[people/stevee/selinux-policy.git] / refpolicy / policy / modules / admin / netutils.te


policy_module(netutils,1.1.2)

########################################
#
# Declarations
#

type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

type ping_t;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;

allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)

corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

sysnet_read_config(netutils_t)

userdom_use_all_users_fds(netutils_t)

ifdef(`targeted_policy',`
	term_use_generic_ptys(netutils_t)
	term_use_unallocated_ttys(netutils_t)
')

optional_policy(`
	nis_use_ypbind(netutils_t)
')

########################################
#
# Ping local policy
#

allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;

allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };

corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_non_ipsec_sendrecv(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)

logging_send_syslog_msg(ping_t)

ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)
')

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(ping_t)
	term_use_generic_ptys(ping_t)
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(ping_t)
		term_use_all_user_ptys(ping_t)
	')
')

optional_policy(`
	nis_use_ypbind(ping_t)
')

optional_policy(`
	nscd_socket_use(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

########################################
#
# Traceroute local policy
#

allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_non_ipsec_sendrecv(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

sysnet_read_config(traceroute_t)

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(traceroute_t)
	term_use_generic_ptys(traceroute_t)
')

tunable_policy(`user_ping',`
	term_use_all_user_ttys(traceroute_t)
	term_use_all_user_ptys(traceroute_t)
')

optional_policy(`
	nis_use_ypbind(traceroute_t)
')

optional_policy(`
	nscd_socket_use(traceroute_t)
')
Commit	Line	Data
4fc91539	1
0e1c461e	2	policy_module(netutils,1.1.2)
4fc91539 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type netutils_t;
	10	type netutils_exec_t;
c9428d33	11	init_system_domain(netutils_t,netutils_exec_t)
4fc91539 CP	12	role system_r types netutils_t;
	13
	14	type netutils_tmp_t;
c9428d33	15	files_tmp_file(netutils_tmp_t)
4fc91539	16
493d6c4a	17	type ping_t;
4fc91539	18	type ping_exec_t;
c9428d33	19	init_system_domain(ping_t,ping_exec_t)
4fc91539 CP	20	role system_r types ping_t;
4fc91539 CP	21
493d6c4a	22	type traceroute_t;
4fc91539	23	type traceroute_exec_t;
c9428d33	24	init_system_domain(traceroute_t,traceroute_exec_t)
4fc91539 CP	25	role system_r types traceroute_t;
4fc91539 CP	26
4fc91539 CP	27	########################################
	28	#
	29	# Netutils local policy
	30	#
	31
	32	# Perform network administration operations and have raw access to the network.
	33	allow netutils_t self:capability { net_admin net_raw setuid setgid };
	34	allow netutils_t self:process { sigkill sigstop signull signal };
	35	allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
dc67f782 CP	36	allow netutils_t self:packet_socket create_socket_perms;
dc67f782 CP	37	allow netutils_t self:udp_socket create_socket_perms;
2e0a8801	38	allow netutils_t self:tcp_socket create_stream_socket_perms;
4fc91539	39
dc67f782 CP	40	allow netutils_t netutils_tmp_t:dir create_dir_perms;
dc67f782 CP	41	allow netutils_t netutils_tmp_t:file create_file_perms;
103fe280	42	files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
4fc91539	43
b24f35d8 CP	44	kernel_search_proc(netutils_t)
b24f35d8 CP	45
0fd9dc55 CP	46	corenet_tcp_sendrecv_all_if(netutils_t)
	47	corenet_raw_sendrecv_all_if(netutils_t)
	48	corenet_udp_sendrecv_all_if(netutils_t)
	49	corenet_tcp_sendrecv_all_nodes(netutils_t)
	50	corenet_raw_sendrecv_all_nodes(netutils_t)
	51	corenet_udp_sendrecv_all_nodes(netutils_t)
	52	corenet_tcp_sendrecv_all_ports(netutils_t)
	53	corenet_udp_sendrecv_all_ports(netutils_t)
bd70373d	54	corenet_non_ipsec_sendrecv(netutils_t)
0fd9dc55 CP	55	corenet_tcp_bind_all_nodes(netutils_t)
0fd9dc55 CP	56	corenet_udp_bind_all_nodes(netutils_t)
0907bda1	57	corenet_tcp_connect_all_ports(netutils_t)
0fd9dc55 CP	58
0fd9dc55 CP	59	fs_getattr_xattr_fs(netutils_t)
4fc91539	60
15722ec9	61	domain_use_interactive_fds(netutils_t)
4fc91539	62
8fd36732	63	files_read_etc_files(netutils_t)
4fc91539	64	# for nscd
c9428d33	65	files_dontaudit_search_var(netutils_t)
4fc91539	66
1c1ac67f	67	init_use_fds(netutils_t)
1815bad1	68	init_use_script_ptys(netutils_t)
ab940a4c	69
c9428d33 CP	70	libs_use_ld_so(netutils_t)
c9428d33 CP	71	libs_use_shared_libs(netutils_t)
4fc91539	72
c9428d33	73	logging_send_syslog_msg(netutils_t)
4fc91539 CP	74
	75	miscfiles_read_localization(netutils_t)
	76
d1b9d922 CP	77	sysnet_read_config(netutils_t)
d1b9d922 CP	78
15722ec9	79	userdom_use_all_users_fds(netutils_t)
4fc91539	80
d1b9d922	81	ifdef(`targeted_policy',`
1815bad1 CP	82	term_use_generic_ptys(netutils_t)
1815bad1 CP	83	term_use_unallocated_ttys(netutils_t)
d1b9d922 CP	84	')
d1b9d922 CP	85
bb7170f6	86	optional_policy(`
ab940a4c CP	87	nis_use_ypbind(netutils_t)
ab940a4c CP	88	')
4fc91539	89
4fc91539 CP	90	########################################
	91	#
	92	# Ping local policy
	93	#
	94
8f882ffc	95	allow ping_t self:capability { setuid net_raw };
4fc91539 CP	96	dontaudit ping_t self:capability sys_tty_config;
4fc91539 CP	97
dc67f782 CP	98	allow ping_t self:tcp_socket create_socket_perms;
dc67f782 CP	99	allow ping_t self:udp_socket create_socket_perms;
4fc91539	100	allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
0e1c461e	101	allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
4fc91539	102
0fd9dc55 CP	103	corenet_tcp_sendrecv_all_if(ping_t)
	104	corenet_udp_sendrecv_all_if(ping_t)
	105	corenet_raw_sendrecv_all_if(ping_t)
	106	corenet_raw_sendrecv_all_nodes(ping_t)
	107	corenet_tcp_sendrecv_all_nodes(ping_t)
	108	corenet_udp_sendrecv_all_nodes(ping_t)
	109	corenet_tcp_sendrecv_all_ports(ping_t)
	110	corenet_udp_sendrecv_all_ports(ping_t)
bd70373d	111	corenet_non_ipsec_sendrecv(ping_t)
0fd9dc55 CP	112	corenet_udp_bind_all_nodes(ping_t)
0fd9dc55 CP	113	corenet_tcp_bind_all_nodes(ping_t)
4fc91539	114
0fd9dc55	115	fs_dontaudit_getattr_xattr_fs(ping_t)
4fc91539	116
15722ec9	117	domain_use_interactive_fds(ping_t)
4fc91539	118
8fd36732	119	files_read_etc_files(ping_t)
c9428d33	120	files_dontaudit_search_var(ping_t)
4fc91539	121
c9428d33 CP	122	libs_use_ld_so(ping_t)
c9428d33 CP	123	libs_use_shared_libs(ping_t)
4fc91539	124
c9428d33	125	sysnet_read_config(ping_t)
98a8ead4	126	sysnet_dns_name_resolve(ping_t)
4fc91539	127
c9428d33	128	logging_send_syslog_msg(ping_t)
4fc91539	129
cf6a7d89	130	ifdef(`hide_broken_symptoms',`
1c1ac67f	131	init_dontaudit_use_fds(ping_t)
cf6a7d89 CP	132	')
	133
	134	ifdef(`targeted_policy',`
1815bad1 CP	135	term_use_unallocated_ttys(ping_t)
1815bad1 CP	136	term_use_generic_ptys(ping_t)
0fd9dc55 CP	137	term_use_all_user_ttys(ping_t)
0fd9dc55 CP	138	term_use_all_user_ptys(ping_t)
cf6a7d89 CP	139	',`
	140	tunable_policy(`user_ping',`
	141	term_use_all_user_ttys(ping_t)
	142	term_use_all_user_ptys(ping_t)
	143	')
3eed1090	144	')
4fc91539	145
bb7170f6	146	optional_policy(`
ab940a4c CP	147	nis_use_ypbind(ping_t)
ab940a4c CP	148	')
4fc91539	149
bb7170f6	150	optional_policy(`
1815bad1	151	nscd_socket_use(ping_t)
493d6c4a CP	152	')
493d6c4a CP	153
bb7170f6	154	optional_policy(`
15722ec9	155	pcmcia_use_cardmgr_fds(ping_t)
cf6a7d89 CP	156	')
cf6a7d89 CP	157
bb7170f6	158	optional_policy(`
1c1ac67f	159	hotplug_use_fds(ping_t)
ebdc3b79 CP	160	')
ebdc3b79 CP	161
4fc91539 CP	162	########################################
	163	#
	164	# Traceroute local policy
	165	#
	166
	167	allow traceroute_t self:capability { net_admin net_raw setuid setgid };
dc67f782 CP	168	allow traceroute_t self:rawip_socket create_socket_perms;
dc67f782 CP	169	allow traceroute_t self:packet_socket create_socket_perms;
4fc91539	170	allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
8f882ffc	171	allow traceroute_t self:udp_socket create_socket_perms;
4fc91539 CP	172
	173	kernel_read_system_state(traceroute_t)
	174	kernel_read_network_state(traceroute_t)
	175
0fd9dc55 CP	176	corenet_tcp_sendrecv_all_if(traceroute_t)
	177	corenet_udp_sendrecv_all_if(traceroute_t)
	178	corenet_raw_sendrecv_all_if(traceroute_t)
	179	corenet_raw_sendrecv_all_nodes(traceroute_t)
	180	corenet_tcp_sendrecv_all_nodes(traceroute_t)
	181	corenet_udp_sendrecv_all_nodes(traceroute_t)
	182	corenet_tcp_sendrecv_all_ports(traceroute_t)
	183	corenet_udp_sendrecv_all_ports(traceroute_t)
bd70373d	184	corenet_non_ipsec_sendrecv(traceroute_t)
0fd9dc55 CP	185	corenet_udp_bind_all_nodes(traceroute_t)
0fd9dc55 CP	186	corenet_tcp_bind_all_nodes(traceroute_t)
8f882ffc DM	187	# traceroute needs this but not tracepath
8f882ffc DM	188	corenet_raw_bind_all_nodes(traceroute_t)
2705f9a0	189	corenet_tcp_connect_all_ports(traceroute_t)
4fc91539	190
0fd9dc55	191	fs_dontaudit_getattr_xattr_fs(traceroute_t)
4fc91539	192
15722ec9	193	domain_use_interactive_fds(traceroute_t)
4fc91539	194
8fd36732	195	files_read_etc_files(traceroute_t)
c9428d33	196	files_dontaudit_search_var(traceroute_t)
4fc91539	197
c9428d33 CP	198	libs_use_ld_so(traceroute_t)
c9428d33 CP	199	libs_use_shared_libs(traceroute_t)
4fc91539	200
c9428d33	201	logging_send_syslog_msg(traceroute_t)
4fc91539 CP	202
	203	miscfiles_read_localization(traceroute_t)
	204
	205	#rules needed for nmap
f0c985ca KM	206	dev_read_rand(traceroute_t)
f0c985ca KM	207	dev_read_urand(traceroute_t)
c9428d33	208	files_read_usr_files(traceroute_t)
4fc91539	209
8f882ffc DM	210	sysnet_read_config(traceroute_t)
	211
	212	ifdef(`targeted_policy',`
1815bad1 CP	213	term_use_unallocated_ttys(traceroute_t)
1815bad1 CP	214	term_use_generic_ptys(traceroute_t)
8f882ffc DM	215	')
8f882ffc DM	216
3eed1090	217	tunable_policy(`user_ping',`
0fd9dc55 CP	218	term_use_all_user_ttys(traceroute_t)
0fd9dc55 CP	219	term_use_all_user_ptys(traceroute_t)
3eed1090	220	')
4fc91539	221
bb7170f6	222	optional_policy(`
ab940a4c CP	223	nis_use_ypbind(traceroute_t)
ab940a4c CP	224	')
4fc91539	225
bb7170f6	226	optional_policy(`
1815bad1	227	nscd_socket_use(traceroute_t)
493d6c4a	228	')