1 files changed, 140 insertions, 0 deletions

diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
new file mode 100644
index 00000000..ade6c2cc
--- /dev/null
+++ b/policy/modules/contrib/zebra.te
@@ -0,0 +1,140 @@
+policy_module(zebra, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow zebra daemon to write it configuration files
+## </p>
+## </desc>
+#
+gen_tunable(allow_zebra_write_config, false)
+
+type zebra_t;
+type zebra_exec_t;
+init_daemon_domain(zebra_t, zebra_exec_t)
+
+type zebra_conf_t;
+files_type(zebra_conf_t)
+
+type zebra_initrc_exec_t;
+init_script_file(zebra_initrc_exec_t)
+
+type zebra_log_t;
+logging_log_file(zebra_log_t)
+
+type zebra_tmp_t;
+files_tmp_file(zebra_tmp_t)
+
+type zebra_var_run_t;
+files_pid_file(zebra_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow zebra_t self:capability { setgid setuid net_admin net_raw };
+dontaudit zebra_t self:capability sys_tty_config;
+allow zebra_t self:process { signal_perms getcap setcap };
+allow zebra_t self:file rw_file_perms;
+allow zebra_t self:unix_dgram_socket create_socket_perms;
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
+allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
+allow zebra_t self:udp_socket create_socket_perms;
+allow zebra_t self:rawip_socket create_socket_perms;
+
+allow zebra_t zebra_conf_t:dir list_dir_perms;
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+
+allow zebra_t zebra_log_t:dir setattr;
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+
+# /tmp/.bgpd is such a bad idea!
+allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
+files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
+
+manage_dirs_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+manage_sock_files_pattern(zebra_t, zebra_var_run_t, zebra_var_run_t)
+files_pid_filetrans(zebra_t, zebra_var_run_t, { dir file sock_file })
+
+kernel_read_system_state(zebra_t)
+kernel_read_network_state(zebra_t)
+kernel_read_kernel_sysctls(zebra_t)
+kernel_rw_net_sysctls(zebra_t)
+
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
+corenet_tcp_sendrecv_generic_if(zebra_t)
+corenet_udp_sendrecv_generic_if(zebra_t)
+corenet_raw_sendrecv_generic_if(zebra_t)
+corenet_tcp_sendrecv_generic_node(zebra_t)
+corenet_udp_sendrecv_generic_node(zebra_t)
+corenet_raw_sendrecv_generic_node(zebra_t)
+corenet_tcp_sendrecv_all_ports(zebra_t)
+corenet_udp_sendrecv_all_ports(zebra_t)
+corenet_tcp_bind_generic_node(zebra_t)
+corenet_udp_bind_generic_node(zebra_t)
+corenet_tcp_bind_bgp_port(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_tcp_connect_bgp_port(zebra_t)
+corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_sendrecv_router_server_packets(zebra_t)
+
+dev_associate_usbfs(zebra_var_run_t)
+dev_list_all_dev_nodes(zebra_t)
+dev_read_sysfs(zebra_t)
+dev_rw_zero(zebra_t)
+
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
+domain_use_interactive_fds(zebra_t)
+
+files_search_etc(zebra_t)
+files_read_etc_files(zebra_t)
+files_read_etc_runtime_files(zebra_t)
+
+logging_send_syslog_msg(zebra_t)
+
+miscfiles_read_localization(zebra_t)
+
+sysnet_read_config(zebra_t)
+
+userdom_dontaudit_use_unpriv_user_fds(zebra_t)
+userdom_dontaudit_search_user_home_dirs(zebra_t)
+
+tunable_policy(`allow_zebra_write_config',`
+	manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(zebra_t)
+')
+
+optional_policy(`
+	rpm_read_pipes(zebra_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(zebra_t)
+')
+
+optional_policy(`
+	udev_read_db(zebra_t)
+')
+
+optional_policy(`
+	unconfined_sigchld(zebra_t)
+')