[people/stevee/selinux-policy.git] / policy / modules / admin / netutils.te


policy_module(netutils,1.3.1)

########################################
#
# Declarations
#

ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
gen_tunable(user_ping,false)
')

type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

type ping_t;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)

corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

sysnet_read_config(netutils_t)

userdom_use_all_users_fds(netutils_t)

ifdef(`targeted_policy',`
	term_use_generic_ptys(netutils_t)
	term_use_unallocated_ttys(netutils_t)
')

optional_policy(`
	nis_use_ypbind(netutils_t)
')

optional_policy(`
	xen_append_log(netutils_t)
')

########################################
#
# Ping local policy
#

allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };

corenet_non_ipsec_sendrecv(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

logging_send_syslog_msg(ping_t)

sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)

ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)
')

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(ping_t)
	term_use_generic_ptys(ping_t)
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(ping_t)
		term_use_all_user_ptys(ping_t)
	')
')

optional_policy(`
	nis_use_ypbind(ping_t)
')

optional_policy(`
	nscd_socket_use(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_non_ipsec_sendrecv(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

sysnet_read_config(traceroute_t)

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(traceroute_t)
	term_use_generic_ptys(traceroute_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(traceroute_t)
		term_use_all_user_ptys(traceroute_t)
	')
')

optional_policy(`
	nis_use_ypbind(traceroute_t)
')

optional_policy(`
	nscd_socket_use(traceroute_t)
')
Commit	Line	Data
4fc91539	1
56e1b3d2	2	policy_module(netutils,1.3.1)
4fc91539 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	ifdef(`strict_policy',`
	10	## <desc>
	11	## <p>
	12	## Control users use of ping and traceroute
	13	## </p>
	14	## </desc>
	15	gen_tunable(user_ping,false)
	16	')
	17
4fc91539 CP	18	type netutils_t;
4fc91539 CP	19	type netutils_exec_t;
c9428d33	20	init_system_domain(netutils_t,netutils_exec_t)
4fc91539 CP	21	role system_r types netutils_t;
	22
	23	type netutils_tmp_t;
c9428d33	24	files_tmp_file(netutils_tmp_t)
4fc91539	25
493d6c4a	26	type ping_t;
4fc91539	27	type ping_exec_t;
c9428d33	28	init_system_domain(ping_t,ping_exec_t)
4fc91539 CP	29	role system_r types ping_t;
4fc91539 CP	30
493d6c4a	31	type traceroute_t;
4fc91539	32	type traceroute_exec_t;
c9428d33	33	init_system_domain(traceroute_t,traceroute_exec_t)
4fc91539 CP	34	role system_r types traceroute_t;
4fc91539 CP	35
4fc91539 CP	36	########################################
	37	#
	38	# Netutils local policy
	39	#
	40
	41	# Perform network administration operations and have raw access to the network.
	42	allow netutils_t self:capability { net_admin net_raw setuid setgid };
	43	allow netutils_t self:process { sigkill sigstop signull signal };
	44	allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
dc67f782 CP	45	allow netutils_t self:packet_socket create_socket_perms;
dc67f782 CP	46	allow netutils_t self:udp_socket create_socket_perms;
2e0a8801	47	allow netutils_t self:tcp_socket create_stream_socket_perms;
4fc91539	48
c0868a7a CP	49	manage_dirs_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
c0868a7a CP	50	manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
103fe280	51	files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
4fc91539	52
b24f35d8 CP	53	kernel_search_proc(netutils_t)
b24f35d8 CP	54
9d0c9b3e	55	corenet_non_ipsec_sendrecv(netutils_t)
0fd9dc55 CP	56	corenet_tcp_sendrecv_all_if(netutils_t)
	57	corenet_raw_sendrecv_all_if(netutils_t)
	58	corenet_udp_sendrecv_all_if(netutils_t)
	59	corenet_tcp_sendrecv_all_nodes(netutils_t)
	60	corenet_raw_sendrecv_all_nodes(netutils_t)
	61	corenet_udp_sendrecv_all_nodes(netutils_t)
	62	corenet_tcp_sendrecv_all_ports(netutils_t)
	63	corenet_udp_sendrecv_all_ports(netutils_t)
0907bda1	64	corenet_tcp_connect_all_ports(netutils_t)
9d0c9b3e	65	corenet_sendrecv_all_client_packets(netutils_t)
123a990b	66	corenet_udp_bind_generic_node(netutils_t)
0fd9dc55 CP	67
0fd9dc55 CP	68	fs_getattr_xattr_fs(netutils_t)
4fc91539	69
15722ec9	70	domain_use_interactive_fds(netutils_t)
4fc91539	71
8fd36732	72	files_read_etc_files(netutils_t)
4fc91539	73	# for nscd
c9428d33	74	files_dontaudit_search_var(netutils_t)
4fc91539	75
1c1ac67f	76	init_use_fds(netutils_t)
1815bad1	77	init_use_script_ptys(netutils_t)
ab940a4c	78
c9428d33 CP	79	libs_use_ld_so(netutils_t)
c9428d33 CP	80	libs_use_shared_libs(netutils_t)
4fc91539	81
c9428d33	82	logging_send_syslog_msg(netutils_t)
4fc91539 CP	83
	84	miscfiles_read_localization(netutils_t)
	85
d1b9d922 CP	86	sysnet_read_config(netutils_t)
d1b9d922 CP	87
15722ec9	88	userdom_use_all_users_fds(netutils_t)
4fc91539	89
d1b9d922	90	ifdef(`targeted_policy',`
1815bad1 CP	91	term_use_generic_ptys(netutils_t)
1815bad1 CP	92	term_use_unallocated_ttys(netutils_t)
d1b9d922 CP	93	')
d1b9d922 CP	94
bb7170f6	95	optional_policy(`
ab940a4c CP	96	nis_use_ypbind(netutils_t)
ab940a4c CP	97	')
4fc91539	98
d9845ae9 CP	99	optional_policy(`
	100	xen_append_log(netutils_t)
	101	')
	102
4fc91539 CP	103	########################################
	104	#
	105	# Ping local policy
	106	#
	107
8f882ffc	108	allow ping_t self:capability { setuid net_raw };
4fc91539	109	dontaudit ping_t self:capability sys_tty_config;
dc67f782	110	allow ping_t self:tcp_socket create_socket_perms;
4fc91539	111	allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
0e1c461e	112	allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
4fc91539	113
9d0c9b3e	114	corenet_non_ipsec_sendrecv(ping_t)
0fd9dc55	115	corenet_tcp_sendrecv_all_if(ping_t)
0fd9dc55 CP	116	corenet_raw_sendrecv_all_if(ping_t)
	117	corenet_raw_sendrecv_all_nodes(ping_t)
	118	corenet_tcp_sendrecv_all_nodes(ping_t)
0fd9dc55	119	corenet_tcp_sendrecv_all_ports(ping_t)
4fc91539	120
0fd9dc55	121	fs_dontaudit_getattr_xattr_fs(ping_t)
4fc91539	122
15722ec9	123	domain_use_interactive_fds(ping_t)
4fc91539	124
8fd36732	125	files_read_etc_files(ping_t)
c9428d33	126	files_dontaudit_search_var(ping_t)
4fc91539	127
c9428d33 CP	128	libs_use_ld_so(ping_t)
c9428d33 CP	129	libs_use_shared_libs(ping_t)
4fc91539	130
c0868a7a CP	131	logging_send_syslog_msg(ping_t)
c0868a7a CP	132
c9428d33	133	sysnet_read_config(ping_t)
98a8ead4	134	sysnet_dns_name_resolve(ping_t)
4fc91539	135
cf6a7d89	136	ifdef(`hide_broken_symptoms',`
1c1ac67f	137	init_dontaudit_use_fds(ping_t)
cf6a7d89 CP	138	')
	139
	140	ifdef(`targeted_policy',`
1815bad1 CP	141	term_use_unallocated_ttys(ping_t)
1815bad1 CP	142	term_use_generic_ptys(ping_t)
0fd9dc55 CP	143	term_use_all_user_ttys(ping_t)
0fd9dc55 CP	144	term_use_all_user_ptys(ping_t)
cf6a7d89 CP	145	',`
	146	tunable_policy(`user_ping',`
	147	term_use_all_user_ttys(ping_t)
	148	term_use_all_user_ptys(ping_t)
	149	')
3eed1090	150	')
4fc91539	151
bb7170f6	152	optional_policy(`
ab940a4c CP	153	nis_use_ypbind(ping_t)
ab940a4c CP	154	')
4fc91539	155
bb7170f6	156	optional_policy(`
1815bad1	157	nscd_socket_use(ping_t)
493d6c4a CP	158	')
493d6c4a CP	159
bb7170f6	160	optional_policy(`
15722ec9	161	pcmcia_use_cardmgr_fds(ping_t)
cf6a7d89 CP	162	')
cf6a7d89 CP	163
bb7170f6	164	optional_policy(`
1c1ac67f	165	hotplug_use_fds(ping_t)
ebdc3b79 CP	166	')
ebdc3b79 CP	167
4fc91539 CP	168	########################################
	169	#
	170	# Traceroute local policy
	171	#
	172
	173	allow traceroute_t self:capability { net_admin net_raw setuid setgid };
dc67f782 CP	174	allow traceroute_t self:rawip_socket create_socket_perms;
dc67f782 CP	175	allow traceroute_t self:packet_socket create_socket_perms;
4fc91539	176	allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
8f882ffc	177	allow traceroute_t self:udp_socket create_socket_perms;
4fc91539 CP	178
	179	kernel_read_system_state(traceroute_t)
	180	kernel_read_network_state(traceroute_t)
	181
9d0c9b3e	182	corenet_non_ipsec_sendrecv(traceroute_t)
0fd9dc55 CP	183	corenet_tcp_sendrecv_all_if(traceroute_t)
	184	corenet_udp_sendrecv_all_if(traceroute_t)
	185	corenet_raw_sendrecv_all_if(traceroute_t)
0fd9dc55 CP	186	corenet_tcp_sendrecv_all_nodes(traceroute_t)
0fd9dc55 CP	187	corenet_udp_sendrecv_all_nodes(traceroute_t)
9d0c9b3e	188	corenet_raw_sendrecv_all_nodes(traceroute_t)
0fd9dc55 CP	189	corenet_tcp_sendrecv_all_ports(traceroute_t)
	190	corenet_udp_sendrecv_all_ports(traceroute_t)
	191	corenet_udp_bind_all_nodes(traceroute_t)
	192	corenet_tcp_bind_all_nodes(traceroute_t)
8f882ffc DM	193	# traceroute needs this but not tracepath
8f882ffc DM	194	corenet_raw_bind_all_nodes(traceroute_t)
165b42d2	195	corenet_udp_bind_traceroute_port(traceroute_t)
2705f9a0	196	corenet_tcp_connect_all_ports(traceroute_t)
9d0c9b3e CP	197	corenet_sendrecv_all_client_packets(traceroute_t)
9d0c9b3e CP	198	corenet_sendrecv_traceroute_server_packets(traceroute_t)
4fc91539	199
0fd9dc55	200	fs_dontaudit_getattr_xattr_fs(traceroute_t)
4fc91539	201
15722ec9	202	domain_use_interactive_fds(traceroute_t)
4fc91539	203
8fd36732	204	files_read_etc_files(traceroute_t)
c9428d33	205	files_dontaudit_search_var(traceroute_t)
4fc91539	206
165b42d2 CP	207	init_use_fds(traceroute_t)
165b42d2 CP	208
c9428d33 CP	209	libs_use_ld_so(traceroute_t)
c9428d33 CP	210	libs_use_shared_libs(traceroute_t)
4fc91539	211
c9428d33	212	logging_send_syslog_msg(traceroute_t)
4fc91539 CP	213
	214	miscfiles_read_localization(traceroute_t)
	215
	216	#rules needed for nmap
f0c985ca KM	217	dev_read_rand(traceroute_t)
f0c985ca KM	218	dev_read_urand(traceroute_t)
c9428d33	219	files_read_usr_files(traceroute_t)
4fc91539	220
8f882ffc DM	221	sysnet_read_config(traceroute_t)
	222
	223	ifdef(`targeted_policy',`
1815bad1 CP	224	term_use_unallocated_ttys(traceroute_t)
1815bad1 CP	225	term_use_generic_ptys(traceroute_t)
46551033 CP	226	',`
	227	tunable_policy(`user_ping',`
	228	term_use_all_user_ttys(traceroute_t)
	229	term_use_all_user_ptys(traceroute_t)
	230	')
3eed1090	231	')
4fc91539	232
bb7170f6	233	optional_policy(`
ab940a4c CP	234	nis_use_ypbind(traceroute_t)
ab940a4c CP	235	')
4fc91539	236
bb7170f6	237	optional_policy(`
1815bad1	238	nscd_socket_use(traceroute_t)
493d6c4a	239	')