2005-06-24 13:36:57 +00:00
|
|
|
## <summary>Network analysis utilities</summary>
|
2005-05-25 19:52:21 +00:00
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute network utilities in the netutils domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2005-05-25 19:52:21 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`netutils_domtrans',`
|
2005-06-17 18:27:08 +00:00
|
|
|
gen_require(`
|
|
|
|
type netutils_t, netutils_exec_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-17 18:27:08 +00:00
|
|
|
domain_auto_trans($1,netutils_exec_t,netutils_t)
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 netutils_t:fd use;
|
|
|
|
allow netutils_t $1:fd use;
|
|
|
|
allow netutils_t $1:fifo_file rw_file_perms;
|
|
|
|
allow netutils_t $1:process sigchld;
|
2005-05-25 19:52:21 +00:00
|
|
|
')
|
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute network utilities in the netutils domain, and
|
|
|
|
## allow the specified role the netutils domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The role to be allowed the netutils domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The type of the terminal allow the netutils domain to use.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-25 19:52:21 +00:00
|
|
|
#
|
2005-06-27 16:30:55 +00:00
|
|
|
interface(`netutils_run',`
|
|
|
|
gen_require(`
|
|
|
|
type netutils_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
netutils_domtrans($1)
|
|
|
|
role $2 types netutils_t;
|
|
|
|
allow netutils_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute network utilities in the caller domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2005-05-25 19:52:21 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`netutils_exec',`
|
2005-06-17 18:27:08 +00:00
|
|
|
gen_require(`
|
|
|
|
type netutils_exec_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-09 17:21:52 +00:00
|
|
|
can_exec($1,netutils_exec_t)
|
2005-05-25 19:52:21 +00:00
|
|
|
')
|
2005-06-27 16:30:55 +00:00
|
|
|
|
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute ping in the ping domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_domtrans_ping',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_t, ping_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,ping_exec_t,ping_t)
|
|
|
|
|
|
|
|
allow $1 ping_t:fd use;
|
|
|
|
allow ping_t $1:fd use;
|
|
|
|
allow ping_t $1:fifo_file rw_file_perms;
|
|
|
|
allow ping_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
2006-04-06 15:03:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send a kill (SIGKILL) signal to ping.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_kill_ping',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 ping_t:process sigkill;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Send generic signals to ping.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_signal_ping',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 ping_t:process signal;
|
|
|
|
')
|
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute ping in the ping domain, and
|
|
|
|
## allow the specified role the ping domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The role to be allowed the ping domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The type of the terminal allow the ping domain to use.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-06-27 16:30:55 +00:00
|
|
|
#
|
|
|
|
interface(`netutils_run_ping',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
netutils_domtrans_ping($1)
|
|
|
|
role $2 types ping_t;
|
|
|
|
allow ping_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
2005-09-27 19:40:44 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Conditionally execute ping in the ping domain, and
|
|
|
|
## allow the specified role the ping domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## The role to be allowed the ping domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## The type of the terminal allow the ping domain to use.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-09-27 19:40:44 +00:00
|
|
|
#
|
|
|
|
interface(`netutils_run_ping_cond',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_t;
|
|
|
|
bool user_ping;
|
|
|
|
')
|
|
|
|
|
|
|
|
role $2 types ping_t;
|
|
|
|
|
|
|
|
if ( user_ping ) {
|
|
|
|
netutils_domtrans_ping($1)
|
|
|
|
allow ping_t $3:chr_file rw_term_perms;
|
|
|
|
}
|
|
|
|
')
|
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute ping in the caller domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_exec_ping',`
|
|
|
|
gen_require(`
|
|
|
|
type ping_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
can_exec($1,ping_exec_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute traceroute in the traceroute domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_domtrans_traceroute',`
|
|
|
|
gen_require(`
|
|
|
|
type traceroute_t, traceroute_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
|
|
|
|
|
|
|
|
allow $1 traceroute_t:fd use;
|
|
|
|
allow traceroute_t $1:fd use;
|
|
|
|
allow traceroute_t $1:fifo_file rw_file_perms;
|
|
|
|
allow traceroute_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute traceroute in the traceroute domain, and
|
|
|
|
## allow the specified role the traceroute domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The role to be allowed the traceroute domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## The type of the terminal allow the traceroute domain to use.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-06-27 16:30:55 +00:00
|
|
|
#
|
|
|
|
interface(`netutils_run_traceroute',`
|
|
|
|
gen_require(`
|
|
|
|
type traceroute_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
netutils_domtrans_traceroute($1)
|
|
|
|
role $2 types traceroute_t;
|
|
|
|
allow traceroute_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
2005-09-27 19:40:44 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Conditionally execute traceroute in the traceroute domain, and
|
|
|
|
## allow the specified role the traceroute domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## The role to be allowed the traceroute domain.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## The type of the terminal allow the traceroute domain to use.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-27 19:40:44 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-09-27 19:40:44 +00:00
|
|
|
#
|
|
|
|
interface(`netutils_run_traceroute_cond',`
|
|
|
|
gen_require(`
|
|
|
|
type traceroute_t;
|
|
|
|
bool user_ping;
|
|
|
|
')
|
|
|
|
|
|
|
|
role $2 types traceroute_t;
|
|
|
|
|
|
|
|
if( user_ping ) {
|
|
|
|
netutils_domtrans_traceroute($1)
|
|
|
|
allow traceroute_t $3:chr_file rw_term_perms;
|
|
|
|
}
|
|
|
|
')
|
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-06-28 19:51:46 +00:00
|
|
|
## <summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## Execute traceroute in the caller domain.
|
2005-06-28 19:51:46 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-04-06 15:03:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`netutils_exec_traceroute',`
|
|
|
|
gen_require(`
|
|
|
|
type traceroute_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
can_exec($1,traceroute_exec_t)
|
|
|
|
')
|