
policy_module(netutils, 1.9.2)

########################################
#
# Declarations
#

## <desc>
## <p>
## Control users use of ping and traceroute
## </p>
## </desc>
# Boolean, default off. Only the declaration is visible in this file;
# the tunable_policy() block that consumes user_ping is elsewhere
# (presumably the module's .if file) - confirm before changing the default.
gen_tunable(user_ping, false)

# Three separate domains: a general network-utilities domain plus
# dedicated, narrower domains for ping and traceroute.
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t, netutils_exec_t)
role system_r types netutils_t;

# Private tmp type so files/dirs netutils_t creates in tmp are labeled
# netutils_tmp_t rather than the generic tmp type (see files_tmp_filetrans below).
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

type ping_t;
type ping_exec_t;
init_system_domain(ping_t, ping_exec_t)
role system_r types ping_t;

type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t, traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
# net_admin + net_raw is the broadest capability set in this module; setuid/setgid
# are presumably for dropping privileges after socket setup - confirm per tool.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
# dontaudit: denied, but the denial is not logged (reduces audit noise only).
dontaudit netutils_t self:capability sys_tty_config;
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;

# Full control over its own tmp files/dirs; new tmp files get netutils_tmp_t.
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)
kernel_read_all_sysctls(netutils_t)

# Network reach: send/receive on all interfaces and nodes for tcp/udp/raw,
# all ports, and outbound TCP connects to any port. This is the widest
# network access of the three domains in this module.
corenet_all_recvfrom_unlabeled(netutils_t)
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
corenet_udp_sendrecv_generic_if(netutils_t)
corenet_tcp_sendrecv_generic_node(netutils_t)
corenet_raw_sendrecv_generic_node(netutils_t)
corenet_udp_sendrecv_generic_node(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

dev_read_sysfs(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

auth_use_nsswitch(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

term_dontaudit_use_console(netutils_t)
userdom_use_user_terminals(netutils_t)
userdom_use_all_users_fds(netutils_t)

# optional_policy blocks are compiled only when the named module is present.
optional_policy(`
	nis_use_ypbind(netutils_t)
')

optional_policy(`
	vmware_append_log(netutils_t)
')

optional_policy(`
	xen_append_log(netutils_t)
')

########################################
#
# Ping local policy
#

# Least privilege: ping_t gets only setuid and net_raw, not the net_admin/setgid
# granted to netutils_t and traceroute_t above/below.
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
# Raw and packet socket permissions are enumerated explicitly here rather than
# via the create_socket_perms macro used in the other two domains.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;

# No udp send/receive and no connect_all_ports for ping_t (compare netutils_t).
corenet_all_recvfrom_unlabeled(ping_t)
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_node(ping_t)
corenet_tcp_sendrecv_generic_node(ping_t)
corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

kernel_read_system_state(ping_t)

auth_use_nsswitch(ping_t)

logging_send_syslog_msg(ping_t)

miscfiles_read_localization(ping_t)

userdom_use_user_terminals(ping_t)

# Build-time m4 conditional: everything inside is a dontaudit, i.e. it only
# silences denial messages for known-harmless accesses and grants nothing.
ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)

	optional_policy(`
		nagios_dontaudit_rw_pipes(ping_t)
	')
')

optional_policy(`
	munin_append_log(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

# Same capability set as netutils_t.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_all_recvfrom_unlabeled(traceroute_t)
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
corenet_raw_sendrecv_generic_if(traceroute_t)
corenet_tcp_sendrecv_generic_node(traceroute_t)
corenet_udp_sendrecv_generic_node(traceroute_t)
corenet_raw_sendrecv_generic_node(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_generic_node(traceroute_t)
corenet_tcp_bind_generic_node(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_generic_node(traceroute_t)
# Binding is restricted to the dedicated traceroute port type; connects are not.
corenet_udp_bind_traceroute_port(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

init_use_fds(traceroute_t)

auth_use_nsswitch(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

userdom_use_user_terminals(traceroute_t)

#rules needed for nmap
# NOTE(review): these imply nmap runs in traceroute_t; the file context that
# maps it there is not in this file - confirm. dev_read_rand is in addition to
# dev_read_urand; verify the blocking random device is really required.
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)