## Policy for network configuration: ifconfig and dhcp client. ####################################### ## ## Execute dhcp client in dhcpc domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`sysnet_domtrans_dhcpc',` gen_require(` type dhcpc_t, dhcpc_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, dhcpc_exec_t, dhcpc_t) allow $1 dhcpc_exec_t:file map; ') ######################################## ## ## Execute DHCP clients in the dhcpc domain, and ## allow the specified role the dhcpc domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`sysnet_run_dhcpc',` gen_require(` type dhcpc_t; attribute_role dhcpc_roles; ') sysnet_domtrans_dhcpc($1) roleattribute $2 dhcpc_roles; optional_policy(` networkmanager_run(dhcpc_t, $2) ') optional_policy(` nis_run_ypbind(dhcpc_t, $2) ') optional_policy(` nscd_run(dhcpc_t, $2) ') optional_policy(` ntp_run(dhcpc_t, $2) ') seutil_run_setfiles(dhcpc_t, $2) ') ######################################## ## ## Do not audit attempts to read and ## write dhcpc udp socket descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` gen_require(` type dhcpc_t; ') dontaudit $1 dhcpc_t:udp_socket { read write }; ') ######################################## ## ## Do not audit attempts to use ## the dhcp file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`sysnet_dontaudit_use_dhcpc_fds',` gen_require(` type dhcpc_t; ') dontaudit $1 dhcpc_t:fd use; ') ######################################## ## ## Do not audit attempts to read/write to the ## dhcp unix stream socket descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',` gen_require(` type dhcpc_t; ') dontaudit $1 dhcpc_t:unix_stream_socket { read write }; ') ######################################## ## ## Send a SIGCHLD signal to the dhcp client. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_sigchld_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigchld; ') ######################################## ## ## Send a kill signal to the dhcp client. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_kill_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigkill; ') ######################################## ## ## Send a SIGSTOP signal to the dhcp client. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_sigstop_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process sigstop; ') ######################################## ## ## Send a null signal to the dhcp client. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_signull_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process signull; ') ######################################## ## ## Send a generic signal to the dhcp client. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_signal_dhcpc',` gen_require(` type dhcpc_t; ') allow $1 dhcpc_t:process signal; ') ######################################## ## ## Send and receive messages from ## dhcpc over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_dbus_chat_dhcpc',` gen_require(` type dhcpc_t; class dbus send_msg; ') allow $1 dhcpc_t:dbus send_msg; allow dhcpc_t $1:dbus send_msg; ') ######################################## ## ## Read and write dhcp configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_rw_dhcp_config',` gen_require(` type dhcp_etc_t; ') files_search_etc($1) rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) ') ######################################## ## ## Search the DHCP client state ## directories. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_search_dhcpc_state',` gen_require(` type dhcpc_state_t; ') files_search_var_lib($1) allow $1 dhcpc_state_t:dir search_dir_perms; ') ######################################## ## ## Read dhcp client state files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_read_dhcpc_state',` gen_require(` type dhcpc_state_t; ') list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) read_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') ####################################### ## ## Delete the dhcp client state files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_delete_dhcpc_state',` gen_require(` type dhcpc_state_t; ') delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') ######################################## ## ## Allow caller to relabel dhcpc_state files ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_relabelfrom_dhcpc_state',` gen_require(` type dhcpc_state_t; ') allow $1 dhcpc_state_t:file relabelfrom; ') ####################################### ## ## Manage the dhcp client state files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_dhcpc_state',` gen_require(` type dhcpc_state_t; ') manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') ####################################### ## ## Set the attributes of network config files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_setattr_config',` gen_require(` type net_conf_t; ') files_search_etc($1) allow $1 net_conf_t:file setattr_file_perms; ') ####################################### ## ## Allow caller to relabel net_conf files ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_relabelfrom_net_conf',` gen_require(` type net_conf_t; ') allow $1 net_conf_t:file relabelfrom; ') ###################################### ## ## Allow caller to relabel net_conf files ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_relabelto_net_conf',` gen_require(` type net_conf_t; ') allow $1 net_conf_t:file relabelto; ') ####################################### ## ## Read network config files. ## ## ##

## Allow the specified domain to read the ## general network configuration files. A ## common example of this is the ## /etc/resolv.conf file, which has domain ## name system (DNS) server IP addresses. ## Typically, most networking processes will ## require the access provided by this interface. ##

##

## Higher-level interfaces which involve ## networking will generally call this interface, ## for example: ##

##
    ##
  • sysnet_dns_name_resolve()
  • ##
  • sysnet_use_ldap()
  • ##
  • sysnet_use_portmap()
  • ##
##
## ## ## Domain allowed access. ## ## # interface(`sysnet_read_config',` gen_require(` type net_conf_t; ') files_search_etc($1) read_files_pattern($1, net_conf_t, net_conf_t) read_lnk_files_pattern($1, net_conf_t, net_conf_t) ifdef(`distro_debian',` files_search_pids($1) list_dirs_pattern($1, net_conf_t, net_conf_t) ') ifdef(`distro_redhat',` files_search_all_pids($1) init_search_pid_dirs($1) list_dirs_pattern($1, net_conf_t, net_conf_t) ') ') ####################################### ## ## Do not audit attempts to read network config files. ## ## ## ## Domain to not audit. ## ## # interface(`sysnet_dontaudit_read_config',` gen_require(` type net_conf_t; ') dontaudit $1 net_conf_t:file read_file_perms; dontaudit $1 net_conf_t:lnk_file read_lnk_file_perms; ') ####################################### ## ## Write network config files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_write_config',` gen_require(` type net_conf_t; ') files_search_etc($1) allow $1 net_conf_t:file write_file_perms; ') ####################################### ## ## Create network config files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_create_config',` gen_require(` type net_conf_t; ') files_rw_etc_dirs($1) allow $1 net_conf_t:file create_file_perms; allow $1 net_conf_t:lnk_file create_lnk_file_perms; ') ####################################### ## ## Watch network config files and lnk_files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_watch_config',` gen_require(` type net_conf_t; ') files_search_etc($1) allow $1 net_conf_t:file watch_file_perms; allow $1 net_conf_t:lnk_file watch_lnk_file_perms; ') ####################################### ## ## Create files in /etc with the type used for ## the network config files. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`sysnet_etc_filetrans_config',` gen_require(` type net_conf_t; ') files_etc_filetrans($1, net_conf_t, file, $2) files_etc_filetrans($1, net_conf_t, lnk_file, $2) ') ######################################## ## ## Transition content to the type used for ## the network config files. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the directory to which the object will be created. ## ## ## ## ## The object class. ## ## ## ## ## The name of the object being created. ## ## # interface(`sysnet_filetrans_config_fromdir',` gen_require(` type net_conf_t; ') filetrans_pattern($1, $2, net_conf_t, $3, $4) ') ####################################### ## ## Create, read, write, and delete network config files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_config',` gen_require(` type net_conf_t; ') sysnet_read_config($1) manage_files_pattern($1, net_conf_t, net_conf_t) manage_lnk_files_pattern($1, net_conf_t, net_conf_t) ') ####################################### ## ## Create, read, write, and delete network config dirs. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_config_dirs',` gen_require(` type net_conf_t; ') sysnet_read_config($1) manage_dirs_pattern($1, net_conf_t, net_conf_t) ') ######################################## ## ## Create, read, write and delete ## network config pipes. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_config_pipes',` gen_require(` type net_conf_t; ') manage_fifo_files_pattern($1, net_conf_t, net_conf_t) ') ####################################### ## ## Read the dhcp client pid file. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_read_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') files_list_pids($1) allow $1 dhcpc_var_run_t:file read_file_perms; ') ####################################### ## ## Delete the dhcp client pid file. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_delete_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') files_rw_pid_dirs($1) allow $1 dhcpc_var_run_t:file unlink; ') ####################################### ## ## Manage the dhcp client pid file. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') files_rw_pid_dirs($1) manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t) ') ######################################## ## ## Create specified objects in generic ## pid directories with the dhcpc pid file type. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`sysnet_filetrans_dhcpc_pid',` gen_require(` type dhcpc_var_run_t; ') files_pid_filetrans($1, dhcpc_var_run_t, file, $2) ') ####################################### ## ## Execute ifconfig in the ifconfig domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`sysnet_domtrans_ifconfig',` gen_require(` type ifconfig_t, ifconfig_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ifconfig_exec_t, ifconfig_t) ') ######################################## ## ## NNP Transition to ifconfig_t. ## ## ## ## Domain allowed to transition. ## ## # interface(`sysnet_nnp_domtrans_ifconfig',` gen_require(` type ifconfig_t; ') allow $1 ifconfig_t:process2 { nnp_transition nosuid_transition }; ') ######################################## ## ## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`sysnet_run_ifconfig',` gen_require(` type ifconfig_t; ') corecmd_search_bin($1) sysnet_domtrans_ifconfig($1) role $2 types ifconfig_t; ') ####################################### ## ## Execute ifconfig in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_exec_ifconfig',` gen_require(` type ifconfig_exec_t; ') corecmd_search_bin($1) can_exec($1, ifconfig_exec_t) ') ######################################## ## ## Send a generic signal to ifconfig. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_signal_ifconfig',` gen_require(` type ifconfig_t; ') allow $1 ifconfig_t:process signal; ') ######################################## ## ## Send null signals to ifconfig. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_signull_ifconfig',` gen_require(` type ifconfig_t; ') allow $1 ifconfig_t:process signull; ') ######################################## ## ## Send a kill signal to iconfig. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_kill_ifconfig',` gen_require(` type ifconfig_t; ') allow $1 ifconfig_t:process sigkill; ') ######################################## ## ## Read the DHCP configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_read_dhcp_config',` gen_require(` type dhcp_etc_t; ') files_search_etc($1) allow $1 dhcp_etc_t:dir list_dir_perms; read_files_pattern($1, dhcp_etc_t, dhcp_etc_t) allow $1 dhcp_etc_t:file map; allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Search the DHCP state data directory. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_search_dhcp_state',` gen_require(` type dhcp_state_t; ') files_search_var_lib($1) allow $1 dhcp_state_t:dir search_dir_perms; ') ####################################### ## ## Set the attributes of network config files. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_setattr_dhcp_state',` gen_require(` type dhcp_state_t; ') files_search_var_lib($1) allow $1 dhcp_state_t:file setattr_file_perms; ') ######################################## ## ## Create DHCP state data. ## ## ##

## Create DHCP state data. ##

##

## This is added for DHCP server, as ## the server and client put their state ## files in the same directory. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created ## ## ## ## ## The object class. ## ## ## ## ## The name of the object being created. ## ## # interface(`sysnet_dhcp_state_filetrans',` gen_require(` type dhcp_state_t; ') files_search_var_lib($1) filetrans_pattern($1, dhcp_state_t, $2, $3, $4) ') ######################################## ## ## Perform a DNS name resolution. ## ## ## ## Domain allowed access. ## ## ## # interface(`sysnet_dns_name_resolve',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; allow $1 self:netlink_route_socket r_netlink_socket_perms; corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_udp_sendrecv_generic_node($1) corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) corenet_tcp_connect_dnssec_port($1) corenet_sendrecv_dns_client_packets($1) files_search_all_pids($1) miscfiles_read_generic_certs($1) miscfiles_map_generic_certs($1) sysnet_read_config($1) optional_policy(` avahi_stream_connect($1) ') optional_policy(` dbus_stream_connect_system_dbusd($1) ') optional_policy(` nscd_use($1) ') ') ######################################## ## ## Connect and use a LDAP server. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_use_ldap',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) corenet_tcp_connect_ldap_port($1) corenet_sendrecv_ldap_client_packets($1) # Support for LDAPS dev_read_rand($1) # LDAP Configuration using encrypted requires dev_read_urand($1) sysnet_read_config($1) optional_policy(` ldap_read_certs($1) ') ') ######################################## ## ## Connect and use remote port mappers. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_use_portmap',` gen_require(` type net_conf_t; ') allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_udp_sendrecv_generic_node($1) corenet_tcp_sendrecv_portmap_port($1) corenet_udp_sendrecv_portmap_port($1) corenet_tcp_connect_portmap_port($1) corenet_sendrecv_portmap_client_packets($1) sysnet_read_config($1) ') ######################################## ## ## Do not audit attempts to use ## the dhcp file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`sysnet_dontaudit_dhcpc_use_fds',` gen_require(` type dhcpc_t; ') dontaudit $1 dhcpc_t:fd use; ') ######################################## ## ## Transition to system_r when execute an dhclient script ## ## ##

## Execute dhclient script in a specified role ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
## ## ## Role to transition from. ## ## interface(`sysnet_role_transition_dhcpc',` gen_require(` type dhcpc_exec_t; ') role_transition $1 dhcpc_exec_t system_r; ') ######################################## ## ## Set up filename transitions for systemd-resolved network ## configuration content. ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_filetrans_systemd_resolved',` gen_require(` type net_conf_t; ') optional_policy(` systemd_resolved_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf") ') ') ######################################## ## ## Transition to sysnet named content ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_filetrans_named_content',` gen_require(` type net_conf_t; ') sysnet_etc_filetrans_config($1, "resolv.conf") files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp") files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp") files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved") files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf") files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger") files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger") files_etc_filetrans($1, net_conf_t, file, "denyhosts") files_etc_filetrans($1, net_conf_t, file, "hosts") files_etc_filetrans($1, net_conf_t, file, "hosts.deny") files_etc_filetrans($1, net_conf_t, file, "ethers") files_etc_filetrans($1, net_conf_t, file, "yp.conf") files_etc_filetrans($1, net_conf_t, file, "ntp.conf") init_pid_filetrans($1, net_conf_t, dir, "network") optional_policy(` networkmanager_pid_filetrans($1, net_conf_t, file, "no-stub-resolv.conf") networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ') sysnet_filetrans_systemd_resolved($1) ') ######################################## ## ## Transition to sysnet ifconfig named content ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_manage_ifconfig_run',` gen_require(` type ifconfig_var_run_t; ') manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ###################################### ## ## Watch ifconfig_var_run_t directories ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_watch_ifconfig_run_dirs',` gen_require(` type ifconfig_var_run_t; ') watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ######################################## ## ## Read ifconfig_var_run_t files and link files ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_read_ifconfig_run_files',` gen_require(` type ifconfig_var_run_t; ') list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ######################################## ## ## Transition to sysnet ifconfig named content ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_filetrans_named_content_ifconfig',` gen_require(` type ifconfig_var_run_t; ') files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") ') ######################################## ## ## Transition to sysnet ifconfig named content ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_filetrans_net_conf',` gen_require(` type net_conf_t; ') files_etc_filetrans($1, net_conf_t, file) ') ######################################## ## ## Transition to cloud-init named content ## ## ## ## Domain allowed access. ## ## # interface(`sysnet_filetrans_cloud_net_conf',` gen_require(` type net_conf_t; ') files_pid_filetrans($1, net_conf_t, dir, "cloud-init") ')