[selinux-policy: 1848/3172] trunk: add labeled networking support to unconfined.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:44:51 UTC 2010 

commit bdccbacdd62c3b57887fbde5ac56a0349ac13de6
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Nov 14 14:38:45 2007 +0000

    trunk: add labeled networking support to unconfined.

 policy/modules/kernel/domain.te     |    5 ++++-
 policy/modules/system/ipsec.if      |   18 ++++++++++++++++++
 policy/modules/system/ipsec.te      |   12 ++++++------
 policy/modules/system/unconfined.if |    4 ++++
 policy/modules/system/unconfined.te |    2 +-
 5 files changed, 33 insertions(+), 8 deletions(-)
---
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 17231cd..63a2b19 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.4.3)
+policy_module(domain,1.4.4)
 
 ########################################
 #
@@ -145,3 +145,6 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
+
+# receive from all domains over labeled networking
+domain_all_recvfrom_all_domains(unconfined_domain_type)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index dbb2b6e..433abf4 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -114,6 +114,24 @@ interface(`ipsec_manage_pid',`
 
 ########################################
 ## <summary>
+##      Allow to set an default security context of IPsec Policy.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ipsec_setcontext_default_spd',`
+	gen_require(`
+		type ipsec_spd_t;
+	')
+
+	allow $1 ipsec_spd_t:association setcontext;
+')
+
+########################################
+## <summary>
 ##	Execute racoon in the racoon domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 8005483..80f58e6 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.4.2)
+policy_module(ipsec,1.4.3)
 
 ########################################
 #
@@ -297,8 +297,6 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow racoon_t ipsec_spd_t:association setcontext;
-
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
@@ -315,6 +313,8 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
+ipsec_setcontext_default_spd(racoon_t)
+
 libs_use_ld_so(racoon_t)
 libs_use_shared_libs(racoon_t)
 
@@ -338,9 +338,6 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
-# allow setkey to set the context for ipsec SAs and policy.
-allow setkey_t ipsec_spd_t:association setcontext;
-
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
 
@@ -348,6 +345,9 @@ files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
 
+# allow setkey to set the context for ipsec SAs and policy.
+ipsec_setcontext_default_spd(setkey_t)
+
 locallogin_use_fds(setkey_t)
 
 libs_use_ld_so(setkey_t)
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index a49911f..695ea51 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -73,6 +73,10 @@ interface(`unconfined_domain_noaudit',`
 	')
 
 	optional_policy(`
+		ipsec_setcontext_default_spd($1)
+	')
+
+	optional_policy(`
 		# this is to handle execmod on shared
 		# libs with text relocations
 		libs_use_shared_libs($1)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index f202cde..95a9fc8 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined,2.0.0)
+policy_module(unconfined,2.0.1)
 
 ########################################
 #

More information about the scm-commits mailing list