[selinux-policy: 916/3172] Added rules so that tracepath, traceroute and ping work.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:24:15 UTC 2010
commit 8f882ffcd9e7ab3662dc6a7fdb1d77be7e311009
Author: Don Miner <dminer at tresys.com>
Date: Wed Nov 2 20:44:17 2005 +0000
Added rules so that tracepath, traceroute and ping work.
refpolicy/policy/modules/admin/netutils.te | 14 +++++++++++++-
refpolicy/policy/modules/kernel/corenetwork.if.in | 16 ++++++++++++++++
2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 88921ad..98a5ecb 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -95,7 +95,7 @@ ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
# Ping local policy
#
-allow ping_t self:capability setuid;
+allow ping_t self:capability { setuid net_raw };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
@@ -133,6 +133,8 @@ ifdef(`hide_broken_symptoms',`
')
ifdef(`targeted_policy',`
+ term_use_unallocated_tty(ping_t)
+ term_use_generic_pty(ping_t)
term_use_all_user_ttys(ping_t)
term_use_all_user_ptys(ping_t)
',`
@@ -173,6 +175,7 @@ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket create_socket_perms;
allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -187,6 +190,8 @@ corenet_tcp_sendrecv_all_ports(traceroute_t)
corenet_udp_sendrecv_all_ports(traceroute_t)
corenet_udp_bind_all_nodes(traceroute_t)
corenet_tcp_bind_all_nodes(traceroute_t)
+# traceroute needs this but not tracepath
+corenet_raw_bind_all_nodes(traceroute_t)
corenet_tcp_connect_all_ports(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t)
@@ -208,6 +213,13 @@ dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t)
files_read_usr_files(traceroute_t)
+sysnet_read_config(traceroute_t)
+
+ifdef(`targeted_policy',`
+ term_use_unallocated_tty(traceroute_t)
+ term_use_generic_pty(traceroute_t)
+')
+
tunable_policy(`user_ping',`
term_use_all_user_ttys(traceroute_t)
term_use_all_user_ptys(traceroute_t)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 126957c..bd845e4 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -502,6 +502,22 @@ interface(`corenet_udp_bind_all_nodes',`
########################################
## <summary>
+## Bind raw sockets to all nodes.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+# rawip_socket node_bind does not make much sense.
+interface(`corenet_raw_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
More information about the scm-commits
mailing list