projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 9ff30033 | 1 | |
| cfcf5004 | 2 | policy_module(zebra, 1.7.0) |
| 9ff30033 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| 56e1b3d2 CP |
9 | ## <desc> |
| 10 | ## <p> | |
| 11 | ## Allow zebra daemon to write it configuration files | |
| 12 | ## </p> | |
| 13 | ## </desc> | |
| 14 | # | |
| ce8a5299 | 15 | gen_tunable(allow_zebra_write_config, false) |
| 56e1b3d2 | 16 | |
| 9ff30033 CP |
17 | type zebra_t; |
| 18 | type zebra_exec_t; | |
| ce8a5299 | 19 | init_daemon_domain(zebra_t, zebra_exec_t) |
| 9ff30033 CP |
20 | |
| 21 | type zebra_conf_t; | |
| 22 | files_type(zebra_conf_t) | |
| 23 | ||
| 24 | type zebra_log_t; | |
| 25 | logging_log_file(zebra_log_t) | |
| 26 | ||
| 27 | type zebra_tmp_t; | |
| 28 | files_tmp_file(zebra_tmp_t) | |
| 29 | ||
| 30 | type zebra_var_run_t; | |
| 31 | files_pid_file(zebra_var_run_t) | |
| 32 | ||
| 33 | ######################################## | |
| 34 | # | |
| 35 | # Local policy | |
| 36 | # | |
| 37 | ||
| 141cffdd | 38 | allow zebra_t self:capability { setgid setuid net_admin net_raw }; |
| 9ff30033 | 39 | dontaudit zebra_t self:capability sys_tty_config; |
| 1354ca04 | 40 | allow zebra_t self:process { signal_perms setcap }; |
| 60789e16 | 41 | allow zebra_t self:file { ioctl read write getattr lock append }; |
| 9ff30033 CP |
42 | allow zebra_t self:unix_dgram_socket create_socket_perms; |
| 43 | allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; | |
| 3f41889d | 44 | allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; |
| b0d2243c | 45 | allow zebra_t self:tcp_socket { connect connected_stream_socket_perms }; |
| fc6198ce | 46 | allow zebra_t self:udp_socket create_socket_perms; |
| 9ff30033 CP |
47 | allow zebra_t self:rawip_socket create_socket_perms; |
| 48 | ||
| c0868a7a CP |
49 | allow zebra_t zebra_conf_t:dir list_dir_perms; |
| 50 | read_files_pattern(zebra_t,zebra_conf_t,zebra_conf_t) | |
| ce8a5299 | 51 | read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) |
| 9ff30033 | 52 | |
| c0868a7a | 53 | allow zebra_t zebra_log_t:dir setattr; |
| ce8a5299 CP |
54 | manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t) |
| 55 | manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t) | |
| 56 | logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir }) | |
| 9ff30033 CP |
57 | |
| 58 | # /tmp/.bgpd is such a bad idea! | |
| c0868a7a | 59 | allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms; |
| 103fe280 | 60 | files_tmp_filetrans(zebra_t,zebra_tmp_t,sock_file) |
| 9ff30033 | 61 | |
| ce8a5299 CP |
62 | manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) |
| 63 | manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t) | |
| 64 | files_pid_filetrans(zebra_t, zebra_var_run_t, { file sock_file }) | |
| 9ff30033 CP |
65 | |
| 66 | kernel_read_system_state(zebra_t) | |
| 445522dc | 67 | kernel_read_kernel_sysctls(zebra_t) |
| 445522dc | 68 | kernel_rw_net_sysctls(zebra_t) |
| 9ff30033 | 69 | |
| 19006686 CP |
70 | corenet_all_recvfrom_unlabeled(zebra_t) |
| 71 | corenet_all_recvfrom_netlabel(zebra_t) | |
| 9ff30033 | 72 | corenet_tcp_sendrecv_all_if(zebra_t) |
| 6942484b | 73 | corenet_udp_sendrecv_all_if(zebra_t) |
| 9ff30033 CP |
74 | corenet_raw_sendrecv_all_if(zebra_t) |
| 75 | corenet_tcp_sendrecv_all_nodes(zebra_t) | |
| 6942484b | 76 | corenet_udp_sendrecv_all_nodes(zebra_t) |
| 9ff30033 CP |
77 | corenet_raw_sendrecv_all_nodes(zebra_t) |
| 78 | corenet_tcp_sendrecv_all_ports(zebra_t) | |
| 6942484b | 79 | corenet_udp_sendrecv_all_ports(zebra_t) |
| 9ff30033 | 80 | corenet_tcp_bind_all_nodes(zebra_t) |
| 6942484b | 81 | corenet_udp_bind_all_nodes(zebra_t) |
| 46551033 | 82 | corenet_tcp_bind_bgp_port(zebra_t) |
| 9ff30033 | 83 | corenet_tcp_bind_zebra_port(zebra_t) |
| 46c69cb2 | 84 | corenet_udp_bind_router_port(zebra_t) |
| 46551033 | 85 | corenet_tcp_connect_bgp_port(zebra_t) |
| 3d03a4f4 CP |
86 | corenet_sendrecv_zebra_server_packets(zebra_t) |
| 87 | corenet_sendrecv_router_server_packets(zebra_t) | |
| 9ff30033 | 88 | |
| 60789e16 CP |
89 | dev_associate_usbfs(zebra_var_run_t) |
| 90 | dev_list_all_dev_nodes(zebra_t) | |
| 9ff30033 | 91 | dev_read_sysfs(zebra_t) |
| 207c4763 | 92 | dev_rw_zero(zebra_t) |
| 9ff30033 CP |
93 | |
| 94 | fs_getattr_all_fs(zebra_t) | |
| 95 | fs_search_auto_mountpoints(zebra_t) | |
| 96 | ||
| 60789e16 | 97 | term_list_ptys(zebra_t) |
| 9ff30033 | 98 | |
| 15722ec9 | 99 | domain_use_interactive_fds(zebra_t) |
| 9ff30033 | 100 | |
| 60789e16 | 101 | files_search_etc(zebra_t) |
| 9ff30033 CP |
102 | files_read_etc_files(zebra_t) |
| 103 | files_read_etc_runtime_files(zebra_t) | |
| 104 | ||
| 9ff30033 CP |
105 | libs_use_ld_so(zebra_t) |
| 106 | libs_use_shared_libs(zebra_t) | |
| 107 | ||
| 108 | logging_send_syslog_msg(zebra_t) | |
| 109 | ||
| 110 | miscfiles_read_localization(zebra_t) | |
| 111 | ||
| 112 | sysnet_read_config(zebra_t) | |
| 113 | ||
| 15722ec9 | 114 | userdom_dontaudit_use_unpriv_user_fds(zebra_t) |
| e9c6cda7 CP |
115 | |
| 116 | sysadm_dontaudit_search_home_dirs(zebra_t) | |
| 9ff30033 | 117 | |
| 46551033 | 118 | tunable_policy(`allow_zebra_write_config',` |
| ce8a5299 | 119 | manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) |
| 46551033 CP |
120 | ') |
| 121 | ||
| bb7170f6 | 122 | optional_policy(` |
| 9ff30033 CP |
123 | nis_use_ypbind(zebra_t) |
| 124 | ') | |
| 125 | ||
| bb7170f6 | 126 | optional_policy(` |
| 1815bad1 | 127 | rpm_read_pipes(zebra_t) |
| 60789e16 CP |
128 | ') |
| 129 | ||
| bb7170f6 | 130 | optional_policy(` |
| 9ff30033 CP |
131 | seutil_sigchld_newrole(zebra_t) |
| 132 | ') | |
| 133 | ||
| bb7170f6 | 134 | optional_policy(` |
| 9ff30033 CP |
135 | udev_read_db(zebra_t) |
| 136 | ') | |
| 350b6ab7 CP |
137 | |
| 138 | optional_policy(` | |
| 139 | unconfined_sigchld(zebra_t) | |
| 140 | ') |