#DESC Ifconfig - Configure network interfaces # # Authors: Stephen Smalley and Timothy Fraser # X-Debian-Packages: net-tools # ################################# # # Rules for the ifconfig_t domain. # # ifconfig_t is the domain for the ifconfig program. # ifconfig_exec_t is the type of the corresponding program. # type ifconfig_t, domain, privlog, privmodule; type ifconfig_exec_t, file_type, sysadmfile, exec_type; role system_r types ifconfig_t; role sysadm_r types ifconfig_t; uses_shlib(ifconfig_t) general_domain_access(ifconfig_t) domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t) ifdef(`targeted_policy', `', ` domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t) ') # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms; allow ifconfig_t self:tcp_socket { create ioctl }; allow ifconfig_t etc_t:file { getattr read }; allow ifconfig_t self:socket create_socket_perms; # Use capabilities. allow ifconfig_t self:capability { net_raw net_admin }; dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:capability sys_tty_config; # Inherit and use descriptors from init. allow ifconfig_t { kernel_t init_t }:fd use; # Access /proc r_dir_file(ifconfig_t, proc_t) r_dir_file(ifconfig_t, proc_net_t) allow ifconfig_t privfd:fd use; allow ifconfig_t run_init_t:fd use; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; # Access terminals. can_access_pty(ifconfig_t, initrc) allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;') allow ifconfig_t tun_tap_device_t:chr_file { read write }; # ifconfig attempts to search some sysctl entries. # Do not audit those attempts; comment out these rules if it is desired to # see the denials. allow ifconfig_t { sysctl_t sysctl_net_t }:dir search; allow ifconfig_t fs_t:filesystem getattr; read_locale(ifconfig_t) allow ifconfig_t lib_t:file { getattr read }; rhgb_domain(ifconfig_t) allow ifconfig_t userdomain:fd use; dontaudit ifconfig_t root_t:file read; r_dir_file(ifconfig_t, sysfs_t)