#DESC Ping - Send ICMP messages to network hosts # # Author: David A. Wheeler <dwheeler@ida.org> # X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2 # ################################# # # Rules for the ping_t domain. # # ping_t is the domain for the ping program. # ping_exec_t is the type of the corresponding program. # type ping_t, domain, privlog, nscd_client_domain; role sysadm_r types ping_t; role system_r types ping_t; in_user_role(ping_t) type ping_exec_t, file_type, sysadmfile, exec_type; ifdef(`targeted_policy', ` allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms; ', ` bool user_ping false; if (user_ping) { domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t) # allow access to the terminal allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;') } ') # Transition into this domain when you run this program. domain_auto_trans(sysadm_t, ping_exec_t, ping_t) domain_auto_trans(initrc_t, ping_exec_t, ping_t) uses_shlib(ping_t) can_network_client(ping_t) can_resolve(ping_t) can_ypbind(ping_t) allow ping_t etc_t:file { getattr read }; allow ping_t self:unix_stream_socket create_socket_perms; # Let ping create raw ICMP packets. allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; # Use capabilities. allow ping_t self:capability { net_raw setuid }; # Access the terminal. allow ping_t admin_tty_type:chr_file rw_file_perms; ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;') allow ping_t privfd:fd use; dontaudit ping_t fs_t:filesystem getattr; # it tries to access /var/run dontaudit ping_t var_t:dir search; dontaudit ping_t devtty_t:chr_file { read write }; dontaudit ping_t self:capability sys_tty_config; ifdef(`hide_broken_symptoms', ` allow ping_t init_t:fd use; ')