2 policy_module(netutils, 1.10.0)
4 ########################################
11 ## Control users use of ping and traceroute
14 gen_tunable(user_ping, false)
18 init_system_domain(netutils_t, netutils_exec_t)
19 role system_r types netutils_t;
22 files_tmp_file(netutils_tmp_t)
26 init_system_domain(ping_t, ping_exec_t)
27 role system_r types ping_t;
30 type traceroute_exec_t;
31 init_system_domain(traceroute_t, traceroute_exec_t)
32 role system_r types traceroute_t;
34 ########################################
36 # Netutils local policy
39 # Perform network administration operations and have raw access to the network.
40 allow netutils_t self:capability { net_admin net_raw setuid setgid };
41 dontaudit netutils_t self:capability sys_tty_config;
42 allow netutils_t self:process { sigkill sigstop signull signal };
43 allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
44 allow netutils_t self:packet_socket create_socket_perms;
45 allow netutils_t self:udp_socket create_socket_perms;
46 allow netutils_t self:tcp_socket create_stream_socket_perms;
47 allow netutils_t self:socket create_socket_perms;
49 manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
50 manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
51 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
53 kernel_search_proc(netutils_t)
54 kernel_read_all_sysctls(netutils_t)
56 corenet_all_recvfrom_unlabeled(netutils_t)
57 corenet_all_recvfrom_netlabel(netutils_t)
58 corenet_tcp_sendrecv_generic_if(netutils_t)
59 corenet_raw_sendrecv_generic_if(netutils_t)
60 corenet_udp_sendrecv_generic_if(netutils_t)
61 corenet_tcp_sendrecv_generic_node(netutils_t)
62 corenet_raw_sendrecv_generic_node(netutils_t)
63 corenet_udp_sendrecv_generic_node(netutils_t)
64 corenet_tcp_sendrecv_all_ports(netutils_t)
65 corenet_udp_sendrecv_all_ports(netutils_t)
66 corenet_tcp_connect_all_ports(netutils_t)
67 corenet_sendrecv_all_client_packets(netutils_t)
68 corenet_udp_bind_generic_node(netutils_t)
70 dev_read_sysfs(netutils_t)
72 fs_getattr_xattr_fs(netutils_t)
74 domain_use_interactive_fds(netutils_t)
76 files_read_etc_files(netutils_t)
78 files_dontaudit_search_var(netutils_t)
80 init_use_fds(netutils_t)
81 init_use_script_ptys(netutils_t)
83 auth_use_nsswitch(netutils_t)
85 logging_send_syslog_msg(netutils_t)
87 miscfiles_read_localization(netutils_t)
89 term_dontaudit_use_console(netutils_t)
90 userdom_use_user_terminals(netutils_t)
91 userdom_use_all_users_fds(netutils_t)
94 nis_use_ypbind(netutils_t)
98 vmware_append_log(netutils_t)
102 xen_append_log(netutils_t)
105 ########################################
110 allow ping_t self:capability { setuid net_raw };
111 dontaudit ping_t self:capability sys_tty_config;
112 allow ping_t self:tcp_socket create_socket_perms;
113 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
114 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
115 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
117 corenet_all_recvfrom_unlabeled(ping_t)
118 corenet_all_recvfrom_netlabel(ping_t)
119 corenet_tcp_sendrecv_generic_if(ping_t)
120 corenet_raw_sendrecv_generic_if(ping_t)
121 corenet_raw_sendrecv_generic_node(ping_t)
122 corenet_tcp_sendrecv_generic_node(ping_t)
123 corenet_raw_bind_generic_node(ping_t)
124 corenet_tcp_sendrecv_all_ports(ping_t)
126 fs_dontaudit_getattr_xattr_fs(ping_t)
128 domain_use_interactive_fds(ping_t)
130 files_read_etc_files(ping_t)
131 files_dontaudit_search_var(ping_t)
133 kernel_read_system_state(ping_t)
135 auth_use_nsswitch(ping_t)
137 logging_send_syslog_msg(ping_t)
139 miscfiles_read_localization(ping_t)
141 userdom_use_user_terminals(ping_t)
143 ifdef(`hide_broken_symptoms',`
144 init_dontaudit_use_fds(ping_t)
147 nagios_dontaudit_rw_pipes(ping_t)
152 munin_append_log(ping_t)
156 pcmcia_use_cardmgr_fds(ping_t)
160 hotplug_use_fds(ping_t)
163 ########################################
165 # Traceroute local policy
168 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
169 allow traceroute_t self:rawip_socket create_socket_perms;
170 allow traceroute_t self:packet_socket create_socket_perms;
171 allow traceroute_t self:udp_socket create_socket_perms;
173 kernel_read_system_state(traceroute_t)
174 kernel_read_network_state(traceroute_t)
176 corenet_all_recvfrom_unlabeled(traceroute_t)
177 corenet_all_recvfrom_netlabel(traceroute_t)
178 corenet_tcp_sendrecv_generic_if(traceroute_t)
179 corenet_udp_sendrecv_generic_if(traceroute_t)
180 corenet_raw_sendrecv_generic_if(traceroute_t)
181 corenet_tcp_sendrecv_generic_node(traceroute_t)
182 corenet_udp_sendrecv_generic_node(traceroute_t)
183 corenet_raw_sendrecv_generic_node(traceroute_t)
184 corenet_tcp_sendrecv_all_ports(traceroute_t)
185 corenet_udp_sendrecv_all_ports(traceroute_t)
186 corenet_udp_bind_generic_node(traceroute_t)
187 corenet_tcp_bind_generic_node(traceroute_t)
188 # traceroute needs this but not tracepath
189 corenet_raw_bind_generic_node(traceroute_t)
190 corenet_udp_bind_traceroute_port(traceroute_t)
191 corenet_tcp_connect_all_ports(traceroute_t)
192 corenet_sendrecv_all_client_packets(traceroute_t)
193 corenet_sendrecv_traceroute_server_packets(traceroute_t)
195 fs_dontaudit_getattr_xattr_fs(traceroute_t)
197 domain_use_interactive_fds(traceroute_t)
199 files_read_etc_files(traceroute_t)
200 files_dontaudit_search_var(traceroute_t)
202 init_use_fds(traceroute_t)
204 auth_use_nsswitch(traceroute_t)
206 logging_send_syslog_msg(traceroute_t)
208 miscfiles_read_localization(traceroute_t)
210 userdom_use_user_terminals(traceroute_t)
212 #rules needed for nmap
213 dev_read_rand(traceroute_t)
214 dev_read_urand(traceroute_t)
215 files_read_usr_files(traceroute_t)
projects / people / stevee / selinux-policy.git / blob