[selinux-policy: 2081/3172] trunk: Enable network_peer_controls policy capability from Paul Moore.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:04:39 UTC 2010


commit 7722c29e881cbc626bae800f7675efd3371fd239
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 3 15:45:30 2009 +0000

    trunk: Enable network_peer_controls policy capability from Paul Moore.

 Changelog                               |    1 +
 policy/modules/kernel/corenetwork.if.in |  108 +++++++++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in |    2 +-
 policy/modules/kernel/kernel.te         |    6 +-
 policy/policy_capabilities              |    2 +-
 5 files changed, 115 insertions(+), 4 deletions(-)
---
diff --git a/Changelog b/Changelog
index f3b2487..ab2d9d4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Enable network_peer_controls policy capability from Paul Moore.
 - Btrfs xattr support from Paul Moore.
 - Add db_procedure install permission from KaiGai Kohei.
 - Add support for network interfaces with access controlled by a Boolean
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index b138740..bb46175 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -315,6 +315,60 @@ interface(`corenet_raw_sendrecv_generic_if',`
 
 ########################################
 ## <summary>
+##	Allow outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the outgoing network traffic.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif egress;
+')
+
+########################################
+## <summary>
+##	Allow incoming traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the incoming network traffic.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_if',`
+	gen_require(`
+		type netif_t;
+	')
+
+	allow $1 netif_t:netif ingress;
+')
+
+########################################
+## <summary>
+##	Allow incoming and outgoing network traffic on the generic interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the network traffic.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_if',`
+	corenet_in_generic_if($1)
+	corenet_out_generic_if($1)
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all interfaces.
 ## </summary>
 ## <param name="domain">
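Review bot: The three new interfaces describe their argument as a peer label but say nothing about when the `netif { egress ingress }` permissions they grant are actually evaluated; as far as I recall of the kernel side, they are checked only when the network_peer_controls capability is enabled (which this commit does in policy/policy_capabilities) and only against a packet's peer label, i.e. where NetLabel or labeled IPsec supplies one, with packets lacking a label checked as unlabeled_t (consistent with the kernel.te hunk granting `corenet_in_generic_if(unlabeled_t)`). A reader of `corenet_out_generic_if` alone could take it as a replacement for `corenet_tcp_sendrecv_generic_if` for a process domain, which it is not. Suggest a sentence in each `<summary>` such as `##	Checked against the packet's peer label, and only when the network_peer_controls policy capability is enabled.` The same applies to the three node interfaces added in the second hunk of this file.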
@@ -610,6 +664,60 @@ interface(`corenet_raw_bind_generic_node',`
 
 ########################################
 ## <summary>
+##	Allow outgoing network traffic to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the outgoing network traffic.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_out_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node sendto;
+')
+
+########################################
+## <summary>
+##	Allow incoming network traffic from generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the incoming network traffic.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_in_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node recvfrom;
+')
+
+########################################
+## <summary>
+##	Allow incoming and outgoing network traffic with generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The peer label of the network traffic.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_inout_generic_node',`
+	corenet_in_generic_node($1)
+	corenet_out_generic_node($1)
+')
+
+########################################
+## <summary>
 ##	Send and receive TCP network traffic on all nodes.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 49e3b43..e8fe376 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.2)
+policy_module(corenetwork, 1.11.3)
 
 ########################################
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index fce1402..d3d685a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel, 1.10.2)
+policy_module(kernel, 1.10.3)
 
 ########################################
 #
@@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
-# Forwarded network traffic
+# Allow unlabeled network traffic
 allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+corenet_in_generic_if(unlabeled_t)
+corenet_in_generic_node(unlabeled_t)
 
 corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
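Review bot: unlabeled_t is granted `forward_out` on the packet class but only the ingress-side peer permissions (`corenet_in_generic_if`, `corenet_in_generic_node`); nothing here grants `netif egress` or `node sendto` for the same peer label. If I recall the postrouting hook correctly, a forwarded packet's peer label is re-derived from the packet on the way out, so forwarded unlabeled traffic would pass the new ingress checks and then be dropped at egress once peer labeling is active. If the asymmetry is intended the comment should say so; otherwise add `corenet_out_generic_if(unlabeled_t)` and `corenet_out_generic_node(unlabeled_t)` next to the two new calls.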
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 054cfbc..6f79d90 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -17,7 +17,7 @@
 # netif: ingress egress
 # peer: recv
 #
-#policycap network_peer_controls;
+policycap network_peer_controls;
 
 # Enable additional access controls for opening
 # a file (and similar objects).
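Review bot: Uncommenting `policycap network_peer_controls;` is a policy-wide switch rather than a local change, and the file does not say what it retires: on a kernel that honours the capability the per-socket `netif`/`node` send/recv checks that the existing corenet_*_sendrecv_* interfaces grant (visible as context at the top of the corenetwork.if.in hunks) are, to my knowledge, no longer evaluated, so those allow rules remain in the policy only for kernels without the capability. Suggest a comment above the line such as `# With this capability the kernel checks netif/node/peer against the packet's peer label; the legacy per-socket netif/node permissions are not evaluated.`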

