#DESC Traceroute - Display network routes # # Author: Russell Coker <russell@coker.com.au> # based on the work of David A. Wheeler <dwheeler@ida.org> # X-Debian-Packages: traceroute lft # ################################# # # Rules for the traceroute_t domain. # # traceroute_t is the domain for the traceroute program. # traceroute_exec_t is the type of the corresponding program. # type traceroute_t, domain, privlog, nscd_client_domain; role sysadm_r types traceroute_t; role system_r types traceroute_t; # for user_ping: in_user_role(traceroute_t) uses_shlib(traceroute_t) can_network_client(traceroute_t) allow traceroute_t port_type:tcp_socket name_connect; can_ypbind(traceroute_t) allow traceroute_t node_t:rawip_socket node_bind; type traceroute_exec_t, file_type, sysadmfile, exec_type; # Transition into this domain when you run this program. domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t) domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t) allow traceroute_t etc_t:file { getattr read }; # Use capabilities. allow traceroute_t self:capability { net_admin net_raw setuid setgid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; allow traceroute_t self:unix_stream_socket create_socket_perms; allow traceroute_t device_t:dir search; # for lft allow traceroute_t self:packet_socket create_socket_perms; r_dir_file(traceroute_t, proc_t) r_dir_file(traceroute_t, proc_net_t) # Access the terminal. allow traceroute_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;') allow traceroute_t privfd:fd use; # dont need this dontaudit traceroute_t fs_t:filesystem getattr; dontaudit traceroute_t var_t:dir search; ifdef(`ping.te', ` if (user_ping) { domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t) # allow access to the terminal allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms; } ') #rules needed for nmap allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms; allow traceroute_t usr_t:file { getattr read }; read_locale(traceroute_t) dontaudit traceroute_t userdomain:dir search;