#
# Type enforcement rules for the rlogind daemon domain (rlogind_t).
# The rules below expect the daemon to be started by inetd: it inherits
# inetd's descriptors and TCP socket and sends SIGCHLD to inetd on exit.
#
# NOTE(review): this domain is network-facing (can_network), may read
# etc_auth_t files and holds setuid/setgid/dac_override. A compromise of
# the daemon is therefore high impact; keep every allow rule below as
# narrow as the daemon actually needs.
#

# Domain type for the daemon process. privlog and auth are attributes whose
# rules live elsewhere in the policy; what they grant is not visible in this
# file, so review those rules together with this one.
type rlogind_t, domain, privlog, auth;
# Type for the rlogind executable. The transition from inetd into rlogind_t
# is not defined in this file - presumably it is in the inetd policy; confirm.
type rlogind_exec_t, file_type, sysadmfile, exec_type;
# Private type for the daemon's temporary files.
type rlogind_tmp_t, file_type, sysadmfile, tmpfile;
# Presumably labels files that rlogind_t creates in tmp_t directories as
# rlogind_tmp_t (macro defined elsewhere - confirm), so they are kept apart
# from other domains' temporary files.
file_type_auto_trans(rlogind_t, tmp_t, rlogind_tmp_t)
# Inherit and use descriptors from inetd.
allow rlogind_t inetd_t:fd inherit_fd_perms;
# Use sockets inherited from inetd.
allow rlogind_t inetd_t:tcp_socket rw_stream_socket_perms;
# Use capabilities.
#   net_bind_service - bind to privileged ports
#   setuid, setgid   - change process user/group IDs
#   chown            - change file ownership
#   fowner, fsetid   - bypass file-owner checks / keep set-id bits on change
#   dac_override     - bypass discretionary file permission checks
# NOTE(review): dac_override is the broadest of these; confirm the daemon
# really needs it. The capability only relaxes DAC checks - the type
# enforcement rules of this policy still apply to the process.
allow rlogind_t rlogind_t:capability { net_bind_service setuid setgid fowner fsetid chown dac_override };
# Perform socket ioctl.
allow rlogind_t kernel_t:system net_io_control;
# Use the network.
# The exact permissions come from the can_network macro, defined elsewhere.
can_network(rlogind_t)
# Run login in remote_login_t.
# Presumably: when rlogind_t executes a login_exec_t file, the new process
# runs in remote_login_t rather than staying in rlogind_t, so the login
# program does not inherit this domain's permissions - confirm against the
# macro definition.
domain_auto_trans(rlogind_t, login_exec_t, remote_login_t)
# Send SIGCHLD to inetd on death.
# sigchld is the only process permission towards inetd_t granted here.
allow rlogind_t inetd_t:process sigchld;
# Create ptys.
# NOTE(review): the argument is the bare prefix "rlogind", not rlogind_t;
# presumably the macro derives the domain and pty type names from it -
# confirm against the macro definition.
can_create_pty(rlogind)
# Modify /var/run/utmp.
# NOTE(review): rw_file_perms presumably allows rewriting existing login
# records, not just adding new ones - keep that in mind when relying on
# utmp/wtmp as an audit source.
allow rlogind_t initrc_var_run_t:file rw_file_perms;
# Modify /var/log/wtmp.
allow rlogind_t wtmp_t:file rw_file_perms;
# Read /etc/auth/shadow.
# Read-only: these two rules grant directory search/read and file read on
# etc_auth_t, no write. The auth attribute on rlogind_t may add further
# access that is not visible here.
allow rlogind_t etc_auth_t:dir r_dir_perms;
allow rlogind_t etc_auth_t:file r_file_perms;