selinux-refpolicy/policy/modules/system/sysnetwork.fc


#
# /dev
#
ifdef(`distro_debian',`
/dev/shm/network(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
')

#
# /etc
#
/etc/dhclient.*conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers		--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.allow.*	--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/hostname		--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)

/etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)

/etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)

ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')

#
# /usr
#
/usr/bin/dhclient.*		    --	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/bin/dhcdbd		        --	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/bin/dhcp6c		        --	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/bin/dhcpcd		        --	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/bin/ethtool		    --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/ifconfig		    --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/ip			        --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/ipx_configure		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/ipx_interface		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/iw			        --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/iwconfig		    --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/mii-tool		    --	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/bin/pump			    --	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/bin/tc			        --	gen_context(system_u:object_r:ifconfig_exec_t,s0)

/usr/sbin/dhclient.*		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/dhcdbd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/dhcp6c		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/dhcpcd		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/ethtool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_configure		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_interface		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iw			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/pump			--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
/usr/sbin/tc			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)

#
# /var
#
/var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
/var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpv6(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)

/run/dhclient.*	--	gen_context(system_u:object_r:dhcpc_runtime_t,s0)
/run/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_runtime_t,s0)
/run/netns	-d		gen_context(system_u:object_r:ifconfig_runtime_t,s0)
/run/netns/[^/]+	--	<<none>>

ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
')

ifdef(`distro_debian',`
/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
/run/resolvconf/.* --	gen_context(system_u:object_r:net_conf_t,s0)
')
initial commit 2005-05-10 19:51:00 +00:00
Debian file locations patch from Russell Coker. 2011-11-16 20:29:18 +00:00			`#`
			`# /dev`
			`#`
			ifdef(`distro_debian',`
			`/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`
			`')`

initial commit 2005-05-10 19:51:00 +00:00			`#`
			`# /etc`
			`#`
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)`
			`/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)`
			`/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)`
			`/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			`/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)`
Sysnetwork patch from Dan Walsh. 2010-03-18 19:40:04 +00:00			`/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)`
Label /etc/hosts.allow as net_conf_t /etc/hosts.deny is labeled as net_conf_t so it makes sense to label hosts.allow the same way Signed-off-by: Laurent Bigonville <bigon@bigon.be> 2018-06-20 09:38:12 +00:00			`/etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)`
Sysnetwork patch from Dan Walsh. 2010-03-18 19:40:04 +00:00			`/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)`
Modify type for /etc/hostname hostnamectl updates /etc/hostname This change is setting the type for the file /etc/hostname to net_conf_t and granting hostnamectl permission to edit this file. Note that hostnamectl is initially creating a new file .#hostname* which is why the create permissions are requied. type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-01-15 03:20:29 +00:00			`/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)`
Sysnetwork patch from Dan Walsh. 2010-03-18 19:40:04 +00:00			`/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)`
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)`
			`/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)`
			`/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
policy for systemd-networkd Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working. I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise. Signed-off-by: Dave Sugar <dsugar@tresys.com> 2017-10-11 14:59:08 +00:00			`/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`

add stuff from distros.fc 2005-11-03 18:08:36 +00:00			ifdef(`distro_redhat',`
			`/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)`
Sysnetwork patch from Dan Walsh. 2010-03-18 19:40:04 +00:00			`/etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`
Whitespace fixes in sysnetwork. 2011-02-28 14:33:29 +00:00			`/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`
add stuff from distros.fc 2005-11-03 18:08:36 +00:00			`')`

initial commit 2005-05-10 19:51:00 +00:00			`#`
			`# /usr`
			`#`
Support systems with a single /usr/bin directory On systems such as Arch Linux, all programs which are usually located in /bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the other locations are symbolic links to this directory. With such a configuration, the file contexts which define types for files in /bin, /sbin and /usr/sbin need to be duplicated to provide definitions for /usr/bin/... As the "/bin vs. /usr/bin" part of the needed definitions has already been done with the "usr merge" patches, the next step consists in duplicating file contexts for /usr/sbin. This is what this patch does for all modules which are not in contrib. This is the second iteration of an idea I have previously posted on http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html 2017-04-15 18:49:07 +00:00			`/usr/bin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/bin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/bin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/bin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/bin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/bin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/bin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib Some policy modules define file contexts in /bin, /sbin and /lib without defining similar file contexts in the same directory under /usr. Add these missing file contexts when there are outside ifdef blocks. 2016-12-27 16:06:54 +00:00
			`/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
usrmerge FC fixes from Russell Coker. 2017-02-07 23:51:58 +00:00			`/usr/sbin/dhcp6c -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib Some policy modules define file contexts in /bin, /sbin and /lib without defining similar file contexts in the same directory under /usr. Add these missing file contexts when there are outside ifdef blocks. 2016-12-27 16:06:54 +00:00			`/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
			`/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)`
			`/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)`
initial commit 2005-05-10 19:51:00 +00:00
			`#`
			`# /var`
			`#`
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)`
			`/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)`
			`/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)`
Network daemon patches from Russell Coker. 2017-02-25 16:20:19 +00:00			`/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)`
more merging from 1.27.1-15 2005-10-14 17:55:40 +00:00			`/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)`
Sysnetwork patch from Dan Walsh. 2010-03-18 19:40:04 +00:00			`/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)`
more strict testing fixes 2006-08-23 19:36:04 +00:00
Rename _var_run_t types to _runtime_t. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-08 20:55:02 +00:00			`/run/dhclient.* -- gen_context(system_u:object_r:dhcpc_runtime_t,s0)`
			`/run/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_runtime_t,s0)`
sysnetwork: allow using "ip netns" When using network namespaces with `ip netns`, command `ip` creates files in `/run/netns` that are mountpoints for `nsfs`. For example: $ ip netns add VPN $ ls -Z /run/netns/VPN system_u:object_r:nsfs_t /run/netns/VPN $ findmnt /run/netns/VPN TARGET SOURCE FSTYPE OPTIONS /run/netns/VPN nsfs[net:[4026532371]] nsfs rw /run/netns/VPN nsfs[net:[4026532371]] nsfs rw From a shell CLI, it is possible to retrieve the name of the current network namespace: $ ip netns exec VPN bash $ ip netns identify $$ VPN This requires reading `/proc/$PID/ns/net`, which is labelled as a user domain. Allow this access using `userdom_read_all_users_state()`. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2020-04-19 09:43:45 +00:00			`/run/netns -d gen_context(system_u:object_r:ifconfig_runtime_t,s0)`
			`/run/netns/[^/]+ -- <<none>>`
more strict testing fixes 2006-08-23 19:36:04 +00:00
			ifdef(`distro_gentoo',`
			`/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)`
			`')`
sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script. Signed-off-by: Dominick Grift <dominick.grift@gmail.com> 2013-09-26 21:46:32 +00:00
			ifdef(`distro_debian',`
transition file contexts to /run Remove file context aliases and update file context paths to use the /run filesystem path. Add backward compatibility file context alias for /var/run using applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321 Lock files are still seated at /var/lock 2016-12-16 20:07:56 +00:00			`/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)`
/var/run -> /run again Here's the latest version of my patch to remove all /var/run when it's not needed. I have removed the subst thing from the patch, but kept a distro_debian bit that relies on it. So with this patch the policy won't install if you build it with distro_debian unless you have my subst patch. Chris, if your automated tests require that it build and install with distro_debian then skip the patch for sysnetwork.fc. From Russell Coker 2017-03-25 16:56:03 +00:00			`/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)`
sysnetwork: Debian stores network interface configuration in /run/network (ifstate), That directory is created by the /etc/init.d/networking script. Signed-off-by: Dominick Grift <dominick.grift@gmail.com> 2013-09-26 21:46:32 +00:00			`')`