
policy_module(netutils,1.1.2)

########################################
#
# Declarations
#

# netutils_t: catch-all domain for the remaining network utilities (the
# file contexts mapping binaries to netutils_exec_t are not in this file).
# Of the three domains declared here it is the only one granted
# nlmsg_write on the routing netlink socket -- see its local policy below.
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

# Scratch files netutils_t creates in tmp (labeled via the
# files_tmp_filetrans rule in the netutils local policy).
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

# ping_t: the least privileged domain here (net_raw/setuid only, no
# net_admin and no netlink access).
type ping_t;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

# traceroute_t: per the comments in its local policy section, this
# entrypoint also covers tracepath and nmap, which is why it carries more
# than a plain traceroute would need.
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
# NOTE(review): net_admin together with nlmsg_write on the route socket
# (below) lets this domain reconfigure interfaces and routes, not merely
# observe traffic; confirm every binary labeled netutils_exec_t needs that.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;

# Private tmp files; files and dirs created in tmp get netutils_tmp_t.
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

kernel_search_proc(netutils_t)

# Unrestricted tcp/udp/raw traffic on all interfaces, nodes and ports, plus
# outbound tcp connect to any port. Binding is only granted to nodes here;
# no port name_bind rule appears in this section.
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_non_ipsec_sendrecv(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_interactive_fds(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fds(netutils_t)
init_use_script_ptys(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

sysnet_read_config(netutils_t)

userdom_use_all_users_fds(netutils_t)

# Terminal output in the targeted policy only; unlike ping_t and
# traceroute_t this domain gets no user_ping tunable.
ifdef(`targeted_policy',`
	term_use_generic_ptys(netutils_t)
	term_use_unallocated_ttys(netutils_t)
')

optional_policy(`
	nis_use_ypbind(netutils_t)
')

########################################
#
# Ping local policy
#

# net_raw for the ICMP raw socket. setuid is presumably so a setuid-root
# ping can drop privileges after opening it -- confirm. No net_admin here,
# unlike netutils_t and traceroute_t.
allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;

allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
# Raw and packet sockets get an explicit set narrower than
# create_socket_perms (no getattr/setattr/append/connect/shutdown).
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };

# Traffic on all interfaces/nodes/ports; bind to nodes only, no port
# name_bind and no tcp connect rule in this section.
corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_non_ipsec_sendrecv(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_interactive_fds(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

# Hostname lookup; ping_t is the only domain in this module that calls
# sysnet_dns_name_resolve explicitly.
sysnet_read_config(ping_t)
sysnet_dns_name_resolve(ping_t)

logging_send_syslog_msg(ping_t)

ifdef(`hide_broken_symptoms',`
	init_dontaudit_use_fds(ping_t)
')

# Terminal access: unconditional in the targeted policy, gated by the
# user_ping tunable otherwise. NOTE(review): the traceroute section applies
# the user_ping tunable in both policy types, so the two domains diverge
# here; decide whether that is intended.
ifdef(`targeted_policy',`
	term_use_unallocated_ttys(ping_t)
	term_use_generic_ptys(ping_t)
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
',`
	tunable_policy(`user_ping',`
		term_use_all_user_ttys(ping_t)
		term_use_all_user_ptys(ping_t)
	')
')

optional_policy(`
	nis_use_ypbind(ping_t)
')

optional_policy(`
	nscd_socket_use(ping_t)
')

optional_policy(`
	pcmcia_use_cardmgr_fds(ping_t)
')

optional_policy(`
	hotplug_use_fds(ping_t)
')

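########################################
#
# Traceroute local policy
#

# NOTE(review): net_admin is more than traceroute/tracepath need for their
# raw sockets; it is presumably here for nmap (see the nmap comment below)
# -- confirm before trimming.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
# Read-only route socket (no nlmsg_write), unlike netutils_t.
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;
# The corenet tcp sendrecv/bind/connect rules below are useless unless the
# domain may also create the tcp socket itself; nothing else in this
# section grants that, while netutils_t and ping_t both carry the
# matching self:tcp_socket rule.
allow traceroute_t self:tcp_socket create_socket_perms;

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_non_ipsec_sendrecv(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_interactive_fds(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

sysnet_read_config(traceroute_t)

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(traceroute_t)
	term_use_generic_ptys(traceroute_t)
')

# Applies in both policy types; the ping section only consults this
# tunable outside the targeted policy.
tunable_policy(`user_ping',`
	term_use_all_user_ttys(traceroute_t)
	term_use_all_user_ptys(traceroute_t)
')

optional_policy(`
	nis_use_ypbind(traceroute_t)
')

optional_policy(`
	nscd_socket_use(traceroute_t)
')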
2705f9a0 | 189 | corenet_tcp_connect_all_ports(traceroute_t) |
4fc91539 | 190 | |
0fd9dc55 | 191 | fs_dontaudit_getattr_xattr_fs(traceroute_t) |
4fc91539 | 192 | |
15722ec9 | 193 | domain_use_interactive_fds(traceroute_t) |
4fc91539 | 194 | |
8fd36732 | 195 | files_read_etc_files(traceroute_t) |
c9428d33 | 196 | files_dontaudit_search_var(traceroute_t) |
4fc91539 | 197 | |
c9428d33 CP |
198 | libs_use_ld_so(traceroute_t) |
199 | libs_use_shared_libs(traceroute_t) | |
4fc91539 | 200 | |
c9428d33 | 201 | logging_send_syslog_msg(traceroute_t) |
4fc91539 CP |
202 | |
203 | miscfiles_read_localization(traceroute_t) | |
204 | ||
205 | #rules needed for nmap | |
f0c985ca KM |
206 | dev_read_rand(traceroute_t) |
207 | dev_read_urand(traceroute_t) | |
c9428d33 | 208 | files_read_usr_files(traceroute_t) |
4fc91539 | 209 | |
8f882ffc DM |
210 | sysnet_read_config(traceroute_t) |
211 | ||
212 | ifdef(`targeted_policy',` | |
1815bad1 CP |
213 | term_use_unallocated_ttys(traceroute_t) |
214 | term_use_generic_ptys(traceroute_t) | |
8f882ffc DM |
215 | ') |
216 | ||
3eed1090 | 217 | tunable_policy(`user_ping',` |
0fd9dc55 CP |
218 | term_use_all_user_ttys(traceroute_t) |
219 | term_use_all_user_ptys(traceroute_t) | |
3eed1090 | 220 | ') |
4fc91539 | 221 | |
bb7170f6 | 222 | optional_policy(` |
ab940a4c CP |
223 | nis_use_ypbind(traceroute_t) |
224 | ') | |
4fc91539 | 225 | |
bb7170f6 | 226 | optional_policy(` |
1815bad1 | 227 | nscd_socket_use(traceroute_t) |
493d6c4a | 228 | ') |