Policy for network configuration: ifconfig and dhcp client.

####################################### ##

## Execute dhcp client in dhcpc domain. ##

## ## The type of the process performing this action. ## # interface(`sysnet_domtrans_dhcpc',` gen_require(` type dhcpc_t, dhcpc_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) allow $1 dhcpc_t:fd use; allow dhcpc_t $1:fd use; allow dhcpc_t $1:fifo_file rw_file_perms; allow dhcpc_t $1:process sigchld; ') ######################################## ##

## Execute DHCP clients in the dhcpc domain, and ## allow the specified role the dhcpc domain. ##

## ## The type of the process performing this action. ## ## ## The role to be allowed the clock domain. ## ## ## The type of the terminal allow the clock domain to use. ## # interface(`sysnet_run_dhcpc',` gen_require(` type dhcpc_t; ') sysnet_domtrans_dhcpc($1) role $2 types dhcpc_t; allow dhcpc_t $3:chr_file { getattr read write ioctl }; ') ######################################## ##

## Send a SIGCHLD signal to the dhcp client. ##

## ## The domain sending the SIGCHLD. ## # interface(`sysnet_sigchld_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigchld; ') ######################################## ##

## Send a kill signal to the dhcp client. ##

## ## The domain sending the SIGKILL. ## # interface(`sysnet_kill_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigkill; ') ######################################## ##

## Send a SIGSTOP signal to the dhcp client. ##

## ## The domain sending the SIGSTOP. ## # interface(`sysnet_sigstop_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigstop; ') ######################################## ##

## Send a null signal to the dhcp client. ##

## ## The domain sending the null signal. ## # interface(`sysnet_signull_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process signull; ') ######################################## ##

## Send a generic signal to the dhcp client. ##

## ## The domain sending the signal. ## # interface(`sysnet_signal_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process signal; ') ######################################## ##

## Read and write dhcp configuration files. ##

## ## The domain allowed access. ## # interface(`sysnet_rw_dhcp_config',` gen_require(` type dhcp_etc_t; ') files_search_etc($1) allow $1 dhcp_etc_t:file rw_file_perms; ') ######################################## ##

## Read dhcp client state files. ##

## ## The domain allowed access. ## # interface(`sysnet_read_dhcpc_state',` gen_require(` type dhcpc_state_t; ') allow $1 dhcpc_state_t:file { getattr read }; ') ####################################### ##

## Allow network init to read network config files. ##

## ## The type of the process performing this action. ## # interface(`sysnet_read_config',` gen_require(` type net_conf_t; ') files_search_etc($1) allow $1 net_conf_t:file r_file_perms; ') ####################################### ##

## Do not audit attempts to read network config files. ##

## ## Domain to not audit. ## # interface(`sysnet_dontaudit_read_config',` gen_require(` type net_conf_t; ') dontaudit $1 net_conf_t:file r_file_perms; ') ####################################### ##

## Create files in /etc with the type used for ## the network config files. ##

## ## The type of the process performing this action. ## # interface(`sysnet_create_config',` gen_require(` type net_conf_t; ') files_create_etc_config($1,net_conf_t,file) ') ####################################### ##

## Create, read, write, and delete network config files. ##

## ## The type of the process performing this action. ## # interface(`sysnet_manage_config',` gen_require(` type net_conf_t; ') allow $1 net_conf_t:file create_file_perms; ') ####################################### ##

## Read the dhcp client pid file. ##

## ## The type of the process performing this action. ## # interface(`sysnet_read_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') files_list_pids($1) allow $1 dhcpc_var_run_t:file { getattr read }; ') ####################################### ##

## Delete the dhcp client pid file. ##

## ## The type of the process performing this action. ## # interface(`sysnet_delete_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') allow $1 dhcpc_var_run_t:file unlink; ') ####################################### ##

## Execute ifconfig in the ifconfig domain. ##

## ## The type of the process performing this action. ## # interface(`sysnet_domtrans_ifconfig',` gen_require(` type ifconfig_t, ifconfig_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1, ifconfig_exec_t, ifconfig_t) allow $1 ifconfig_t:fd use; allow ifconfig_t $1:fd use; allow ifconfig_t $1:fifo_file rw_file_perms; allow ifconfig_t $1:process sigchld; ') ######################################## ##

## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain, ## and use the caller's terminal. ##

## ## The type of the process performing this action. ## ## ## The role to be allowed the ifconfig domain. ## ## ## The type of the terminal allow the ifconfig domain to use. ## # interface(`sysnet_run_ifconfig',` gen_require(` type ifconfig_t; ') corecmd_search_sbin($1) sysnet_domtrans_ifconfig($1) role $2 types ifconfig_t; allow ifconfig_t $3:chr_file rw_term_perms; ') ####################################### ##

## Execute ifconfig in the caller domain. ##

## ## Domain allowed access. ## # interface(`sysnet_exec_ifconfig',` gen_require(` type ifconfig_exec_t; ') corecmd_search_sbin($1) can_exec($1,ifconfig_exec_t) ') ######################################## ##

## Read the DHCP configuration files. ##

## ## Domain allowed access. ## # interface(`sysnet_read_dhcp_config',` gen_require(` type dhcp_etc_t; ') files_search_etc($1) allow $1 dhcp_etc_t:dir search; allow $1 dhcp_etc_t:file { getattr read }; ') ######################################## ##

## Search the DHCP state data directory. ##

## ## Domain allowed access. ## # interface(`sysnet_search_dhcp_state',` gen_require(` type dhcp_state_t; ') files_search_var_lib($1) allow $1 dhcp_state_t:dir search; ') ######################################## ##

## Create DHCP state data. ##

## ##

## Create DHCP state data. ##

## This is added for DHCP server, as ## the server and client put their state ## files in the same directory. ##

## ## ## Domain allowed access. ## ## ## The type of the object to be created ## ## ## The object class. If not specified, file is used. ## # interface(`sysnet_create_dhcp_state',` gen_require(` type dhcp_state_t; ') files_search_var_lib($1) allow $1 dhcp_state_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 dhcp_state_t:file $2; ',` type_transition $1 dhcp_state_t:$3 $2; ') ') ######################################## ##

## Perform a DNS name resolution. ##

## ## Domain allowed access. ## # interface(`sysnet_dns_name_resolve',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) corenet_tcp_connect_dns_port($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; ') ######################################## ##

## Connect and use a LDAP server. ##

## ## Domain allowed access. ## # interface(`sysnet_use_ldap',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_ldap_port($1) corenet_tcp_bind_all_nodes($1) corenet_tcp_connect_ldap_port($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; ') ######################################## ##

## Connect and use remote port mappers. ##

## ## Domain allowed access. ## # interface(`sysnet_use_portmap',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_tcp_sendrecv_all_if($1) corenet_udp_sendrecv_all_if($1) corenet_raw_sendrecv_all_if($1) corenet_tcp_sendrecv_all_nodes($1) corenet_udp_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1) corenet_tcp_sendrecv_portmap_port($1) corenet_udp_sendrecv_portmap_port($1) corenet_tcp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1) corenet_tcp_connect_portmap_port($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; ')