Created
November 4, 2021 19:04
-
-
Save bacher09/76da34fad65adf2f660acf4b2e7da0ee to your computer and use it in GitHub Desktop.
Teleport SELinux policy for fedora 34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/usr/local/bin/teleport -- gen_context(system_u:object_r:teleport_exec_t,s0) | |
/var/lib/teleport(/.*)? gen_context(system_u:object_r:teleport_var_lib_t,s0) | |
/var/run/teleport.pid -- gen_context(system_u:object_r:teleport_var_run_t,s0) | |
/run/teleport.pid -- gen_context(system_u:object_r:teleport_var_run_t,s0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
policy_module(teleport, 1.0.0) | |
require { | |
type user_t; | |
type staff_t; | |
} | |
######################################## | |
# | |
# Declarations | |
# | |
type teleport_t; | |
type teleport_exec_t; | |
type teleport_port_t; | |
type teleport_var_lib_t; | |
type teleport_var_run_t; | |
type teleport_devpts_t; | |
type teleport_tmp_t; | |
attribute_role teleport_roles; | |
init_daemon_domain(teleport_t, teleport_exec_t) | |
files_type(teleport_var_lib_t) | |
files_pid_file(teleport_var_run_t) | |
corenet_reserved_port(teleport_port_t) | |
typealias teleport_devpts_t alias { user_teleport_devpts_t staff_teleport_devpts_t sysadm_teleport_devpts_t }; | |
typealias teleport_devpts_t alias { auditadm_teleport_devpts_t secadm_teleport_devpts_t }; | |
role teleport_roles types teleport_t; | |
files_tmp_file(teleport_tmp_t) | |
######################################## | |
# | |
# teleport local policy | |
# | |
allow teleport_t self:capability { setgid fsetid setuid dac_override dac_read_search chown }; | |
allow teleport_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit setexec }; | |
allow teleport_t self:fd use; | |
allow teleport_t teleport_exec_t:file execute_no_trans; | |
allow teleport_t self:fifo_file rw_fifo_file_perms; | |
allow teleport_t self:unix_stream_socket create_stream_socket_perms; | |
allow teleport_t self:unix_dgram_socket create_stream_socket_perms; | |
manage_dirs_pattern(teleport_t, teleport_var_lib_t, teleport_var_lib_t) | |
manage_files_pattern(teleport_t, teleport_var_lib_t, teleport_var_lib_t) | |
manage_lnk_files_pattern(teleport_t, teleport_var_lib_t, teleport_var_lib_t) | |
files_var_lib_filetrans(teleport_t, teleport_var_lib_t, { dir file lnk_file }) | |
manage_dirs_pattern(teleport_t, teleport_var_run_t, teleport_var_run_t) | |
manage_files_pattern(teleport_t, teleport_var_run_t, teleport_var_run_t) | |
manage_lnk_files_pattern(teleport_t, teleport_var_run_t, teleport_var_run_t) | |
files_pid_filetrans(teleport_t, teleport_var_run_t, { dir file lnk_file }) | |
domain_use_interactive_fds(teleport_t) | |
files_read_etc_files(teleport_t) | |
auth_use_nsswitch(teleport_t) | |
miscfiles_read_localization(teleport_t) | |
sysnet_dns_name_resolve(teleport_t) | |
allow teleport_t teleport_port_t:tcp_socket {name_bind name_connect}; | |
corenet_all_recvfrom_unlabeled(teleport_t) | |
corenet_all_recvfrom_netlabel(teleport_t) | |
corenet_tcp_sendrecv_generic_if(teleport_t) | |
corenet_udp_sendrecv_generic_if(teleport_t) | |
corenet_tcp_sendrecv_generic_node(teleport_t) | |
corenet_udp_sendrecv_generic_node(teleport_t) | |
corenet_udp_bind_generic_node(teleport_t) | |
allow teleport_t self:tcp_socket create_stream_socket_perms; | |
allow teleport_t self:udp_socket create_socket_perms; | |
allow teleport_t self:netlink_route_socket r_netlink_socket_perms; | |
dev_read_sysfs(teleport_t) | |
kernel_dgram_send(teleport_t) | |
kernel_read_net_sysctls(teleport_t) | |
kernel_search_network_sysctl(teleport_t) | |
logging_stream_connect_syslog(teleport_t) | |
term_login_pty(teleport_devpts_t) | |
term_user_pty(teleport_t, teleport_devpts_t) | |
ubac_constrained(teleport_devpts_t) | |
allow teleport_t teleport_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; | |
term_create_pty(teleport_t, teleport_devpts_t) | |
userdom_read_user_home_content_files(teleport_t) | |
userdom_read_user_home_content_symlinks(teleport_t) | |
userdom_spec_domtrans_unpriv_users(teleport_t) | |
userdom_dyntransition_unpriv_users(teleport_t) | |
userdom_signal_unpriv_users(teleport_t) | |
userdom_use_inherited_user_terminals(teleport_t) | |
tunable_policy(`ssh_sysadm_login',` | |
# Relabel and access ptys created by sshd | |
# ioctl is necessary for logout() processing for utmp entry and for w to | |
# display the tty. | |
# some versions of sshd on the new SE Linux require setattr | |
userdom_signal_all_users(teleport_t) | |
userdom_spec_domtrans_all_users(teleport_t) | |
userdom_dyntransition_admin_users(teleport_t) | |
') | |
#auth_exec_login_program(teleport_t) | |
auth_run_chk_passwd(teleport_t, teleport_roles) | |
auth_rw_lastlog(teleport_t) | |
auth_rw_faillog(teleport_t) | |
auth_write_login_records(teleport_t) | |
init_rw_utmp(teleport_t) | |
files_list_tmp(teleport_t) | |
manage_dirs_pattern(teleport_t, teleport_tmp_t, teleport_tmp_t) | |
manage_files_pattern(teleport_t, teleport_tmp_t, teleport_tmp_t) | |
manage_sock_files_pattern(teleport_t, teleport_tmp_t, teleport_tmp_t) | |
files_tmp_filetrans(teleport_t, teleport_tmp_t, { file dir }) | |
optional_policy(` | |
unconfined_shell_domtrans(teleport_t) | |
') | |
optional_policy(` | |
systemd_dbus_chat_logind(teleport_t) | |
') | |
auth_login_pgm_domain(teleport_t) | |
logging_send_syslog_msg(teleport_t) | |
# do this for every SELinux user | |
allow user_t teleport_devpts_t:chr_file rw_term_perms; | |
allow staff_t teleport_devpts_t:chr_file rw_term_perms; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment