[selinux-policy: 1945/3172] trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:53:04 UTC 2010
commit 308baad28c1468408977e1f4c4e74676c72bd7ac
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon May 26 18:38:06 2008 +0000
trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore.
Changelog | 1 +
policy/modules/kernel/corenetwork.if.in | 80 +++++++++++++++++++------------
policy/modules/kernel/corenetwork.if.m4 | 20 ++++----
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/kernel/kernel.if | 56 +++++++++++++++++++++
policy/modules/kernel/kernel.te | 5 ++-
6 files changed, 122 insertions(+), 42 deletions(-)
---
diff --git a/Changelog b/Changelog
index 4674ce5..3502a8c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch for labeled networking controls in 2.6.25 from Paul Moore.
- Module loading now requires setsched on kernel threads.
- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
- X application data class from Eamon Walsh and Ted Toth.
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 7dfaa8d..2b473b3 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_if',`
type netif_t;
')
- allow $1 netif_t:netif { tcp_send tcp_recv };
+ allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
')
########################################
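Review bot: The interface is named and documented as TCP-specific, but the `egress ingress` permissions added at L34 are, as far as I understand the 2.6.25 netif checks, applied to every packet crossing the interface regardless of protocol, so a domain granted only this interface now also clears the netif check for UDP or raw traffic on netif_t (the socket and port checks still apply). The dontaudit counterparts in this file (e.g. L48) widen in the same way, silencing egress or ingress denials for any protocol, which is worth knowing when reading audit logs. A short comment above the rule would make the intent explicit, e.g. `# egress/ingress are the protocol-independent 2.6.25 netif checks; the per-protocol perms are kept for older kernels`. The interface's opening lines are outside the hunk, and the same caveat applies to the other netif and node hunks in this file.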
@@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',`
type netif_t;
')
- allow $1 netif_t:netif udp_send;
+ allow $1 netif_t:netif { udp_send egress };
')
########################################
@@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_generic_if',`
type netif_t;
')
- dontaudit $1 netif_t:netif udp_send;
+ dontaudit $1 netif_t:netif { udp_send egress };
')
########################################
@@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_if',`
type netif_t;
')
- allow $1 netif_t:netif udp_recv;
+ allow $1 netif_t:netif { udp_recv ingress };
')
########################################
@@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive_generic_if',`
type netif_t;
')
- dontaudit $1 netif_t:netif udp_recv;
+ dontaudit $1 netif_t:netif { udp_recv ingress };
')
########################################
@@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',`
type netif_t;
')
- allow $1 netif_t:netif rawip_send;
+ allow $1 netif_t:netif { rawip_send egress };
')
########################################
@@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_if',`
type netif_t;
')
- allow $1 netif_t:netif rawip_recv;
+ allow $1 netif_t:netif { rawip_recv ingress };
')
########################################
@@ -328,7 +328,7 @@ interface(`corenet_tcp_sendrecv_all_if',`
attribute netif_type;
')
- allow $1 netif_type:netif { tcp_send tcp_recv };
+ allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
')
########################################
@@ -346,7 +346,7 @@ interface(`corenet_udp_send_all_if',`
attribute netif_type;
')
- allow $1 netif_type:netif udp_send;
+ allow $1 netif_type:netif { udp_send egress };
')
########################################
@@ -364,7 +364,7 @@ interface(`corenet_udp_receive_all_if',`
attribute netif_type;
')
- allow $1 netif_type:netif udp_recv;
+ allow $1 netif_type:netif { udp_recv ingress };
')
########################################
@@ -397,7 +397,7 @@ interface(`corenet_raw_send_all_if',`
attribute netif_type;
')
- allow $1 netif_type:netif rawip_send;
+ allow $1 netif_type:netif { rawip_send egress };
')
########################################
@@ -415,7 +415,7 @@ interface(`corenet_raw_receive_all_if',`
attribute netif_type;
')
- allow $1 netif_type:netif rawip_recv;
+ allow $1 netif_type:netif { rawip_recv ingress };
')
########################################
@@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_node',`
type node_t;
')
- allow $1 node_t:node { tcp_send tcp_recv };
+ allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
')
########################################
@@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node',`
type node_t;
')
- allow $1 node_t:node udp_send;
+ allow $1 node_t:node { udp_send sendto };
')
########################################
@@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_node',`
type node_t;
')
- allow $1 node_t:node udp_recv;
+ allow $1 node_t:node { udp_recv recvfrom };
')
########################################
@@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node',`
type node_t;
')
- allow $1 node_t:node rawip_send;
+ allow $1 node_t:node { rawip_send sendto };
')
########################################
@@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_node',`
type node_t;
')
- allow $1 node_t:node rawip_recv;
+ allow $1 node_t:node { rawip_recv recvfrom };
')
########################################
@@ -604,7 +604,7 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
attribute node_type;
')
- allow $1 node_type:node { tcp_send tcp_recv };
+ allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
')
########################################
@@ -622,7 +622,7 @@ interface(`corenet_udp_send_all_nodes',`
attribute node_type;
')
- allow $1 node_type:node udp_send;
+ allow $1 node_type:node { udp_send sendto };
')
########################################
@@ -641,7 +641,7 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
attribute node_type;
')
- dontaudit $1 node_type:node udp_send;
+ dontaudit $1 node_type:node { udp_send sendto };
')
########################################
@@ -659,7 +659,7 @@ interface(`corenet_udp_receive_all_nodes',`
attribute node_type;
')
- allow $1 node_type:node udp_recv;
+ allow $1 node_type:node { udp_recv recvfrom };
')
########################################
@@ -678,7 +678,7 @@ interface(`corenet_dontaudit_udp_receive_all_nodes',`
attribute node_type;
')
- dontaudit $1 node_type:node udp_recv;
+ dontaudit $1 node_type:node { udp_recv recvfrom };
')
########################################
@@ -727,7 +727,7 @@ interface(`corenet_raw_send_all_nodes',`
attribute node_type;
')
- allow $1 node_type:node rawip_send;
+ allow $1 node_type:node { rawip_send sendto };
')
########################################
@@ -745,7 +745,7 @@ interface(`corenet_raw_receive_all_nodes',`
attribute node_type;
')
- allow $1 node_type:node rawip_recv;
+ allow $1 node_type:node { rawip_recv recvfrom };
')
########################################
@@ -1737,6 +1737,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:tcp_socket recvfrom;
')
@@ -1752,6 +1753,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
#
interface(`corenet_tcp_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -1791,6 +1793,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
')
@@ -1807,6 +1810,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
#
interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -1844,6 +1848,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:udp_socket recvfrom;
')
@@ -1859,6 +1864,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
#
interface(`corenet_udp_recvfrom_unlabeled',`
kernel_udp_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -1898,6 +1904,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
')
@@ -1914,6 +1921,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
#
interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -1951,6 +1959,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:rawip_socket recvfrom;
')
@@ -1966,6 +1975,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
#
interface(`corenet_raw_recvfrom_unlabeled',`
kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -2005,6 +2015,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
')
@@ -2021,6 +2032,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
#
interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -2042,6 +2054,7 @@ interface(`corenet_all_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
kernel_udp_recvfrom_unlabeled($1)
kernel_raw_recvfrom_unlabeled($1)
+ kernel_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -2064,6 +2077,7 @@ interface(`corenet_all_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ allow $1 netlabel_peer_t:peer recv;
allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
@@ -2081,6 +2095,7 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)
+ kernel_dontaudit_recvfrom_unlabeled_peer($1)
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
@@ -2104,6 +2119,7 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
type netlabel_peer_t;
')
+ dontaudit $1 netlabel_peer_t:peer recv;
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
@@ -2135,8 +2151,10 @@ interface(`corenet_tcp_recvfrom_labeled',`
allow $1 $2:{ association tcp_socket } recvfrom;
allow $2 $1:{ association tcp_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
corenet_tcp_recvfrom_netlabel($1)
corenet_tcp_recvfrom_netlabel($2)
')
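Review bot: The two `peer recv` rules added at L307-L308 are not explained, and the comment that follows them ("MLS-only peers using NetLabel") describes the corenet_*_recvfrom_netlabel() calls, not these rules. As I read it, `$1 $2:peer recv` covers peers whose full label is known to the kernel (presumably labeled IPsec), while the NetLabel path handles peers for which only the MLS portion is available; a one-line comment above L307 such as `# full-label peers (e.g. labeled IPsec) -- TODO confirm` would keep the two cases distinct for readers. The interface's opening lines are outside the hunk. The UDP and raw hunks below add only the one-way `$1 $2:peer recv`, matching their existing one-way association rules, and would benefit from the same comment.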
@@ -2160,8 +2178,9 @@ interface(`corenet_udp_recvfrom_labeled',`
allow $2 self:association sendto;
allow $1 $2:{ association udp_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
corenet_udp_recvfrom_netlabel($1)
')
@@ -2184,8 +2203,9 @@ interface(`corenet_raw_recvfrom_labeled',`
allow $2 self:association sendto;
allow $1 $2:{ association rawip_socket } recvfrom;
- # Netlabel (CIPSO)-based labeled networking
- # currently only supports MLS portion of label
+ allow $1 $2:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
corenet_raw_recvfrom_netlabel($1)
')
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index c20c7a4..a83e89f 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -28,7 +28,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
$3 $1_$2;
')
- allow dollarsone $1_$2:netif { tcp_send tcp_recv };
+ allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
')
########################################
@@ -47,7 +47,7 @@ interface(`corenet_udp_send_$1_if',`
$3 $1_$2;
')
- allow dollarsone $1_$2:netif udp_send;
+ allow dollarsone $1_$2:netif { udp_send egress };
')
########################################
@@ -66,7 +66,7 @@ interface(`corenet_udp_receive_$1_if',`
$3 $1_$2;
')
- allow dollarsone $1_$2:netif udp_recv;
+ allow dollarsone $1_$2:netif { udp_recv ingress };
')
########################################
@@ -101,7 +101,7 @@ interface(`corenet_raw_send_$1_if',`
$3 $1_$2;
')
- allow dollarsone $1_$2:netif rawip_send;
+ allow dollarsone $1_$2:netif { rawip_send egress };
')
########################################
@@ -120,7 +120,7 @@ interface(`corenet_raw_receive_$1_if',`
$3 $1_$2;
')
- allow dollarsone $1_$2:netif rawip_recv;
+ allow dollarsone $1_$2:netif { rawip_recv ingress };
')
########################################
@@ -163,7 +163,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
$3 $1_$2;
')
- allow dollarsone $1_$2:node { tcp_send tcp_recv };
+ allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
')
########################################
@@ -182,7 +182,7 @@ interface(`corenet_udp_send_$1_node',`
$3 $1_$2;
')
- allow dollarsone $1_$2:node udp_send;
+ allow dollarsone $1_$2:node { udp_send sendto };
')
########################################
@@ -201,7 +201,7 @@ interface(`corenet_udp_receive_$1_node',`
$3 $1_$2;
')
- allow dollarsone $1_$2:node udp_recv;
+ allow dollarsone $1_$2:node { udp_recv recvfrom };
')
########################################
@@ -236,7 +236,7 @@ interface(`corenet_raw_send_$1_node',`
$3 $1_$2;
')
- allow dollarsone $1_$2:node rawip_send;
+ allow dollarsone $1_$2:node { rawip_send sendto };
')
########################################
@@ -255,7 +255,7 @@ interface(`corenet_raw_receive_$1_node',`
$3 $1_$2;
')
- allow dollarsone $1_$2:node rawip_recv;
+ allow dollarsone $1_$2:node { rawip_recv recvfrom };
')
########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a181185..8ccf467 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.15)
+policy_module(corenetwork,1.2.16)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 34e6292..6142c2d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2497,6 +2497,62 @@ interface(`kernel_sendrecv_unlabeled_packets',`
########################################
## <summary>
+## Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+## <p>
+## Receive packets from an unlabeled peer, these packets do not have any
+## peer labeling information present.
+## </p>
+## <p>
+## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive packets from an unlabeled peer,
+## these packets do not have any peer labeling information present.
+## </p>
+## <p>
+## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
+## should be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
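Review bot: The description at L432-L433 points callers to `corenet_recvfrom_unlabeled_peer()`, but no such interface is added by this patch; the visible callers of kernel_recvfrom_unlabeled_peer() are corenet_tcp_recvfrom_unlabeled(), corenet_udp_recvfrom_unlabeled(), corenet_raw_recvfrom_unlabeled() and corenet_all_recvfrom_unlabeled() (L208, L234, L260, L280). The dontaudit variant at L460-L461 already uses the wildcard form, so the allow variant should match: `## The corenetwork interface corenet_*_recvfrom_unlabeled() should` / `## be used instead of this one.`. It would also help to say in the <desc> that `peer recv` is the new 2.6.25 peer-label check and that `unlabeled_t` is the peer label the kernel assigns when no labeling protocol is present, since that is the reason this interface exists alongside kernel_*_recvfrom_unlabeled().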
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d95440..3714169 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.9.2)
+policy_module(kernel,1.9.3)
########################################
#
@@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+# Forwarded network traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+
corenet_all_recvfrom_unlabeled(kernel_t)
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
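Review bot: The comment at L495 does not say what the subject and object of the new rule are, and that matters here because `unlabeled_t` appears on both sides, unlike the `kernel_t unlabeled_t:packet send` rule just above it. If the 2.6.25 forward check works the way I believe (subject is the packet's peer label, object is its secmark label), this rule only covers forwarded packets that are both unlabeled on the wire and carry no secmark; forwarded traffic from labeled peers, or packets tagged by secmark rules, would still need their own forward_in/forward_out rules and will otherwise be dropped silently on a forwarding host. Suggest expanding the comment to `# Forwarded network traffic: subject is the packet's peer label, object its secmark label; covers only traffic with neither (TODO confirm against the kernel's ip_forward hook)`.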