
(-)ethereal.fc (-3 / +2 lines)
Lines 1-3 Link Here
1
/usr/(s)?bin/tethereal.*	--	system_u:object_r:tethereal_exec_t
1
/usr/(s)?bin/tshark.*	--	system_u:object_r:twireshark_exec_t
2
/usr/(s)?bin/ethereal.*		--	system_u:object_r:ethereal_exec_t				
2
/usr/(s)?bin/wireshark.*		--	system_u:object_r:wireshark_exec_t				
3
#HOME_DIR/\.ethereal(/.*)? 		system_u:object_r:ROLE_ethereal_home_t		
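Review bot: The `#HOME_DIR/\.ethereal(/.*)?` entry at file line 3 is dropped rather than renamed, so the file contexts no longer record any label for `~/.wireshark`, although the macros section of this patch still creates `$1_wireshark_home_t` through `home_domain($1, wireshark)`. The old entry was already commented out, so labeling behaviour presumably does not change; still, a relabel will not restore the type on an existing directory, and only `file_type_auto_trans` on creation applies it. I would keep the line in renamed form, `#HOME_DIR/\.wireshark(/.*)?	system_u:object_r:ROLE_wireshark_home_t`, or enable it if the home-directory template is supported here. Nothing in the new file labels the old `ethereal`/`tethereal` paths either, so a leftover binary would run without a domain transition; please confirm that is intended for the upgrade path.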
(-)ethereal.te (-15 / +15 lines)
Lines 4-45 Link Here
4
#
4
#
5
5
6
# Type for executables
6
# Type for executables
7
type tethereal_exec_t, file_type, exec_type;
7
type twireshark_exec_t, file_type, exec_type;
8
type ethereal_exec_t, file_type, exec_type;
8
type wireshark_exec_t, file_type, exec_type;
9
9
10
########################################################
10
########################################################
11
# Tethereal 
11
# Tethereal 
12
#
12
#
13
13
14
# Type for program
14
# Type for program
15
type tethereal_t, domain, nscd_client_domain;
15
type twireshark_t, domain, nscd_client_domain;
16
16
17
# Transition from sysadm type
17
# Transition from sysadm type
18
domain_auto_trans(sysadm_t, tethereal_exec_t, tethereal_t)
18
domain_auto_trans(sysadm_t, twireshark_exec_t, twireshark_t)
19
role sysadm_r types tethereal_t;
19
role sysadm_r types twireshark_t;
20
20
21
uses_shlib(tethereal_t)
21
uses_shlib(twireshark_t)
22
read_locale(tethereal_t)
22
read_locale(twireshark_t)
23
23
24
# Terminal output
24
# Terminal output
25
access_terminal(tethereal_t, sysadm)
25
access_terminal(twireshark_t, sysadm)
26
26
27
# /proc
27
# /proc
28
read_sysctl(tethereal_t)
28
read_sysctl(twireshark_t)
29
allow tethereal_t { self proc_t }:dir { read search getattr };
29
allow twireshark_t { self proc_t }:dir { read search getattr };
30
allow tethereal_t { self proc_t }:{ file lnk_file } { read getattr };
30
allow twireshark_t { self proc_t }:{ file lnk_file } { read getattr };
31
31
32
# Access root
32
# Access root
33
allow tethereal_t root_t:dir search;
33
allow twireshark_t root_t:dir search;
34
34
35
# Read ethereal files in /usr
35
# Read ethereal files in /usr
36
allow tethereal_t usr_t:file { read getattr };
36
allow twireshark_t usr_t:file { read getattr };
37
37
38
# /etc/nsswitch.conf
38
# /etc/nsswitch.conf
39
allow tethereal_t etc_t:file { read getattr };
39
allow twireshark_t etc_t:file { read getattr };
40
40
41
# Ethereal sysadm rules
41
# Ethereal sysadm rules
42
ethereal_networking(tethereal)
42
wireshark_networking(twireshark)
43
43
44
# FIXME: policy is incomplete
44
# FIXME: policy is incomplete
45
45
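Review bot: The new type names `twireshark_exec_t` and `twireshark_t` are a mechanical substitution for "ethereal" and do not match the binary they confine, which the ethereal.fc section shows is `tshark`; `tshark_exec_t` and `tshark_t` would be easier to grep and audit. The comments at file lines 11, 35 and 41 (`# Tethereal`, `# Read ethereal files in /usr`, `# Ethereal sysadm rules`) still carry the old names and should follow the rename, for example `# Tshark (formerly tethereal)`. The `# FIXME: policy is incomplete` marker at line 44 is carried over unchanged, so it would help to state which accesses are still missing.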
(-)ethereal_macros.te (-22 / +22 lines)
Lines 8-14 Link Here
8
#	restricted ethereal rules (sysadm only)
8
#	restricted ethereal rules (sysadm only)
9
#                               
9
#                               
10
10
11
define(`ethereal_networking', `
11
define(`wireshark_networking', `
12
12
13
# Create various types of sockets
13
# Create various types of sockets
14
allow $1_t self:netlink_route_socket create_netlink_socket_perms;
14
allow $1_t self:netlink_route_socket create_netlink_socket_perms;
Lines 22-81 Link Here
22
# Resolve names via DNS
22
# Resolve names via DNS
23
can_resolve($1_t)
23
can_resolve($1_t)
24
24
25
') dnl ethereal_networking
25
') dnl wireshark_networking
26
26
27
########################################################
27
########################################################
28
# Ethereal (GNOME) 
28
# Ethereal (GNOME) 
29
#
29
#
30
30
31
define(`ethereal_domain', `
31
define(`wireshark_domain', `
32
32
33
# Type for program
33
# Type for program
34
type $1_ethereal_t, domain, nscd_client_domain;
34
type $1_wireshark_t, domain, nscd_client_domain;
35
35
36
# Transition from sysadm type
36
# Transition from sysadm type
37
domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t)
37
domain_auto_trans($1_t, wireshark_exec_t, $1_wireshark_t)
38
role $1_r types $1_ethereal_t;
38
role $1_r types $1_ethereal_t;
39
39
40
# Manual transition from userhelper 
40
# Manual transition from userhelper 
41
ifdef(`userhelper.te', `
41
ifdef(`userhelper.te', `
42
allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
42
allow userhelperdomain $1_wireshark_t:process { transition siginh rlimitinh noatsecure };
43
allow $1_ethereal_t userhelperdomain:fd use;
43
allow $1_wireshark_t userhelperdomain:fd use;
44
allow $1_ethereal_t userhelperdomain:process sigchld;
44
allow $1_wireshark_t userhelperdomain:process sigchld;
45
') dnl userhelper
45
') dnl userhelper
46
46
47
# X, GNOME
47
# X, GNOME
48
x_client_domain($1_ethereal, $1)
48
x_client_domain($1_wireshark, $1)
49
gnome_application($1_ethereal, $1)
49
gnome_application($1_wireshark, $1)
50
gnome_file_dialog($1_ethereal, $1)
50
gnome_file_dialog($1_wireshark, $1)
51
51
52
# Why does it write this?
52
# Why does it write this? - think this is the snmp library dgb
53
ifdef(`snmpd.te', `
53
ifdef(`snmpd.te', `
54
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write;
54
dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;
55
')
55
')
56
56
57
# /home/.ethereal
57
# /home/.ethereal
58
home_domain($1, ethereal)
58
home_domain($1, wireshark)
59
file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir)
59
file_type_auto_trans($1_wireshark_t, $1_home_dir_t, $1_wireshark_home_t, dir)
60
60
61
# Enable restricted networking rules for sysadm - this is shared w/ tethereal
61
# Enable restricted networking rules for sysadm - this is shared w/ tethereal
62
ifelse($1, `sysadm', `
62
ifelse($1, `sysadm', `
63
ethereal_networking($1_ethereal) 
63
wireshark_networking($1_wireshark) 
64
64
65
# Ethereal tries to write to user terminal
65
# Ethereal tries to write to user terminal
66
dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write };
66
dontaudit sysadm_wireshark_t user_tty_type:chr_file { read write };
67
dontaudit sysadm_ethereal_t unpriv_userdomain:fd use;
67
dontaudit sysadm_wireshark_t unpriv_userdomain:fd use;
68
', `')
68
', `')
69
69
70
# Store temporary files
70
# Store temporary files
71
tmp_domain($1_ethereal)
71
tmp_domain($1_wireshark)
72
72
73
# Re-execute itself (why?)
73
# Re-execute itself (why?)
74
can_exec($1_ethereal_t, ethereal_exec_t)
74
can_exec($1_wireshark_t, wireshark_exec_t)
75
allow $1_ethereal_t sbin_t:dir search;
75
allow $1_wireshark_t sbin_t:dir search;
76
76
77
# Supress .local denials until properly implemented
77
# Supress .local denials until properly implemented
78
dontaudit $1_ethereal_t $1_home_t:dir search;
78
dontaudit $1_wireshark_t $1_home_t:dir search;
79
79
80
# FIXME: policy is incomplete
80
# FIXME: policy is incomplete
81
81
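Review bot: `role $1_r types $1_ethereal_t;` at file line 38 is left unchanged while the type declared four lines above it becomes `$1_wireshark_t`, so the role is never authorized for the new domain and the statement names a type this macro no longer declares. Unless `$1_ethereal_t` is still declared elsewhere, the policy should fail to build; if it is, the transition set up by `domain_auto_trans($1_t, wireshark_exec_t, $1_wireshark_t)` would presumably be refused because the role/type pair is not valid. The line should read `role $1_r types $1_wireshark_t;`. Separately, `dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write;` at line 54 sits outside the sysadm-only `ifelse` block and hard-codes the sysadm type inside a per-role macro, where `$1_wireshark_t` looks like what is meant. Callers of the renamed `wireshark_domain` and `wireshark_networking` macros outside this patch need the same rename.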
