From 8cc49473ec846ef45beb87c07108ce1a153b1bd4 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 17 Jan 2006 23:01:14 +0000
Subject: [PATCH] add usernetctl.
---
 refpolicy/Changelog | 3 +
 refpolicy/policy/modules/admin/consoletype.if | 25 +++++++
 refpolicy/policy/modules/apps/usernetctl.fc | 2 +
 refpolicy/policy/modules/apps/usernetctl.if | 66 +++++++++++++++++
 refpolicy/policy/modules/apps/usernetctl.te | 70 +++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.if | 4 ++
 refpolicy/policy/modules/system/userdomain.te | 2 +-
 7 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 refpolicy/policy/modules/apps/usernetctl.fc
 create mode 100644 refpolicy/policy/modules/apps/usernetctl.if
 create mode 100644 refpolicy/policy/modules/apps/usernetctl.te
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index db66471bc..82a16945a 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,6 @@
+- Added modules:
+ usernetctl
+
 * Tue Jan 17 2006 Chris PeBenito - 20060117
 - Adds support for generating corenetwork interfaces based on attributes in addition to types.
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 29e69fa39..42a741b30 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -27,6 +27,31 @@ interface(`consoletype_domtrans',`
 allow consoletype_t $1:process sigchld;
 ')
 
+########################################
+##
+## Execute consoletype in the consoletype domain, and
+## allow the specified role the consoletype domain.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the consoletype domain.
+##
+##
+## The type of the terminal allow the consoletype domain to use.
+##
+#
+interface(`consoletype_run',`
+ gen_require(`
+ type consoletype_t;
+ ')
+
+ consoletype_domtrans($1)
+ role $2 types consoletype_t;
+ allow consoletype_t $3:chr_file rw_term_perms;
+')
+
 ########################################
 ##
 ## Execute consoletype in the caller domain.
diff --git a/refpolicy/policy/modules/apps/usernetctl.fc b/refpolicy/policy/modules/apps/usernetctl.fc
new file mode 100644
index 000000000..aa07e1e43
--- /dev/null
+++ b/refpolicy/policy/modules/apps/usernetctl.fc
@@ -0,0 +1,2 @@
+
+/usr/sbin/usernetctl -- gen_context(system_u:object_r:usernetctl_exec_t,s0)
diff --git a/refpolicy/policy/modules/apps/usernetctl.if b/refpolicy/policy/modules/apps/usernetctl.if
new file mode 100644
index 000000000..ce58e4295
--- /dev/null
+++ b/refpolicy/policy/modules/apps/usernetctl.if
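Review bot: The third parameter of the new consoletype_run interface in consoletype.if is documented as "The type of the terminal allow the consoletype domain to use.", which drops a word; I would write `## The type of the terminal to allow the consoletype domain to use.`, and the same sentence needs the same fix in usernetctl_run in usernetctl.if. The first parameter is also described here as "The type of the process performing this action." while the new usernetctl interfaces use "Domain allowed access.", so one wording should be picked for the generated interface documentation. Since usernetctl_run forwards the set `{ $1_devpts_t $1_tty_device_t }` it receives from userdomain.if, the description of `$3` could also say that a set of terminal types is accepted.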
@@ -0,0 +1,66 @@
+## User network interface configuration helper
+
+########################################
+##
+## Execute usernetctl in the usernetctl domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`usernetctl_domtrans',`
+ gen_require(`
+ type usernetctl_t, usernetctl_exec_t;
+ ')
+
+ tunable_policy(`user_net_control',`
+ domain_auto_trans($1,usernetctl_exec_t,usernetctl_t)
+
+ allow $1 usernetctl_t:fd use;
+ allow usernetctl_t $1:fd use;
+ allow usernetctl_t $1:fifo_file rw_file_perms;
+ allow usernetctl_t $1:process sigchld;
+ ',`
+ can_exec($1,usernetctl_exec_t)
+ ')
+')
+
+########################################
+##
+## Execute usernetctl in the usernetctl domain, and
+## allow the specified role the usernetctl domain.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to be allowed the usernetctl domain.
+##
+##
+## The type of the terminal allow the usernetctl domain to use.
+##
+#
+interface(`usernetctl_run',`
+ gen_require(`
+ type usernetctl_t;
+ ')
+
+ usernetctl_domtrans($1)
+ role $2 types usernetctl_t;
+ allow usernetctl_t $3:chr_file rw_term_perms;
+
+ sysnet_run_ifconfig(usernetctl_t,$2,$3)
+ sysnet_run_dhcpc(usernetctl_t,$2,$3)
+
+ optional_policy(`consoletype',`
+ consoletype_run(usernetctl_t,$2,$3)
+ ')
+
+ optional_policy(`iptables',`
+ iptables_run(usernetctl_t,$2,$3)
+ ')
+
+ optional_policy(`modutils',`
+ modutils_run_insmod(usernetctl_t,$2,$3)
+ ')
+')
diff --git a/refpolicy/policy/modules/apps/usernetctl.te b/refpolicy/policy/modules/apps/usernetctl.te
new file mode 100644
index 000000000..ec38a72c9
--- /dev/null
+++ b/refpolicy/policy/modules/apps/usernetctl.te
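Review bot: In usernetctl_run (usernetctl.if) the role and domain grants sit outside the user_net_control tunable that gates usernetctl_domtrans: `role $2 types usernetctl_t;`, the terminal `allow`, and the calls to sysnet_run_ifconfig, sysnet_run_dhcpc, iptables_run and modutils_run_insmod are all unconditional. If those interfaces follow the same pattern as consoletype_run in this patch, every role passed in is authorized for the ifconfig, dhcpc, iptables and insmod domains, and the userdomain.if hunk passes every role built from base_user_template. As far as I know role statements cannot be placed inside a conditional, so I would at least state this on the interface, e.g. `## Reaching usernetctl_t is gated by the user_net_control tunable; the role grants made here are not.`. It is also worth considering whether usernetctl_run should be called only from the templates whose users are meant to manage network interfaces.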
@@ -0,0 +1,70 @@
+
+policy_module(usernetctl,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type usernetctl_t;
+type usernetctl_exec_t;
+domain_type(usernetctl_t)
+domain_entry_file(usernetctl_t,usernetctl_exec_t)
+domain_wide_inherit_fd(usernetctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow usernetctl_t self:capability { setuid setgid dac_override };
+allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow usernetctl_t self:fd use;
+allow usernetctl_t self:fifo_file rw_file_perms;
+allow usernetctl_t self:shm create_shm_perms;
+allow usernetctl_t self:sem create_sem_perms;
+allow usernetctl_t self:msgq create_msgq_perms;
+allow usernetctl_t self:msg { send receive };
+allow usernetctl_t self:unix_dgram_socket create_socket_perms;
+allow usernetctl_t self:unix_stream_socket create_stream_socket_perms;
+allow usernetctl_t self:unix_dgram_socket sendto;
+allow usernetctl_t self:unix_stream_socket connectto;
+
+can_exec(usernetctl_t,usernetctl_exec_t)
+
+kernel_read_system_state(usernetctl_t)
+kernel_read_kernel_sysctl(usernetctl_t)
+
+corecmd_list_bin(usernetctl_t)
+corecmd_exec_bin(usernetctl_t)
+corecmd_list_sbin(usernetctl_t)
+corecmd_exec_sbin(usernetctl_t)
+corecmd_exec_shell(usernetctl_t)
+
+domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+files_read_etc_files(usernetctl_t)
+files_exec_etc_files(usernetctl_t)
+files_read_etc_runtime_files(usernetctl_t)
+files_list_pids(usernetctl_t)
+files_list_home(usernetctl_t)
+files_read_usr_files(usernetctl_t)
+
+fs_search_auto_mountpoints(usernetctl_t)
+
+libs_use_ld_so(usernetctl_t)
+libs_use_shared_libs(usernetctl_t)
+
+miscfiles_read_localization(usernetctl_t)
+
+seutil_read_config(usernetctl_t)
+
+sysnet_read_config(usernetctl_t)
+
+optional_policy(`hostname',`
+ hostname_exec(usernetctl_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(usernetctl_t)
+')
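Review bot: The rule `allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };` in usernetctl.te is written as a complement set, so the domain receives every process permission that is not named, including any permission added to the class later. This domain also holds `setuid`, `setgid` and `dac_override` and may run shells and files from /etc in its own domain (`corecmd_exec_shell`, `files_exec_etc_files`), so an explicit allow-list is easier to audit. I would start from something like `allow usernetctl_t self:process { fork signal_perms };` and add only what the audit log shows is needed. The SysV IPC rules on `shm`, `sem`, `msgq` and `msg` carry no comment saying why a network helper needs them; if they were carried over from a template, either drop them or note which program uses them.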
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a19ab6446..cace0a0e3 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -440,6 +440,10 @@ template(`base_user_template',`
 usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
 ')
 
+ optional_policy(`usernetctl',`
+ usernetctl_run($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
+ ')
+
 ifdef(`TODO',`
 #
 # Cups daemon running as user tries to write /etc/printcap
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2d3612372..a59de334e 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.2.0)
+policy_module(userdomain,1.2.1)
 
 gen_require(`
 role sysadm_r, staff_r, user_r, secadm_r;