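
policy_module(sysnetwork, 1.9.0)

# Network-configuration domains: the DHCP client (dhcpc_t) and the interface
# configuration tools (ifconfig_t), plus the file types they share with dhcpd.
# Everything below is a privilege grant.  A rule at top level applies as soon
# as this module is loaded; rules inside optional_policy()/ifdef() apply only
# when the named module or distro setting is present.

########################################
#
# Declarations
#

# this is shared between dhcpc and dhcpd:
type dhcp_etc_t;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
files_config_file(dhcp_etc_t)

# this is shared between dhcpc and dhcpd:
type dhcp_state_t;
files_type(dhcp_state_t)

type dhcpc_t;
type dhcpc_exec_t;
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;

type dhcpc_state_t;
files_type(dhcpc_state_t)

type dhcpc_tmp_t;
files_tmp_file(dhcpc_tmp_t)

type dhcpc_var_run_t;
files_pid_file(dhcpc_var_run_t)

type ifconfig_t;
type ifconfig_exec_t;
init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;

# Files the client writes under /etc (resolv.conf and friends).
type net_conf_t alias resolv_conf_t;
files_type(net_conf_t)

########################################
#
# DHCP client local policy
#

# dhcpc_t is a wide domain by design: it accepts packets that carry no label
# (see corenet_all_recvfrom_unlabeled below), rewrites net_conf_t files in
# /etc, executes shell and bin programs, and can transition to insmod.
# Whatever the client executes (exec_files_pattern on dhcp_etc_t,
# corecmd_exec_shell, and on Red Hat files_exec_etc_files) inherits this
# footprint, so data taken from DHCP options has to be sanitized by the
# client itself; nothing in this module narrows it.
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
# sys_tty_config is already in the allow set above; a dontaudit for an allowed
# permission never fires, so none is kept here.
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:process signal_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };

# Config directory: list, follow symlinks and execute files labelled
# dhcp_etc_t (presumably the client hook scripts live there -- verify against
# the file contexts).
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)
exec_files_pattern(dhcpc_t,dhcp_etc_t,dhcp_etc_t)

# Lease/state files: created under the shared dhcp_state_t directory, but
# labelled dhcpc_state_t so dhcpd cannot be handed client state by accident.
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)

# create pid file
manage_files_pattern(dhcpc_t,dhcpc_var_run_t,dhcpc_var_run_t)
files_pid_filetrans(dhcpc_t,dhcpc_var_run_t,file)

# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file manage_file_perms;
files_etc_filetrans(dhcpc_t,net_conf_t,file)

# create temp files
manage_dirs_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
manage_files_pattern(dhcpc_t,dhcpc_tmp_t,dhcpc_tmp_t)
files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })

can_exec(dhcpc_t, dhcpc_exec_t)

# transition to ifconfig
domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)

kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_use_fds(dhcpc_t)

# Network reach: unlabeled and NetLabel traffic on every interface and node,
# all TCP/UDP ports, binding on all nodes, and TCP connects to any port.
# The only port-specific grant is the dhcpc bind; the rest is deliberately
# broad and is what makes a compromised client useful to an attacker.
corenet_all_recvfrom_unlabeled(dhcpc_t)
corenet_all_recvfrom_netlabel(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
corenet_udp_sendrecv_all_if(dhcpc_t)
corenet_tcp_sendrecv_all_nodes(dhcpc_t)
corenet_raw_sendrecv_all_nodes(dhcpc_t)
corenet_udp_sendrecv_all_nodes(dhcpc_t)
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)

dev_read_sysfs(dhcpc_t)
# for SSP:
dev_read_urand(dhcpc_t)

fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)

term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)

# The client runs external programs and shell scripts in its own domain.
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)

domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_list_all_domains_state(dhcpc_t)

files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)

init_rw_utmp(dhcpc_t)

logging_send_syslog_msg(dhcpc_t)

miscfiles_read_localization(dhcpc_t)

# Module loading goes through the insmod domain, not dhcpc_t's own
# capabilities (sys_module is only dontaudited above).
modutils_domtrans_insmod(dhcpc_t)

userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)

# Red Hat only: execute files labelled etc_t in addition to dhcp_etc_t.
ifdef(`distro_redhat',`
	files_exec_etc_files(dhcpc_t)
')

# Ubuntu builds make dhcpc_t unconfined.  On that distro every rule in this
# section is effectively moot and the client runs with the reach of an
# unconfined process; keep this in mind when assessing DHCP exposure there.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(dhcpc_t)
	')
')

optional_policy(`
	consoletype_domtrans(dhcpc_t)
')

optional_policy(`
	init_dbus_chat_script(dhcpc_t)

	dbus_system_bus_client(dhcpc_t)
	dbus_connect_system_bus(dhcpc_t)

	optional_policy(`
		networkmanager_dbus_chat(dhcpc_t)
	')
')

optional_policy(`
	hostname_domtrans(dhcpc_t)
')

optional_policy(`
	hotplug_getattr_config_dirs(dhcpc_t)
	hotplug_search_config(dhcpc_t)

	ifdef(`distro_redhat',`
		logging_domtrans_syslog(dhcpc_t)
	')
')

# for the dhcp client to run ping to check IP addresses
# When the netutils module is absent the fallback does not transition to a
# separate ping domain: it gives dhcpc_t itself setuid and raw IP sockets,
# i.e. it widens the client domain instead of a helper.
optional_policy(`
	netutils_domtrans_ping(dhcpc_t)
	netutils_domtrans(dhcpc_t)
',`
	allow dhcpc_t self:capability setuid;
	allow dhcpc_t self:rawip_socket create_socket_perms;
')

optional_policy(`
	nis_use_ypbind(dhcpc_t)
	nis_signal_ypbind(dhcpc_t)
	nis_read_ypbind_pid(dhcpc_t)
	nis_delete_ypbind_pid(dhcpc_t)

	# dhclient sometimes starts ypbind
	init_exec_script_files(dhcpc_t)
	nis_domtrans_ypbind(dhcpc_t)
')

optional_policy(`
	nscd_domtrans(dhcpc_t)
	nscd_read_pid(dhcpc_t)
')

optional_policy(`
	# dhclient sometimes starts ntpd
	# (init_exec_script_files is repeated here so this block stands on its
	# own when the nis module is not loaded; duplicate rules are harmless)
	init_exec_script_files(dhcpc_t)
	ntp_domtrans(dhcpc_t)
')

optional_policy(`
	pcmcia_stub(dhcpc_t)
	dev_rw_cardmgr(dhcpc_t)
')

optional_policy(`
	seutil_sigchld_newrole(dhcpc_t)
	seutil_dontaudit_search_config(dhcpc_t)
')

optional_policy(`
	udev_read_db(dhcpc_t)
')

optional_policy(`
	userdom_use_all_users_fds(dhcpc_t)
')

optional_policy(`
	kernel_read_xen_state(dhcpc_t)
	kernel_write_xen_state(dhcpc_t)
	xen_append_log(dhcpc_t)
	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
')

########################################
#
# Ifconfig local policy
#

# Negated set: ifconfig_t gets every process permission except the ones
# listed -- including any permission added to the class later.  Keep the
# exclusions intact; ptrace, the set* label changes and the exec* memory
# permissions are meant to stay denied.
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
dontaudit ifconfig_t self:capability sys_module;

allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
allow ifconfig_t self:sock_file read_sock_file_perms;
allow ifconfig_t self:socket create_socket_perms;
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
allow ifconfig_t self:unix_dgram_socket sendto;
allow ifconfig_t self:unix_stream_socket connectto;
allow ifconfig_t self:shm create_shm_perms;
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };

# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;

# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
# xfrm: read-only beyond socket creation (nlmsg_read, no nlmsg_write).
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
# No trailing ';' -- interface calls are m4 macros, matching every other call
# in this file.
files_read_etc_files(ifconfig_t)

kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)

corenet_rw_tun_tap_dev(ifconfig_t)

dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)

fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)

term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)

domain_use_interactive_fds(ifconfig_t)

files_dontaudit_read_root_files(ifconfig_t)

init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)

libs_read_lib_files(ifconfig_t)

logging_send_syslog_msg(ifconfig_t)

miscfiles_read_localization(ifconfig_t)

modutils_domtrans_insmod(ifconfig_t)

seutil_use_runinit_fds(ifconfig_t)

userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)

# Same caveat as for dhcpc_t: on Ubuntu ifconfig_t is unconfined and the
# restrictions in this section do not apply.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(ifconfig_t)
	')
')

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		dev_dontaudit_rw_cardmgr(ifconfig_t)
	')

	optional_policy(`
		udev_dontaudit_rw_dgram_sockets(ifconfig_t)
	')
')

optional_policy(`
	ipsec_write_pid(ifconfig_t)
')

# NOTE(review): the subject here is dhcpc_t, not ifconfig_t, although the rule
# sits in the ifconfig section.  dhcpc_t already receives netutils_domtrans in
# its own section, so as written this adds nothing; either it is a leftover
# duplicate or ifconfig_t was the intended subject.  Confirm with the module
# history before changing it -- switching the subject would grant ifconfig_t a
# new domain transition.
optional_policy(`
	netutils_domtrans(dhcpc_t)
')

optional_policy(`
	nis_use_ypbind(ifconfig_t)
')

optional_policy(`
	ppp_use_fds(ifconfig_t)
')

optional_policy(`
	kernel_read_xen_state(ifconfig_t)
	kernel_write_xen_state(ifconfig_t)
	xen_append_log(ifconfig_t)
	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')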