[selinux-policy: 35/3172] complete corenetwork
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:07:58 UTC 2010
commit 0e730cc8e1e4ee5b730043bbb89a2bbf62a44e3a
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Apr 21 21:53:15 2005 +0000
complete corenetwork
refpolicy/Makefile | 2 +-
refpolicy/policy/modules/kernel/corenetwork.if | 1077 ++++++++++++++++++++++--
refpolicy/policy/modules/kernel/kernel.te | 8 +-
refpolicy/policy/modules/system/init.te | 28 +-
4 files changed, 1008 insertions(+), 107 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 7e4d4a6..6e27e81 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -156,7 +156,7 @@ tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/co
$(QUIET) for i in $(notdir $(ALL_TE_FILES)); do \
echo "define(\`$$i')" >> $@ ;\
done
- $(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
+ $(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
tmp/all_interfaces.conf: $(ALL_INTERFACES)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if
index 6a58cf1..aabac0b 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if
+++ b/refpolicy/policy/modules/kernel/corenetwork.if
@@ -2,16 +2,46 @@
#######################################
#
-# corenetwork_send_tcp_on_general_interface(domain,[`optional'])
+# corenetwork_network_tcp_on_general_interface(domain,[`optional'])
#
-define(`corenetwork_send_tcp_on_general_interface',`
-requires_block_template(`corenetwork_send_tcp_on_general_interface_depend',$2)
-allow $1 netif_t:netif tcp_send;
+define(`corenetwork_network_tcp_on_general_interface',`
+requires_block_template(`corenetwork_network_tcp_on_general_interface_depend',$2)
+allow $1 netif_t:netif { tcp_send tcp_recv };
')
-define(`corenetwork_send_tcp_on_general_interface_depend',`
+define(`corenetwork_network_tcp_on_general_interface_depend',`
type netif_t;
-class netif tcp_send;
+class netif { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_general_interface',`
+requires_block_template(`corenetwork_network_udp_on_general_interface_depend',$2)
+corenetwork_send_udp_on_general_interface($1,$2)
+corenetwork_receive_udp_on_general_interface($1,$2)
+')
+
+define(`corenetwork_network_udp_on_general_interface_depend',`
+corenetwork_send_udp_on_general_interface_depend
+corenetwork_receive_udp_on_general_interface_depend
+')
+
+#######################################
+#
+# corenetwork_network_raw_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_network_raw_on_general_interface',`
+requires_block_template(`corenetwork_network_raw_on_general_interface_depend',$2)
+corenetwork_send_raw_on_general_interface($1,$2)
+corenetwork_receive_raw_on_general_interface($1,$2)
+')
+
+define(`corenetwork_network_raw_on_general_interface_depend',`
+corenetwork_send_raw_on_general_interface_depend
+corenetwork_receive_raw_on_general_interface_depend
')
#######################################
@@ -30,6 +60,20 @@ class netif udp_send;
#######################################
#
+# corenetwork_receive_udp_on_general_interface(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_general_interface',`
+requires_block_template(`corenetwork_receive_udp_on_general_interface_depend',$2)
+allow $1 netif_t:netif udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_general_interface_depend',`
+type netif_t;
+class netif udp_recv;
+')
+
+#######################################
+#
# corenetwork_send_raw_on_general_interface(domain,[`optional'])
#
define(`corenetwork_send_raw_on_general_interface',`
@@ -46,58 +90,60 @@ class capability net_raw;
#######################################
#
-# corenetwork_receive_tcp_on_general_interface(domain,[`optional'])
+# corenetwork_receive_raw_on_general_interface(domain,[`optional'])
#
-define(`corenetwork_receive_tcp_on_general_interface',`
-requires_block_template(`corenetwork_receive_tcp_on_general_interface_depend',$2)
-allow $1 netif_t:netif tcp_recv;
+define(`corenetwork_receive_raw_on_general_interface',`
+requires_block_template(`corenetwork_receive_raw_on_general_interface_depend',$2)
+allow $1 netif_t:netif rawip_recv;
')
-define(`corenetwork_receive_tcp_on_general_interface_depend',`
+define(`corenetwork_receive_raw_on_general_interface_depend',`
type netif_t;
-class netif tcp_recv;
+class netif rawip_recv;
')
#######################################
#
-# corenetwork_receive_udp_on_general_interface(domain,[`optional'])
+# corenetwork_network_tcp_on_all_interfaces(domain,[`optional'])
#
-define(`corenetwork_receive_udp_on_general_interface',`
-requires_block_template(`corenetwork_receive_udp_on_general_interface_depend',$2)
-allow $1 netif_t:netif udp_recv;
+define(`corenetwork_network_tcp_on_all_interfaces',`
+requires_block_template(`corenetwork_network_tcp_on_all_interfaces_depend',$2)
+allow $1 netif_type:netif { tcp_send tcp_recv };
')
-define(`corenetwork_receive_udp_on_general_interface_depend',`
-type netif_t;
-class netif udp_recv;
+define(`corenetwork_network_tcp_on_all_interfaces_depend',`
+attribute netif_type;
+class netif { tcp_send tcp_recv };
')
#######################################
#
-# corenetwork_receive_raw_on_general_interface(domain,[`optional'])
+# corenetwork_network_udp_on_all_interfaces(domain,[`optional'])
#
-define(`corenetwork_receive_raw_on_general_interface',`
-requires_block_template(`corenetwork_receive_raw_on_general_interface_depend',$2)
-allow $1 netif_t:netif rawip_recv;
+define(`corenetwork_network_udp_on_all_interfaces',`
+requires_block_template(`corenetwork_network_udp_on_all_interfaces_depend',$2)
+corenetwork_send_udp_on_all_interfaces($1,$2)
+corenetwork_receive_udp_on_all_interfaces($1,$2)
')
-define(`corenetwork_receive_raw_on_general_interface_depend',`
-type netif_t;
-class netif rawip_recv;
+define(`corenetwork_network_udp_on_all_interfaces_depend',`
+corenetwork_send_udp_on_all_interfaces_depend
+corenetwork_receive_udp_on_all_interfaces_depend
')
#######################################
#
-# corenetwork_send_tcp_on_all_interfaces(domain,[`optional'])
+# corenetwork_network_raw_on_all_interfaces(domain,[`optional'])
#
-define(`corenetwork_send_tcp_on_all_interfaces',`
-requires_block_template(`corenetwork_send_tcp_on_all_interfaces_depend',$2)
-allow $1 netif_type:netif tcp_send;
+define(`corenetwork_network_raw_on_all_interfaces',`
+requires_block_template(`corenetwork_network_raw_on_all_interfaces_depend',$2)
+corenetwork_send_raw_on_all_interfaces($1,$2)
+corenetwork_receive_raw_on_all_interfaces($1,$2)
')
-define(`corenetwork_send_tcp_on_all_interfaces_depend',`
-attribute all_netif_type;
-class netif tcp_send;
+define(`corenetwork_network_raw_on_all_interfaces_depend',`
+corenetwork_send_raw_on_all_interfaces_depend
+corenetwork_receive_raw_on_all_interfaces_depend
')
#######################################
@@ -132,20 +178,6 @@ class capability net_raw;
#######################################
#
-# corenetwork_receive_tcp_on_all_interfaces(domain,[`optional'])
-#
-define(`corenetwork_receive_tcp_on_all_interfaces',`
-requires_block_template(`corenetwork_receive_tcp_on_all_interfaces_depend',$2)
-allow $1 netif_type:netif tcp_recv;
-')
-
-define(`corenetwork_receive_tcp_on_all_interfaces_depend',`
-attribute netif_type;
-class netif tcp_recv;
-')
-
-#######################################
-#
# corenetwork_receive_udp_on_all_interfaces(domain,[`optional'])
#
define(`corenetwork_receive_udp_on_all_interfaces',`
@@ -172,6 +204,614 @@ attribute netif_type;
class netif rawip_recv;
')
+#######################################
+#
+# corenetwork_network_tcp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_general_node',`
+requires_block_template(`corenetwork_network_tcp_on_general_node_depend',$2)
+allow $1 node_t:node { tcp_send tcp_recv };
+')
+
+define(`corenetwork_network_tcp_on_general_node_depend',`
+type node_t;
+class node { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_general_node',`
+requires_block_template(`corenetwork_network_udp_on_general_node_depend',$2)
+corenetwork_send_udp_on_general_node($1,$2)
+corenetwork_receive_udp_on_general_node($1,$2)
+')
+
+define(`corenetwork_network_udp_on_general_node_depend',`
+corenetwork_send_udp_on_general_node_depend
+corenetwork_receive_udp_on_general_node_depend
+')
+
+#######################################
+#
+# corenetwork_network_raw_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_network_raw_on_general_node',`
+requires_block_template(`corenetwork_network_raw_on_general_node_depend',$2)
+corenetwork_send_raw_on_general_node($1,$2)
+corenetwork_receive_raw_on_general_node($1,$2)
+')
+
+define(`corenetwork_network_raw_on_general_node_depend',`
+corenetwork_send_raw_on_general_node_depend
+corenetwork_receive_raw_on_general_node_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_general_node',`
+requires_block_template(`corenetwork_send_udp_on_general_node_depend',$2)
+allow $1 node_t:node udp_send;
+')
+
+define(`corenetwork_send_udp_on_general_node_depend',`
+type node_t;
+class node udp_send;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_general_node',`
+requires_block_template(`corenetwork_receive_udp_on_general_node_depend',$2)
+allow $1 node_t:node udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_general_node_depend',`
+type node_t;
+class node udp_recv;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_general_node',`
+requires_block_template(`corenetwork_send_raw_on_general_node_depend',$2)
+allow $1 node_t:node rawip_send;
+allow $1 self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_general_node_depend',`
+type node_t;
+class node rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_general_node',`
+requires_block_template(`corenetwork_receive_raw_on_general_node_depend',$2)
+allow $1 node_t:node rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_general_node_depend',`
+type node_t;
+class node rawip_recv;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_general_node',`
+requires_block_template(`corenetwork_bind_tcp_on_general_node_depend',$2)
+allow $1 node_t:tcp_socket node_bind;
+')
+
+define(`corenetwork_bind_udp_on_general_node_depend',`
+type node_t;
+class tcp_socket node_bind;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_general_node(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_general_node',`
+requires_block_template(`corenetwork_bind_udp_on_general_node_depend',$2)
+allow $1 node_t:udp_socket node_bind;
+')
+
+define(`corenetwork_bind_udp_on_general_node_depend',`
+type node_t;
+class udp_socket node_bind;
+')
+
+#######################################
+#
+# corenetwork_network_tcp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_all_nodes',`
+requires_block_template(`corenetwork_network_tcp_on_all_nodes_depend',$2)
+allow $1 node_type:node { tcp_send tcp_recv };
+')
+
+define(`corenetwork_network_tcp_on_all_nodes_depend',`
+attribute node_type;
+class node { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_all_nodes',`
+requires_block_template(`corenetwork_network_udp_on_all_nodes_depend',$2)
+corenetwork_send_udp_on_all_nodes($1,optional)
+corenetwork_receive_udp_on_all_nodes($1,optional)
+')
+
+define(`corenetwork_network_udp_on_all_nodes_depend',`
+corenetwork_send_udp_on_all_nodes_depend
+corenetwork_receive_udp_on_all_nodes_depend
+')
+
+#######################################
+#
+# corenetwork_network_raw_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_network_raw_on_all_nodes',`
+requires_block_template(`corenetwork_network_raw_on_all_nodes_depend',$2)
+corenetwork_send_raw_on_all_nodes($1,optional)
+corenetwork_receive_raw_on_all_nodes($1,optional)
+')
+
+define(`corenetwork_network_raw_on_all_nodes_depend',`
+corenetwork_send_raw_on_all_nodes_depend
+corenetwork_receive_raw_on_all_nodes_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_all_nodes',`
+requires_block_template(`corenetwork_send_udp_on_all_nodes_depend',$2)
+allow $1 node_type:node udp_send;
+')
+
+define(`corenetwork_send_udp_on_all_nodes_depend',`
+attribute node_type;
+class node udp_send;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_all_nodes',`
+requires_block_template(`corenetwork_receive_udp_on_all_nodes_depend',$2)
+allow $1 node_type:node udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_all_nodes_depend',`
+attribute node_type;
+class node udp_recv;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_all_nodes',`
+requires_block_template(`corenetwork_send_raw_on_all_nodes_depend',$2)
+allow $1 node_type:node rawip_send;
+allow $1 self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_all_nodes_depend',`
+attribute node_type;
+class node rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_all_nodes',`
+requires_block_template(`corenetwork_receive_raw_on_all_nodes_depend',$2)
+allow $1 node_type:node rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_all_nodes_depend',`
+attribute node_type;
+class node rawip_recv;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_all_nodes',`
+requires_block_template(`corenetwork_bind_tcp_on_all_nodes_depend',$2)
+allow $1 node_type:tcp_socket node_bind;
+')
+
+define(`corenetwork_bind_udp_on_all_nodes_depend',`
+type node_type;
+class tcp_socket node_bind;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_all_nodes(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_all_nodes',`
+requires_block_template(`corenetwork_bind_udp_on_all_nodes_depend',$2)
+allow $1 node_type:udp_socket node_bind;
+')
+
+define(`corenetwork_bind_udp_on_all_nodes_depend',`
+type node_type;
+class udp_socket node_bind;
+')
+
+#######################################
+#
+# corenetwork_network_tcp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_general_port',`
+requires_block_template(`corenetwork_network_tcp_on_general_port_depend',$2)
+allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenetwork_network_tcp_on_general_port_depend',`
+type port_t;
+class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_general_port',`
+requires_block_template(`corenetwork_network_udp_on_general_port_depend',$2)
+corenetwork_send_udp_on_general_port($1,$2)
+corenetwork_receive_udp_on_general_port($1,$2)
+')
+
+define(`corenetwork_network_udp_on_general_port_depend',`
+corenetwork_send_udp_on_general_port_depend
+corenetwork_receive_udp_on_general_port_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_general_port',`
+requires_block_template(`corenetwork_send_udp_on_general_port_depend',$2)
+allow $1 port_t:udp_socket send_msg;
+')
+
+define(`corenetwork_send_udp_on_general_port_depend',`
+type port_t;
+class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_general_port',`
+requires_block_template(`corenetwork_receive_udp_on_general_port_depend',$2)
+allow $1 port_t:udp_socket recv_msg;
+')
+
+define(`corenetwork_receive_udp_on_general_port_depend',`
+type port_t;
+class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_general_port',`
+requires_block_template(`corenetwork_bind_tcp_on_general_port_depend',$2)
+allow $1 port_t:tcp_socket name_bind;
+')
+
+define(`corenetwork_bind_udp_on_general_port_depend',`
+type port_t;
+class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_general_port(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_general_port',`
+requires_block_template(`corenetwork_bind_udp_on_general_port_depend',$2)
+allow $1 port_t:udp_socket name_bind;
+')
+
+define(`corenetwork_bind_udp_on_general_port_depend',`
+type port_t;
+class udp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_network_tcp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_all_ports',`
+requires_block_template(`corenetwork_network_tcp_on_all_ports_depend',$2)
+allow $1 port_type:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenetwork_network_tcp_on_all_ports_depend',`
+attribute port_type;
+class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_all_ports',`
+requires_block_template(`corenetwork_network_udp_on_all_ports_depend',$2)
+corenetwork_send_udp_on_all_ports($1,optional)
+corenetwork_receive_udp_on_all_ports($1,optional)
+')
+
+define(`corenetwork_network_udp_on_all_ports_depend',`
+corenetwork_send_udp_on_all_ports_depend
+corenetwork_receive_udp_on_all_ports_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_all_ports',`
+requires_block_template(`corenetwork_send_udp_on_all_ports_depend',$2)
+allow $1 port_type:udp_socket send_msg;
+')
+
+define(`corenetwork_send_udp_on_all_ports_depend',`
+attribute port_type;
+class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_all_ports',`
+requires_block_template(`corenetwork_receive_udp_on_all_ports_depend',$2)
+allow $1 port_type:udp_socket recv_msg;
+')
+
+define(`corenetwork_receive_udp_on_all_ports_depend',`
+attribute port_type;
+class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_all_ports',`
+requires_block_template(`corenetwork_bind_tcp_on_all_ports_depend',$2)
+allow $1 port_type:tcp_socket name_bind;
+')
+
+define(`corenetwork_bind_udp_on_all_ports_depend',`
+type port_type;
+class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_all_ports(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_all_ports',`
+requires_block_template(`corenetwork_bind_udp_on_all_ports_depend',$2)
+allow $1 port_type:udp_socket name_bind;
+')
+
+define(`corenetwork_bind_udp_on_all_ports_depend',`
+type port_type;
+class udp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_network_tcp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_reserved_port',`
+requires_block_template(`corenetwork_network_tcp_on_reserved_port_depend',$2)
+allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenetwork_network_tcp_on_reserved_port_depend',`
+type reserved_port_t;
+class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_reserved_port',`
+requires_block_template(`corenetwork_network_udp_on_reserved_port_depend',$2)
+corenetwork_send_udp_on_reserved_port($1,$2)
+corenetwork_receive_udp_on_reserved_port($1,$2)
+')
+
+define(`corenetwork_network_udp_on_reserved_port_depend',`
+corenetwork_send_udp_on_reserved_port_depend
+corenetwork_receive_udp_on_reserved_port_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_reserved_port',`
+requires_block_template(`corenetwork_send_udp_on_reserved_port_depend',$2)
+allow $1 reserved_port_t:udp_socket send_msg;
+')
+
+define(`corenetwork_send_udp_on_reserved_port_depend',`
+type reserved_port_t;
+class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_reserved_port',`
+requires_block_template(`corenetwork_receive_udp_on_reserved_port_depend',$2)
+allow $1 reserved_port_t:udp_socket recv_msg;
+')
+
+define(`corenetwork_receive_udp_on_reserved_port_depend',`
+type reserved_port_t;
+class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_reserved_port',`
+requires_block_template(`corenetwork_bind_tcp_on_reserved_port_depend',$2)
+allow $1 reserved_port_t:tcp_socket name_bind;
+allow $1 self:capability net_bind_service;
+')
+
+define(`corenetwork_bind_udp_on_reserved_port_depend',`
+type reserved_port_t;
+class tcp_socket name_bind;
+class capability net_bind_service;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_reserved_port(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_reserved_port',`
+requires_block_template(`corenetwork_bind_udp_on_reserved_port_depend',$2)
+allow $1 reserved_port_t:udp_socket name_bind;
+allow $1 self:capability net_bind_service;
+')
+
+define(`corenetwork_bind_udp_on_reserved_port_depend',`
+type reserved_port_t;
+class udp_socket name_bind;
+class capability net_bind_service;
+')
+
+#######################################
+#
+# corenetwork_network_tcp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_network_tcp_on_all_reserved_ports_depend',$2)
+allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenetwork_network_tcp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_network_udp_on_all_reserved_ports_depend',$2)
+corenetwork_send_udp_on_all_reserved_ports($1,optional)
+corenetwork_receive_udp_on_all_reserved_ports($1,optional)
+')
+
+define(`corenetwork_network_udp_on_all_reserved_ports_depend',`
+corenetwork_send_udp_on_all_reserved_ports_depend
+corenetwork_receive_udp_on_all_reserved_ports_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_send_udp_on_all_reserved_ports_depend',$2)
+allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+define(`corenetwork_send_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_receive_udp_on_all_reserved_ports_depend',$2)
+allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+define(`corenetwork_receive_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_bind_tcp_on_all_reserved_ports_depend',$2)
+allow $1 reserved_port_type:tcp_socket name_bind;
+allow $1 self:capability net_bind_service;
+')
+
+define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
+type reserved_port_type;
+class tcp_socket name_bind;
+class capability net_bind_service;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_bind_udp_on_all_reserved_ports_depend',$2)
+allow $1 reserved_port_type:udp_socket name_bind;
+allow $1 self:capability net_bind_service;
+')
+
+define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
+type reserved_port_type;
+class udp_socket name_bind;
+class self:capability net_bind_service;
+')
+
########################################
#
# This section is processed through m4 to create real interfaces
@@ -187,46 +827,96 @@ define(`portcon',`dnl')
define(`devices_make_device_node',`dnl')
')
+########################################
+#
+# Network Interface generated macros
+#
+########################################
+
define(`create_netif_interfaces',``
#######################################
#
-# corenetwork_send_tcp_on_interface_$1(domain,[`optional'])
+# corenetwork_network_tcp_on_$1_interface(domain,[`optional'])
#
-define(`corenetwork_send_tcp_on_interface_$1',`
-requires_block_template(`corenetwork_send_tcp_on_interface_$1_depend',dollarstwo)
-allow dollarsone $1_netif_t:netif tcp_send;
+define(`corenetwork_network_tcp_on_$1_interface',`
+requires_block_template(`corenetwork_network_tcp_on_$1_interface_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif { tcp_send tcp_recv };
')
-define(`corenetwork_send_tcp_on_interface_$1_depend',`
+define(`corenetwork_network_tcp_on_$1_interface_depend',`
type $1_netif_t;
-class netif tcp_send;
+class netif { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_$1_interface(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_$1_interface',`
+requires_block_template(`corenetwork_network_udp_on_$1_interface_depend',dollarstwo)
+corenetwork_send_udp_on_$1_interface(dollarsone,dollarstwo)
+corenetwork_receive_udp_on_$1_interface(dollarsone,dollarstwo)
+')
+
+define(`corenetwork_network_udp_on_$1_interface_depend',`
+corenetwork_send_udp_on_$1_interface_depend
+corenetwork_receive_udp_on_$1_interface_depend
+')
+
+#######################################
+#
+# corenetwork_network_raw_on_$1_interface(domain,[`optional'])
+#
+define(`corenetwork_network_raw_on_$1_interface',`
+requires_block_template(`corenetwork_network_raw_on_$1_interface_depend',dollarstwo)
+corenetwork_send_raw_on_$1_interface(dollarsone,dollarstwo)
+corenetwork_receive_raw_on_$1_interface(dollarsone,dollarstwo)
+')
+
+define(`corenetwork_network_raw_on_$1_interface_depend',`
+corenetwork_send_raw_on_$1_interface_depend
+corenetwork_receive_raw_on_$1_interface_depend
')
#######################################
#
-# corenetwork_send_udp_on_interface_$1(domain,[`optional'])
+# corenetwork_send_udp_on_$1_interface(domain,[`optional'])
#
-define(`corenetwork_send_udp_on_interface_$1',`
-requires_block_template(`corenetwork_send_udp_on_interface_$1_depend',dollarstwo)
+define(`corenetwork_send_udp_on_$1_interface',`
+requires_block_template(`corenetwork_send_udp_on_$1_interface_depend',dollarstwo)
allow dollarsone $1_netif_t:netif udp_send;
')
-define(`corenetwork_send_udp_on_interface_$1_depend',`
+define(`corenetwork_send_udp_on_$1_interface_depend',`
type $1_netif_t;
class netif udp_send;
')
#######################################
#
-# corenetwork_send_raw_on_interface_$1(domain,[`optional'])
+# corenetwork_receive_udp_on_$1_interface(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_$1_interface',`
+requires_block_template(`corenetwork_receive_udp_on_$1_interface_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_$1_interface_depend',`
+type $1_netif_t;
+class netif udp_recv;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_$1_interface(domain,[`optional'])
#
-define(`corenetwork_send_raw_on_interface_$1',`
-requires_block_template(`corenetwork_send_raw_on_interface_$1_depend',dollarstwo)
+define(`corenetwork_send_raw_on_$1_interface',`
+requires_block_template(`corenetwork_send_raw_on_$1_interface_depend',dollarstwo)
allow dollarsone $1_netif_t:netif rawip_send;
allow dollarsone self:capability net_raw;
')
-define(`corenetwork_send_raw_on_interface_$1_depend',`
+define(`corenetwork_send_raw_on_$1_interface_depend',`
type $1_netif_t;
class netif rawip_send;
class capability net_raw;
@@ -234,46 +924,253 @@ class capability net_raw;
#######################################
#
-# corenetwork_receive_tcp_on_interface_$1(domain,[`optional'])
+# corenetwork_receive_raw_on_$1_interface(domain,[`optional'])
#
-define(`corenetwork_receive_tcp_on_interface_$1',`
-requires_block_template(`corenetwork_receive_tcp_on_interface_$1_depend',dollarstwo)
-allow dollarsone $1_netif_t:netif tcp_recv;
+define(`corenetwork_receive_raw_on_$1_interface',`
+requires_block_template(`corenetwork_receive_raw_on_$1_interface_depend',dollarstwo)
+allow dollarsone $1_netif_t:netif rawip_recv;
')
-define(`corenetwork_receive_tcp_on_interface_$1_depend',`
+define(`corenetwork_receive_raw_on_$1_interface_depend',`
type $1_netif_t;
-class netif tcp_recv;
+class netif rawip_recv;
')
+'') dnl end create_netif_interfaces
+########################################
+#
+# Network node generated macros
+#
+########################################
+
+define(`create_node_interfaces',``
#######################################
#
-# corenetwork_receive_udp_on_interface_$1(domain,[`optional'])
+# corenetwork_network_tcp_on_$1_node(domain,[`optional'])
#
-define(`corenetwork_receive_udp_on_interface_$1',`
-requires_block_template(`corenetwork_receive_udp_on_interface_$1_depend',dollarstwo)
-allow dollarsone $1_netif_t:netif udp_recv;
+define(`corenetwork_network_tcp_on_$1_node',`
+requires_block_template(`corenetwork_network_tcp_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:node { tcp_send tcp_recv };
')
-define(`corenetwork_receive_udp_on_interface_$1_depend',`
-type $1_netif_t;
-class netif udp_recv;
+define(`corenetwork_network_tcp_on_$1_node_depend',`
+type $1_node_t;
+class node { tcp_send tcp_recv };
')
#######################################
#
-# corenetwork_receive_raw_on_interface_$1(domain,[`optional'])
+# corenetwork_network_udp_on_$1_node(domain,[`optional'])
#
-define(`corenetwork_receive_raw_on_interface_$1',`
-requires_block_template(`corenetwork_receive_raw_on_interface_$1_depend',dollarstwo)
-allow dollarsone $1_netif_t:netif rawip_recv;
+define(`corenetwork_network_udp_on_$1_node',`
+requires_block_template(`corenetwork_network_udp_on_$1_node_depend',dollarstwo)
+corenetwork_send_udp_on_$1_node(dollarsone,dollarstwo)
+corenetwork_receive_udp_on_$1_node(dollarsone,dollarstwo)
')
-define(`corenetwork_receive_raw_on_interface_$1_depend',`
-type $1_netif_t;
-class netif rawip_recv;
+define(`corenetwork_network_udp_on_$1_node_depend',`
+corenetwork_send_udp_on_$1_node_depend
+corenetwork_receive_udp_on_$1_node_depend
+')
+
+#######################################
+#
+# corenetwork_network_raw_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_network_raw_on_$1_node',`
+requires_block_template(`corenetwork_network_raw_on_$1_node_depend',dollarstwo)
+corenetwork_send_raw_on_$1_node(dollarsone,dollarstwo)
+corenetwork_receive_raw_on_$1_node(dollarsone,dollarstwo)
+')
+
+define(`corenetwork_network_raw_on_$1_node_depend',`
+corenetwork_send_raw_on_$1_node_depend
+corenetwork_receive_raw_on_$1_node_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_$1_node',`
+requires_block_template(`corenetwork_send_udp_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:node udp_send;
+')
+
+define(`corenetwork_send_udp_on_$1_node_depend',`
+type $1_node_t;
+class node udp_send;
+')
+
+#######################################
+#
+# corenetwork_receive_udp_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_$1_node',`
+requires_block_template(`corenetwork_receive_udp_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:node udp_recv;
+')
+
+define(`corenetwork_receive_udp_on_$1_node_depend',`
+type $1_node_t;
+class node udp_recv;
+')
+
+#######################################
+#
+# corenetwork_send_raw_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_send_raw_on_$1_node',`
+requires_block_template(`corenetwork_send_raw_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:node rawip_send;
+allow dollarsone self:capability net_raw;
+')
+
+define(`corenetwork_send_raw_on_$1_node_depend',`
+type $1_node_t;
+class node rawip_send;
+class capability net_raw;
+')
+
+#######################################
+#
+# corenetwork_receive_raw_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_receive_raw_on_$1_node',`
+requires_block_template(`corenetwork_receive_raw_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:node rawip_recv;
+')
+
+define(`corenetwork_receive_raw_on_$1_node_depend',`
+type $1_node_t;
+class node rawip_recv;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_$1_node',`
+requires_block_template(`corenetwork_bind_tcp_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:tcp_socket node_bind;
+')
+
+define(`corenetwork_bind_tcp_on_$1_node_depend',`
+type $1_node_t;
+class tcp_socket node_bind;
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_$1_node(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_$1_node',`
+requires_block_template(`corenetwork_bind_udp_on_$1_node_depend',dollarstwo)
+allow dollarsone $1_node_t:udp_socket node_bind;
+')
+
+define(`corenetwork_bind_udp_on_$1_node_depend',`
+type $1_node_t;
+class udp_socket node_bind;
+')
+'') dnl end create_node_interfaces
+
+########################################
+#
+# Network port generated macros
+#
+########################################
+
+define(`create_port_interfaces',``
+#######################################
+#
+# corenetwork_network_tcp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_network_tcp_on_$1_port',`
+requires_block_template(`corenetwork_network_tcp_on_$1_port_depend',dollarstwo)
+allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenetwork_network_tcp_on_$1_port_depend',`
+type $1_port_t;
+class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenetwork_network_udp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_network_udp_on_$1_port',`
+requires_block_template(`corenetwork_network_udp_on_$1_port_depend',dollarstwo)
+corenetwork_send_udp_on_$1_port(dollarsone,dollarstwo)
+corenetwork_receive_udp_on_$1_port(dollarsone,dollarstwo)
+')
+
+define(`corenetwork_network_udp_on_$1_port_depend',`
+corenetwork_send_udp_on_$1_port_depend
+corenetwork_receive_udp_on_$1_port_depend
+')
+
+#######################################
+#
+# corenetwork_send_udp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_send_udp_on_$1_port',`
+requires_block_template(`corenetwork_send_udp_on_$1_port_depend',dollarstwo)
+allow dollarsone $1_port_t:udp_socket send_msg;
+')
+
+define(`corenetwork_send_udp_on_$1_port_depend',`
+type $1_port_t;
+class udp_socket send_msg;
')
-'') dnl end create_interfaces
+
+#######################################
+#
+# corenetwork_receive_udp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_receive_udp_on_$1_port',`
+requires_block_template(`corenetwork_receive_udp_on_$1_port_depend',dollarstwo)
+allow dollarsone $1_port_t:udp recv_msg;
+')
+
+define(`corenetwork_receive_udp_on_$1_port_depend',`
+type $1_port_t;
+class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenetwork_bind_tcp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_bind_tcp_on_$1_port',`
+requires_block_template(`corenetwork_bind_tcp_on_$1_port_depend',dollarstwo)
+allow dollarsone $1_port_t:tcp_socket name_bind;
+$2
+')
+
+define(`corenetwork_bind_tcp_on_$1_port_depend',`
+type $1_port_t;
+class tcp_socket name_bind;
+$3
+')
+
+#######################################
+#
+# corenetwork_bind_udp_on_$1_port(domain,[`optional'])
+#
+define(`corenetwork_bind_udp_on_$1_port',`
+requires_block_template(`corenetwork_bind_udp_on_$1_port_depend',dollarstwo)
+allow dollarsone $1_port_t:udp_socket name_bind;
+$2
+')
+
+define(`corenetwork_bind_udp_on_$1_port_depend',`
+type $1_port_t;
+class udp_socket name_bind;
+$3
+')
+'') dnl end create_port_interfaces
#
# network_interface(linux_interfacename)
@@ -293,13 +1190,25 @@ netifcon $1 system_u:object_r:$1_netif_t system_u:object_r:unlabeled_t
#
define(`network_node',`
ifdef(`interface_pass',`
-#create_node_interfaces($1)
+create_node_interfaces($1)
',`
type $1_node_t alias node_$1_t, node_type;
nodecon $2 $3 system_u:object_r:$1_node_t
')
')
+define(`determine_reserved_capability',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+ifelse($3,`',`',`determine_reserved_capability(shiftn(2,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+define(`determine_reserved_capability_depend',`dnl
+ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
+ifelse($3,`',`',`determine_reserved_capability_depend(shiftn(2,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability depend
+
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
portcon $2 $3 system_u:object_r:$1
@@ -311,7 +1220,7 @@ ifelse(`$4',`',`',`declare_ports($1,shiftn(3,$*))')dnl
#
define(`network_port',`
ifdef(`interface_pass',`
-#create_port_interfaces($1)
+create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*)))
',`
type $1_port_t, port_type;
declare_ports($1_port_t,shift($*))
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 677f382..523805e 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -26,12 +26,12 @@ allow kernel_t unlabeled_t:dir mounton;
#can_exec(kernel_t, bin_t.sys)
# Kernel-generated traffic, e.g. ICMP replies.
-corenetwork_send_raw_on_all_interfaces(kernel_t)
-corenetwork_receive_raw_on_all_interfaces(kernel_t)
+corenetwork_network_raw_on_all_interfaces(kernel_t)
+corenetwork_network_raw_on_all_nodes(kernel_t)
# Kernel-generated traffic, e.g. TCP resets.
-corenetwork_send_tcp_on_all_interfaces(kernel_t)
-corenetwork_receive_tcp_on_all_interfaces(kernel_t)
+corenetwork_network_tcp_on_all_interfaces(kernel_t)
+corenetwork_network_tcp_on_all_nodes(kernel_t)
########################################
#
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index d6453cc..ff0d139 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -187,24 +187,16 @@ filesystem_unmount_all_filesystems(initrc_t)
# can_network(initrc_t):
allow initrc_t self:tcp_socket { connect listen accept create ioctl read getattr write setattr append bind getopt setopt shutdown };
allow initrc_t self:udp_socket { connect create ioctl read getattr write setattr append bind getopt setopt shutdown };
-corenetwork_send_tcp_on_all_interfaces(initrc_t)
-corenetwork_send_raw_on_all_interfaces(initrc_t)
-corenetwork_send_udp_on_all_interfaces(initrc_t)
-#corenetwork_send_tcp_on_all_nodes(initrc_t)
-#corenetwork_send_raw_on_all_nodes(initrc_t)
-#corenetwork_send_udp_on_all_nodes(initrc_t)
-#corenetwork_send_tcp_on_all_ports(initrc_t)
-#corenetwork_send_udp_on_all_ports(initrc_t)
-corenetwork_receive_tcp_on_all_interfaces(initrc_t)
-corenetwork_receive_raw_on_all_interfaces(initrc_t)
-corenetwork_receive_udp_on_all_interfaces(initrc_t)
-#corenetwork_receive_tcp_on_all_nodes(initrc_t)
-#corenetwork_receive_raw_on_all_nodes(initrc_t)
-#corenetwork_receive_udp_on_all_nodes(initrc_t)
-#corenetwork_receive_tcp_on_all_ports(initrc_t)
-#corenetwork_receive_udp_on_all_ports(initrc_t)
-#corenetwork_bind_tcp_on_all_nodes(initrc_t)
-#corenetwork_bind_udp_on_all_nodes(initrc_t)
+corenetwork_network_tcp_on_all_interfaces(initrc_t)
+corenetwork_network_raw_on_all_interfaces(initrc_t)
+corenetwork_network_udp_on_all_interfaces(initrc_t)
+corenetwork_network_tcp_on_all_nodes(initrc_t)
+corenetwork_network_raw_on_all_nodes(initrc_t)
+corenetwork_network_udp_on_all_nodes(initrc_t)
+corenetwork_network_tcp_on_all_ports(initrc_t)
+corenetwork_network_udp_on_all_ports(initrc_t)
+corenetwork_bind_tcp_on_all_nodes(initrc_t)
+corenetwork_bind_udp_on_all_nodes(initrc_t)
#allow initrc_t net_conf_t:file r_file_perms;
#sysnetwork_read_network_config(initrc_t)
More information about the scm-commits
mailing list