#DESC Netutils - Network utilities
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil>
# X-Debian-Packages: netbase iputils arping tcpdump
#

#
# Rules for the netutils_t domain.
# This domain is for network utilities that require access to
# special protocol families.
#
# Entry into netutils_t is by executing a netutils_exec_t file from
# initrc_t, and from sysadm_t when not building the targeted policy
# (see the domain_auto_trans rules below).
#
type netutils_t, domain, privlog;
type netutils_exec_t, file_type, sysadmfile, exec_type;
role system_r types netutils_t;
role sysadm_r types netutils_t;

uses_shlib(netutils_t)
can_network(netutils_t)
# name_connect against port_type covers every labeled port, not one
# service port; this is the widest outbound TCP reach the domain gets.
allow netutils_t port_type:tcp_socket name_connect;
can_ypbind(netutils_t)
tmp_domain(netutils)

# Domain entry: always from init scripts; from the sysadmin domain
# only outside the targeted policy.
domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
')

# Inherit and use descriptors from init and from user domains
# (userdomain is an attribute covering all user login domains).
allow netutils_t { userdomain init_t }:fd use;

allow netutils_t self:process { fork signal_perms };

# Perform network administration operations and have raw access to the network.
# setuid/setgid sit next to net_admin/net_raw; presumably so a utility can
# drop privileges after opening its raw socket (as the packages listed in
# the header tend to do) -- confirm before trimming this set.
allow netutils_t self:capability { net_admin net_raw setuid setgid };

# Create and use netlink sockets.
# nlmsg_write covers privileged (state-changing) route messages,
# not only reads of the routing table.
allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };

# Create and use packet sockets.
allow netutils_t self:packet_socket create_socket_perms;

# Create and use UDP sockets.
allow netutils_t self:udp_socket create_socket_perms;

# Create and use TCP sockets.
allow netutils_t self:tcp_socket create_socket_perms;

allow netutils_t self:unix_stream_socket create_socket_perms;

# Read certain files in /etc
allow netutils_t etc_t:file r_file_perms;
read_locale(netutils_t)

# statfs-style queries on fs_t filesystems.
allow netutils_t fs_t:filesystem getattr;

# Access terminals.
allow netutils_t privfd:fd use;
can_access_pty(netutils_t, initrc)
allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
# Search /proc.
allow netutils_t proc_t:dir search;

# for nscd
# Silence, rather than permit, the var_t directory search that nscd
# lookups attempt.
dontaudit netutils_t var_t:dir search;