#DESC Traceroute - Display network routes
#
# Author: Russell Coker <russell@coker.com.au>
# based on the work of David A. Wheeler <dwheeler@ida.org>
# X-Debian-Packages: traceroute lft
#
#################################
#
# Rules for the traceroute_t domain.
#
# traceroute_t is the domain for the traceroute program.
# traceroute_exec_t is the type of the corresponding program.
#
type traceroute_t, domain, privlog, nscd_client_domain;
role sysadm_r types traceroute_t;
role system_r types traceroute_t;
# for user_ping (see the ping.te block below):
in_user_role(traceroute_t)
uses_shlib(traceroute_t)
can_network_client(traceroute_t)
can_ypbind(traceroute_t)
allow traceroute_t node_t:rawip_socket node_bind;
type traceroute_exec_t, file_type, sysadmfile, exec_type;
# Transition into this domain when you run this program.
domain_auto_trans(initrc_t, traceroute_exec_t, traceroute_t)
domain_auto_trans(sysadm_t, traceroute_exec_t, traceroute_t)
allow traceroute_t etc_t:file { getattr read };
# Use capabilities.
# net_raw covers the raw/packet sockets granted below; net_admin is
# considerably broader for a route-display tool. Confirm which of
# traceroute/lft actually needs net_admin before keeping it.
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow traceroute_t self:unix_stream_socket create_socket_perms;
allow traceroute_t device_t:dir search;
# For lft: packet socket plus /proc reads.
allow traceroute_t self:packet_socket create_socket_perms;
r_dir_file(traceroute_t, proc_t)
r_dir_file(traceroute_t, proc_net_t)
# Access the terminal.
allow traceroute_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
allow traceroute_t privfd:fd use;
# Not needed; just silence these denials.
dontaudit traceroute_t fs_t:filesystem getattr;
dontaudit traceroute_t var_t:dir search;
ifdef(`ping.te', `
if (user_ping) {
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
# allow access to the terminal
allow traceroute_t { ttyfile ptyfile }:chr_file rw_file_perms;
}
')
# Rules needed for nmap.
allow traceroute_t { urandom_device_t random_device_t }:chr_file r_file_perms;
allow traceroute_t usr_t:file { getattr read };
read_locale(traceroute_t)
dontaudit traceroute_t userdomain:dir search;