nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
60a3d5af67
selinux-refpolicy/policy/modules/system/sysnetwork.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

907 lines
17 KiB
Plaintext
Raw Blame History

## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
#######################################
## <summary>
## Execute dhcp client in dhcpc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`sysnet_domtrans_dhcpc',`
gen_require(`
type dhcpc_t, dhcpc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
')
########################################
## <summary>
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_run_dhcpc',`
gen_require(`
attribute_role dhcpc_roles;
')
sysnet_domtrans_dhcpc($1)
roleattribute $2 dhcpc_roles;
')
########################################
## <summary>
## Do not audit attempts to read and
## write dhcpc udp socket descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysnet_dontaudit_rw_dhcpc_udp_sockets',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:udp_socket { read write };
')
########################################
## <summary>
## Do not audit attempts to use
## the dhcp file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysnet_dontaudit_use_dhcpc_fds',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to read/write to the
## dhcp unix stream socket descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
gen_require(`
type dhcpc_t;
')
dontaudit $1 dhcpc_t:unix_stream_socket { read write };
')
########################################
## <summary>
## Send a SIGCHLD signal to the dhcp client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_sigchld_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigchld;
')
########################################
## <summary>
## Send a kill signal to the dhcp client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_kill_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigkill;
')
########################################
## <summary>
## Send a SIGSTOP signal to the dhcp client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_sigstop_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process sigstop;
')
########################################
## <summary>
## Send a null signal to the dhcp client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_signull_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signull;
')
########################################
## <summary>
## Send a generic signal to the dhcp client.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_signal_dhcpc',`
gen_require(`
type dhcpc_t;
')
allow $1 dhcpc_t:process signal;
')
########################################
## <summary>
## Send and receive messages from
## dhcpc over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_dbus_chat_dhcpc',`
gen_require(`
type dhcpc_t;
class dbus send_msg;
')
allow $1 dhcpc_t:dbus send_msg;
allow dhcpc_t $1:dbus send_msg;
')
########################################
## <summary>
## Read and write dhcp configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_rw_dhcp_config',`
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
allow $1 dhcp_etc_t:file rw_file_perms;
')
########################################
## <summary>
## Search the DHCP client state
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_search_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
files_search_var_lib($1)
allow $1 dhcpc_state_t:dir search_dir_perms;
')
########################################
## <summary>
## Read dhcp client state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_read_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
#######################################
## <summary>
## Delete the dhcp client state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_delete_dhcpc_state',`
gen_require(`
type dhcpc_state_t;
')
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
#######################################
## <summary>
## Set the attributes of network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_setattr_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file setattr_file_perms;
')
#######################################
## <summary>
## Read network config files.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the
## general network configuration files. A
## common example of this is the
## /etc/resolv.conf file, which has domain
## name system (DNS) server IP addresses.
## Typically, most networking processes will
## require the access provided by this interface.
## </p>
## <p>
## Higher-level interfaces which involve
## networking will generally call this interface,
## for example:
## </p>
## <ul>
## <li>sysnet_dns_name_resolve()</li>
## <li>sysnet_use_ldap()</li>
## <li>sysnet_use_portmap()</li>
## </ul>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_read_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
files_search_runtime($1)
allow $1 net_conf_t:dir list_dir_perms;
allow $1 net_conf_t:file read_file_perms;
ifdef(`distro_debian',`
files_search_runtime($1)
allow $1 net_conf_t:dir list_dir_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`distro_redhat',`
allow $1 net_conf_t:dir list_dir_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`init_systemd',`
systemd_read_resolved_runtime($1)
')
')
#######################################
## <summary>
## Map network config files.
## </summary>
## <desc>
## <p>
## Allow the specified domain to mmap the
## general network configuration files.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_mmap_config_files',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file map;
')
#######################################
## <summary>
## map network config files.
## </summary>
## <desc>
## <p>
## Allow the specified domain to mmap the
## general network configuration files.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_mmap_read_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file mmap_read_file_perms;
')
#######################################
## <summary>
## Do not audit attempts to read network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sysnet_dontaudit_read_config',`
gen_require(`
type net_conf_t;
')
dontaudit $1 net_conf_t:file read_file_perms;
')
#######################################
## <summary>
## Write network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_write_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file write_file_perms;
')
#######################################
## <summary>
## Create network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_create_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file create_file_perms;
')
#######################################
## <summary>
## Relabel network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_relabel_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file relabel_file_perms;
')
#######################################
## <summary>
## Create files in /etc with the type used for
## the network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`sysnet_etc_filetrans_config',`
gen_require(`
type net_conf_t;
')
files_etc_filetrans($1, net_conf_t, file, $2)
')
#######################################
## <summary>
## Create, read, write, and delete network config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_manage_config',`
gen_require(`
type net_conf_t;
')
files_search_etc($1)
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_debian',`
files_search_runtime($1)
manage_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`distro_redhat',`
manage_files_pattern($1, net_conf_t, net_conf_t)
')
ifdef(`init_systemd',`
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
#######################################
## <summary>
## Read the dhcp client pid file. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_read_dhcpc_pid',`
refpolicywarn(`$0($*) has been deprecated, please use sysnet_read_dhcpc_runtime_files() instead.')
sysnet_read_dhcpc_runtime_files($1)
')
#######################################
## <summary>
## Delete the dhcp client pid file. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_delete_dhcpc_pid',`
refpolicywarn(`$0($*) has been deprecated, please use sysnet_delete_dhcpc_runtime_files() instead.')
sysnet_delete_dhcpc_runtime_files($1)
')
#######################################
## <summary>
## Read dhcp client runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_read_dhcpc_runtime_files',`
gen_require(`
type dhcpc_runtime_t;
')
files_list_runtime($1)
allow $1 dhcpc_runtime_t:file read_file_perms;
')
#######################################
## <summary>
## Delete the dhcp client runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_delete_dhcpc_runtime_files',`
gen_require(`
type dhcpc_runtime_t;
')
allow $1 dhcpc_runtime_t:file unlink;
')
#######################################
## <summary>
## Execute ifconfig in the ifconfig domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`sysnet_domtrans_ifconfig',`
gen_require(`
type ifconfig_t, ifconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
')
########################################
## <summary>
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_run_ifconfig',`
gen_require(`
type ifconfig_t;
')
corecmd_search_bin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
')
#######################################
## <summary>
## Execute ifconfig in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_exec_ifconfig',`
gen_require(`
type ifconfig_exec_t;
')
corecmd_search_bin($1)
can_exec($1, ifconfig_exec_t)
')
########################################
## <summary>
## Send a generic signal to ifconfig.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_signal_ifconfig',`
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signal;
')
########################################
## <summary>
## Send null signals to ifconfig.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_signull_ifconfig',`
gen_require(`
type ifconfig_t;
')
allow $1 ifconfig_t:process signull;
')
########################################
## <summary>
## Read the DHCP configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_read_dhcp_config',`
gen_require(`
type dhcp_etc_t;
')
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
')
########################################
## <summary>
## Search the DHCP state data directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_search_dhcp_state',`
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
allow $1 dhcp_state_t:dir search_dir_perms;
')
########################################
## <summary>
## Create DHCP state data.
## </summary>
## <desc>
## <p>
## Create DHCP state data.
## </p>
## <p>
## This is added for DHCP server, as
## the server and client put their state
## files in the same directory.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file_type">
## <summary>
## The type of the object to be created
## </summary>
## </param>
## <param name="object_class">
## <summary>
## The object class.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`sysnet_dhcp_state_filetrans',`
gen_require(`
type dhcp_state_t;
')
files_search_var_lib($1)
filetrans_pattern($1, dhcp_state_t, $2, $3, $4)
')
########################################
## <summary>
## Perform a DNS name resolution.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sysnet_dns_name_resolve',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
sysnet_read_config($1)
optional_policy(`
avahi_stream_connect($1)
')
optional_policy(`
# for /etc/resolv.conf symlink
networkmanager_read_runtime_files($1)
')
optional_policy(`
nscd_use($1)
')
ifdef(`init_systemd',`
optional_policy(`
systemd_dbus_chat_resolved($1)
')
# This seems needed when the mymachines NSS module is used
optional_policy(`
systemd_read_machines($1)
')
')
')
########################################
## <summary>
## Connect and use a LDAP server.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
# Support for LDAPS
dev_read_rand($1)
dev_read_urand($1)
sysnet_read_config($1)
')
########################################
## <summary>
## Connect and use remote port mappers.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sysnet_use_portmap',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
sysnet_read_config($1)
')
Reference in New Issue View Git Blame Copy Permalink