[selinux-policy: 1560/3172] add support for netfilter_contexts

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:20:02 UTC 2010


commit 5a7c06fdd15ae5088607dc8a6055e05d66e11efb
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 7 17:25:09 2006 +0000

    add support for netfilter_contexts

 Makefile                |    1 +
 Rules.modular           |    4 +-
 Rules.monolithic        |   10 ++++++++-
 support/gennetfilter.py |   50 +++++++++++++++++++++++-----------------------
 4 files changed, 37 insertions(+), 28 deletions(-)
---
diff --git a/Makefile b/Makefile
index 51304e9..bd1cd4c 100644
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,7 @@ SRCPATH = $(INSTALLDIR)/src
 USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+NCPATH = $(CONTEXTPATH)/netfilter_contexts
 SHAREDIR = $(PREFIX)/share/selinux
 MODPKGDIR = $(SHAREDIR)/$(NAME)
 HEADERDIR = $(MODPKGDIR)/include
diff --git a/Rules.modular b/Rules.modular
index 9962498..d58d27d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -89,10 +89,10 @@ $(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
 #
 # Create a base module package
 #
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS) $(net_contexts)
 	@echo "Creating $(NAME) base module package"
 	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) -n $(net_contexts)
 
 $(BASE_MOD): $(BASE_CONF)
 	@echo "Compiling $(NAME) base module"
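Review bot: `$(net_contexts)` is neither defined nor assigned anywhere in this diff, so both the new prerequisite on the $(BASE_PKG) rule and the `-n $(net_contexts)` argument rely on a definition that presumably lives in the untouched part of Makefile (likely the gennetfilter.py output path). If it ever expands to nothing, make silently drops the prerequisite but the recipe still hands a bare trailing `-n` to $(SEMOD_PKG), which fails with an option-parsing error that points nowhere near the real cause. A guard makes that explicit: `$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) $(if $(net_contexts),-n $(net_contexts),$(error net_contexts is not set))`. Since the netfilter contexts are shipped inside the base package that semodule later installs as root, a one-line comment above the rule naming where net_contexts is generated would also help the next reader verify the provenance.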
diff --git a/Rules.monolithic b/Rules.monolithic
index b066653..303d0d7 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -42,7 +42,7 @@ default: policy
 
 policy: $(POLVER)
 
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+install: $(LOADPATH) $(FCPATH) $(NCPATH) $(APPFILES) $(USERPATH)/local.users
 
 load: $(TMPDIR)/load
 
@@ -201,6 +201,14 @@ endif
 
 ########################################
 #
+# Intall netfilter_contexts
+#
+$(NCPATH): $(net_contexts)
+	@echo "Installing $(NAME) netfilter_contexts."
+	$(verbose) install -m 0644 $^ $@
+
+########################################
+#
 # Run policy source checks
 #
 check: $(BUILDDIR)check.res
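Review bot: The install recipe uses `$^`, so if `$(net_contexts)` ever expands to more than one file `install -m 0644 $^ $@` treats $(NCPATH) as a destination directory and fails; `$(verbose) install -m 0644 $< $@` names the single generated file and matches the intent. The rule also assumes `$(CONTEXTPATH)` already exists — the $(FCPATH) rule that presumably creates it is outside this hunk, and under `make -j` $(NCPATH) can be built before it — so create the directory the way the base-module rule does, with `@test -d $(CONTEXTPATH) || mkdir -p $(CONTEXTPATH)` as the first recipe line. Minor: the header comment reads "Intall" and should read `# Install netfilter_contexts`.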
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
index 1821b62..866db91 100644
--- a/support/gennetfilter.py
+++ b/support/gennetfilter.py
@@ -43,7 +43,7 @@ class Packet:
 		self.ports = ports
 
 def print_input_rules(packets,mls,mcs):
-	line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
+	line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
 	if mls:
 		line += ":"+DEFAULT_MLS
 	elif mcs:
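Review bot: The new section tag is spliced into each rule as a bare string literal (`"base "` here, `"pre "` and `"post "` elsewhere in this file), which scatters the vocabulary the consumer expects across every print statement with nothing explaining it. A module-level definition with a comment, e.g. `# Section tags on each emitted line; the merge step that reads netfilter_contexts keys on them` followed by `SECTION_PRE, SECTION_BASE, SECTION_POST = "pre", "base", "post"`, would make a format change a one-line edit and give the tags a single place to be documented. The meaning of the three tags is inferred from their placement in this file; the consumer is not in this diff, so the comment should state whatever contract it actually has. print_input_rules continues past the end of this hunk.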
@@ -53,18 +53,18 @@ def print_input_rules(packets,mls,mcs):
 
 	for i in packets:
 		for j in i.ports:
-			line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+			line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
 			if mls:
 				line += ":"+j.mls_sens
 			elif mcs:
 				line += ":"+j.mcs_cats
 			print line
 
-	print "-A selinux_new_input -j CONNSECMARK --save"
-	print "-A selinux_new_input -j RETURN"
+	print "post -A selinux_new_input -j CONNSECMARK --save"
+	print "post -A selinux_new_input -j RETURN"
 
 def print_output_rules(packets,mls,mcs):
-	line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
+	line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
 	if mls:
 		line += ":"+DEFAULT_MLS
 	elif mcs:
@@ -73,15 +73,15 @@ def print_output_rules(packets,mls,mcs):
 
 	for i in packets:
 		for j in i.ports:
-			line = "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+			line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
 			if mls:
 				line += ":"+j.mls_sens
 			elif mcs:
 				line += ":"+j.mcs_cats
 			print line
 
-	print "-A selinux_new_output -j CONNSECMARK --save"
-	print "-A selinux_new_output -j RETURN"
+	print "post -A selinux_new_output -j CONNSECMARK --save"
+	print "post -A selinux_new_output -j RETURN"
 
 def parse_corenet(file_name):
 	packets = []
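Review bot: print_output_rules is now a line-for-line copy of print_input_rules with only the chain name and the PACKET_INPUT/PACKET_OUTPUT suffix differing, and this commit has to edit the same four string prefixes in both. A single helper such as `def print_rules(chain, default_packet, packet_suffix, packets, mls, mcs):`, with the two existing functions delegating to it, would keep the two rule sets from drifting apart — a label difference between the input and output variants would silently change which packet type a port's traffic is labelled with. Behaviour is unchanged either way, so this is a style point only. print_output_rules begins before the start of this hunk.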
@@ -118,25 +118,25 @@ def parse_corenet(file_name):
 	return packets
 
 def print_netfilter_config(packets,mls,mcs):
-	print "*mangle"
-	print ":PREROUTING ACCEPT [0:0]"
-	print ":INPUT ACCEPT [0:0]"
-	print ":FORWARD ACCEPT [0:0]"
-	print ":OUTPUT ACCEPT [0:0]"
-	print ":POSTROUTING ACCEPT [0:0]"
-	print ":selinux_input - [0:0]"
-	print ":selinux_output - [0:0]"
-	print ":selinux_new_input - [0:0]"
-	print ":selinux_new_output - [0:0]"
-	print "-A INPUT -j selinux_input"
-	print "-A OUTPUT -j selinux_output"
-	print "-A selinux_input -m state --state NEW -j selinux_new_input"
-	print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
-	print "-A selinux_output -m state --state NEW -j selinux_new_output"
-	print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+	print "pre *mangle"
+	print "pre :PREROUTING ACCEPT [0:0]"
+	print "pre :INPUT ACCEPT [0:0]"
+	print "pre :FORWARD ACCEPT [0:0]"
+	print "pre :OUTPUT ACCEPT [0:0]"
+	print "pre :POSTROUTING ACCEPT [0:0]"
+	print "pre :selinux_input - [0:0]"
+	print "pre :selinux_output - [0:0]"
+	print "pre :selinux_new_input - [0:0]"
+	print "pre :selinux_new_output - [0:0]"
+	print "pre -A INPUT -j selinux_input"
+	print "pre -A OUTPUT -j selinux_output"
+	print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
+	print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+	print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
+	print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
 	print_input_rules(packets,mls,mcs)
 	print_output_rules(packets,mls,mcs)
-	print "COMMIT"
+	print "post COMMIT"
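Review bot: The generated block is a complete `*mangle` table in iptables-restore syntax, and the `:PREROUTING ACCEPT [0:0]` through `:POSTROUTING ACCEPT [0:0]` lines reset every built-in mangle chain's policy and counters; whoever feeds this to iptables-restore without `--noflush` will therefore replace any site-local mangle rules rather than merely add the SELinux labelling chains. The loader is not part of this diff, so this may be intended, but print_netfilter_config should say so: `# Emits a whole *mangle table: loading it with iptables-restore (without --noflush) replaces existing mangle rules and resets the built-in chain policies to ACCEPT.` The `-m state` matches also mean packets conntrack classes as INVALID reach neither SECMARK nor CONNSECMARK --restore and leave these chains unlabelled, presumably falling under the policy's handling of unlabelled packets; a one-line comment noting that would save the next reader re-deriving it.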
 
 mls = False
 mcs = False

