Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/system/sysnetwork.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/system/sysnetwork.if')
-rw-r--r--policy/modules/system/sysnetwork.if741
1 files changed, 741 insertions, 0 deletions
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
new file mode 100644
index 000000000..c7f6a4a71
--- /dev/null
+++ b/policy/modules/system/sysnetwork.if
@@ -0,0 +1,741 @@
+## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
+
+#######################################
+## <summary>
+## Execute dhcp client in dhcpc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sysnet_domtrans_dhcpc',`
+ gen_require(`
+ type dhcpc_t, dhcpc_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
+')
+
+########################################
+## <summary>
+## Execute DHCP clients in the dhcpc domain, and
+## allow the specified role the dhcpc domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_run_dhcpc',`
+ gen_require(`
+ attribute_role dhcpc_roles;
+ ')
+
+ sysnet_domtrans_dhcpc($1)
+ roleattribute $2 dhcpc_roles;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to use
+## the dhcp file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_use_dhcpc_fds',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to read/write to
+## the dhcp unix stream socket descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:unix_stream_socket { read write };
+')
+
+
+
+########################################
+## <summary>
+## Send a SIGCHLD signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_sigchld_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Send a kill signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_kill_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send a SIGSTOP signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_sigstop_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process sigstop;
+')
+
+########################################
+## <summary>
+## Send a null signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_signull_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process signull;
+')
+
+########################################
+## <summary>
+## Send a generic signal to the dhcp client.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ allow $1 dhcpc_t:process signal;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## dhcpc over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_dbus_chat_dhcpc',`
+ gen_require(`
+ type dhcpc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 dhcpc_t:dbus send_msg;
+ allow dhcpc_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Read and write dhcp configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_rw_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Search the DHCP client state
+## directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcpc_state_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Read dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+## Delete the dhcp client state files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_state',`
+ gen_require(`
+ type dhcpc_state_t;
+ ')
+
+ delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+#######################################
+## <summary>
+## Set the attributes of network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_setattr_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file setattr;
+')
+
+#######################################
+## <summary>
+## Read network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read the
+## general network configuration files. A
+## common example of this is the
+## /etc/resolv.conf file, which has domain
+## name system (DNS) server IP addresses.
+## Typically, most networking processes will
+## require the access provided by this interface.
+## </p>
+## <p>
+## Higher-level interfaces which involve
+## networking will generally call this interface,
+## for example:
+## </p>
+## <ul>
+## <li>sysnet_dns_name_resolve()</li>
+## <li>sysnet_use_ldap()</li>
+## <li>sysnet_use_portmap()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file read_file_perms;
+
+ ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
+ read_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ dontaudit $1 net_conf_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Write network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_write_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file write_file_perms;
+')
+
+#######################################
+## <summary>
+## Create network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_create_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+## Create files in /etc with the type used for
+## the network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_etc_filetrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_etc_filetrans($1, net_conf_t, file)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete network config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:file manage_file_perms;
+
+ ifdef(`distro_redhat',`
+ manage_files_pattern($1, net_conf_t, net_conf_t)
+ ')
+')
+
+#######################################
+## <summary>
+## Read the dhcp client pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ files_list_pids($1)
+ allow $1 dhcpc_var_run_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
+## Delete the dhcp client pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_delete_dhcpc_pid',`
+ gen_require(`
+ type dhcpc_var_run_t;
+ ')
+
+ allow $1 dhcpc_var_run_t:file unlink;
+')
+
+#######################################
+## <summary>
+## Execute ifconfig in the ifconfig domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sysnet_domtrans_ifconfig',`
+ gen_require(`
+ type ifconfig_t, ifconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
+')
+
+########################################
+## <summary>
+## Execute ifconfig in the ifconfig domain, and
+## allow the specified role the ifconfig domain,
+## and use the caller's terminal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_run_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ corecmd_search_bin($1)
+ sysnet_domtrans_ifconfig($1)
+ role $2 types ifconfig_t;
+')
+
+#######################################
+## <summary>
+## Execute ifconfig in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_exec_ifconfig',`
+ gen_require(`
+ type ifconfig_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ifconfig_exec_t)
+')
+
+########################################
+## <summary>
+## Send a generic signal to ifconfig.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_signal_ifconfig',`
+ gen_require(`
+ type ifconfig_t;
+ ')
+
+ allow $1 ifconfig_t:process signal;
+')
+
+########################################
+## <summary>
+## Read the DHCP configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_read_dhcp_config',`
+ gen_require(`
+ type dhcp_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 dhcp_etc_t:dir list_dir_perms;
+ read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
+')
+
+########################################
+## <summary>
+## Search the DHCP state data directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_search_dhcp_state',`
+ gen_require(`
+ type dhcp_state_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dhcp_state_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create DHCP state data.
+## </summary>
+## <desc>
+## <p>
+## Create DHCP state data.
+## </p>
+## <p>
+## This is added for DHCP server, as
+## the server and client put their state
+## files in the same directory.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+#
+interface(`sysnet_dhcp_state_filetrans',`
+ gen_require(`
+ type dhcp_state_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, dhcp_state_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Perform a DNS name resolution.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysnet_dns_name_resolve',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+ allow $1 self:netlink_route_socket r_netlink_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_dns_port($1)
+ corenet_udp_sendrecv_dns_port($1)
+ corenet_tcp_connect_dns_port($1)
+ corenet_sendrecv_dns_client_packets($1)
+
+ sysnet_read_config($1)
+
+ optional_policy(`
+ avahi_stream_connect($1)
+ ')
+
+ optional_policy(`
+ nscd_socket_use($1)
+ ')
+')
+
+########################################
+## <summary>
+## Connect and use a LDAP server.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_use_ldap',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_ldap_port($1)
+ corenet_tcp_connect_ldap_port($1)
+ corenet_sendrecv_ldap_client_packets($1)
+
+ # Support for LDAPS
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ sysnet_read_config($1)
+')
+
+########################################
+## <summary>
+## Connect and use remote port mappers.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_use_portmap',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 self:tcp_socket create_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_generic_node($1)
+ corenet_udp_sendrecv_generic_node($1)
+ corenet_tcp_sendrecv_portmap_port($1)
+ corenet_udp_sendrecv_portmap_port($1)
+ corenet_tcp_connect_portmap_port($1)
+ corenet_sendrecv_portmap_client_packets($1)
+
+ sysnet_read_config($1)
+')