rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Added rules so that tracepath, traceroute and ping work.

Browse Source
This commit is contained in:
Don Miner 2005-11-02 20:44:17 +00:00
parent b909aca790
commit 8f882ffcd9
2 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
refpolicy/policy/modules/admin/netutils.te
View File

@ -95,7 +95,7 @@ ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
# Ping local policy # Ping local policy
# #
allow ping_t self:capability setuid; allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config; dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:tcp_socket create_socket_perms;
@ -133,6 +133,8 @@ ifdef(`hide_broken_symptoms',`
') ')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
term_use_unallocated_tty(ping_t)
term_use_generic_pty(ping_t)
term_use_all_user_ttys(ping_t) term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t) term_use_all_user_ptys(ping_t)
',` ',`
@ -173,6 +175,7 @@ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t) kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t) kernel_read_network_state(traceroute_t)
@ -187,6 +190,8 @@ corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t) corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t) corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t) corenet_tcp_bind_all_nodes(traceroute_t)
# traceroute needs this but not tracepath
corenet_raw_bind_all_nodes(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t) corenet_tcp_connect_all_ports(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t)
@ -208,6 +213,13 @@ dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t) dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t) files_read_usr_files(traceroute_t)
sysnet_read_config(traceroute_t)
ifdef(`targeted_policy',`
term_use_unallocated_tty(traceroute_t)
term_use_generic_pty(traceroute_t)
')
tunable_policy(`user_ping',` tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t) term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t) term_use_all_user_ptys(traceroute_t)

16
refpolicy/policy/modules/kernel/corenetwork.if.in
View File

@ -500,6 +500,22 @@ interface(`corenet_udp_bind_all_nodes',`
allow $1 node_type:udp_socket node_bind; allow $1 node_type:udp_socket node_bind;
') ')
########################################
## <summary>
## Bind raw sockets to all nodes.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
# rawip_socket node_bind does not make much sense.
interface(`corenet_raw_bind_all_nodes',`
gen_require(`
attribute node_type;
')
allow $1 node_type:rawip_socket node_bind;
')
######################################## ########################################
## <summary> ## <summary>
## Send and receive TCP network traffic on generic ports. ## Send and receive TCP network traffic on generic ports.