[selinux-policy: 2078/3172] trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:04:23 UTC 2010
commit 019dfaf9dc94322a0b359a2c60099e4fe26b6b10
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Jan 15 20:31:06 2009 +0000
trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project.
Changelog | 2 +
Makefile | 2 +-
policy/modules/kernel/corenetwork.if.m4 | 151 +++++++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/kernel/corenetwork.te.m4 | 15 +++
5 files changed, 170 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index 88188c3..63055c9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Add support for network interfaces with access controlled by a Boolean
+ from the CLIP project.
- Several fixes from the CLIP project.
- Add support for labeled Booleans.
- Remove node definitions and change node usage to generic nodes.
diff --git a/Makefile b/Makefile
index 12c9128..8beede9 100644
--- a/Makefile
+++ b/Makefile
@@ -397,7 +397,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $< \
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
| $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
diff --git a/policy/modules/kernel/corenetwork.if.m4 b/policy/modules/kernel/corenetwork.if.m4
index a83e89f..8e0f9cd 100644
--- a/policy/modules/kernel/corenetwork.if.m4
+++ b/policy/modules/kernel/corenetwork.if.m4
@@ -140,6 +140,147 @@ interface(`corenet_raw_sendrecv_$1_if',`
')
'') dnl end create_netif_interfaces
+# create confined network interfaces controlled by the network_enabled boolean
+# do not call this macro for loop back
+define(`create_netif_interfaces_controlled',``
+########################################
+## <summary>
+## Send and receive TCP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { udp_send egress };
+ }
+')
+
+########################################
+## <summary>
+## Receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { udp_recv ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send and receive UDP network traffic on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_$1_if',`
+ corenet_udp_send_$1_if(dollarsone)
+ corenet_udp_receive_$1_if(dollarsone)
+')
+
+########################################
+## <summary>
+## Send raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_raw_send_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { rawip_send egress };
+ }
+')
+
+########################################
+## <summary>
+## Receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_raw_receive_$1_if',`
+ gen_require(`
+ $3 $1_$2;
+ ')
+
+ if (network_enabled) {
+ allow dollarsone $1_$2:netif { rawip_recv ingress };
+ }
+')
+
+########################################
+## <summary>
+## Send and receive raw IP packets on the $1 interface.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_raw_sendrecv_$1_if',`
+ corenet_raw_send_$1_if(dollarsone)
+ corenet_raw_receive_$1_if(dollarsone)
+')
+'') dnl end create_netif_interfaces_controlled
+
########################################
#
# Network node generated macros
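Review bot: The new `if (network_enabled) { ... }` blocks in corenet_tcp_sendrecv_$1_if, corenet_udp_send_$1_if, corenet_udp_receive_$1_if, corenet_raw_send_$1_if and corenet_raw_receive_$1_if reference the Boolean without requiring it: each `gen_require` lists only `$3 $1_$2;`. In a loadable-module build the calling module does not have `network_enabled` in scope, since it is declared by corenetwork in corenetwork.te.m4, so the module would fail with an out-of-scope boolean; a monolithic build would likely not notice. Add `bool network_enabled;` to each of the five `gen_require` blocks (the two sendrecv wrappers inherit it through the interfaces they call). The summaries are also copied verbatim from the uncontrolled variants and do not say that the access is conditional; append e.g. `## Access is granted only while the network_enabled Boolean is true.` to each summary so the generated documentation distinguishes controlled from uncontrolled interfaces.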
@@ -641,9 +782,15 @@ interface(`corenet_relabelto_$1_packets',`
define(`create_netif_type_interfaces',`
create_netif_interfaces($1,netif_t,type)
')
+define(`create_netif_type_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif_t,type)
+')
define(`create_netif_attrib_interfaces',`
create_netif_interfaces($1,netif,attribute)
')
+define(`create_netif_attrib_interfaces_controlled',`
+create_netif_interfaces_controlled($1,netif,attribute)
+')
#
# network_interface(linux_interfacename,mls_sensitivity)
@@ -652,6 +799,10 @@ define(`network_interface',`
create_netif_type_interfaces($1)
')
+define(`network_interface_controlled',`
+create_netif_type_interfaces_controlled($1)
+')
+
#
# create_node_*_interfaces(node_name)
#
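Review bot: `network_interface_controlled` is defined without the header comment that its sibling `network_interface` carries (`# network_interface(linux_interfacename,mls_sensitivity)` in the preceding hunk), so readers of corenetwork.if.m4 cannot tell its argument list or that it emits the Boolean-gated variants. Add above the define: `#`, `# network_interface_controlled(linux_interfacename,mls_sensitivity)`, `#`, plus a one-line note that the generated interfaces are conditional on network_enabled. The macro body only reaches `create_netif_type_interfaces_controlled`; `create_netif_attrib_interfaces_controlled`, added in the previous hunk, has no caller in this commit as far as the diff shows.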
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index ab1a321..49e3b43 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.1)
+policy_module(corenetwork, 1.11.2)
########################################
#
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index c8ed292..27b4bb6 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -39,6 +39,21 @@ type $1_netif_t alias netif_$1_t, netif_type;
declare_netifs($1_netif_t,shift($*))
')
+define(`network_interface_controlled',`
+ifdef(`__network_enabled_declared__',`',`
+## <desc>
+## <p>
+## Enable network traffic on all controlled interfaces.
+## </p>
+## </desc>
+gen_bool(network_enabled, true)
+define(`__network_enabled_declared__')
+')
+gen_require(``type unlabeled_t;'')
+type $1_netif_t alias netif_$1_t, netif_type;
+declare_netifs($1_netif_t,shift($*))
+')
+
define(`declare_nodes',`dnl
nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
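Review bot: `gen_bool(network_enabled, true)` makes the gate fail-open: every interface generated by create_netif_interfaces_controlled grants its netif permissions (presumably the same set as the uncontrolled variant) until an administrator turns the Boolean off, and the `<desc>` states neither the default nor what turning it off removes. Extend the description to e.g. `## Enable network traffic on all controlled interfaces. Defaults to true; setting it to false withdraws TCP, UDP and raw IP send/receive access on every controlled interface at once.` The `ifdef(`__network_enabled_declared__',...)` guard emits the declaration only on the first call, which deserves a one-line comment above it such as `# declare the shared Boolean once, on the first controlled interface`. The `gen_require(``type unlabeled_t;'')` appears copied from `network_interface`; if declare_netifs needs it, a comment saying so would save the next reader a lookup — I cannot confirm that from the hunk.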