[people/stevee/selinux-policy.git] / policy / modules / admin / netutils.te


policy_module(netutils, 1.10.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping, false)

type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t, netutils_exec_t)
role system_r types netutils_t;

type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

type ping_t;
type ping_exec_t;
init_system_domain(ping_t, ping_exec_t)
role system_r types ping_t;

type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t, traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
dontaudit netutils_t self:capability sys_tty_config;
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;

manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)

corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
corenet_udp_sendrecv_generic_if(netutils_t)
corenet_tcp_sendrecv_generic_node(netutils_t)
corenet_raw_sendrecv_generic_node(netutils_t)
corenet_udp_sendrecv_generic_node(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

dev_read_sysfs(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

auth_use_nsswitch(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

term_dontaudit_use_console(netutils_t)
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)

optional_policy(`
	nis_use_ypbind(netutils_t)
')

optional_policy(`
	vmware_append_log(netutils_t)
')

optional_policy(`
	xen_append_log(netutils_t)
')

########################################
#
# Ping local policy
#

allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;

corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_node(ping_t)
corenet_tcp_sendrecv_generic_node(ping_t)
corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

kernel_read_system_state(ping_t)

auth_use_nsswitch(ping_t)

logging_send_syslog_msg(ping_t)

miscfiles_read_localization(ping_t)

userdom_use_user_terminals(ping_t)

ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)

	optional_policy(`
		nagios_dontaudit_rw_pipes(ping_t)
	')
')

optional_policy(`
	munin_append_log(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
corenet_raw_sendrecv_generic_if(traceroute_t)
corenet_tcp_sendrecv_generic_node(traceroute_t)
corenet_udp_sendrecv_generic_node(traceroute_t)
corenet_raw_sendrecv_generic_node(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_generic_node(traceroute_t)
corenet_tcp_bind_generic_node(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_generic_node(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

auth_use_nsswitch(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

userdom_use_user_terminals(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)
Commit	Line	Data
4fc91539	1
29af4c13	2	policy_module(netutils, 1.10.0)
4fc91539 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Control users use of ping and traceroute
	12	## </p>
	13	## </desc>
0bfccda4	14	gen_tunable(user_ping, false)
56e1b3d2	15
4fc91539 CP	16	type netutils_t;
4fc91539 CP	17	type netutils_exec_t;
0bfccda4	18	init_system_domain(netutils_t, netutils_exec_t)
4fc91539 CP	19	role system_r types netutils_t;
	20
	21	type netutils_tmp_t;
c9428d33	22	files_tmp_file(netutils_tmp_t)
4fc91539	23
493d6c4a	24	type ping_t;
4fc91539	25	type ping_exec_t;
0bfccda4	26	init_system_domain(ping_t, ping_exec_t)
4fc91539 CP	27	role system_r types ping_t;
4fc91539 CP	28
493d6c4a	29	type traceroute_t;
4fc91539	30	type traceroute_exec_t;
0bfccda4	31	init_system_domain(traceroute_t, traceroute_exec_t)
4fc91539 CP	32	role system_r types traceroute_t;
4fc91539 CP	33
4fc91539 CP	34	########################################
	35	#
	36	# Netutils local policy
	37	#
	38
	39	# Perform network administration operations and have raw access to the network.
	40	allow netutils_t self:capability { net_admin net_raw setuid setgid };
27c570f7	41	dontaudit netutils_t self:capability sys_tty_config;
4fc91539 CP	42	allow netutils_t self:process { sigkill sigstop signull signal };
4fc91539 CP	43	allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
dc67f782 CP	44	allow netutils_t self:packet_socket create_socket_perms;
dc67f782 CP	45	allow netutils_t self:udp_socket create_socket_perms;
2e0a8801	46	allow netutils_t self:tcp_socket create_stream_socket_perms;
44dc1b9c	47	allow netutils_t self:socket create_socket_perms;
4fc91539	48
0bfccda4 CP	49	manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
0bfccda4 CP	50	manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
103fe280	51	files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
4fc91539	52
b24f35d8	53	kernel_search_proc(netutils_t)
a65fd90a	54	kernel_read_all_sysctls(netutils_t)
b24f35d8	55
19006686 CP	56	corenet_all_recvfrom_unlabeled(netutils_t)
19006686 CP	57	corenet_all_recvfrom_netlabel(netutils_t)
668b3093 CP	58	corenet_tcp_sendrecv_generic_if(netutils_t)
	59	corenet_raw_sendrecv_generic_if(netutils_t)
	60	corenet_udp_sendrecv_generic_if(netutils_t)
c1262146 CP	61	corenet_tcp_sendrecv_generic_node(netutils_t)
	62	corenet_raw_sendrecv_generic_node(netutils_t)
	63	corenet_udp_sendrecv_generic_node(netutils_t)
0fd9dc55 CP	64	corenet_tcp_sendrecv_all_ports(netutils_t)
0fd9dc55 CP	65	corenet_udp_sendrecv_all_ports(netutils_t)
0907bda1	66	corenet_tcp_connect_all_ports(netutils_t)
9d0c9b3e	67	corenet_sendrecv_all_client_packets(netutils_t)
123a990b	68	corenet_udp_bind_generic_node(netutils_t)
0fd9dc55	69
9e8f65c8 CP	70	dev_read_sysfs(netutils_t)
9e8f65c8 CP	71
0fd9dc55	72	fs_getattr_xattr_fs(netutils_t)
4fc91539	73
15722ec9	74	domain_use_interactive_fds(netutils_t)
4fc91539	75
8fd36732	76	files_read_etc_files(netutils_t)
4fc91539	77	# for nscd
c9428d33	78	files_dontaudit_search_var(netutils_t)
4fc91539	79
1c1ac67f	80	init_use_fds(netutils_t)
1815bad1	81	init_use_script_ptys(netutils_t)
ab940a4c	82
74993c4d CP	83	auth_use_nsswitch(netutils_t)
74993c4d CP	84
c9428d33	85	logging_send_syslog_msg(netutils_t)
4fc91539 CP	86
	87	miscfiles_read_localization(netutils_t)
	88
44dc1b9c	89	term_dontaudit_use_console(netutils_t)
296273a7	90	userdom_use_user_terminals(netutils_t)
15722ec9	91	userdom_use_all_users_fds(netutils_t)
4fc91539	92
bb7170f6	93	optional_policy(`
ab940a4c CP	94	nis_use_ypbind(netutils_t)
ab940a4c CP	95	')
4fc91539	96
74993c4d CP	97	optional_policy(`
	98	vmware_append_log(netutils_t)
	99	')
	100
d9845ae9 CP	101	optional_policy(`
	102	xen_append_log(netutils_t)
	103	')
	104
4fc91539 CP	105	########################################
	106	#
	107	# Ping local policy
	108	#
	109
8f882ffc	110	allow ping_t self:capability { setuid net_raw };
4fc91539	111	dontaudit ping_t self:capability sys_tty_config;
dc67f782	112	allow ping_t self:tcp_socket create_socket_perms;
4fc91539	113	allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
0e1c461e	114	allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
74993c4d	115	allow ping_t self:netlink_route_socket create_netlink_socket_perms;
4fc91539	116
19006686 CP	117	corenet_all_recvfrom_unlabeled(ping_t)
19006686 CP	118	corenet_all_recvfrom_netlabel(ping_t)
668b3093 CP	119	corenet_tcp_sendrecv_generic_if(ping_t)
668b3093 CP	120	corenet_raw_sendrecv_generic_if(ping_t)
c1262146 CP	121	corenet_raw_sendrecv_generic_node(ping_t)
	122	corenet_tcp_sendrecv_generic_node(ping_t)
	123	corenet_raw_bind_generic_node(ping_t)
0fd9dc55	124	corenet_tcp_sendrecv_all_ports(ping_t)
4fc91539	125
0fd9dc55	126	fs_dontaudit_getattr_xattr_fs(ping_t)
4fc91539	127
15722ec9	128	domain_use_interactive_fds(ping_t)
4fc91539	129
8fd36732	130	files_read_etc_files(ping_t)
c9428d33	131	files_dontaudit_search_var(ping_t)
4fc91539	132
da04234f CP	133	kernel_read_system_state(ping_t)
da04234f CP	134
74993c4d CP	135	auth_use_nsswitch(ping_t)
74993c4d CP	136
c0868a7a CP	137	logging_send_syslog_msg(ping_t)
c0868a7a CP	138
27c570f7 CP	139	miscfiles_read_localization(ping_t)
27c570f7 CP	140
296273a7 CP	141	userdom_use_user_terminals(ping_t)
296273a7 CP	142
cf6a7d89	143	ifdef(`hide_broken_symptoms',`
1c1ac67f	144	init_dontaudit_use_fds(ping_t)
a65fd90a CP	145
	146	optional_policy(`
	147	nagios_dontaudit_rw_pipes(ping_t)
	148	')
cf6a7d89 CP	149	')
cf6a7d89 CP	150
da04234f CP	151	optional_policy(`
	152	munin_append_log(ping_t)
	153	')
	154
bb7170f6	155	optional_policy(`
15722ec9	156	pcmcia_use_cardmgr_fds(ping_t)
cf6a7d89 CP	157	')
cf6a7d89 CP	158
bb7170f6	159	optional_policy(`
1c1ac67f	160	hotplug_use_fds(ping_t)
ebdc3b79 CP	161	')
ebdc3b79 CP	162
4fc91539 CP	163	########################################
	164	#
	165	# Traceroute local policy
	166	#
	167
	168	allow traceroute_t self:capability { net_admin net_raw setuid setgid };
dc67f782 CP	169	allow traceroute_t self:rawip_socket create_socket_perms;
dc67f782 CP	170	allow traceroute_t self:packet_socket create_socket_perms;
8f882ffc	171	allow traceroute_t self:udp_socket create_socket_perms;
4fc91539 CP	172
	173	kernel_read_system_state(traceroute_t)
	174	kernel_read_network_state(traceroute_t)
	175
19006686 CP	176	corenet_all_recvfrom_unlabeled(traceroute_t)
19006686 CP	177	corenet_all_recvfrom_netlabel(traceroute_t)
668b3093 CP	178	corenet_tcp_sendrecv_generic_if(traceroute_t)
	179	corenet_udp_sendrecv_generic_if(traceroute_t)
	180	corenet_raw_sendrecv_generic_if(traceroute_t)
c1262146 CP	181	corenet_tcp_sendrecv_generic_node(traceroute_t)
	182	corenet_udp_sendrecv_generic_node(traceroute_t)
	183	corenet_raw_sendrecv_generic_node(traceroute_t)
0fd9dc55 CP	184	corenet_tcp_sendrecv_all_ports(traceroute_t)
0fd9dc55 CP	185	corenet_udp_sendrecv_all_ports(traceroute_t)
c1262146 CP	186	corenet_udp_bind_generic_node(traceroute_t)
c1262146 CP	187	corenet_tcp_bind_generic_node(traceroute_t)
8f882ffc	188	# traceroute needs this but not tracepath
c1262146	189	corenet_raw_bind_generic_node(traceroute_t)
165b42d2	190	corenet_udp_bind_traceroute_port(traceroute_t)
2705f9a0	191	corenet_tcp_connect_all_ports(traceroute_t)
9d0c9b3e CP	192	corenet_sendrecv_all_client_packets(traceroute_t)
9d0c9b3e CP	193	corenet_sendrecv_traceroute_server_packets(traceroute_t)
4fc91539	194
0fd9dc55	195	fs_dontaudit_getattr_xattr_fs(traceroute_t)
4fc91539	196
15722ec9	197	domain_use_interactive_fds(traceroute_t)
4fc91539	198
8fd36732	199	files_read_etc_files(traceroute_t)
c9428d33	200	files_dontaudit_search_var(traceroute_t)
4fc91539	201
165b42d2 CP	202	init_use_fds(traceroute_t)
165b42d2 CP	203
74993c4d CP	204	auth_use_nsswitch(traceroute_t)
74993c4d CP	205
c9428d33	206	logging_send_syslog_msg(traceroute_t)
4fc91539 CP	207
	208	miscfiles_read_localization(traceroute_t)
	209
296273a7 CP	210	userdom_use_user_terminals(traceroute_t)
296273a7 CP	211
4fc91539	212	#rules needed for nmap
f0c985ca KM	213	dev_read_rand(traceroute_t)
f0c985ca KM	214	dev_read_urand(traceroute_t)
c9428d33	215	files_read_usr_files(traceroute_t)