-by: Dominick Grift --- diff --git a/rshd.fc b/rshd.fc index 6a4db03..9ad0d58 100644 --- a/rshd.fc +++ b/rshd.fc @@ -1,4 +1,3 @@ - /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff --git a/rshd.if b/rshd.if index 2e87d76..7ad29c0 100644 --- a/rshd.if +++ b/rshd.if @@ -2,7 +2,7 @@ ######################################## ## -## Domain transition to rshd. +## Execute rshd in the rshd domain. ## ## ## @@ -15,7 +15,6 @@ interface(`rshd_domtrans',` type rshd_exec_t, rshd_t; ') - files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, rshd_exec_t, rshd_t) ') diff --git a/rshd.te b/rshd.te index 0b405d1..f842825 100644 --- a/rshd.te +++ b/rshd.te @@ -1,22 +1,22 @@ -policy_module(rshd, 1.7.0) +policy_module(rshd, 1.7.1) ######################################## # # Declarations # + type rshd_t; type rshd_exec_t; +auth_login_pgm_domain(rshd_t) inetd_tcp_service_domain(rshd_t, rshd_exec_t) -domain_subj_id_change_exemption(rshd_t) -domain_role_change_exemption(rshd_t) -role system_r types rshd_t; ######################################## # # Local policy # + allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override }; -allow rshd_t self:process { signal_perms fork setsched setpgid setexec }; +allow rshd_t self:process { signal_perms setsched setpgid setexec }; allow rshd_t self:fifo_file rw_fifo_file_perms; allow rshd_t self:tcp_socket create_stream_socket_perms; @@ -25,48 +25,24 @@ kernel_read_kernel_sysctls(rshd_t) corenet_all_recvfrom_unlabeled(rshd_t) corenet_all_recvfrom_netlabel(rshd_t) corenet_tcp_sendrecv_generic_if(rshd_t) -corenet_udp_sendrecv_generic_if(rshd_t) corenet_tcp_sendrecv_generic_node(rshd_t) -corenet_udp_sendrecv_generic_node(rshd_t) corenet_tcp_sendrecv_all_ports(rshd_t) -corenet_udp_sendrecv_all_ports(rshd_t) corenet_tcp_bind_generic_node(rshd_t) + +corenet_sendrecv_all_server_packets(rshd_t) corenet_tcp_bind_rsh_port(rshd_t) corenet_tcp_bind_all_rpc_ports(rshd_t) corenet_tcp_connect_all_ports(rshd_t) corenet_tcp_connect_all_rpc_ports(rshd_t) -corenet_sendrecv_rsh_server_packets(rshd_t) - -dev_read_urand(rshd_t) - -selinux_get_fs_mount(rshd_t) -selinux_validate_context(rshd_t) -selinux_compute_access_vector(rshd_t) -selinux_compute_create_context(rshd_t) -selinux_compute_relabel_context(rshd_t) -selinux_compute_user_contexts(rshd_t) corecmd_read_bin_symlinks(rshd_t) files_list_home(rshd_t) -files_read_etc_files(rshd_t) -files_search_tmp(rshd_t) -auth_login_pgm_domain(rshd_t) -auth_write_login_records(rshd_t) - -init_rw_utmp(rshd_t) - -logging_send_syslog_msg(rshd_t) logging_search_logs(rshd_t) miscfiles_read_localization(rshd_t) -seutil_read_config(rshd_t) -seutil_read_default_contexts(rshd_t) - -userdom_search_user_home_content(rshd_t) - tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(rshd_t) fs_read_nfs_symlinks(rshd_t) @@ -80,6 +56,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` kerberos_keytab_template(rshd, rshd_t) kerberos_manage_host_rcache(rshd_t) + kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0") ') optional_policy(`