Chris PeBenito ab58ad
#DESC Ifconfig - Configure network interfaces
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
Chris PeBenito ab58ad
# X-Debian-Packages: net-tools
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
Chris PeBenito ab58ad
#################################
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# Rules for the ifconfig_t domain.
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
# ifconfig_t is the domain for the ifconfig program.
Chris PeBenito ab58ad
# ifconfig_exec_t is the type of the corresponding program.
Chris PeBenito ab58ad
#
Chris PeBenito ab58ad
type ifconfig_t, domain, privlog, privmodule;
Chris PeBenito ab58ad
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
role system_r types ifconfig_t;
Chris PeBenito ab58ad
role sysadm_r types ifconfig_t;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
uses_shlib(ifconfig_t)
Chris PeBenito ab58ad
general_domain_access(ifconfig_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
Chris PeBenito ab58ad
ifdef(`targeted_policy', `', `
Chris PeBenito ab58ad
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
Chris PeBenito ab58ad
')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# for /sbin/ip
Chris PeBenito ab58ad
allow ifconfig_t self:packet_socket create_socket_perms;
Chris PeBenito ab58ad
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
Chris PeBenito ab58ad
allow ifconfig_t self:tcp_socket { create ioctl };
Chris PeBenito ab58ad
allow ifconfig_t etc_t:file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow ifconfig_t self:socket create_socket_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Use capabilities.
Chris PeBenito ab58ad
allow ifconfig_t self:capability { net_raw net_admin };
Chris PeBenito ab58ad
dontaudit ifconfig_t self:capability sys_module;
Chris PeBenito ab58ad
allow ifconfig_t self:capability sys_tty_config;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Inherit and use descriptors from init.
Chris PeBenito ab58ad
allow ifconfig_t { kernel_t init_t }:fd use;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Access /proc
Chris PeBenito ab58ad
r_dir_file(ifconfig_t, proc_t)
Chris PeBenito ab58ad
r_dir_file(ifconfig_t, proc_net_t)
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow ifconfig_t privfd:fd use;
Chris PeBenito ab58ad
allow ifconfig_t run_init_t:fd use;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Create UDP sockets, necessary when called from dhcpc
Chris PeBenito ab58ad
allow ifconfig_t self:udp_socket create_socket_perms;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# Access terminals.
Chris PeBenito ab58ad
can_access_pty(ifconfig_t, initrc)
Chris PeBenito ab58ad
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
Chris PeBenito ab58ad
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow ifconfig_t tun_tap_device_t:chr_file { read write };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
# ifconfig attempts to search some sysctl entries.
Chris PeBenito ab58ad
# Do not audit those attempts; comment out these rules if it is desired to
Chris PeBenito ab58ad
# see the denials.
Chris PeBenito ab58ad
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
allow ifconfig_t fs_t:filesystem getattr;
Chris PeBenito ab58ad
Chris PeBenito ab58ad
read_locale(ifconfig_t)
Chris PeBenito ab58ad
allow ifconfig_t lib_t:file { getattr read };
Chris PeBenito ab58ad
Chris PeBenito ab58ad
rhgb_domain(ifconfig_t)
Chris PeBenito ab58ad
allow ifconfig_t userdomain:fd use;
Chris PeBenito ab58ad
dontaudit ifconfig_t root_t:file read;
Chris PeBenito ab58ad
r_dir_file(ifconfig_t, sysfs_t)