rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
1786071159
selinux-policy/refpolicy/policy/modules/admin/netutils.te
Chris PeBenito dd14d0d892 change read_shared_libraries to use_shared_libraries, since the execute 
permission is checked when using shared libs to execute code in them, which
is not the same as just reading the shared libs.
2005-05-17 15:32:52 +00:00

221 lines
7.2 KiB
Plaintext
Raw Blame History

# Copyright (C) 2005 Tresys Technology, LLC
policy_module(devices,1.0)
########################################
#
# Declarations
#
type netutils_t;
type netutils_exec_t;
init_make_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t;
type netutils_tmp_t;
files_make_temporary_file(netutils_tmp_t)
type ping_t; #, nscd_client_domain;
type ping_exec_t;
init_make_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;
type traceroute_t; #, nscd_client_domain;
type traceroute_exec_t;
init_make_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t;
#
# Control users use of ping and traceroute
#
bool user_ping false;
########################################
#
# Netutils local policy
#
# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { net_admin net_raw setuid setgid };
allow netutils_t self:process { sigkill sigstop signull signal };
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
allow netutils_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t self:udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow netutils_t netutils_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
allow netutils_t netutils_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir })
corenetwork_network_tcp_on_all_interfaces(netutils_t)
corenetwork_network_raw_on_all_interfaces(netutils_t)
corenetwork_network_udp_on_all_interfaces(netutils_t)
corenetwork_network_tcp_on_all_nodes(netutils_t)
corenetwork_network_raw_on_all_nodes(netutils_t)
corenetwork_network_udp_on_all_nodes(netutils_t)
corenetwork_network_tcp_on_all_ports(netutils_t)
corenetwork_network_udp_on_all_ports(netutils_t)
corenetwork_bind_tcp_on_all_nodes(netutils_t)
corenetwork_bind_udp_on_all_nodes(netutils_t)
filesystem_get_persistent_filesystem_attributes(netutils_t)
init_use_file_descriptors(netutils_t)
init_script_use_pseudoterminal(netutils_t)
domain_use_widely_inheritable_file_descriptors(netutils_t)
files_read_general_system_config(netutils_t)
# for nscd
files_ignore_search_system_state_data_directory(netutils_t)
libraries_use_dynamic_loader(netutils_t)
libraries_use_shared_libraries(netutils_t)
logging_send_system_log_message(netutils_t)
miscfiles_read_localization(netutils_t)
ifdef(`TODO',`
role sysadm_r types netutils_t;
can_ypbind(netutils_t)
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
# Inherit and use descriptors from init.
allow netutils_t userdomain:fd use;
# Access terminals.
allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;
') dnl end TODO
########################################
#
# Ping local policy
#
allow ping_t self:capability setuid;
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow ping_t self:udp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
corenetwork_network_tcp_on_all_interfaces(ping_t)
corenetwork_network_udp_on_all_interfaces(ping_t)
corenetwork_network_raw_on_all_interfaces(ping_t)
corenetwork_network_raw_on_all_nodes(ping_t)
corenetwork_network_tcp_on_all_nodes(ping_t)
corenetwork_network_udp_on_all_nodes(ping_t)
corenetwork_network_tcp_on_all_ports(ping_t)
corenetwork_network_udp_on_all_ports(ping_t)
corenetwork_bind_udp_on_all_nodes(ping_t)
corenetwork_bind_tcp_on_all_nodes(ping_t)
filesystem_ignore_get_persistent_filesystem_attributes(ping_t)
domain_use_widely_inheritable_file_descriptors(ping_t)
files_read_general_system_config(ping_t)
files_ignore_search_system_state_data_directory(ping_t)
libraries_use_dynamic_loader(ping_t)
libraries_use_shared_libraries(ping_t)
sysnetwork_read_network_config(ping_t)
logging_send_system_log_message(ping_t)
if (user_ping) {
terminal_use_all_private_physical_terminals(ping_t)
terminal_use_all_private_pseudoterminals(ping_t)
}
ifdef(`TODO',`
can_ypbind(ping_t)
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
role sysadm_r types ping_t;
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
in_user_role(ping_t)
if (user_ping) {
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
}
') dnl end TODO
########################################
#
# Traceroute local policy
#
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow traceroute_t self:packet_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
corenetwork_network_tcp_on_all_interfaces(traceroute_t)
corenetwork_network_udp_on_all_interfaces(traceroute_t)
corenetwork_network_raw_on_all_interfaces(traceroute_t)
corenetwork_network_raw_on_all_nodes(traceroute_t)
corenetwork_network_tcp_on_all_nodes(traceroute_t)
corenetwork_network_udp_on_all_nodes(traceroute_t)
corenetwork_network_tcp_on_all_ports(traceroute_t)
corenetwork_network_udp_on_all_ports(traceroute_t)
corenetwork_bind_udp_on_all_nodes(traceroute_t)
corenetwork_bind_tcp_on_all_nodes(traceroute_t)
filesystem_ignore_get_persistent_filesystem_attributes(traceroute_t)
domain_use_widely_inheritable_file_descriptors(traceroute_t)
files_read_general_system_config(traceroute_t)
files_ignore_search_system_state_data_directory(traceroute_t)
libraries_use_dynamic_loader(traceroute_t)
libraries_use_shared_libraries(traceroute_t)
logging_send_system_log_message(traceroute_t)
miscfiles_read_localization(traceroute_t)
#rules needed for nmap
devices_get_random_data(traceroute_t)
devices_get_pseudorandom_data(traceroute_t)
files_read_general_application_resources(traceroute_t)
if (user_ping) {
terminal_use_all_private_physical_terminals(traceroute_t)
terminal_use_all_private_pseudoterminals(traceroute_t)
}
ifdef(`TODO',`
role sysadm_r types traceroute_t;
can_ypbind(traceroute_t)
# Transition into this domain when you run this program.
domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
# Access the terminal.
allow traceroute_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
in_user_role(traceroute_t)
if (user_ping) {
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
}
#rules needed for nmap
dontaudit traceroute_t userdomain:dir search;
') dnl end TODO
Reference in New Issue View Git Blame Copy Permalink