Lines 8-14
8 |
# restricted ethereal rules (sysadm only) |
8 |
# restricted ethereal rules (sysadm only) |
9 |
# |
9 |
# |
10 |
|
10 |
|
11 |
define(`ethereal_networking', ` |
11 |
define(`wireshark_networking', ` |
12 |
|
12 |
|
13 |
# Create various types of sockets |
13 |
# Create various types of sockets |
14 |
allow $1_t self:netlink_route_socket create_netlink_socket_perms; |
14 |
allow $1_t self:netlink_route_socket create_netlink_socket_perms; |
Lines 22-81
22 |
# Resolve names via DNS |
22 |
# Resolve names via DNS |
23 |
can_resolve($1_t) |
23 |
can_resolve($1_t) |
24 |
|
24 |
|
25 |
') dnl ethereal_networking |
25 |
') dnl wireshark_networking |
26 |
|
26 |
|
27 |
######################################################## |
27 |
######################################################## |
28 |
# Ethereal (GNOME) |
28 |
# Ethereal (GNOME) |
29 |
# |
29 |
# |
30 |
|
30 |
|
31 |
define(`ethereal_domain', ` |
31 |
define(`wireshark_domain', ` |
32 |
|
32 |
|
33 |
# Type for program |
33 |
# Type for program |
34 |
type $1_ethereal_t, domain, nscd_client_domain; |
34 |
type $1_wireshark_t, domain, nscd_client_domain; |
35 |
|
35 |
|
36 |
# Transition from sysadm type |
36 |
# Transition from sysadm type |
37 |
domain_auto_trans($1_t, ethereal_exec_t, $1_ethereal_t) |
37 |
domain_auto_trans($1_t, wireshark_exec_t, $1_wireshark_t) |
38 |
role $1_r types $1_ethereal_t; |
38 |
role $1_r types $1_ethereal_t; |
39 |
|
39 |
|
40 |
# Manual transition from userhelper |
40 |
# Manual transition from userhelper |
41 |
ifdef(`userhelper.te', ` |
41 |
ifdef(`userhelper.te', ` |
42 |
allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure }; |
42 |
allow userhelperdomain $1_wireshark_t:process { transition siginh rlimitinh noatsecure }; |
43 |
allow $1_ethereal_t userhelperdomain:fd use; |
43 |
allow $1_wireshark_t userhelperdomain:fd use; |
44 |
allow $1_ethereal_t userhelperdomain:process sigchld; |
44 |
allow $1_wireshark_t userhelperdomain:process sigchld; |
45 |
') dnl userhelper |
45 |
') dnl userhelper |
46 |
|
46 |
|
47 |
# X, GNOME |
47 |
# X, GNOME |
48 |
x_client_domain($1_ethereal, $1) |
48 |
x_client_domain($1_wireshark, $1) |
49 |
gnome_application($1_ethereal, $1) |
49 |
gnome_application($1_wireshark, $1) |
50 |
gnome_file_dialog($1_ethereal, $1) |
50 |
gnome_file_dialog($1_wireshark, $1) |
51 |
|
51 |
|
52 |
# Why does it write this? |
52 |
# Why does it write this? - think this is the snmp library dgb |
53 |
ifdef(`snmpd.te', ` |
53 |
ifdef(`snmpd.te', ` |
54 |
dontaudit sysadm_ethereal_t snmpd_var_lib_t:file write; |
54 |
dontaudit sysadm_wireshark_t snmpd_var_lib_t:file write; |
55 |
') |
55 |
') |
56 |
|
56 |
|
57 |
# /home/.ethereal |
57 |
# /home/.ethereal |
58 |
home_domain($1, ethereal) |
58 |
home_domain($1, wireshark) |
59 |
file_type_auto_trans($1_ethereal_t, $1_home_dir_t, $1_ethereal_home_t, dir) |
59 |
file_type_auto_trans($1_wireshark_t, $1_home_dir_t, $1_wireshark_home_t, dir) |
60 |
|
60 |
|
61 |
# Enable restricted networking rules for sysadm - this is shared w/ tethereal |
61 |
# Enable restricted networking rules for sysadm - this is shared w/ tethereal |
62 |
ifelse($1, `sysadm', ` |
62 |
ifelse($1, `sysadm', ` |
63 |
ethereal_networking($1_ethereal) |
63 |
wireshark_networking($1_wireshark) |
64 |
|
64 |
|
65 |
# Ethereal tries to write to user terminal |
65 |
# Ethereal tries to write to user terminal |
66 |
dontaudit sysadm_ethereal_t user_tty_type:chr_file { read write }; |
66 |
dontaudit sysadm_wireshark_t user_tty_type:chr_file { read write }; |
67 |
dontaudit sysadm_ethereal_t unpriv_userdomain:fd use; |
67 |
dontaudit sysadm_wireshark_t unpriv_userdomain:fd use; |
68 |
', `') |
68 |
', `') |
69 |
|
69 |
|
70 |
# Store temporary files |
70 |
# Store temporary files |
71 |
tmp_domain($1_ethereal) |
71 |
tmp_domain($1_wireshark) |
72 |
|
72 |
|
73 |
# Re-execute itself (why?) |
73 |
# Re-execute itself (why?) |
74 |
can_exec($1_ethereal_t, ethereal_exec_t) |
74 |
can_exec($1_wireshark_t, wireshark_exec_t) |
75 |
allow $1_ethereal_t sbin_t:dir search; |
75 |
allow $1_wireshark_t sbin_t:dir search; |
76 |
|
76 |
|
77 |
# Supress .local denials until properly implemented |
77 |
# Supress .local denials until properly implemented |
78 |
dontaudit $1_ethereal_t $1_home_t:dir search; |
78 |
dontaudit $1_wireshark_t $1_home_t:dir search; |
79 |
|
79 |
|
80 |
# FIXME: policy is incomplete |
80 |
# FIXME: policy is incomplete |
81 |
|
81 |
|
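Review bot: The rename misses line 38, which still reads `role $1_r types $1_ethereal_t;` in both columns while the type on line 34 and the transition target on line 37 are now `$1_wireshark_t`; it should become `role $1_r types $1_wireshark_t;`. If `$1_ethereal_t` is no longer declared anywhere the policy fails to compile, and if it still is, `$1_r` is never authorized for the new domain, so the `domain_auto_trans` on line 37 is refused at exec time and the tool either fails to start or, with a permissive role check, does not get confined as intended. The comments on lines 28, 57, 61 and 65 also still say Ethereal/tethereal (line 57 presumably should name the `.wireshark` home directory that `home_domain($1, wireshark)` labels — worth confirming against the file contexts), which will mislead the next reader of this macro.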