# Copyright (C) 2005 Tresys Technology, LLC
## <module name="sysnetwork" layer="system">
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>

########################################
#
# sysnetwork_dhcpc_transition(domain)
#
define(`sysnetwork_dhcpc_transition',`
requires_block_template(`$0'_depend)
allow $1 dhcpc_exec_t:file { getattr read execute };
allow $1 dhcpc_t:process transition;
type_transition $1 dhcpc_exec_t:process dhcpc_t;
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
allow $1 dhcpc_t:fd use;
allow dhcpc_t $1:fd use;
allow dhcpc_t $1:fifo_file rw_file_perms;
allow dhcpc_t $1:process sigchld;
')

define(`sysnetwork_dhcpc_transition_depend',`
type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')

#######################################
## <interface name="sysnetwork_ifconfig_transition">
##	<description>
##		Execute ifconfig in the ifconfig domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`sysnetwork_ifconfig_transition',`
requires_block_template(`$0'_depend)
allow $1 ifconfig_exec_t:file { getattr read execute };
allow $1 ifconfig_t:process transition;
type_transition $1 ifconfig_exec_t:process ifconfig_t;
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
allow $1 ifconfig_t:fd use;
allow ifconfig_t $1:fd use;
allow ifconfig_t $1:fifo_file rw_file_perms;
allow ifconfig_t $1:process sigchld;
')

define(`sysnetwork_ifconfig_transition_depend',`
type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')

########################################
## <interface name="sysnetwork_ifconfig_transition_add_role_use_terminal">
##	<description>
##		Execute ifconfig in the ifconfig domain, and
##		allow the specified role the ifconfig domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the ifconfig domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the ifconfig domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',`
requires_block_template(`$0'_depend)
sysnetwork_ifconfig_transition($1)
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file { getattr read write ioctl };
')

define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
type ifconfig_t;
class chr_file { getattr read write ioctl };
')

########################################
#
# sysnetwork_read_network_config(domain)
#
define(`sysnetwork_read_network_config',`
requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1)
allow $1 net_conf_t:file { getattr read };
')

define(`sysnetwork_read_network_config_depend',`
type net_conf_t;
class file { getattr read };
')

## </module>