31 lines
1.2 KiB
Plaintext
31 lines
1.2 KiB
Plaintext
|
#DESC uml_net helper program for user-mode Linux
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
#
|
||
|
# WARNING: Do not install this file on any machine that has hostile users.
|
||
|
|
||
|
type uml_net_t, domain, privlog;
|
||
|
type uml_net_exec_t, file_type, sysadmfile, exec_type;
|
||
|
in_user_role(uml_net_t)
|
||
|
allow uml_net_t self:process { fork signal_perms };
|
||
|
allow uml_net_t { bin_t sbin_t }:dir search;
|
||
|
allow uml_net_t self:fifo_file { read write };
|
||
|
allow uml_net_t device_t:dir search;
|
||
|
allow uml_net_t self:udp_socket { create ioctl };
|
||
|
uses_shlib(uml_net_t)
|
||
|
allow uml_net_t devtty_t:chr_file { read write };
|
||
|
allow uml_net_t etc_runtime_t:file { getattr read };
|
||
|
allow uml_net_t etc_t:file { getattr read };
|
||
|
allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
|
||
|
allow uml_net_t proc_t:file { getattr read };
|
||
|
|
||
|
# if you want ip_forward to be set then you should set it yourself
|
||
|
dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
|
||
|
dontaudit uml_net_t sysctl_net_t:file write;
|
||
|
|
||
|
dontaudit ifconfig_t uml_net_t:udp_socket { read write };
|
||
|
dontaudit uml_net_t self:capability sys_module;
|
||
|
|
||
|
allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
|
||
|
can_exec(uml_net_t, { shell_exec_t sbin_t })
|