|
Chris PeBenito |
ab58ad |
#DESC Ifconfig - Configure network interfaces
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
|
|
Chris PeBenito |
ab58ad |
# X-Debian-Packages: net-tools
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
#################################
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# Rules for the ifconfig_t domain.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
# ifconfig_t is the domain for the ifconfig program.
|
|
Chris PeBenito |
ab58ad |
# ifconfig_exec_t is the type of the corresponding program.
|
|
Chris PeBenito |
ab58ad |
#
|
|
Chris PeBenito |
ab58ad |
type ifconfig_t, domain, privlog, privmodule;
|
|
Chris PeBenito |
ab58ad |
type ifconfig_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
role system_r types ifconfig_t;
|
|
Chris PeBenito |
ab58ad |
role sysadm_r types ifconfig_t;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
uses_shlib(ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
general_domain_access(ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
ifdef(`targeted_policy', `', `
|
|
Chris PeBenito |
ab58ad |
domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# for /sbin/ip
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:packet_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:tcp_socket { create ioctl };
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t etc_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Use capabilities.
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:capability { net_raw net_admin };
|
|
Chris PeBenito |
ab58ad |
dontaudit ifconfig_t self:capability sys_module;
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:capability sys_tty_config;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Inherit and use descriptors from init.
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t { kernel_t init_t }:fd use;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Access /proc
|
|
Chris PeBenito |
ab58ad |
r_dir_file(ifconfig_t, proc_t)
|
|
Chris PeBenito |
ab58ad |
r_dir_file(ifconfig_t, proc_net_t)
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t privfd:fd use;
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t run_init_t:fd use;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Create UDP sockets, necessary when called from dhcpc
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t self:udp_socket create_socket_perms;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# Access terminals.
|
|
Chris PeBenito |
ab58ad |
can_access_pty(ifconfig_t, initrc)
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
|
Chris PeBenito |
ab58ad |
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
# ifconfig attempts to search some sysctl entries.
|
|
Chris PeBenito |
ab58ad |
# Do not audit those attempts; comment out these rules if it is desired to
|
|
Chris PeBenito |
ab58ad |
# see the denials.
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t fs_t:filesystem getattr;
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
read_locale(ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t lib_t:file { getattr read };
|
|
Chris PeBenito |
ab58ad |
|
|
Chris PeBenito |
ab58ad |
rhgb_domain(ifconfig_t)
|
|
Chris PeBenito |
ab58ad |
allow ifconfig_t userdomain:fd use;
|
|
Chris PeBenito |
ab58ad |
dontaudit ifconfig_t root_t:file read;
|
|
Chris PeBenito |
ab58ad |
r_dir_file(ifconfig_t, sysfs_t)
|