[selinux-policy: 916/3172] Added rules so that tracepath, traceroute and ping work.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:24:15 UTC 2010


commit 8f882ffcd9e7ab3662dc6a7fdb1d77be7e311009
Author: Don Miner <dminer at tresys.com>
Date:   Wed Nov 2 20:44:17 2005 +0000

    Added rules so that tracepath, traceroute and ping work.

 refpolicy/policy/modules/admin/netutils.te        |   14 +++++++++++++-
 refpolicy/policy/modules/kernel/corenetwork.if.in |   16 ++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 88921ad..98a5ecb 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -95,7 +95,7 @@ ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
 # Ping local policy
 #
 
-allow ping_t self:capability setuid;
+allow ping_t self:capability { setuid net_raw };
 dontaudit ping_t self:capability sys_tty_config;
 
 allow ping_t self:tcp_socket create_socket_perms;
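Review bot: The new `net_raw` capability for ping_t on the `allow ping_t self:capability` line has no accompanying rawip_socket rule in this hunk, so a reader cannot tell from here what the capability is for; presumably `allow ping_t self:rawip_socket create_socket_perms;` already exists elsewhere in the ping section and should be confirmed, since net_raw alone is also what lets a domain emit arbitrary packets. A one-line comment would make the intent explicit: `# ICMP echo uses a raw socket, which the kernel gates on CAP_NET_RAW`. The ping local policy section continues outside the hunk.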
@@ -133,6 +133,8 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 ifdef(`targeted_policy',`
+	term_use_unallocated_tty(ping_t)
+	term_use_generic_pty(ping_t)
 	term_use_all_user_ttys(ping_t)
 	term_use_all_user_ptys(ping_t)
 ',`
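Review bot: The two added calls `term_use_unallocated_tty(ping_t)` and `term_use_generic_pty(ping_t)` widen ping_t's terminal access in the targeted branch without saying why, and unallocated tty access is the broad kind that lets a domain write to any terminal still carrying the generic device label. If the reason is that targeted-policy callers are unconfined and their terminals are never relabeled to per-user tty types, say so above the calls: `# targeted: unconfined callers' terminals keep the unallocated/generic labels`. The else branch of this ifdef begins at the last line and continues outside the hunk.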
@@ -173,6 +175,7 @@ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow traceroute_t self:udp_socket create_socket_perms;
 
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
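Review bot: The added `allow traceroute_t self:udp_socket create_socket_perms;` sits alongside the existing rawip/packet/netlink socket rules with no comment, while the commit message says the goal is making tracepath work; if UDP probes are the mode tracepath (and traceroute by default) uses, a short comment would tie the rule to that requirement: `# UDP probe sockets (default traceroute mode; tracepath)`. That is an inference from the commit title, not from the hunk, so it should be confirmed before being written down.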
@@ -187,6 +190,8 @@ corenet_tcp_sendrecv_all_ports(traceroute_t)
 corenet_udp_sendrecv_all_ports(traceroute_t)
 corenet_udp_bind_all_nodes(traceroute_t)
 corenet_tcp_bind_all_nodes(traceroute_t)
+# traceroute needs this but not tracepath
+corenet_raw_bind_all_nodes(traceroute_t)
 corenet_tcp_connect_all_ports(traceroute_t)
 
 fs_dontaudit_getattr_xattr_fs(traceroute_t)
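Review bot: The comment `# traceroute needs this but not tracepath` above `corenet_raw_bind_all_nodes(traceroute_t)` records who needs the permission but not why, which is the part a later maintainer will want when deciding whether the rule can be tightened. Binding a raw socket is presumably what happens when traceroute selects a source address (for example via `-s`), so a comment such as `# traceroute binds its raw socket to a chosen source address (node_bind); tracepath does not` would be more useful, once confirmed against the tool. Note that the interface this calls carries a comment in the same commit saying node_bind on raw sockets "does not make much sense", which contradicts this line.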
@@ -208,6 +213,13 @@ dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
 
+sysnet_read_config(traceroute_t)
+
+ifdef(`targeted_policy',`
+	term_use_unallocated_tty(traceroute_t)
+	term_use_generic_pty(traceroute_t)
+')
+
 tunable_policy(`user_ping',`
 	term_use_all_user_ttys(traceroute_t)
 	term_use_all_user_ptys(traceroute_t)
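Review bot: The new `ifdef(`targeted_policy'` block grants `term_use_unallocated_tty` and `term_use_generic_pty` to traceroute_t unconditionally, whereas the strict-policy terminal access just below it is gated by the `user_ping` tunable; the asymmetry may be intended but is undocumented, and it also differs from the ping_t targeted branch earlier in this file, which additionally grants all-user tty/pty use. A comment above the ifdef stating the reason, e.g. `# targeted: callers are unconfined, so their terminals carry generic labels; no tunable gate needed`, would prevent someone "fixing" the inconsistency later. The added `sysnet_read_config(traceroute_t)` likewise deserves a word on what it is for (name resolution reads the resolver configuration, presumably). The tunable_policy block at the end continues outside the hunk.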
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 126957c..bd845e4 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -502,6 +502,22 @@ interface(`corenet_udp_bind_all_nodes',`
 
 ########################################
 ## <summary>
+##	Bind raw sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+# rawip_socket node_bind does not make much sense. 
+interface(`corenet_raw_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:rawip_socket node_bind;
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on generic ports.
 ## </summary>
 ## <param name="domain">
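Review bot: The plain comment `# rawip_socket node_bind does not make much sense.` is placed between the XML doc block and `interface(`corenet_raw_bind_all_nodes'`, and it undercuts the interface it documents — the caller in netutils.te added by this same commit says traceroute does need it. Either drop the line or replace it with the actual rationale, for example `# needed by callers that bind a raw socket to a local source address`, so the doc and the implementation agree. Granting node_bind over the whole `node_type` attribute is consistent with the neighbouring `corenet_udp_bind_all_nodes` interface, so the scope itself is fine.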

