policy_module(netutils, 1.8.0)

########################################
#
# Declarations
#
# Three separate domains are declared here so that the broadest
# privileges (netutils_t) are not shared by ping and traceroute.
#

## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
# Default is off: user terminals are only reachable from ping_t/traceroute_t
# via the tunable_policy blocks further down when this is enabled.
gen_tunable(user_ping, false)

# netutils_t: domain for the general network utilities; entered via netutils_exec_t.
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t, netutils_exec_t)
role system_r types netutils_t;

# Private label for scratch files netutils_t creates under /tmp.
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

# ping_t: domain for ping; entered via ping_exec_t.
type ping_t;
type ping_exec_t;
init_system_domain(ping_t, ping_exec_t)
role system_r types ping_t;

# traceroute_t: domain for traceroute/tracepath (and, per the comment in
# its local policy, nmap); entered via traceroute_exec_t.
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t, traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
# net_admin/net_raw cover interface configuration and raw/packet sockets;
# setuid/setgid are presumably for privilege dropping by setuid-root tools
# (confirm against the binaries labelled netutils_exec_t).
allow netutils_t self:capability { net_admin net_raw setuid setgid };
# Suppress audit noise from tty probing rather than grant it.
dontaudit netutils_t self:capability sys_tty_config;
allow netutils_t self:process { sigkill sigstop signull signal };
# nlmsg_write (not just nlmsg_read) is granted: this domain may change
# links/routes over rtnetlink, not only query them.
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;

# Scratch files and directories in /tmp get the private netutils_tmp_t label.
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)
kernel_read_sysctl(netutils_t)

# Unrestricted network reach: every interface, node and port for TCP, UDP
# and raw IP, plus outbound TCP connect to any port.  Broad by design for a
# diagnostic domain; review before widening further.
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

dev_read_sysfs(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

# Name resolution (hosts, users) through the configured NSS backends.
auth_use_nsswitch(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)

optional_policy(`
	nis_use_ypbind(netutils_t)
')

optional_policy(`
	vmware_append_log(netutils_t)
')

optional_policy(`
	xen_append_log(netutils_t)
')

########################################
#
# Ping local policy
#

# net_raw is required for the raw ICMP socket; setuid is presumably so the
# setuid-root binary can drop back to the invoking user — confirm against
# the ping build in use.
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
# Deliberately enumerated rather than the create_socket_perms macro used
# elsewhere in this file, so the raw/packet socket set stays minimal.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;

# Raw IP on all interfaces/nodes (the ICMP path) plus TCP on all nodes/ports.
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_raw_bind_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

auth_use_nsswitch(ping_t)

logging_send_syslog_msg(ping_t)

miscfiles_read_localization(ping_t)

userdom_use_user_terminals(ping_t)

# Build-time switch: silence inherited init fds instead of granting them.
ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)
')

# Only when the user_ping boolean is on: beyond the unconditional
# userdom_use_user_terminals above, reach every user tty and pty.
tunable_policy(`user_ping',`
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

# Same capability set as netutils_t: net_admin/net_raw for raw and packet
# sockets, setuid/setgid presumably for privilege dropping.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

# All interfaces/nodes/ports for TCP, UDP and raw IP, bind on all nodes,
# and outbound TCP connect to any port.  As broad as netutils_t; keep in
# mind that nmap (see below) also runs in this domain.
corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

auth_use_nsswitch(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

userdom_use_user_terminals(traceroute_t)

# rules needed for nmap (random source for probe generation, data under /usr)
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

# Only when the user_ping boolean is on: reach every user tty and pty.
tunable_policy(`user_ping',`
	term_use_all_user_ttys(traceroute_t)
	term_use_all_user_ptys(traceroute_t)
')