# Network utilities module: declares the netutils_t, ping_t and traceroute_t
# domains and their entry-point types.
policy_module(netutils,1.3.1)

########################################
#
# Declarations
#

# The user_ping tunable is declared only in the strict policy.  The targeted
# policy grants terminal access to ping_t/traceroute_t unconditionally in the
# per-domain ifdef(`targeted_policy') blocks below, so it has no tunable.
# NOTE(review): the tunable is referenced from the else-branch of
# ifdef(`targeted_policy') in the ping and traceroute sections; that is only
# well-defined if strict_policy is the sole alternative policy type -- confirm.
ifdef(`strict_policy',`
	## <desc>
	## <p>
	## Control users use of ping and traceroute
	## </p>
	## </desc>
	gen_tunable(user_ping,false)
')

# Generic network administration utilities: a system domain with its own
# entry-point type, reachable from system_r.
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

# Private temporary files for netutils_t; this is the only one of the three
# domains that gets a tmp type.
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

# ping: own domain and entry point.  It is granted fewer capabilities than
# netutils_t (see the "Ping local policy" section).
type ping_t;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

# traceroute: own domain and entry point.  The comments in the traceroute
# section indicate tracepath and nmap are also expected to run here.
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
# nlmsg_write is included, so this domain may send write-class netlink route
# messages; compare traceroute_t below, which gets nlmsg_read only.
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;

# Own tmp files and directories, with a type transition when creating them
# in the generic tmp directories.
manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)

# Send/receive on all interfaces, nodes and ports for TCP, UDP and raw IP,
# plus outbound TCP connections to any port and UDP bind on the generic node.
corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

sysnet_read_config(netutils_t)

userdom_use_all_users_fds(netutils_t)

# Terminal access only in the targeted policy.  Unlike ping_t and
# traceroute_t there is no user_ping tunable branch for this domain.
ifdef(`targeted_policy',`
	term_use_generic_ptys(netutils_t)
	term_use_unallocated_ttys(netutils_t)
')

optional_policy(`
	nis_use_ypbind(netutils_t)
')

optional_policy(`
	xen_append_log(netutils_t)
')

########################################
#
# Ping local policy
#

# Narrower than netutils_t: no net_admin and no setgid.
allow ping_t self:capability { setuid net_raw };
# Quiet sys_tty_config denials without granting the capability.
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
# Raw IP and packet sockets with an explicit permission set rather than the
# create_socket_perms macro used for the TCP socket above.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };

# TCP and raw IP send/receive on all interfaces and nodes, TCP on all ports.
# No corenet_tcp_connect_* interface is granted here, unlike netutils_t and
# traceroute_t.
corenet_non_ipsec_sendrecv(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

logging_send_syslog_msg(ping_t)

# Network config plus DNS name resolution (this domain is the only one of the
# three that gets sysnet_dns_name_resolve).
sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)

# Silence, rather than allow, use of init's file descriptors.
ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)
')

# Terminal access: unconditional in the targeted policy; otherwise gated by
# the user_ping tunable (declared under strict_policy in the Declarations
# section) and limited to user ttys/ptys.
ifdef(`targeted_policy',`
	term_use_unallocated_ttys(ping_t)
	term_use_generic_ptys(ping_t)
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(ping_t)
		term_use_all_user_ptys(ping_t)
	')
')

optional_policy(`
	nis_use_ypbind(ping_t)
')

optional_policy(`
	nscd_socket_use(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

# Same capability set as netutils_t.  Together with the bind-all-nodes and
# connect-all-ports rules below this is the broadest of the three domains.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
# Read-only netlink route access: nlmsg_read only, no nlmsg_write (contrast
# netutils_t).
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

# Send/receive on all interfaces, nodes and TCP/UDP ports; bind on all nodes
# for UDP, TCP and raw IP; bind the traceroute port; connect to any TCP port.
corenet_non_ipsec_sendrecv(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
# (presumably nmap is labeled traceroute_exec_t and so runs in this domain;
# the random-device and /usr reads below are for it, not for traceroute)
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

sysnet_read_config(traceroute_t)

# Terminal access: unconditional (unallocated ttys / generic ptys) in the
# targeted policy; otherwise user ttys/ptys only, gated by the user_ping
# tunable declared under strict_policy.
ifdef(`targeted_policy',`
	term_use_unallocated_ttys(traceroute_t)
	term_use_generic_ptys(traceroute_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(traceroute_t)
		term_use_all_user_ptys(traceroute_t)
	')
')

optional_policy(`
	nis_use_ypbind(traceroute_t)
')

optional_policy(`
	nscd_socket_use(traceroute_t)
')
198 | corenet_sendrecv_traceroute_server_packets(traceroute_t) | |
4fc91539 | 199 | |
0fd9dc55 | 200 | fs_dontaudit_getattr_xattr_fs(traceroute_t) |
4fc91539 | 201 | |
15722ec9 | 202 | domain_use_interactive_fds(traceroute_t) |
4fc91539 | 203 | |
8fd36732 | 204 | files_read_etc_files(traceroute_t) |
c9428d33 | 205 | files_dontaudit_search_var(traceroute_t) |
4fc91539 | 206 | |
165b42d2 CP |
207 | init_use_fds(traceroute_t) |
208 | ||
c9428d33 CP |
209 | libs_use_ld_so(traceroute_t) |
210 | libs_use_shared_libs(traceroute_t) | |
4fc91539 | 211 | |
c9428d33 | 212 | logging_send_syslog_msg(traceroute_t) |
4fc91539 CP |
213 | |
214 | miscfiles_read_localization(traceroute_t) | |
215 | ||
216 | #rules needed for nmap | |
f0c985ca KM |
217 | dev_read_rand(traceroute_t) |
218 | dev_read_urand(traceroute_t) | |
c9428d33 | 219 | files_read_usr_files(traceroute_t) |
4fc91539 | 220 | |
8f882ffc DM |
221 | sysnet_read_config(traceroute_t) |
222 | ||
223 | ifdef(`targeted_policy',` | |
1815bad1 CP |
224 | term_use_unallocated_ttys(traceroute_t) |
225 | term_use_generic_ptys(traceroute_t) | |
46551033 CP |
226 | ',` |
227 | tunable_policy(`user_ping',` | |
228 | term_use_all_user_ttys(traceroute_t) | |
229 | term_use_all_user_ptys(traceroute_t) | |
230 | ') | |
3eed1090 | 231 | ') |
4fc91539 | 232 | |
bb7170f6 | 233 | optional_policy(` |
ab940a4c CP |
234 | nis_use_ypbind(traceroute_t) |
235 | ') | |
4fc91539 | 236 | |
bb7170f6 | 237 | optional_policy(` |
1815bad1 | 238 | nscd_socket_use(traceroute_t) |
493d6c4a | 239 | ') |