[selinux-policy: 1624/3172] merge netlabel stuff from labeled-networking branch

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:25:30 UTC 2010


commit 130f8a4aa5f591998d6f1f5718e011cc0a091cfe
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Oct 17 16:58:17 2006 +0000

    merge netlabel stuff from labeled-networking branch

 Changelog                               |    1 +
 policy/mls                              |    8 ++-
 policy/modules/kernel/corenetwork.if.in |   58 +++++++++++++++
 policy/modules/kernel/corenetwork.te.in |    2 +-
 policy/modules/kernel/kernel.if         |  122 +++++++++++++++++++++++++++++++
 policy/modules/kernel/kernel.te         |    2 +-
 policy/modules/system/netlabel.fc       |    1 +
 policy/modules/system/netlabel.if       |   55 ++++++++++++++
 policy/modules/system/netlabel.te       |   28 +++++++
 policy/modules/system/userdomain.if     |    6 ++
 policy/modules/system/userdomain.te     |    3 +-
 11 files changed, 282 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index 597655e..2ded877 100644
--- a/Changelog
+++ b/Changelog
@@ -109,6 +109,7 @@
 	munin
 	nagios
 	nessus
+	netlabel (Paul Moore)
 	nsd
 	ntop
 	nx
diff --git a/policy/mls b/policy/mls
index 9398d84..26b3ef0 100644
--- a/policy/mls
+++ b/policy/mls
@@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 	( h1 dom h2 );
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
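Review bot: Dropping `recvfrom` from the generic read constraint on the `+` line removes the MLS check for every socket class in that list, but the replacement constraint in the next hunk only re-covers `tcp_socket` and `udp_socket`. If the kernel also checks `recvfrom` for other classes (rawip_socket is the one I would expect), those receives are now unconstrained by MLS, and the `these access vectors have no MLS restrictions` comment further down does not reflect that either. Either widen the new rule, e.g. `mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom`, or add a comment at this constraint stating that recvfrom is deliberately enforced only for tcp/udp and why.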
@@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
+# used by netlabel to restrict normal domains to same level connections
+mlsconstrain { tcp_socket udp_socket } recvfrom
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ));
+
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
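Review bot: The new comment `# used by netlabel to restrict normal domains to same level connections` does not say why this rule uses `l1 eq l2` where the read constraint above uses `l1 dom l2`, so a reader comparing the two is likely to assume one is a typo. I would extend it to something like `# netlabel/CIPSO peers: a normal domain may only receive from a peer at exactly its own level (eq, not dom); mlsnetreadtoclr and mlsnetread keep their overrides`. Whether the equality requirement comes from CIPSO semantics or is a local policy choice is not visible here, so confirm the reason with the author before committing it to the comment.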
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 9f65efa..51492bb 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1436,6 +1436,64 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
 
 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+	kernel_tcp_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recv_netlabel',`
+	kernel_udp_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
 ##	Send generic client packets.
 ## </summary>
 ## <param name="domain">
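Review bot: The four new interface headers use runs of spaces after `##` (e.g. `##      Receive TCP packets from a NetLabel connection.`) while the surrounding file, including the `##	Send generic client packets.` header immediately after them, uses a tab; the doc extractor does not care, but the file's convention is tabs and the mixed indentation will show up in every later diff. Replace the spaces with a tab in the `<summary>` lines of all four interfaces. The wrappers otherwise just delegate to `kernel_*_recvfrom_unlabeled()`, so any rewording of what "NetLabel connection" means belongs in kernel.if and should be mirrored here.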
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 610cd10..31e961f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.18)
+policy_module(corenetwork,1.1.19)
 
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13da037..14194f2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2205,6 +2205,128 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
 
 ########################################
 ## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##	<p>
+##      Receive TCP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+##	<p>
+##	The corenetwork interface
+##	corenet_tcp_recv_netlabel() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_tcp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##	<p>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+##	<p>
+##	The corenetwork interface
+##	corenet_dontaudit_tcp_recv_netlabel() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <desc>
+##	<p>
+##      Receive UDP packets from a NetLabel connection, NetLabel is an
+##      explicit packet labeling framework which implements CIPSO and
+##      similar protocols.
+##      </p>
+##	<p>
+##	The corenetwork interface
+##	corenet_udp_recv_netlabel() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_udp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <desc>
+##	<p>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.  NetLabel is an explicit packet labeling framework
+##      which implements CIPSO and similar protocols.
+##      </p>
+##	<p>
+##	The corenetwork interface
+##	corenet_dontaudit_udp_recv_netlabel() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
 ##	Send and receive unlabeled packets.
 ## </summary>
 ## <desc>
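Review bot: The summary `Receive TCP packets from a NetLabel connection.` oversells what `allow $1 unlabeled_t:tcp_socket recvfrom;` grants: the peer type is `unlabeled_t`, so the domain is being allowed to receive from a peer the kernel could not label, not from labeled peers in general. If I read NetLabel correctly, `unlabeled_t` is the peer SID given to traffic carrying no recognized CIPSO option, so I would word the summary as `Receive TCP packets from a peer with no NetLabel/CIPSO label (unlabeled_t).` and note in the description that receipt from labeled peers is governed by the peer's own type and the MLS constraints; the same applies to the UDP and dontaudit variants. The `<desc>` paragraphs also mix `##      ` (spaces) and `##	` (tab) within one block, whereas the rest of kernel.if uses tabs.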
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6a79f9a..b25eaac 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.17)
+policy_module(kernel,1.3.18)
 
 ########################################
 #
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
new file mode 100644
index 0000000..b263a8a
--- /dev/null
+++ b/policy/modules/system/netlabel.fc
@@ -0,0 +1 @@
+/sbin/netlabelctl	--	gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
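Review bot: Only `/sbin/netlabelctl` is labeled `netlabel_mgmt_exec_t`; if netlabel_tools installs the binary under `/usr/sbin` on some builds, it stays `bin_t`, `netlabel_domtrans_mgmt()` never fires, and netlabelctl silently runs in the caller's domain without the `net_admin`/netlink permissions of `netlabel_mgmt_t`. If that layout is possible, add `/usr/sbin/netlabelctl	--	gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)`; otherwise a one-line comment pinning the expected install path would make the assumption explicit.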
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
new file mode 100644
index 0000000..2cb4b55
--- /dev/null
+++ b/policy/modules/system/netlabel.if
@@ -0,0 +1,55 @@
+## <summary>NetLabel/CIPSO labeled networking management</summary>
+
+########################################
+## <summary>
+##      Execute netlabel_mgmt in the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`netlabel_domtrans_mgmt',`
+        gen_require(`
+                type netlabel_mgmt_t, netlabel_mgmt_exec_t;
+        ')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
+	allow netlabel_mgmt_t $1:fd use;
+	allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
+	allow netlabel_mgmt_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##      Execute netlabel_mgmt in the netlabel_mgmt domain, and
+##      allow the specified role the netlabel_mgmt domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the netlabel_mgmt domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the netlabel_mgmt domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`netlabel_run_mgmt',`
+	gen_require(`
+		type netlabel_mgmt_t;
+	')
+
+	netlabel_domtrans_mgmt($1)
+	role $2 types netlabel_mgmt_t;
+	allow netlabel_mgmt_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
new file mode 100644
index 0000000..464fb5b
--- /dev/null
+++ b/policy/modules/system/netlabel.te
@@ -0,0 +1,28 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabel_mgmt_t;
+type netlabel_mgmt_exec_t;
+domain_type(netlabel_mgmt_t)
+domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+
+########################################
+#
+# NetLabel Management Tools Local policy
+#
+
+# modify the network subsystem configuration
+allow netlabel_mgmt_t self:capability net_admin;
+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
+kernel_read_network_state(netlabel_mgmt_t)
+
+libs_use_ld_so(netlabel_mgmt_t)
+libs_use_shared_libs(netlabel_mgmt_t)
+
+seutil_use_newrole_fds(netlabel_mgmt_t)
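Review bot: The comment `# modify the network subsystem configuration` understates what the two rules under it grant: `net_admin` plus a generic `netlink_socket` is, as far as I know, how netlabelctl rewrites the NetLabel mapping tables, and those tables decide which peer label the kernel assigns to incoming traffic, so this domain can change the effective MLS labeling of the whole network path. I would say that explicitly, e.g. `# CAP_NET_ADMIN + generic netlink: netlabelctl rewrites the NetLabel/CIPSO mapping tables that determine how incoming packets are labeled -- security-critical, keep this domain restricted to secadm`. Note also that `net_admin` is far broader than NetLabel (routing, interfaces, firewall) and there is no finer capability, which is another reason to keep `netlabel_run_mgmt()` limited to the security admin role as userdomain.te does.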
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6497d33..87137bc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -514,6 +514,12 @@ template(`userdom_basic_networking_template',`
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
+
+	ifdef(`enable_mls',`
+		# netlabel/CIPSO labeled networking 
+		corenet_tcp_recv_netlabel($1_t)
+		corenet_udp_recv_netlabel($1_t)
+	')
 ')
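Review bot: The new comment `# netlabel/CIPSO labeled networking ` carries trailing whitespace, and it does not say what the two calls grant: `recvfrom` on the `unlabeled_t` peer for every domain built from this template, which is presumably why it is gated on `enable_mls`. I would drop the trailing space and write `# netlabel/CIPSO: allow receiving from peers the kernel could not label (unlabeled_t); still subject to the MLS constraint on recvfrom`. The template body continues outside the hunk.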
 
 #######################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b07abb6..1bbcaf1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.36)
+policy_module(userdomain,1.3.37)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -155,6 +155,7 @@ ifdef(`strict_policy',`
 	        logging_read_generic_logs(secadm_t)
 		userdom_dontaudit_append_staff_home_content_files(secadm_t)
 		userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+		netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
 	',`
 		logging_manage_audit_log(sysadm_t)
 		logging_manage_audit_config(sysadm_t)
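Review bot: `netlabel_run_mgmt()` is wired only into the secadm branch; the `else` branch that hands audit management to `sysadm_t` gets no equivalent call, so on a strict policy without a separate security admin, netlabelctl stays in `sysadm_t` and never transitions to `netlabel_mgmt_t`. If that is intended because CIPSO labeling only matters with MLS (which is what the enclosing `ifdef` appears to select, though its condition is outside the hunk), a one-line comment in the else branch saying so would save the next reader from filing a bug; otherwise add `netlabel_run_mgmt(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })` there. The `ifdef(`strict_policy'` block containing both branches starts before this hunk.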

