selinux-policy/policy/modules/admin/netutils.if

## <summary>Network analysis utilities</summary>

########################################
## <summary>
##	Execute network utilities in the netutils domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_domtrans',`
	gen_require(`
		type netutils_t, netutils_exec_t;
	')

	domtrans_pattern($1, netutils_exec_t, netutils_t)
')

########################################
## <summary>
##	Execute network utilities in the netutils domain, and
##	allow the specified role the netutils domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`netutils_run',`
	gen_require(`
		type netutils_t;
	')

	netutils_domtrans($1)
	role $2 types netutils_t;
')

########################################
## <summary>
##	Execute network utilities in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_exec',`
	gen_require(`
		type netutils_exec_t;
	')

	can_exec($1, netutils_exec_t)
')

########################################
## <summary>
##	Send generic signals to network utilities.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_signal',`
	gen_require(`
		type netutils_t;
	')

	allow $1 netutils_t:process signal;
')

########################################
## <summary>
##	Execute ping in the ping domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_domtrans_ping',`
	gen_require(`
		type ping_t, ping_exec_t;
	')

	domtrans_pattern($1, ping_exec_t, ping_t)
')

########################################
## <summary>
##	Send a kill (SIGKILL) signal to ping.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_kill_ping',`
	gen_require(`
		type ping_t;
	')

	allow $1 ping_t:process sigkill;
')

########################################
## <summary>
##	Send generic signals to ping.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_signal_ping',`
	gen_require(`
		type ping_t;
	')

	allow $1 ping_t:process signal;
')

########################################
## <summary>
##	Execute ping in the ping domain, and
##	allow the specified role the ping domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_ping',`
	gen_require(`
		type ping_t;
	')

	netutils_domtrans_ping($1)
	role $2 types ping_t;
')

########################################
## <summary>
##	Conditionally execute ping in the ping domain, and
##	allow the specified role the ping domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_ping_cond',`
	gen_require(`
		type ping_t;
		bool user_ping;
	')

	role $2 types ping_t;

	if ( user_ping ) {
		netutils_domtrans_ping($1)
	}
')

########################################
## <summary>
##	Execute ping in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_exec_ping',`
	gen_require(`
		type ping_exec_t;
	')

	can_exec($1, ping_exec_t)
')

########################################
## <summary>
##	Execute traceroute in the traceroute domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_domtrans_traceroute',`
	gen_require(`
		type traceroute_t, traceroute_exec_t;
	')

	domtrans_pattern($1, traceroute_exec_t, traceroute_t)
')

########################################
## <summary>
##	Execute traceroute in the traceroute domain, and
##	allow the specified role the traceroute domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_traceroute',`
	gen_require(`
		type traceroute_t;
	')

	netutils_domtrans_traceroute($1)
	role $2 types traceroute_t;
')

########################################
## <summary>
##	Conditionally execute traceroute in the traceroute domain, and
##	allow the specified role the traceroute domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`netutils_run_traceroute_cond',`
	gen_require(`
		type traceroute_t;
		bool user_ping;
	')

	role $2 types traceroute_t;

	if( user_ping ) {
		netutils_domtrans_traceroute($1)
	}
')

########################################
## <summary>
##	Execute traceroute in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`netutils_exec_traceroute',`
	gen_require(`
		type traceroute_exec_t;
	')

	can_exec($1, traceroute_exec_t)
')
add/update comments 2005-06-24 13:36:57 +00:00			`## <summary>Network analysis utilities</summary>`
initial commit 2005-05-25 19:52:21 +00:00
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute network utilities in the netutils domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
initial commit 2005-05-25 19:52:21 +00:00			`#`
move all interfaces over to the interface macro. add traceback debugging info 2005-06-22 19:21:31 +00:00			interface(`netutils_domtrans',`
review of admin interfaces 2005-06-17 18:27:08 +00:00			gen_require(`
			`type netutils_t, netutils_exec_t;`
			`')`
change over to some perm set macros. add indentation 2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, netutils_exec_t, netutils_t)`
initial commit 2005-05-25 19:52:21 +00:00			`')`

autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute network utilities in the netutils domain, and`
			`## allow the specified role the netutils domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
initial commit 2005-05-25 19:52:21 +00:00			`#`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			interface(`netutils_run',`
			gen_require(`
			`type netutils_t;`
			`')`

			`netutils_domtrans($1)`
			`role $2 types netutils_t;`
			`')`

			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute network utilities in the caller domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
initial commit 2005-05-25 19:52:21 +00:00			`#`
move all interfaces over to the interface macro. add traceback debugging info 2005-06-22 19:21:31 +00:00			interface(`netutils_exec',`
review of admin interfaces 2005-06-17 18:27:08 +00:00			gen_require(`
			`type netutils_exec_t;`
			`')`
change over to some perm set macros. add indentation 2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`can_exec($1, netutils_exec_t)`
initial commit 2005-05-25 19:52:21 +00:00			`')`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00
trunk: 11 more cherry picks from fedora policy, by david hardeman. 2008-08-07 14:17:50 +00:00			`########################################`
			`## <summary>`
			`## Send generic signals to network utilities.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`netutils_signal',`
			gen_require(`
			`type netutils_t;`
			`')`

			`allow $1 netutils_t:process signal;`
			`')`

autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute ping in the ping domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`#`
			interface(`netutils_domtrans_ping',`
			gen_require(`
			`type ping_t, ping_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, ping_exec_t, ping_t)`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`')`

add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`########################################`
			`## <summary>`
			`## Send a kill (SIGKILL) signal to ping.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`netutils_kill_ping',`
			gen_require(`
			`type ping_t;`
			`')`

			`allow $1 ping_t:process sigkill;`
			`')`

			`########################################`
			`## <summary>`
			`## Send generic signals to ping.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`netutils_signal_ping',`
			gen_require(`
			`type ping_t;`
			`')`

			`allow $1 ping_t:process signal;`
			`')`

autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute ping in the ping domain, and`
			`## allow the specified role the ping domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`#`
			interface(`netutils_run_ping',`
			gen_require(`
			`type ping_t;`
			`')`

			`netutils_domtrans_ping($1)`
			`role $2 types ping_t;`
			`')`

a few conditional cleanups 2005-09-27 19:40:44 +00:00			`########################################`
			`## <summary>`
			`## Conditionally execute ping in the ping domain, and`
			`## allow the specified role the ping domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`#`
			interface(`netutils_run_ping_cond',`
			gen_require(`
			`type ping_t;`
			`bool user_ping;`
			`')`

			`role $2 types ping_t;`

			`if ( user_ping ) {`
			`netutils_domtrans_ping($1)`
			`}`
			`')`

autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute ping in the caller domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`#`
			interface(`netutils_exec_ping',`
			gen_require(`
			`type ping_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`can_exec($1, ping_exec_t)`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`')`

			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute traceroute in the traceroute domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`#`
			interface(`netutils_domtrans_traceroute',`
			gen_require(`
			`type traceroute_t, traceroute_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, traceroute_exec_t, traceroute_t)`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`')`

			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute traceroute in the traceroute domain, and`
			`## allow the specified role the traceroute domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`#`
			interface(`netutils_run_traceroute',`
			gen_require(`
			`type traceroute_t;`
			`')`

			`netutils_domtrans_traceroute($1)`
			`role $2 types traceroute_t;`
			`')`

a few conditional cleanups 2005-09-27 19:40:44 +00:00			`########################################`
			`## <summary>`
			`## Conditionally execute traceroute in the traceroute domain, and`
			`## allow the specified role the traceroute domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Docs standardizing on the role portion of run interfaces. Additional docs cleanup. 2010-08-03 13:20:22 +00:00			`## Role allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
a few conditional cleanups 2005-09-27 19:40:44 +00:00			`#`
			interface(`netutils_run_traceroute_cond',`
			gen_require(`
			`type traceroute_t;`
			`bool user_ping;`
			`')`

			`role $2 types traceroute_t;`

			`if( user_ping ) {`
			`netutils_domtrans_traceroute($1)`
			`}`
			`')`

autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`########################################`
change desc to summary 2005-06-28 19:51:46 +00:00			`## <summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## Execute traceroute in the caller domain.`
change desc to summary 2005-06-28 19:51:46 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add nagios, bug 1531 2006-04-06 15:03:23 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`## </param>`
			`#`
			interface(`netutils_exec_traceroute',`
			gen_require(`
			`type traceroute_exec_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`can_exec($1, traceroute_exec_t)`
autofs_t and ypbind cleanup 2005-06-27 16:30:55 +00:00			`')`