#DESC Ping - Send ICMP messages to network hosts
#
# Author: David A. Wheeler <dwheeler@ida.org>
# X-Debian-Packages: iputils-ping netkit-ping iputils-arping arping hping2
#
#################################
#
# Rules for the ping_t domain.
#
# ping_t is the domain for the ping program.
# ping_exec_t is the type of the corresponding program.
#
# ping_t: the domain the ping program runs in.  The extra attributes are
# defined elsewhere in the policy; privlog and nscd_client_domain presumably
# grant syslog and nscd access respectively (confirm in the attribute files).
type ping_t, domain, privlog, nscd_client_domain;
# Roles allowed to hold ping_t.  sysadm_r and system_r are unconditional;
# the macro on the third line also makes the type valid in the unprivileged
# user roles.  Being a valid role/type pair is not the same as being able
# to enter the domain: in the strict policy that is gated by the user_ping
# boolean below, and only the sysadm_t and initrc_t transitions are
# unconditional.
role sysadm_r types ping_t;
role system_r types ping_t;
in_user_role(ping_t)
# ping_exec_t: entry point type for the ping binaries (ping, and presumably
# arping and hping2 as well, given the package list in the header).
# exec_type and sysadmfile are attributes defined elsewhere; exec_type is
# what allows the file to be used as a domain entry point.
type ping_exec_t, file_type, sysadmfile, exec_type;
ifdef(`targeted_policy', `
# Targeted policy: no user boolean and no user-domain transition here, only
# terminal access; ping_t is entered through the sysadm_t and initrc_t
# transitions further down.
allow ping_t { devpts_t ttyfile ptyfile }:chr_file rw_file_perms;
', `
# Strict policy: unprivileged users get to run ping inside the confined
# ping_t domain only when the user_ping boolean is on.  It defaults to off.
# SECURITY NOTE: turning it on gives every unprivileged user domain the
# net_raw capability and rawip_socket access granted to ping_t below, i.e.
# the ability to emit raw IP packets through any binary labeled ping_exec_t
# (arping and hping2 are presumably labeled that way too, per the header).
bool user_ping false;

if (user_ping) {
# running a ping_exec_t file from an unprivileged user domain lands in ping_t
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
# allow access to the terminal so output reaches the user tty or pty
allow ping_t { ttyfile ptyfile }:chr_file rw_file_perms;
# inherit the pty fd from gnome-pty-helper when that module is built
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
}
')
# Transition into this domain when you run this program.
# These two are unconditional; the user-domain transition (strict policy
# only) lives under the user_ping boolean above.
domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
domain_auto_trans(initrc_t, ping_exec_t, ping_t)

# Runtime needs: shared libraries, client-side networking, and name lookup.
# These macros are defined elsewhere; check the macro files for exactly
# what each one grants before assuming it is minimal.
uses_shlib(ping_t)
can_network_client(ping_t)
can_resolve(ping_t)
# TCP connect to the DNS port as well, presumably for TCP fallback on large
# responses; UDP is expected to be covered by the resolver macro above.
allow ping_t dns_port_t:tcp_socket name_connect;
# NIS lookups, presumably when the resolver is configured for them.
can_ypbind(ping_t)
# Read-only access to generic /etc files (resolver and nsswitch
# configuration, presumably).  No write or create is granted here.
allow ping_t etc_t:file { getattr read };
# Unix stream sockets to itself, presumably for the nscd client side.
allow ping_t self:unix_stream_socket create_socket_perms;
# Let ping create raw ICMP packets.
# SECURITY NOTE: the rawip_socket class is not protocol-specific, so this
# rule allows raw sockets for any IP protocol, not only ICMP; the only thing
# limiting what goes on the wire is the program labeled ping_exec_t.  connect
# is not granted; bind is kept (presumably for selecting a source address).
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

# Use capabilities.
# net_raw is needed to open the raw socket above.  setuid is presumably
# there so the setuid-root binary can switch back to the invoking uid once
# the socket exists (confirm against the binary).  Nothing here grants
# setgid, dac_override or net_admin; keep it that way.
allow ping_t self:capability { net_raw setuid };
# Access the terminal.
# Administrator terminals and fds inherited from the privileged callers that
# transition in above (sysadm_t, initrc_t); user-role terminal access is
# handled under the user_ping boolean instead.
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
allow ping_t privfd:fd use;
# Quietly refuse filesystem getattr (statfs-style probes, presumably).
dontaudit ping_t fs_t:filesystem getattr;

# it tries to access /var/run
# The dontaudit rules below only silence denials; they grant nothing.  If a
# real need for one of these ever shows up, add a narrow allow rule rather
# than widening the dontaudit.
dontaudit ping_t var_t:dir search;
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
ifdef(`hide_broken_symptoms', `
# built with symptom hiding: drop the denial for inheriting an fd from init
dontaudit ping_t init_t:fd use;
')