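# sysnetwork: SELinux policy for the DHCP client (dhcpc_t) and the
# interface-configuration tools (ifconfig_t, e.g. /sbin/ip).
#
# Argument spacing in pattern/interface calls is normalized to ", " and
# blocks are indented with tabs; m4 discards leading whitespace in unquoted
# arguments, so the expanded policy is unchanged.
policy_module(sysnetwork, 1.9.0)

########################################
#
# Declarations
#

# this is shared between dhcpc and dhcpd:
type dhcp_etc_t;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
files_config_file(dhcp_etc_t)

# this is shared between dhcpc and dhcpd:
type dhcp_state_t;
files_type(dhcp_state_t)

# DHCP client domain and its entry point; started as a daemon by init.
type dhcpc_t;
type dhcpc_exec_t;
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
role system_r types dhcpc_t;

type dhcpc_state_t;
files_type(dhcpc_state_t)

type dhcpc_tmp_t;
files_tmp_file(dhcpc_tmp_t)

type dhcpc_var_run_t;
files_pid_file(dhcpc_var_run_t)

# Interface-configuration domain; a system domain rather than a daemon
# because it is run by other domains (see the dhcpc_t domtrans below).
type ifconfig_t;
type ifconfig_exec_t;
init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;

# Network configuration files written by the client (e.g. /etc/resolv.conf);
# resolv_conf_t is kept as an alias for older policies.
type net_conf_t alias resolv_conf_t;
files_type(net_conf_t)

########################################
#
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
allow dhcpc_t self:process signal_perms;
allow dhcpc_t self:fifo_file rw_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
# nlmsg_write lets the client change routes/addresses over netlink itself,
# in addition to the transition to ifconfig_t below.
allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };

# Client configuration and hook scripts under the shared dhcp config type.
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)

# Lease/state files: new files in the shared state dir get the client type.
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)

# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)

# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file manage_file_perms;
files_etc_filetrans(dhcpc_t, net_conf_t, file)

# create temp files
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
files_tmp_filetrans(dhcpc_t, dhcpc_tmp_t, { file dir })

can_exec(dhcpc_t, dhcpc_exec_t)

# transition to ifconfig
domtrans_pattern(dhcpc_t, ifconfig_exec_t, ifconfig_t)

kernel_read_system_state(dhcpc_t)
kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_use_fds(dhcpc_t)

# Network access is deliberately wide (all interfaces, nodes and ports):
# the client must talk to the DHCP server before any address is configured.
corenet_all_recvfrom_unlabeled(dhcpc_t)
corenet_all_recvfrom_netlabel(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
corenet_udp_sendrecv_all_if(dhcpc_t)
corenet_tcp_sendrecv_all_nodes(dhcpc_t)
corenet_raw_sendrecv_all_nodes(dhcpc_t)
corenet_udp_sendrecv_all_nodes(dhcpc_t)
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
# NOTE(review): outbound TCP to every port is broader than the DHCP exchange
# itself needs; consider narrowing if the deployed client does not use it.
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)

dev_read_sysfs(dhcpc_t)
# for SSP (stack-smashing protector canary):
dev_read_urand(dhcpc_t)

fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)

term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)

# presumably for the client's hook scripts; shell execution runs in dhcpc_t
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)

domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_list_all_domains_state(dhcpc_t)

files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
files_search_home(dhcpc_t)
files_search_var_lib(dhcpc_t)
files_dontaudit_search_locks(dhcpc_t)

init_rw_utmp(dhcpc_t)

logging_send_syslog_msg(dhcpc_t)

miscfiles_read_localization(dhcpc_t)

modutils_domtrans_insmod(dhcpc_t)

userdom_use_user_terminals(dhcpc_t)
userdom_dontaudit_search_user_home_dirs(dhcpc_t)

ifdef(`distro_redhat',`
	files_exec_etc_files(dhcpc_t)
')

# NOTE(review): on distro_ubuntu builds this removes confinement of dhcpc_t
# entirely; everything above is moot there.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(dhcpc_t)
	')
')

optional_policy(`
	consoletype_domtrans(dhcpc_t)
')

optional_policy(`
	init_dbus_chat_script(dhcpc_t)

	dbus_system_bus_client(dhcpc_t)
	dbus_connect_system_bus(dhcpc_t)

	optional_policy(`
		networkmanager_dbus_chat(dhcpc_t)
	')
')

optional_policy(`
	hostname_domtrans(dhcpc_t)
')

optional_policy(`
	hotplug_getattr_config_dirs(dhcpc_t)
	hotplug_search_config(dhcpc_t)

	ifdef(`distro_redhat',`
		logging_domtrans_syslog(dhcpc_t)
	')
')

# for the dhcp client to run ping to check IP addresses
# Without the netutils module, ping runs inside dhcpc_t, which then needs
# setuid and raw sockets itself (else branch).
optional_policy(`
	netutils_domtrans_ping(dhcpc_t)
	netutils_domtrans(dhcpc_t)
',`
	allow dhcpc_t self:capability setuid;
	allow dhcpc_t self:rawip_socket create_socket_perms;
')

optional_policy(`
	nis_use_ypbind(dhcpc_t)
	nis_signal_ypbind(dhcpc_t)
	nis_read_ypbind_pid(dhcpc_t)
	nis_delete_ypbind_pid(dhcpc_t)

	# dhclient sometimes starts ypbind
	init_exec_script_files(dhcpc_t)
	nis_domtrans_ypbind(dhcpc_t)
')

optional_policy(`
	nscd_domtrans(dhcpc_t)
	nscd_read_pid(dhcpc_t)
')

optional_policy(`
	# dhclient sometimes starts ntpd
	init_exec_script_files(dhcpc_t)
	ntp_domtrans(dhcpc_t)
')

optional_policy(`
	pcmcia_stub(dhcpc_t)
	dev_rw_cardmgr(dhcpc_t)
')

optional_policy(`
	seutil_sigchld_newrole(dhcpc_t)
	seutil_dontaudit_search_config(dhcpc_t)
')

optional_policy(`
	udev_read_db(dhcpc_t)
')

optional_policy(`
	userdom_use_all_users_fds(dhcpc_t)
')

optional_policy(`
	kernel_read_xen_state(dhcpc_t)
	kernel_write_xen_state(dhcpc_t)
	xen_append_log(dhcpc_t)
	xen_dontaudit_rw_unix_stream_sockets(dhcpc_t)
')

########################################
#
# Ifconfig local policy
#

# Every process permission except the listed ones (no ptrace, no context
# switching, no executable memory).
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
dontaudit ifconfig_t self:capability sys_module;

allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
allow ifconfig_t self:sock_file read_sock_file_perms;
allow ifconfig_t self:socket create_socket_perms;
allow ifconfig_t self:unix_dgram_socket create_socket_perms;
allow ifconfig_t self:unix_stream_socket create_stream_socket_perms;
allow ifconfig_t self:unix_dgram_socket sendto;
allow ifconfig_t self:unix_stream_socket connectto;
allow ifconfig_t self:shm create_shm_perms;
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };

# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;

# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
# stray trailing ';' removed: interface calls in this file carry no terminator
files_read_etc_files(ifconfig_t)

kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
kernel_search_network_sysctl(ifconfig_t)
kernel_rw_net_sysctls(ifconfig_t)

corenet_rw_tun_tap_dev(ifconfig_t)

dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)

fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)

term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t)

domain_use_interactive_fds(ifconfig_t)

files_dontaudit_read_root_files(ifconfig_t)

init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)

libs_read_lib_files(ifconfig_t)

logging_send_syslog_msg(ifconfig_t)

miscfiles_read_localization(ifconfig_t)

modutils_domtrans_insmod(ifconfig_t)

seutil_use_runinit_fds(ifconfig_t)

userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)

# NOTE(review): as for dhcpc_t above, distro_ubuntu builds unconfine ifconfig_t.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(ifconfig_t)
	')
')

ifdef(`hide_broken_symptoms',`
	optional_policy(`
		dev_dontaudit_rw_cardmgr(ifconfig_t)
	')

	optional_policy(`
		udev_dontaudit_rw_dgram_sockets(ifconfig_t)
	')
')

optional_policy(`
	ipsec_write_pid(ifconfig_t)
')

# NOTE(review): this targets dhcpc_t although it sits in the ifconfig section,
# and repeats the netutils_domtrans(dhcpc_t) call made in the dhcpc section.
# Left unchanged; confirm whether it was meant for ifconfig_t or is redundant.
optional_policy(`
	netutils_domtrans(dhcpc_t)
')

optional_policy(`
	nis_use_ypbind(ifconfig_t)
')

optional_policy(`
	ppp_use_fds(ifconfig_t)
')

optional_policy(`
	kernel_read_xen_state(ifconfig_t)
	kernel_write_xen_state(ifconfig_t)
	xen_append_log(ifconfig_t)
	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')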