add ethereal, bug 1383
		
							parent
							
								
									7400d12dcc
								
							
						
					
					
						commit
						0834f9b9e8
					
				| @ -10,6 +10,7 @@ | ||||
| 	apt (Erich Schubert) | ||||
| 	clamav (Erich Schubert) | ||||
| 	dpkg (Erich Schubert) | ||||
| 	ethereal | ||||
| 	evolution | ||||
| 	mozilla | ||||
| 	mplayer | ||||
|  | ||||
							
								
								
									
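--- a/refpolicy/policy/modules/apps/ethereal.fc
+++ b/refpolicy/policy/modules/apps/ethereal.fc
@@ -0,0 +1,7 @@
+
+/usr/sbin/ethereal.*		--	gen_context(system_u:object_r:ethereal_exec_t,s0)
+/usr/sbin/tethereal.*		--	gen_context(system_u:object_r:tethereal_exec_t,s0)
+
+ifdef(`strict_policy',`
+HOME_DIR/\.ethereal(/.*)? 		gen_context(system_u:object_r:ROLE_ethereal_home_t,s0)
+')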
							
								
								
									
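--- a/refpolicy/policy/modules/apps/ethereal.if
+++ b/refpolicy/policy/modules/apps/ethereal.if
@@ -0,0 +1,303 @@
+## <summary>Ethereal packet capture tool.</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the ethereal module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for ethereal packet capture tool.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`ethereal_per_userdomain_template',`
+
+	##############################
+	#
+	# Declarations
+	#
+
+	# Type for program
+	type $1_ethereal_t;
+	domain_type($1_ethereal_t)
+	domain_entry_file($1_ethereal_t,ethereal_exec_t)
+	role $3 types $1_ethereal_t;
+
+	type $1_ethereal_home_t alias $1_ethereal_rw_t;
+	files_poly_member($1_ethereal_home_t)
+	userdom_user_home_content($1,$1_ethereal_home_t)
+
+	type $1_ethereal_tmp_t;
+	files_tmp_file($1_ethereal_tmp_t)
+
+	type $1_ethereal_tmpfs_t;
+	files_tmpfs_file($1_ethereal_tmpfs_t)
+
+	##############################
+	#
+	# Local Policy
+	#
+
+	allow $1_ethereal_t self:capability { net_admin net_raw setgid };
+	allow $1_ethereal_t self:process { signal getsched };
+	allow $1_ethereal_t self:fifo_file { getattr read write };
+	allow $1_ethereal_t self:shm destroy;
+	allow $1_ethereal_t self:shm create_shm_perms;
+	allow $1_ethereal_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+	allow $1_ethereal_t self:packet_socket { setopt bind ioctl getopt create read };
+	allow $1_ethereal_t self:tcp_socket create_socket_perms;
+	allow $1_ethereal_t self:udp_socket create_socket_perms;
+
+	# Store temporary files
+	allow $1_ethereal_t $1_ethereal_tmp_t:dir create_dir_perms;
+	allow $1_ethereal_t $1_ethereal_tmp_t:file create_file_perms;
+	files_tmp_filetrans($1_ethereal_t, $1_ethereal_tmp_t, { dir file })
+
+	# Re-execute itself (why?)
+	can_exec($1_ethereal_t, ethereal_exec_t)
+	corecmd_search_sbin($1_ethereal_t)
+
+	# /home/.ethereal
+	allow $1_ethereal_t $1_ethereal_home_t:dir manage_dir_perms;
+	allow $1_ethereal_t $1_ethereal_home_t:file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_home_t:lnk_file create_lnk_perms;
+	userdom_user_home_dir_filetrans($1,$1_ethereal_t,$1_ethereal_home_t,dir)
+
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:dir manage_dir_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:sock_file manage_file_perms;
+	allow $1_ethereal_t $1_ethereal_tmpfs_t:fifo_file manage_file_perms;
+	fs_tmpfs_filetrans($1_ethereal_t,$1_ethereal_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	domain_auto_trans($2, ethereal_exec_t, $1_ethereal_t)
+	allow $1_ethereal_t $2:fd use;
+	allow $1_ethereal_t $2:process sigchld;
+
+	allow $2 $1_ethereal_home_t:dir manage_dir_perms;
+	allow $2 $1_ethereal_home_t:file manage_file_perms;
+	allow $2 $1_ethereal_home_t:lnk_file create_lnk_perms;
+	allow $2 $1_ethereal_home_t:{ dir file lnk_file } { relabelfrom relabelto };
+
+	kernel_read_kernel_sysctls($1_ethereal_t)
+	kernel_read_system_state($1_ethereal_t)
+	kernel_read_sysctl($1_ethereal_t)
+
+	corecmd_search_bin($1_ethereal_t)
+
+	corenet_tcp_connect_generic_port($1_ethereal_t)
+	corenet_tcp_sendrecv_generic_if($1_ethereal_t)
+	
+	dev_read_urand($1_ethereal_t)
+
+	files_read_etc_files($1_ethereal_t)
+	files_read_usr_files($1_ethereal_t)
+
+	fs_list_inotifyfs($1_ethereal_t)
+	fs_search_auto_mountpoints($1_ethereal_t)
+
+	libs_read_lib_files($1_ethereal_t)
+	libs_use_ld_so($1_ethereal_t)
+	libs_use_shared_libs($1_ethereal_t)
+
+	miscfiles_read_fonts($1_ethereal_t)
+	miscfiles_read_localization($1_ethereal_t)
+
+	seutil_use_newrole_fds($1_ethereal_t)
+
+	sysnet_read_config($1_ethereal_t)
+
+	userdom_manage_user_home_content_files($1,$1_ethereal_t)
+	
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_ethereal_t)
+		fs_manage_nfs_files($1_ethereal_t)
+		fs_manage_nfs_symlinks($1_ethereal_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_ethereal_t)
+		fs_manage_cifs_files($1_ethereal_t)
+		fs_manage_cifs_symlinks($1_ethereal_t)
+	')
+
+	optional_policy(`nscd',`
+		nscd_socket_use($1_ethereal_t)
+	')
+
+	# Manual transition from userhelper 
+	optional_policy(`userhelper', `
+		userhelper_use_user_fd($1,$1_ethereal_t)
+		userhelper_sigchld_user($1,$1_ethereal_t)
+	')
+
+	optional_policy(`xserver',`
+		xserver_user_client_template($1,$1_ethereal_t,$1_ethereal_tmpfs_t)
+		xserver_create_xdm_tmp_sockets($1_ethereal_t)
+	')
+	
+	ifdef(`TODO',`
+		# Why does it write this?
+		optional_policy(`snmpd.te', `
+			dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
+		')
+		#TODO
+		gnome_application($1_ethereal, $1)
+		gnome_file_dialog($1_ethereal, $1)
+		# FIXME: policy is incomplete
+	')
+	
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the ethereal module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating ethereal,
+##	allowing the specified user to manage ethereal files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`tethereal_admin_template',`
+	gen_require(`
+		type $1_ethereal_t;
+	')
+
+	# Create various types of sockets
+	allow $1_ethereal_t self:netlink_route_socket create_netlink_socket_perms;
+	allow $1_ethereal_t self:udp_socket create_socket_perms;
+	allow $1_ethereal_t self:packet_socket create_socket_perms;
+	allow $1_ethereal_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_ethereal_t self:tcp_socket create_socket_perms;
+	
+	userdom_use_user_terminals($1,$1_ethereal_t)
+	# Ethereal tries to write to user terminal
+	userdom_dontaudit_use_user_terminals($1,$1_ethereal_t)
+')
+
+########################################
+## <summary>
+##	Run ethereal in ethereal domain.
+## </summary>
+## <desc>
+##	<p>
+##	Run ethereal in ethereal domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`ethereal_domtrans_user_ethereal',`
+	gen_require(`
+		type $1_ethereal_t, ethereal_exec_t;
+	')
+
+	domain_auto_trans($2,ethereal_exec_t,$1_ethereal_t)
+
+	allow $2 $1_ethereal_t:fd use;
+	allow $1_ethereal_t $2:fd use;
+	allow $1_ethereal_t $2:fifo_file rw_file_perms;
+	allow $1_ethereal_t $2:process sigchld;
+')
+
+########################################
+## <summary>
+##	Run tethereal in the tethereal domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`ethereal_domtrans_tethereal',`
+	gen_require(`
+		type tethereal_t, tethereal_exec_t;
+	')
+
+	domain_auto_trans($1,tethereal_exec_t,tethereal_t)
+
+	allow $1 tethereal_t:fd use;
+	allow tethereal_t $1:fd use;
+	allow tethereal_t $1:fifo_file rw_file_perms;
+	allow tethereal_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute tethereal in the tethereal domain, and
+##	allow the specified role the tethereal domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the tethereal domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the tethereal domain to use.
+##	</summary>
+## </param>
+#
+interface(`ethereal_run_tethereal',`
+	gen_require(`
+		type tethereal_t;
+	')
+
+	ethereal_domtrans_tethereal($1)
+	role $2 types tethereal_t;
+	allow tethereal_t $3:chr_file rw_term_perms;
+')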
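Review bot: `userdom_manage_user_home_content_files($1,$1_ethereal_t)` in ethereal_per_userdomain_template appears, going by the interface name, to let the capture domain manage all of the user's home content files, which undoes most of the separation that the dedicated `$1_ethereal_home_t` type provides. This is the same domain that is allowed `net_admin`/`net_raw` and dissects traffic it does not control, so I would drop that line or gate it behind a tunable and keep default writes confined to `$1_ethereal_home_t` and the tmp/tmpfs types. Separately, tethereal_admin_template is documented as letting the user "manage ethereal files" but only adds socket and terminal rules to `$1_ethereal_t`, and it both allows and dontaudits terminal use (`userdom_use_user_terminals` followed by `userdom_dontaudit_use_user_terminals`); one of the two should go. The `dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;` line in the TODO-guarded block hard-codes a prefix where `$1_ethereal_t` is presumably meant.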
							
								
								
									
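--- a/refpolicy/policy/modules/apps/ethereal.te
+++ b/refpolicy/policy/modules/apps/ethereal.te
@@ -0,0 +1,57 @@
+
+policy_module(ethereal,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ethereal_exec_t;
+files_type(ethereal_exec_t)
+
+type tethereal_t;
+type tethereal_exec_t;
+domain_type(tethereal_t)
+domain_entry_file(tethereal_t,tethereal_exec_t)
+
+type tethereal_tmp_t;
+files_tmp_file(tethereal_tmp_t)
+
+########################################
+#
+# Tethereal policy
+#
+
+allow tethereal_t tethereal_t : capability { dac_override dac_read_search setgid setuid net_raw };
+allow tethereal_t self:unix_stream_socket create_stream_socket_perms;
+allow tethereal_t self:netlink_route_socket create_netlink_socket_perms;
+allow tethereal_t self:packet_socket create_socket_perms;
+allow tethereal_t self:tcp_socket create_socket_perms;
+allow tethereal_t self:udp_socket create_socket_perms;
+
+# Store temporary files
+allow tethereal_t tethereal_tmp_t:dir create_dir_perms;
+allow tethereal_t tethereal_tmp_t:file create_file_perms;
+files_tmp_filetrans(tethereal_t, tethereal_tmp_t, { dir file })
+
+# /proc
+kernel_read_all_sysctls(tethereal_t)
+kernel_read_system_state(tethereal_t)
+
+# Read ethereal files in /usr
+files_read_usr_files(tethereal_t)
+# /etc/nsswitch.conf
+files_read_etc_files(tethereal_t)
+
+libs_use_ld_so(tethereal_t)
+libs_use_shared_libs(tethereal_t)
+
+miscfiles_read_localization(tethereal_t)
+
+seutil_use_newrole_fds(tethereal_t)
+
+sysnet_dns_name_resolve(tethereal_t)
+
+optional_policy(`nscd',`
+	nscd_socket_use(tethereal_t)
+')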
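Review bot: The capability rule for `tethereal_t` grants `dac_override` and `dac_read_search` with no comment saying what needs them. This domain parses captured traffic and, per the userdomain.te change in this commit, is entered from `sysadm_t`, so a parsing bug in it would bypass file-mode checks wherever the type rules permit access. Unless denials for these show up in normal use, I would start from `allow tethereal_t self:capability { setgid setuid net_raw };` and add the DAC capabilities back only with a why-comment. The rule is also the only one in the file written as `tethereal_t tethereal_t : capability` rather than `self:capability`.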
| @ -174,6 +174,9 @@ template(`userhelper_per_userdomain_template',` | ||||
| 		userdom_entry_spec_domtrans_sysadm($1_userhelper_t) | ||||
| 	') | ||||
| 	 | ||||
| 	optional_policy(`ethereal',` | ||||
| 		ethereal_domtrans_user_ethereal($1,$1_userhelper_t) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`logging',` | ||||
| 		logging_send_syslog_msg($1_userhelper_t) | ||||
| @ -243,3 +246,48 @@ interface(`userhelper_dontaudit_search_config',` | ||||
| 
 | ||||
| 	dontaudit $1 userhelper_conf_t:dir search_dir_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow domain to use userhelper file descriptor. | ||||
| ## </summary> | ||||
| ## <param name="prefix"> | ||||
| ##	<summary> | ||||
| ##	The prefix of the domain, example user is the prefix of user_t. | ||||
| ##	</summary> | ||||
| ## </param> | ||||
| ## <param name="domain"> | ||||
| ##	<summary> | ||||
| ##      Domain allowed access. | ||||
| ##	</summary> | ||||
| ## </param> | ||||
| # | ||||
| template(`userhelper_use_user_fd',` | ||||
| 	gen_require(` | ||||
| 		type $1_userhelper_t; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $2 $1_userhelper_t:fd use; | ||||
| ') | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow domain to send sigchld to userhelper. | ||||
| ## </summary> | ||||
| ## <param name="prefix"> | ||||
| ##	<summary> | ||||
| ##	The prefix of the domain, example user is the prefix of user_t. | ||||
| ##	</summary> | ||||
| ## </param> | ||||
| ## <param name="domain"> | ||||
| ##	<summary> | ||||
| ##      Domain allowed access. | ||||
| ##	</summary> | ||||
| ## </param> | ||||
| # | ||||
| template(`userhelper_sigchld_user',` | ||||
| 	gen_require(` | ||||
| 		type $1_userhelper_t; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $2 $1_userhelper_t:process sigchld; | ||||
| ') | ||||
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(userhelper,1.0.0) | ||||
| policy_module(userhelper,1.0.1) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
|  | ||||
| @ -894,6 +894,10 @@ template(`admin_user_template',` | ||||
| 		cron_admin_template($1,$1_t,$1_r) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`ethereal',` | ||||
| 		tethereal_admin_template($1,$1_t,$1_r) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`lpd',` | ||||
| 		lpr_admin_template($1,$1_t,$1_r) | ||||
| 	') | ||||
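Review bot: `tethereal_admin_template($1,$1_t,$1_r)` passes three arguments, but the template added in ethereal.if by this same commit documents two parameters and only ever references `$1`, so `$1_t` and `$1_r` are silently ignored. Either trim the call to the prefix or have the template use and document the domain and role it is given. The template name also breaks from every other interface in ethereal.if, which all start with `ethereal_`; `ethereal_admin_template` would match the module and the `$1_ethereal_t` type it actually modifies. The enclosing admin_user_template starts and ends outside this hunk.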
|  | ||||
| @ -1,5 +1,5 @@ | ||||
| 
 | ||||
| policy_module(userdomain,1.3.3) | ||||
| policy_module(userdomain,1.3.4) | ||||
| 
 | ||||
| gen_require(` | ||||
| 	role sysadm_r, staff_r, user_r; | ||||
| @ -256,6 +256,10 @@ ifdef(`targeted_policy',` | ||||
| 		dpkg_run(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`ethereal',` | ||||
| 		ethereal_run_tethereal(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`firstboot',` | ||||
| 		firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t) | ||||
| 	') | ||||
|  | ||||