## Policy for network configuration: ifconfig and dhcp client.
#######################################
##
## Execute dhcp client in dhcpc domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`sysnet_domtrans_dhcpc',`
gen_require(`
type dhcpc_t, dhcpc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
')
########################################
##
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`sysnet_run_dhcpc',`
gen_require(`
attribute_role dhcpc_roles;
')
sysnet_domtrans_dhcpc($1)
roleattribute $2 dhcpc_roles;
')
########################################
##
## Do not audit attempts to read and
## write dhcpc udp socket descriptors.
##
##
##
## Domain to not audit.
##
##
#
interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:udp_socket { read write };
')
########################################
##
## Do not audit attempts to use
## the dhcp file descriptors.
##
##
##
## Domain to not audit.
##
##
#
interface(`sysnet_dontaudit_use_dhcpc_fds',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:fd use;
')
########################################
##
## Do not audit attempts to read/write to the
## dhcp unix stream socket descriptors.
##
##
##
## Domain to not audit.
##
##
#
interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:unix_stream_socket { read write };
')
########################################
##
## Send a SIGCHLD signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_sigchld_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigchld;
')
########################################
##
## Send a kill signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`sysnet_kill_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigkill;
')
########################################
##
## Send a SIGSTOP signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_sigstop_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigstop;
')
########################################
##
## Send a null signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_signull_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signull;
')
########################################
##
## Send a generic signal to the dhcp client.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`sysnet_signal_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signal;
')
########################################
##
## Send and receive messages from
## dhcpc over dbus.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_dbus_chat_dhcpc',`
gen_require(`
type dhcpc_t;
class dbus send_msg;
')
allow $1 dhcpc_t:dbus send_msg;
allow dhcpc_t $1:dbus send_msg;
')
########################################
##
## Read and write dhcp configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_rw_dhcp_config',`
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
allow $1 dhcp_etc_t:file rw_file_perms;
')
########################################
##
## Search the DHCP client state
## directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_search_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
files_search_var_lib($1)
allow $1 dhcpc_state_t:dir search_dir_perms;
')
########################################
##
## Read dhcp client state files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_read_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
#######################################
##
## Delete the dhcp client state files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_delete_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
#######################################
##
## Set the attributes of network config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_setattr_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file setattr_file_perms;
')
#######################################
##
## Read network config files.
##
##
##
## Allow the specified domain to read the
## general network configuration files. A
## common example of this is the
## /etc/resolv.conf file, which has domain
## name system (DNS) server IP addresses.
## Typically, most networking processes will
## require the access provided by this interface.
##
##
## Higher-level interfaces which involve
## networking will generally call this interface,
## for example:
##
##
## - sysnet_dns_name_resolve()
## - sysnet_use_ldap()
## - sysnet_use_portmap()
##
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_read_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
ifdef(`distro_debian',`
files_search_pids($1)
allow $1 net_conf_t:dir list_dir_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`distro_redhat',`
allow $1 net_conf_t:dir list_dir_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`init_systemd',`
systemd_read_resolved_runtime($1)
')
')
#######################################
##
## Do not audit attempts to read network config files.
##
##
##
## Domain to not audit.
##
##
#
interface(`sysnet_dontaudit_read_config',`
gen_require(`
type net_conf_t;
')
dontaudit $1 net_conf_t:file read_file_perms;
')
#######################################
##
## Write network config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_write_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file write_file_perms;
')
#######################################
##
## Create network config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_create_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file create_file_perms;
')
#######################################
##
## Relabel network config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_relabel_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file { relabelfrom relabelto };
')
#######################################
##
## Create files in /etc with the type used for
## the network config files.
##
##
##
## Domain allowed access.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`sysnet_etc_filetrans_config',`
gen_require(`
type net_conf_t;
')
files_etc_filetrans($1, net_conf_t, file, $2)
')
#######################################
##
## Create, read, write, and delete network config files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_manage_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_debian',`
files_search_pids($1)
manage_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`distro_redhat',`
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
#######################################
##
## Read the dhcp client pid file.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_read_dhcpc_pid',`
gen_require(`
type dhcpc_var_run_t;
')
files_list_pids($1)
allow $1 dhcpc_var_run_t:file read_file_perms;
')
#######################################
##
## Delete the dhcp client pid file.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_delete_dhcpc_pid',`
gen_require(`
type dhcpc_var_run_t;
')
allow $1 dhcpc_var_run_t:file unlink;
')
#######################################
##
## Execute ifconfig in the ifconfig domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`sysnet_domtrans_ifconfig',`
gen_require(`
type ifconfig_t, ifconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
')
########################################
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`sysnet_run_ifconfig',`
gen_require(`
type ifconfig_t;
')
corecmd_search_bin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
')
#######################################
##
## Execute ifconfig in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_exec_ifconfig',`
gen_require(`
type ifconfig_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ifconfig_exec_t)
')
########################################
##
## Send a generic signal to ifconfig.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`sysnet_signal_ifconfig',`
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signal;
')
########################################
##
## Send null signals to ifconfig.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`sysnet_signull_ifconfig',`
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signull;
')
########################################
##
## Read the DHCP configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_read_dhcp_config',`
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
')
########################################
##
## Search the DHCP state data directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_search_dhcp_state',`
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
allow $1 dhcp_state_t:dir search_dir_perms;
')
########################################
##
## Create DHCP state data.
##
##
##
## Create DHCP state data.
##
##
## This is added for DHCP server, as
## the server and client put their state
## files in the same directory.
##
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the object to be created
##
##
##
##
## The object class.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`sysnet_dhcp_state_filetrans',`
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
filetrans_pattern($1, dhcp_state_t, $2, $3, $4)
')
########################################
##
## Perform a DNS name resolution.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`sysnet_dns_name_resolve',`
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
sysnet_read_config($1)
optional_policy(`
avahi_stream_connect($1)
')
optional_policy(`
nscd_use($1)
')
# This seems needed when the mymachines NSS module is used
optional_policy(`
systemd_read_machines($1)
')
')
########################################
##
## Connect and use a LDAP server.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_use_ldap',`
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
# Support for LDAPS
dev_read_rand($1)
dev_read_urand($1)
sysnet_read_config($1)
')
########################################
##
## Connect and use remote port mappers.
##
##
##
## Domain allowed access.
##
##
#
interface(`sysnet_use_portmap',`
gen_require(`
type net_conf_t;
')
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_portmap_port($1)
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
sysnet_read_config($1)
')
# This should be after an ifdef distro_gentoo but that is not allowed in an if file
########################################
##
## Make the specified program domain
## accessable from the DHCP hooks/scripts.
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
interface(`sysnet_dhcpc_script_entry',`
gen_require(`
type dhcpc_script_t;
attribute_role dhcpc_roles;
')
role dhcpc_roles types $1;
domtrans_pattern(dhcpc_script_t, $2, $1)
')