# DESC - Ethereal
#
# Author: Ivan Gyurdiev <ivg2@cornell.edu>
#
#############################################################
# ethereal_networking(app_prefix) -
# socket, capability and DNS rules needed for packet capture;
# applied only to the sysadm instance of ethereal
#
define(`ethereal_networking', `

# Socket classes the capture process creates for itself. The three
# plain socket classes share one permission set, so they are grouped.
allow $1_t self:{ udp_socket tcp_socket packet_socket } create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:netlink_route_socket create_netlink_socket_perms;

# Capabilities: net_raw is what opening a packet_socket requires;
# dac_override and dac_read_search bypass file DAC checks;
# setuid and setgid permit uid/gid changes.
# NOTE(review): dac_override is broad for a capture tool. TODO confirm
# whether dac_read_search alone covers the files it actually opens.
allow $1_t self:capability { dac_override dac_read_search net_raw setgid setuid };

# Host name lookups for captured addresses
can_resolve($1_t)

') dnl ethereal_networking
########################################################
# Ethereal (GNOME)
#
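define(`ethereal_domain', `

# Domain for the ethereal program when started by the $1 user role
type $1_ethereal_t, domain, nscd_client_domain;

# Entering the domain: executing ethereal_exec_t from $1_t
domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
role $1_r types $1_ethereal_t;

# Manual transition from userhelper. The extra process permissions let
# the helper transition without resetting inherited signal state or
# rlimits and without marking the exec AT_SECURE; keep this limited to
# trusted helper domains.
ifdef(`userhelper.te', `
allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
allow $1_ethereal_t userhelperdomain:fd use;
allow $1_ethereal_t userhelperdomain:process sigchld;
') dnl userhelper

# X, GNOME
x_client_domain($1_ethereal, $1)
gnome_application($1_ethereal, $1)
gnome_file_dialog($1_ethereal, $1)

# Ethereal attempts to write under the snmpd var_lib type (unclear why).
# This block is outside the sysadm-only section, so the type must be
# parameterised: a hardcoded sysadm_ethereal_t would leave every other
# instantiation unsuppressed or referencing an undeclared type.
ifdef(`snmpd.te', `
dontaudit $1_ethereal_t snmpd_var_lib_t:file write;
')

# Private home type for the .ethereal directory, created on demand
home_domain($1, ethereal)
file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)

# Packet capture is restricted to the sysadm instance; the networking
# rules are shared with tethereal.
ifelse($1, `sysadm', `
ethereal_networking($1_ethereal)

# Ethereal tries to write to the user terminal and to use fds
# inherited from unprivileged user domains; silence both.
dontaudit $1_ethereal_t user_tty_type:chr_file { read write };
dontaudit $1_ethereal_t unpriv_userdomain:fd use;
', `')

# Temporary files
tmp_domain($1_ethereal)

# Re-executes itself (reason unknown) and searches sbin
can_exec($1_ethereal_t, ethereal_exec_t)
allow $1_ethereal_t sbin_t:dir search;

# Suppress .local denials until properly implemented
dontaudit $1_ethereal_t $1_home_t:dir search;

# FIXME: policy is incomplete

') dnl ethereal_domain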