selinux-policy/policy/modules/admin/netutils.if

329 lines
6.4 KiB
Plaintext
Raw Normal View History

2005-06-24 13:36:57 +00:00
## <summary>Network analysis utilities</summary>
2005-05-25 19:52:21 +00:00
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute network utilities in the netutils domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
2005-05-25 19:52:21 +00:00
#
interface(`netutils_domtrans',`
2005-06-17 18:27:08 +00:00
gen_require(`
type netutils_t, netutils_exec_t;
')
2005-06-17 18:27:08 +00:00
domain_auto_trans($1,netutils_exec_t,netutils_t)
allow $1 netutils_t:fd use;
allow netutils_t $1:fd use;
allow netutils_t $1:fifo_file rw_file_perms;
allow netutils_t $1:process sigchld;
2005-05-25 19:52:21 +00:00
')
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="role">
## <summary>
2005-06-27 16:30:55 +00:00
## The role to be allowed the netutils domain.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-06-27 16:30:55 +00:00
## The type of the terminal allow the netutils domain to use.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-05-25 19:52:21 +00:00
#
2005-06-27 16:30:55 +00:00
interface(`netutils_run',`
gen_require(`
type netutils_t;
')
netutils_domtrans($1)
role $2 types netutils_t;
allow netutils_t $3:chr_file rw_term_perms;
')
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute network utilities in the caller domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
2005-05-25 19:52:21 +00:00
#
interface(`netutils_exec',`
2005-06-17 18:27:08 +00:00
gen_require(`
type netutils_exec_t;
')
2005-06-09 17:21:52 +00:00
can_exec($1,netutils_exec_t)
2005-05-25 19:52:21 +00:00
')
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute ping in the ping domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
#
interface(`netutils_domtrans_ping',`
gen_require(`
type ping_t, ping_exec_t;
')
domain_auto_trans($1,ping_exec_t,ping_t)
allow $1 ping_t:fd use;
allow ping_t $1:fd use;
allow ping_t $1:fifo_file rw_file_perms;
allow ping_t $1:process sigchld;
')
2006-04-06 15:03:23 +00:00
########################################
## <summary>
## Send a kill (SIGKILL) signal to ping.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_kill_ping',`
gen_require(`
type ping_t;
')
allow $1 ping_t:process sigkill;
')
########################################
## <summary>
## Send generic signals to ping.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netutils_signal_ping',`
gen_require(`
type ping_t;
')
allow $1 ping_t:process signal;
')
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="role">
## <summary>
2005-06-27 16:30:55 +00:00
## The role to be allowed the ping domain.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-06-27 16:30:55 +00:00
## The type of the terminal allow the ping domain to use.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-06-27 16:30:55 +00:00
#
interface(`netutils_run_ping',`
gen_require(`
type ping_t;
')
netutils_domtrans_ping($1)
role $2 types ping_t;
allow ping_t $3:chr_file rw_term_perms;
')
2005-09-27 19:40:44 +00:00
########################################
## <summary>
## Conditionally execute ping in the ping domain, and
## allow the specified role the ping domain.
## </summary>
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
## <param name="role">
## <summary>
2005-09-27 19:40:44 +00:00
## The role to be allowed the ping domain.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-09-27 19:40:44 +00:00
## The type of the terminal allow the ping domain to use.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-27 19:40:44 +00:00
#
interface(`netutils_run_ping_cond',`
gen_require(`
type ping_t;
bool user_ping;
')
role $2 types ping_t;
if ( user_ping ) {
netutils_domtrans_ping($1)
allow ping_t $3:chr_file rw_term_perms;
}
')
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute ping in the caller domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
#
interface(`netutils_exec_ping',`
gen_require(`
type ping_exec_t;
')
can_exec($1,ping_exec_t)
')
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute traceroute in the traceroute domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
#
interface(`netutils_domtrans_traceroute',`
gen_require(`
type traceroute_t, traceroute_exec_t;
')
domain_auto_trans($1,traceroute_exec_t,traceroute_t)
allow $1 traceroute_t:fd use;
allow traceroute_t $1:fd use;
allow traceroute_t $1:fifo_file rw_file_perms;
allow traceroute_t $1:process sigchld;
')
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="role">
## <summary>
2005-06-27 16:30:55 +00:00
## The role to be allowed the traceroute domain.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-06-27 16:30:55 +00:00
## The type of the terminal allow the traceroute domain to use.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-06-27 16:30:55 +00:00
#
interface(`netutils_run_traceroute',`
gen_require(`
type traceroute_t;
')
netutils_domtrans_traceroute($1)
role $2 types traceroute_t;
allow traceroute_t $3:chr_file rw_term_perms;
')
2005-09-27 19:40:44 +00:00
########################################
## <summary>
## Conditionally execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
## </summary>
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
## <param name="role">
## <summary>
2005-09-27 19:40:44 +00:00
## The role to be allowed the traceroute domain.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
## <param name="terminal">
## <summary>
2005-09-27 19:40:44 +00:00
## The type of the terminal allow the traceroute domain to use.
## </summary>
2005-09-27 19:40:44 +00:00
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2005-09-27 19:40:44 +00:00
#
interface(`netutils_run_traceroute_cond',`
gen_require(`
type traceroute_t;
bool user_ping;
')
role $2 types traceroute_t;
if( user_ping ) {
netutils_domtrans_traceroute($1)
allow traceroute_t $3:chr_file rw_term_perms;
}
')
2005-06-27 16:30:55 +00:00
########################################
2005-06-28 19:51:46 +00:00
## <summary>
2005-06-27 16:30:55 +00:00
## Execute traceroute in the caller domain.
2005-06-28 19:51:46 +00:00
## </summary>
2005-06-27 16:30:55 +00:00
## <param name="domain">
## <summary>
2006-04-06 15:03:23 +00:00
## Domain allowed access.
## </summary>
2005-06-27 16:30:55 +00:00
## </param>
#
interface(`netutils_exec_traceroute',`
gen_require(`
type traceroute_exec_t;
')
can_exec($1,traceroute_exec_t)
')