## <summary>Network analysis utilities</summary> ######################################## ## <summary> ## Execute network utilities in the netutils domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_domtrans',` gen_require(` type netutils_t, netutils_exec_t; ') domain_auto_trans($1,netutils_exec_t,netutils_t) allow $1 netutils_t:fd use; allow netutils_t $1:fd use; allow netutils_t $1:fifo_file rw_file_perms; allow netutils_t $1:process sigchld; ') ######################################## ## <summary> ## Execute network utilities in the netutils domain, and ## allow the specified role the netutils domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the netutils domain. ## </summary> ## </param> ## <param name="terminal"> ## <summary> ## The type of the terminal allow the netutils domain to use. ## </summary> ## </param> # interface(`netutils_run',` gen_require(` type netutils_t; ') netutils_domtrans($1) role $2 types netutils_t; allow netutils_t $3:chr_file rw_term_perms; ') ######################################## ## <summary> ## Execute network utilities in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_exec',` gen_require(` type netutils_exec_t; ') can_exec($1,netutils_exec_t) ') ######################################## ## <summary> ## Execute ping in the ping domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_domtrans_ping',` gen_require(` type ping_t, ping_exec_t; ') domain_auto_trans($1,ping_exec_t,ping_t) allow $1 ping_t:fd use; allow ping_t $1:fd use; allow ping_t $1:fifo_file rw_file_perms; allow ping_t $1:process sigchld; ') ######################################## ## <summary> ## Send a kill (SIGKILL) signal to ping. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_kill_ping',` gen_require(` type ping_t; ') allow $1 ping_t:process sigkill; ') ######################################## ## <summary> ## Send generic signals to ping. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_signal_ping',` gen_require(` type ping_t; ') allow $1 ping_t:process signal; ') ######################################## ## <summary> ## Execute ping in the ping domain, and ## allow the specified role the ping domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the ping domain. ## </summary> ## </param> ## <param name="terminal"> ## <summary> ## The type of the terminal allow the ping domain to use. ## </summary> ## </param> # interface(`netutils_run_ping',` gen_require(` type ping_t; ') netutils_domtrans_ping($1) role $2 types ping_t; allow ping_t $3:chr_file rw_term_perms; ') ######################################## ## <summary> ## Conditionally execute ping in the ping domain, and ## allow the specified role the ping domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the ping domain. ## </summary> ## </param> ## <param name="terminal"> ## <summary> ## The type of the terminal allow the ping domain to use. ## </summary> ## </param> # interface(`netutils_run_ping_cond',` gen_require(` type ping_t; bool user_ping; ') role $2 types ping_t; if ( user_ping ) { netutils_domtrans_ping($1) allow ping_t $3:chr_file rw_term_perms; } ') ######################################## ## <summary> ## Execute ping in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_exec_ping',` gen_require(` type ping_exec_t; ') can_exec($1,ping_exec_t) ') ######################################## ## <summary> ## Execute traceroute in the traceroute domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_domtrans_traceroute',` gen_require(` type traceroute_t, traceroute_exec_t; ') domain_auto_trans($1,traceroute_exec_t,traceroute_t) allow $1 traceroute_t:fd use; allow traceroute_t $1:fd use; allow traceroute_t $1:fifo_file rw_file_perms; allow traceroute_t $1:process sigchld; ') ######################################## ## <summary> ## Execute traceroute in the traceroute domain, and ## allow the specified role the traceroute domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the traceroute domain. ## </summary> ## </param> ## <param name="terminal"> ## <summary> ## The type of the terminal allow the traceroute domain to use. ## </summary> ## </param> # interface(`netutils_run_traceroute',` gen_require(` type traceroute_t; ') netutils_domtrans_traceroute($1) role $2 types traceroute_t; allow traceroute_t $3:chr_file rw_term_perms; ') ######################################## ## <summary> ## Conditionally execute traceroute in the traceroute domain, and ## allow the specified role the traceroute domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <param name="role"> ## <summary> ## The role to be allowed the traceroute domain. ## </summary> ## </param> ## <param name="terminal"> ## <summary> ## The type of the terminal allow the traceroute domain to use. ## </summary> ## </param> # interface(`netutils_run_traceroute_cond',` gen_require(` type traceroute_t; bool user_ping; ') role $2 types traceroute_t; if( user_ping ) { netutils_domtrans_traceroute($1) allow traceroute_t $3:chr_file rw_term_perms; } ') ######################################## ## <summary> ## Execute traceroute in the caller domain. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`netutils_exec_traceroute',` gen_require(` type traceroute_exec_t; ') can_exec($1,traceroute_exec_t) ')