From 8f882ffcd9e7ab3662dc6a7fdb1d77be7e311009 Mon Sep 17 00:00:00 2001 From: Don Miner Date: Wed, 2 Nov 2005 20:44:17 +0000 Subject: [PATCH] Added rules so that tracepath, traceroute and ping work. --- refpolicy/policy/modules/admin/netutils.te | 14 +++++++++++++- .../policy/modules/kernel/corenetwork.if.in | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 88921add..98a5ecb3 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -95,7 +95,7 @@ ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;') # Ping local policy # -allow ping_t self:capability setuid; +allow ping_t self:capability { setuid net_raw }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; @@ -133,6 +133,8 @@ ifdef(`hide_broken_symptoms',` ') ifdef(`targeted_policy',` + term_use_unallocated_tty(ping_t) + term_use_generic_pty(ping_t) term_use_all_user_ttys(ping_t) term_use_all_user_ptys(ping_t) ',` @@ -173,6 +175,7 @@ allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -187,6 +190,8 @@ corenet_tcp_sendrecv_all_ports(traceroute_t) corenet_udp_sendrecv_all_ports(traceroute_t) corenet_udp_bind_all_nodes(traceroute_t) corenet_tcp_bind_all_nodes(traceroute_t) +# traceroute needs this but not tracepath +corenet_raw_bind_all_nodes(traceroute_t) corenet_tcp_connect_all_ports(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t) 
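Review bot: The new `net_raw` in `allow ping_t self:capability { setuid net_raw };` is the capability that lets ping open its ICMP raw socket, but the line carries no comment saying so, and CAP_NET_RAW also unlocks packet sockets and spoofed source addresses if the domain ever gains those socket classes. Add a why-comment above it, e.g. `# net_raw: required to create the ICMP raw socket; keep ping_t away from packet_socket`, and confirm that ping_t is not also granted packet_socket create permissions. The rest of the ping_t socket rules lie outside this hunk, so that check could not be done here.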
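Review bot: The two targeted_policy additions for ping_t, `term_use_unallocated_tty(ping_t)` and `term_use_generic_pty(ping_t)`, have no comment explaining why they are unconditional inside the targeted branch while the per-user tty rules elsewhere in this file sit behind the user_ping tunable. Presumably in the targeted policy a login shell's terminal keeps the unallocated or generic type, so ping could not write its output without them; if that is the reason, record it as `# targeted: user terminals keep the generic/unallocated tty types`. The enclosing ifdef block is cut at the hunk edge, so the non-targeted branch was not visible for comparison.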
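Review bot: `allow traceroute_t self:udp_socket create_socket_perms;` is added without stating which tool needs it; the pre-existing `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_all_nodes` rules visible in the next hunk were inert before this, since the domain could not create a UDP socket at all. A comment such as `# UDP probe socket for tracepath and, presumably, traceroute's default UDP mode` would make the grant traceable to a use case. The traceroute local-policy block starts before this hunk, so the domain's other self rules were not reviewed.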
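Review bot: The comment `# traceroute needs this but not tracepath` above `corenet_raw_bind_all_nodes(traceroute_t)` says which binary exercises the permission, but both run in traceroute_t, so the grant applies to the whole domain regardless and the wording reads as though tracepath were excluded. Reword it to say what the rule is for, e.g. `# raw-socket bind for traceroute's raw/ICMP probes; tracepath (UDP) does not exercise it`. Binding raw sockets to every node type is also a broad grant; if the probe only ever binds the wildcard or a local interface address, a narrower node interface may be enough, which is worth confirming against the actual bind(2) call.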
@@ -208,6 +213,13 @@ dev_read_rand(traceroute_t) dev_read_urand(traceroute_t) files_read_usr_files(traceroute_t) +sysnet_read_config(traceroute_t) + +ifdef(`targeted_policy',` + term_use_unallocated_tty(traceroute_t) + term_use_generic_pty(traceroute_t) +') + tunable_policy(`user_ping',` term_use_all_user_ttys(traceroute_t) term_use_all_user_ptys(traceroute_t) diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index 126957c0..bd845e44 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -500,6 +500,22 @@ interface(`corenet_udp_bind_all_nodes',` allow $1 node_type:udp_socket node_bind; ') +######################################## +## +## Bind raw sockets to all nodes. +## +## +## The type of the process performing this action. +## +# rawip_socket node_bind does not make much sense. +interface(`corenet_raw_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:rawip_socket node_bind; +') + ######################################## ## ## Send and receive TCP network traffic on generic ports.
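Review bot: `sysnet_read_config(traceroute_t)` and the new targeted_policy tty/pty block land without a comment, and the targeted block grants terminal access unconditionally while the user_ping tunable_policy block directly below keeps the per-user tty rules behind a tunable, so a reader cannot tell whether that asymmetry is deliberate. Add a short comment on each addition, e.g. `# read resolv.conf/hosts, presumably to name the hops` on the sysnet line and `# targeted: terminals keep the generic/unallocated tty types` on the ifdef, using the same rationale as the matching ping_t change in this patch. The tunable_policy block continues past the hunk edge.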
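Review bot: The inline `# rawip_socket node_bind does not make much sense.` placed between the doc block and the corenet_raw_bind_all_nodes interface undercuts the interface it documents and gives the next maintainer no reason to keep it; as far as I recall, the kernel does apply the node_bind check to raw IP sockets when bind(2) is called with a non-wildcard address, which is exactly why the traceroute hunk needs this interface. Replace the remark with the reason, e.g. `# bind(2) on a raw IP socket is checked against the node type of the local address, as for udp/tcp`, and consider folding it into the `##` doc block so the interface is documented the same way as its neighbours. The summary/param XML tags appear stripped in this rendering, so the doc markup itself could not be checked.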