[selinux-policy: 1914/3172] trunk: add wireshark.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:50:25 UTC 2010


commit 6e2123fc72a3a3f649002d94c9b24a4d3dd4a21c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Mar 14 15:26:52 2008 +0000

    trunk: add wireshark.

 Changelog                        |    1 +
 policy/modules/apps/wireshark.fc |    3 +
 policy/modules/apps/wireshark.if |  249 ++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/wireshark.te |   10 ++
 4 files changed, 263 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 3691938..1f849e2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add wireshark module based on ethereal module.
 - Revise upstart support in init module to use a tunable, as upstart is now
   used in Fedora too.
 - Add iferror.m4 rather generate it out of the Makefiles.
diff --git a/policy/modules/apps/wireshark.fc b/policy/modules/apps/wireshark.fc
new file mode 100644
index 0000000..dac9c99
--- /dev/null
+++ b/policy/modules/apps/wireshark.fc
@@ -0,0 +1,3 @@
+HOME_DIR/\.wireshark(/.*)? 		gen_context(system_u:object_r:ROLE_wireshark_home_t,s0)
+
+/usr/bin/wireshark		--	gen_context(system_u:object_r:wireshark_exec_t,s0)
diff --git a/policy/modules/apps/wireshark.if b/policy/modules/apps/wireshark.if
new file mode 100644
index 0000000..3d2b8e4
--- /dev/null
+++ b/policy/modules/apps/wireshark.if
@@ -0,0 +1,249 @@
+## <summary>Wireshark packet capture tool.</summary>
+
+#######################################
+## <summary>
+##	The per role template for the wireshark module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for wireshark packet capture tool.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+#
+template(`wireshark_per_role_template',`
+
+	gen_require(`
+		type wireshark_exec_t;
+	')
+
+	##############################
+	#
+	# Declarations
+	#
+
+	# Type for program
+	type $1_wireshark_t;
+	application_domain($1_wireshark_t,wireshark_exec_t)
+	role $3 types $1_wireshark_t;
+
+	type $1_wireshark_home_t;
+	files_poly_member($1_wireshark_home_t)
+	userdom_user_home_content($1,$1_wireshark_home_t)
+
+	type $1_wireshark_tmp_t;
+	files_tmp_file($1_wireshark_tmp_t)
+
+	type $1_wireshark_tmpfs_t;
+	files_tmpfs_file($1_wireshark_tmpfs_t)
+
+	##############################
+	#
+	# Local Policy
+	#
+
+	allow $1_wireshark_t self:capability { net_admin net_raw setgid };
+	allow $1_wireshark_t self:process { signal getsched };
+	allow $1_wireshark_t self:fifo_file { getattr read write };
+	allow $1_wireshark_t self:shm destroy;
+	allow $1_wireshark_t self:shm create_shm_perms;
+	allow $1_wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
+	allow $1_wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+	allow $1_wireshark_t self:tcp_socket create_socket_perms;
+	allow $1_wireshark_t self:udp_socket create_socket_perms;
+
+	# Re-execute itself (why?)
+	can_exec($1_wireshark_t, wireshark_exec_t)
+	corecmd_search_bin($1_wireshark_t)
+
+	# /home/.wireshark
+	manage_dirs_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+	manage_files_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+	manage_lnk_files_pattern($1_wireshark_t,$1_wireshark_home_t,$1_wireshark_home_t)
+	userdom_user_home_dir_filetrans($1,$1_wireshark_t,$1_wireshark_home_t,dir)
+
+	# Store temporary files
+	manage_dirs_pattern($1_wireshark_t,$1_wireshark_tmp_t,$1_wireshark_tmp_t)
+	manage_files_pattern($1_wireshark_t,$1_wireshark_tmp_t,$1_wireshark_tmp_t)
+	files_tmp_filetrans($1_wireshark_t, $1_wireshark_tmp_t, { dir file })
+
+	manage_dirs_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+	manage_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+	manage_lnk_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+	manage_sock_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+	manage_fifo_files_pattern($1_wireshark_t,$1_wireshark_tmpfs_t,$1_wireshark_tmpfs_t)
+	fs_tmpfs_filetrans($1_wireshark_t,$1_wireshark_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	domain_auto_trans($2, wireshark_exec_t, $1_wireshark_t)
+	allow $1_wireshark_t $2:fd use;
+	allow $1_wireshark_t $2:process sigchld;
+
+	manage_dirs_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+	manage_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+	manage_lnk_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+	relabel_dirs_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+	relabel_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+	relabel_lnk_files_pattern($2,$1_wireshark_home_t,$1_wireshark_home_t)
+
+	kernel_read_kernel_sysctls($1_wireshark_t)
+	kernel_read_system_state($1_wireshark_t)
+	kernel_read_sysctl($1_wireshark_t)
+
+	corecmd_search_bin($1_wireshark_t)
+
+	corenet_tcp_connect_generic_port($1_wireshark_t)
+	corenet_tcp_sendrecv_generic_if($1_wireshark_t)
+	
+	dev_read_urand($1_wireshark_t)
+
+	files_read_etc_files($1_wireshark_t)
+	files_read_usr_files($1_wireshark_t)
+
+	fs_list_inotifyfs($1_wireshark_t)
+	fs_search_auto_mountpoints($1_wireshark_t)
+
+	libs_read_lib_files($1_wireshark_t)
+	libs_use_ld_so($1_wireshark_t)
+	libs_use_shared_libs($1_wireshark_t)
+
+	miscfiles_read_fonts($1_wireshark_t)
+	miscfiles_read_localization($1_wireshark_t)
+
+	seutil_use_newrole_fds($1_wireshark_t)
+
+	sysnet_read_config($1_wireshark_t)
+
+	userdom_manage_user_home_content_files($1,$1_wireshark_t)
+	
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_dirs($1_wireshark_t)
+		fs_manage_nfs_files($1_wireshark_t)
+		fs_manage_nfs_symlinks($1_wireshark_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_dirs($1_wireshark_t)
+		fs_manage_cifs_files($1_wireshark_t)
+		fs_manage_cifs_symlinks($1_wireshark_t)
+	')
+
+	optional_policy(`
+		nscd_socket_use($1_wireshark_t)
+	')
+
+	# Manual transition from userhelper 
+	optional_policy(`
+		userhelper_use_user_fd($1,$1_wireshark_t)
+		userhelper_sigchld_user($1,$1_wireshark_t)
+	')
+
+	optional_policy(`
+		xserver_user_client_template($1,$1_wireshark_t,$1_wireshark_tmpfs_t)
+		xserver_create_xdm_tmp_sockets($1_wireshark_t)
+	')
+	
+	ifdef(`TODO',`
+		# Why does it write this?
+		optional_policy(`
+			dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;
+		')
+		#TODO
+		gnome_application($1_wireshark, $1)
+		gnome_file_dialog($1_wireshark, $1)
+		# FIXME: policy is incomplete
+	')
+	
+')
+
+#######################################
+## <summary>
+##	The administrative functions template for the wireshark module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates rules for administrating wireshark,
+##	allowing the specified user to manage wireshark files.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`wireshark_admin_template',`
+	gen_require(`
+		type $1_wireshark_t;
+	')
+
+	# Create various types of sockets
+	allow $1_wireshark_t self:netlink_route_socket create_netlink_socket_perms;
+	allow $1_wireshark_t self:udp_socket create_socket_perms;
+	allow $1_wireshark_t self:packet_socket create_socket_perms;
+	allow $1_wireshark_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_wireshark_t self:tcp_socket create_socket_perms;
+	
+	userdom_use_user_terminals($1,$1_wireshark_t)
+	# wireshark tries to write to user terminal
+	userdom_dontaudit_use_user_terminals($1,$1_wireshark_t)
+')
+
+########################################
+## <summary>
+##	Run wireshark in wireshark domain.
+## </summary>
+## <desc>
+##	<p>
+##	Run wireshark in wireshark domain.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+template(`wireshark_domtrans_user_wireshark',`
+	gen_require(`
+		type $1_wireshark_t, wireshark_exec_t;
+	')
+
+	domtrans_pattern($2,wireshark_exec_t,$1_wireshark_t)
+')
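Review bot: The capability grant `allow $1_wireshark_t self:capability { net_admin net_raw setgid };` near the top of wireshark_per_role_template's local policy is the most privileged rule in the module and carries no comment on why each bit is needed for every user's derived domain; a line such as `# net_raw: packet sockets; net_admin: presumably promiscuous mode; setgid: reason unknown — confirm` would let a later reviewer tighten it. Two smaller points in the same template: `corecmd_search_bin($1_wireshark_t)` is called twice (once after the can_exec and again in the interface-call list), and the ifdef(`TODO') block hard-codes `dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;` instead of using `$1_wireshark_t`, so it would be wrong for any other prefix if the block were ever enabled. In wireshark_admin_template, `userdom_use_user_terminals($1,$1_wireshark_t)` is immediately followed by `userdom_dontaudit_use_user_terminals($1,$1_wireshark_t)` for the same domain; the dontaudit is dead once the allow exists, so one of the two (and the comment between them) should go. The manual `domain_auto_trans`/fd use/sigchld trio in the per-role template could also be the single `domtrans_pattern` call that wireshark_domtrans_user_wireshark already uses, for consistency.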
diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
new file mode 100644
index 0000000..61092e3
--- /dev/null
+++ b/policy/modules/apps/wireshark.te
@@ -0,0 +1,10 @@
+
+policy_module(wireshark,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wireshark_exec_t;
+application_executable_file(wireshark_exec_t)

