#DESC uml_net helper program for user-mode Linux
#
# Author: Russell Coker <russell@coker.com.au>
#
# WARNING: Do not install this file on any machine that has hostile users.
# Process type for the uml_net helper, declared with the domain and privlog
# attributes. NOTE(review): privlog presumably marks domains allowed to send
# messages to the system logger; confirm against the attribute definitions.
type uml_net_t, domain, privlog;
# File type carrying the file_type, sysadmfile and exec_type attributes;
# by its name and exec_type attribute it is the label for the uml_net binary.
# No domain-transition rule for this type appears in this file.
type uml_net_exec_t, file_type, sysadmfile, exec_type;
# in_user_role is a macro defined outside this file. NOTE(review): presumably
# it authorizes uml_net_t for the ordinary user roles, which would make this
# domain reachable by unprivileged users (see the WARNING in the header);
# confirm against the macro definition.
in_user_role(uml_net_t)
# The domain may fork and use the permissions in signal_perms (a set defined
# outside this file) on its own processes only: the target is self.
allow uml_net_t self:process { fork signal_perms };
# Path traversal (search) through bin_t and sbin_t directories. This rule
# grants no other directory permission.
allow uml_net_t { bin_t sbin_t }:dir search;
# Read and write on FIFOs labelled with the domain's own type.
allow uml_net_t self:fifo_file { read write };
# Path traversal through device_t directories (presumably /dev), so that
# device nodes can be reached by path.
allow uml_net_t device_t:dir search;
# Create a UDP socket and issue ioctls on it. This rule grants no bind,
# connect, read or write, so the socket looks like a handle for interface
# ioctls rather than for traffic. NOTE(review): purpose inferred, confirm.
allow uml_net_t self:udp_socket { create ioctl };
# uses_shlib is a macro defined outside this file; presumably it grants the
# access needed to load shared libraries. Confirm against the macro definition.
uses_shlib(uml_net_t)
# Read and write on devtty_t character devices (presumably /dev/tty, the
# caller's controlling terminal).
allow uml_net_t devtty_t:chr_file { read write };
# Stat and read files labelled etc_runtime_t. No write access is granted.
allow uml_net_t etc_runtime_t:file { getattr read };
# Read on etc_t files. Unlike the etc_runtime_t rule, getattr is not granted.
# NOTE(review): etc_t looks like the general configuration-file label, so
# this covers every file carrying it; confirm the helper needs that breadth.
allow uml_net_t etc_t:file read;
# Path traversal through proc_t, sysctl_t and sysctl_net_t directories.
# The same search on sysctl_t and sysctl_net_t is also listed in a dontaudit
# rule further down this file.
allow uml_net_t { proc_t sysctl_t sysctl_net_t }:dir search;
# Stat and read files labelled proc_t. No write access is granted.
allow uml_net_t proc_t:file { getattr read };
# if you want ip_forward to be set then you should set it yourself
# dontaudit suppresses the audit record for a denied access; it grants nothing.
# NOTE(review): an allow rule earlier in this file already grants uml_net_t
# search on sysctl_t and sysctl_net_t directories, so this rule appears to
# have no effect as written; confirm which of the two is intended.
dontaudit uml_net_t { sysctl_t sysctl_net_t }:dir search;
# Writes to sysctl_net_t files are not allowed anywhere in this file, and this
# rule keeps the resulting denial out of the audit log. The helper's attempt
# to change a network sysctl (the ip_forward case noted above) therefore fails
# silently: do not expect an AVC record when investigating this domain.
dontaudit uml_net_t sysctl_net_t:file write;
# Silences denials when the ifconfig_t domain reads or writes a UDP socket
# labelled uml_net_t. The access itself is not granted.
# NOTE(review): presumably the socket is a descriptor inherited when the
# helper runs ifconfig; confirm.
dontaudit ifconfig_t uml_net_t:udp_socket { read write };
# The sys_module capability is not allowed anywhere in this file; this rule
# only stops the denial from being logged. Caveat for monitoring: an attempt
# by this domain to use sys_module leaves no AVC record while the rule is
# active.
dontaudit uml_net_t self:capability sys_module;
# Read, write, stat and ioctl on the TUN/TAP character device type. This is
# the access that lets the helper set up virtual network interfaces.
allow uml_net_t tun_tap_device_t:chr_file { read write getattr ioctl };
# can_exec is a macro defined outside this file. NOTE(review): presumably it
# lets uml_net_t execute shell_exec_t and sbin_t files without a domain
# transition, so the shell and any sbin program it starts would stay in
# uml_net_t and be limited to the rules above; confirm against the macro.
# sbin_t covers more than the specific tools the helper needs.
can_exec(uml_net_t, { shell_exec_t sbin_t })