[people/stevee/selinux-policy.git] / refpolicy / policy / modules / admin / netutils.te


policy_module(devices,1.0)

########################################
#
# Declarations
#

type netutils_t;
type netutils_exec_t;
init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;

type netutils_tmp_t;
files_tmp_file(netutils_tmp_t)

type ping_t; #, nscd_client_domain;
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;

type traceroute_t; #, nscd_client_domain;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;

########################################
#
# Netutils local policy
#

# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_socket_perms;

allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })

corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
corenet_tcp_sendrecv_all_nodes(netutils_t)
corenet_raw_sendrecv_all_nodes(netutils_t)
corenet_udp_sendrecv_all_nodes(netutils_t)
corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_bind_all_nodes(netutils_t)
corenet_udp_bind_all_nodes(netutils_t)

fs_getattr_xattr_fs(netutils_t)

domain_use_wide_inherit_fd(netutils_t)

files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)

init_use_fd(netutils_t)
init_use_script_pty(netutils_t)

libs_use_ld_so(netutils_t)
libs_use_shared_libs(netutils_t)

logging_send_syslog_msg(netutils_t)

miscfiles_read_localization(netutils_t)

userdom_use_all_user_fd(netutils_t)

optional_policy(`nis.te',`
	nis_use_ypbind(netutils_t)
')

ifdef(`TODO',`

ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;

') dnl end TODO

########################################
#
# Ping local policy
#

allow ping_t self:capability setuid;
dontaudit ping_t self:capability sys_tty_config;

allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:udp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

corenet_tcp_sendrecv_all_if(ping_t)
corenet_udp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_udp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
corenet_udp_sendrecv_all_ports(ping_t)
corenet_udp_bind_all_nodes(ping_t)
corenet_tcp_bind_all_nodes(ping_t)

fs_dontaudit_getattr_xattr_fs(ping_t)

domain_use_wide_inherit_fd(ping_t)

files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

libs_use_ld_so(ping_t)
libs_use_shared_libs(ping_t)

sysnet_read_config(ping_t)

logging_send_syslog_msg(ping_t)

tunable_policy(`user_ping',`
	term_use_all_user_ttys(ping_t)
	term_use_all_user_ptys(ping_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(ping_t)
')

ifdef(`TODO',`
in_user_role(ping_t)
tunable_policy(`user_ping',`
	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
')

') dnl end TODO

########################################
#
# Traceroute local policy
#

allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)

corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_nodes(traceroute_t)
corenet_udp_sendrecv_all_nodes(traceroute_t)
corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)

fs_dontaudit_getattr_xattr_fs(traceroute_t)

domain_use_wide_inherit_fd(traceroute_t)

files_read_etc_files(traceroute_t)
files_dontaudit_search_var(traceroute_t)

libs_use_ld_so(traceroute_t)
libs_use_shared_libs(traceroute_t)

logging_send_syslog_msg(traceroute_t)

miscfiles_read_localization(traceroute_t)

#rules needed for nmap
dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)

tunable_policy(`user_ping',`
	term_use_all_user_ttys(traceroute_t)
	term_use_all_user_ptys(traceroute_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(traceroute_t)
')

ifdef(`TODO',`
in_user_role(traceroute_t)
tunable_policy(`user_ping',`
	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
')
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
') dnl end TODO
Commit	Line	Data
4fc91539 CP	1
	2	policy_module(devices,1.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type netutils_t;
	10	type netutils_exec_t;
c9428d33	11	init_system_domain(netutils_t,netutils_exec_t)
4fc91539 CP	12	role system_r types netutils_t;
	13
	14	type netutils_tmp_t;
c9428d33	15	files_tmp_file(netutils_tmp_t)
4fc91539 CP	16
	17	type ping_t; #, nscd_client_domain;
	18	type ping_exec_t;
c9428d33	19	init_system_domain(ping_t,ping_exec_t)
4fc91539 CP	20	role system_r types ping_t;
	21
	22	type traceroute_t; #, nscd_client_domain;
	23	type traceroute_exec_t;
c9428d33	24	init_system_domain(traceroute_t,traceroute_exec_t)
4fc91539 CP	25	role system_r types traceroute_t;
4fc91539 CP	26
4fc91539 CP	27	########################################
	28	#
	29	# Netutils local policy
	30	#
	31
	32	# Perform network administration operations and have raw access to the network.
	33	allow netutils_t self:capability { net_admin net_raw setuid setgid };
	34	allow netutils_t self:process { sigkill sigstop signull signal };
	35	allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
dc67f782 CP	36	allow netutils_t self:packet_socket create_socket_perms;
	37	allow netutils_t self:udp_socket create_socket_perms;
	38	allow netutils_t self:tcp_socket create_socket_perms;
4fc91539	39
dc67f782 CP	40	allow netutils_t netutils_tmp_t:dir create_dir_perms;
dc67f782 CP	41	allow netutils_t netutils_tmp_t:file create_file_perms;
c9428d33	42	files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
4fc91539	43
0fd9dc55 CP	44	corenet_tcp_sendrecv_all_if(netutils_t)
	45	corenet_raw_sendrecv_all_if(netutils_t)
	46	corenet_udp_sendrecv_all_if(netutils_t)
	47	corenet_tcp_sendrecv_all_nodes(netutils_t)
	48	corenet_raw_sendrecv_all_nodes(netutils_t)
	49	corenet_udp_sendrecv_all_nodes(netutils_t)
	50	corenet_tcp_sendrecv_all_ports(netutils_t)
	51	corenet_udp_sendrecv_all_ports(netutils_t)
	52	corenet_tcp_bind_all_nodes(netutils_t)
	53	corenet_udp_bind_all_nodes(netutils_t)
	54
	55	fs_getattr_xattr_fs(netutils_t)
4fc91539	56
c9428d33	57	domain_use_wide_inherit_fd(netutils_t)
4fc91539	58
8fd36732	59	files_read_etc_files(netutils_t)
4fc91539	60	# for nscd
c9428d33	61	files_dontaudit_search_var(netutils_t)
4fc91539	62
ab940a4c CP	63	init_use_fd(netutils_t)
	64	init_use_script_pty(netutils_t)
	65
c9428d33 CP	66	libs_use_ld_so(netutils_t)
c9428d33 CP	67	libs_use_shared_libs(netutils_t)
4fc91539	68
c9428d33	69	logging_send_syslog_msg(netutils_t)
4fc91539 CP	70
	71	miscfiles_read_localization(netutils_t)
	72
ab940a4c	73	userdom_use_all_user_fd(netutils_t)
4fc91539	74
ab940a4c CP	75	optional_policy(`nis.te',`
	76	nis_use_ypbind(netutils_t)
	77	')
4fc91539	78
ab940a4c	79	ifdef(`TODO',`
4fc91539	80
4fc91539 CP	81	ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
	82	allow netutils_t proc_t:dir search;
	83
	84	') dnl end TODO
	85
	86	########################################
	87	#
	88	# Ping local policy
	89	#
	90
	91	allow ping_t self:capability setuid;
	92	dontaudit ping_t self:capability sys_tty_config;
	93
dc67f782 CP	94	allow ping_t self:tcp_socket create_socket_perms;
dc67f782 CP	95	allow ping_t self:udp_socket create_socket_perms;
4fc91539 CP	96	allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
4fc91539 CP	97
0fd9dc55 CP	98	corenet_tcp_sendrecv_all_if(ping_t)
	99	corenet_udp_sendrecv_all_if(ping_t)
	100	corenet_raw_sendrecv_all_if(ping_t)
	101	corenet_raw_sendrecv_all_nodes(ping_t)
	102	corenet_tcp_sendrecv_all_nodes(ping_t)
	103	corenet_udp_sendrecv_all_nodes(ping_t)
	104	corenet_tcp_sendrecv_all_ports(ping_t)
	105	corenet_udp_sendrecv_all_ports(ping_t)
	106	corenet_udp_bind_all_nodes(ping_t)
	107	corenet_tcp_bind_all_nodes(ping_t)
4fc91539	108
0fd9dc55	109	fs_dontaudit_getattr_xattr_fs(ping_t)
4fc91539	110
c9428d33	111	domain_use_wide_inherit_fd(ping_t)
4fc91539	112
8fd36732	113	files_read_etc_files(ping_t)
c9428d33	114	files_dontaudit_search_var(ping_t)
4fc91539	115
c9428d33 CP	116	libs_use_ld_so(ping_t)
c9428d33 CP	117	libs_use_shared_libs(ping_t)
4fc91539	118
c9428d33	119	sysnet_read_config(ping_t)
4fc91539	120
c9428d33	121	logging_send_syslog_msg(ping_t)
4fc91539	122
3eed1090	123	tunable_policy(`user_ping',`
0fd9dc55 CP	124	term_use_all_user_ttys(ping_t)
0fd9dc55 CP	125	term_use_all_user_ptys(ping_t)
3eed1090	126	')
4fc91539	127
ab940a4c CP	128	optional_policy(`nis.te',`
	129	nis_use_ypbind(ping_t)
	130	')
4fc91539	131
ab940a4c	132	ifdef(`TODO',`
fd9deeb8	133	in_user_role(ping_t)
3eed1090	134	tunable_policy(`user_ping',`
4fc91539 CP	135	domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
4fc91539 CP	136	ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
3eed1090 CP	137	')
3eed1090 CP	138
4fc91539 CP	139	') dnl end TODO
	140
	141	########################################
	142	#
	143	# Traceroute local policy
	144	#
	145
	146	allow traceroute_t self:capability { net_admin net_raw setuid setgid };
dc67f782 CP	147	allow traceroute_t self:rawip_socket create_socket_perms;
dc67f782 CP	148	allow traceroute_t self:packet_socket create_socket_perms;
4fc91539 CP	149	allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
	150
	151	kernel_read_system_state(traceroute_t)
	152	kernel_read_network_state(traceroute_t)
	153
0fd9dc55 CP	154	corenet_tcp_sendrecv_all_if(traceroute_t)
	155	corenet_udp_sendrecv_all_if(traceroute_t)
	156	corenet_raw_sendrecv_all_if(traceroute_t)
	157	corenet_raw_sendrecv_all_nodes(traceroute_t)
	158	corenet_tcp_sendrecv_all_nodes(traceroute_t)
	159	corenet_udp_sendrecv_all_nodes(traceroute_t)
	160	corenet_tcp_sendrecv_all_ports(traceroute_t)
	161	corenet_udp_sendrecv_all_ports(traceroute_t)
	162	corenet_udp_bind_all_nodes(traceroute_t)
	163	corenet_tcp_bind_all_nodes(traceroute_t)
4fc91539	164
0fd9dc55	165	fs_dontaudit_getattr_xattr_fs(traceroute_t)
4fc91539	166
c9428d33	167	domain_use_wide_inherit_fd(traceroute_t)
4fc91539	168
8fd36732	169	files_read_etc_files(traceroute_t)
c9428d33	170	files_dontaudit_search_var(traceroute_t)
4fc91539	171
c9428d33 CP	172	libs_use_ld_so(traceroute_t)
c9428d33 CP	173	libs_use_shared_libs(traceroute_t)
4fc91539	174
c9428d33	175	logging_send_syslog_msg(traceroute_t)
4fc91539 CP	176
	177	miscfiles_read_localization(traceroute_t)
	178
	179	#rules needed for nmap
f0c985ca KM	180	dev_read_rand(traceroute_t)
f0c985ca KM	181	dev_read_urand(traceroute_t)
c9428d33	182	files_read_usr_files(traceroute_t)
4fc91539	183
3eed1090	184	tunable_policy(`user_ping',`
0fd9dc55 CP	185	term_use_all_user_ttys(traceroute_t)
0fd9dc55 CP	186	term_use_all_user_ptys(traceroute_t)
3eed1090	187	')
4fc91539	188
ab940a4c CP	189	optional_policy(`nis.te',`
	190	nis_use_ypbind(traceroute_t)
	191	')
4fc91539	192
ab940a4c	193	ifdef(`TODO',`
4fc91539	194	in_user_role(traceroute_t)
3eed1090	195	tunable_policy(`user_ping',`
4fc91539	196	domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
3eed1090	197	')
ab940a4c	198	ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
4fc91539 CP	199	#rules needed for nmap
	200	dontaudit traceroute_t userdomain:dir search;
	201	') dnl end TODO