# Network utility domains: netutils_t (general network administration
# tools), ping_t and traceroute_t.
# NOTE(review): the module is registered as devices, yet every type declared
# below belongs to netutils, ping or traceroute - confirm the module name was
# not carried over from another module header.
policy_module(devices,1.0)

########################################
#
# Declarations
#

# netutils_t is the domain; netutils_exec_t labels its entrypoint executable.
type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

# Private type for the temporary files netutils_t creates.
type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

# The commented-out nscd_client_domain attribute on the two type lines below
# looks like a leftover from an earlier declaration style; it has no effect.
type ping_t; #, nscd_client_domain;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

type traceroute_t; #, nscd_client_domain;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
# Route-table access including nlmsg_write; traceroute_t below is given the
# same set without nlmsg_write.
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_socket_perms;

# Temporary files are confined to the private netutils_tmp_t type.
allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })

# Network reach over every interface, node and port for tcp, udp and raw ip.
# This is the widest grant in the module; the same set is repeated for ping_t
# and traceroute_t below.
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)

# Allowed here, whereas ping_t and traceroute_t only dontaudit the same access.
fs_getattr_xattr_fs(netutils_t)

domain_use_wide_inherit_fd(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fd(netutils_t)
init_use_script_pty(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

userdom_use_all_user_fd(netutils_t)

optional_policy(`nis.te',`
	nis_use_ypbind(netutils_t)
')

# Legacy rules excluded from the build: an ifdef on TODO only expands when
# TODO is defined. They use raw types (sysadm_gph_t, proc_t) instead of
# interfaces, so they should be converted before being re-enabled.
ifdef(`TODO',`

ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;

') dnl end TODO

########################################
#
# Ping local policy
#

# NOTE(review): ping_t is granted a rawip_socket rule below but no net_raw
# capability, unlike netutils_t and traceroute_t - confirm the raw socket can
# actually be created under this policy.
allow ping_t self:capability setuid;
dontaudit ping_t self:capability sys_tty_config;

allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
# Enumerated permission set rather than the create_socket_perms macro used on
# the tcp and udp lines above.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_wide_inherit_fd(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

sysnet_read_config(ping_t)

logging_send_syslog_msg(ping_t)

# NOTE(review): unlike netutils_t and traceroute_t, ping_t is not given
# miscfiles_read_localization - confirm that is intended.

# With user_ping enabled, ping_t may use user ttys and ptys. The matching
# in_user_role and domain_auto_trans from unpriv_userdomain are still inside
# the TODO block below, so in this file the tunable grants terminal access
# without the corresponding entry into the domain from user domains.
tunable_policy(`user_ping',`
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(ping_t)
')

# Disabled legacy rules; see the TODO note in the netutils section.
ifdef(`TODO',`
in_user_role(ping_t)
tunable_policy(`user_ping',`
	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
')

') dnl end TODO

########################################
#
# Traceroute local policy
#

# Same capability set as netutils_t.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
# No nlmsg_write here, unlike the netutils_t netlink_route_socket rule.
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_wide_inherit_fd(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
# NOTE(review): the comment above suggests nmap is labeled to run in
# traceroute_t; if so it shares the net_admin/net_raw capabilities and the
# all-ports network reach granted above. A dedicated domain would narrow that.
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

# Reuses the user_ping tunable; there is no separate traceroute tunable.
tunable_policy(`user_ping',`
	term_use_all_user_ttys(traceroute_t)
	term_use_all_user_ptys(traceroute_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(traceroute_t)
')

# Disabled legacy rules; see the TODO note in the netutils section.
ifdef(`TODO',`
in_user_role(traceroute_t)
tunable_policy(`user_ping',`
	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
')
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
') dnl end TODO