From 005841801767fd25cee8d0f28d0b506e6e2e3dda Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 23 Sep 2005 15:37:41 +0000 Subject: [PATCH] remove classes from gen_requires, and disable net_raw for now --- .../policy/modules/kernel/corenetwork.if.in | 70 +++---------------- .../policy/modules/kernel/corenetwork.if.m4 | 34 ++------- 2 files changed, 13 insertions(+), 91 deletions(-) diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index c4fbafc1..8e8e2a03 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in @@ -15,7 +15,6 @@ interface(`corenet_tcp_sendrecv_generic_if',` gen_require(` type netif_t; - class netif { tcp_send tcp_recv }; ') allow $1 netif_t:netif { tcp_send tcp_recv }; @@ -32,7 +31,6 @@ interface(`corenet_tcp_sendrecv_generic_if',` interface(`corenet_udp_send_generic_if',` gen_require(` type netif_t; - class netif udp_send; ') allow $1 netif_t:netif udp_send; @@ -49,7 +47,6 @@ interface(`corenet_udp_send_generic_if',` interface(`corenet_udp_receive_generic_if',` gen_require(` type netif_t; - class netif udp_recv; ') allow $1 netif_t:netif udp_recv; @@ -79,12 +76,13 @@ interface(`corenet_udp_sendrecv_generic_if',` interface(`corenet_raw_send_generic_if',` gen_require(` type netif_t; - class netif rawip_send; - class capability net_raw; ') allow $1 netif_t:netif rawip_send; - allow $1 self:capability net_raw; + + # cjp: comment out until raw access is + # is fixed for network users + #allow $1 self:capability net_raw; ') ######################################## @@ -98,7 +96,6 @@ interface(`corenet_raw_send_generic_if',` interface(`corenet_raw_receive_generic_if',` gen_require(` type netif_t; - class netif rawip_recv; ') allow $1 netif_t:netif rawip_recv; 
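Review bot: In `corenet_raw_send_generic_if` the `CAP_NET_RAW` grant is disabled by commenting out `allow $1 self:capability net_raw;`, so any caller that previously received the capability through this interface will now be denied at raw-socket creation, yet nothing in the hunk tells callers they must grant it themselves. Unbundling a broad capability (raw sockets, sniffing, arbitrary packet injection) from the narrow `netif rawip_send` check is the right least-privilege direction, so the comment should state the new contract instead of describing a temporary state: `# CAP_NET_RAW is deliberately not granted here; callers that open raw sockets must allow self:capability net_raw separately.` The current comment also carries a doubled word (`is` / `is fixed`). If the grant is intended to return, a TODO naming what "fixed for network users" means is safer than a commented-out rule, which tends to be re-enabled wholesale without review.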
@@ -128,7 +125,6 @@ interface(`corenet_raw_sendrecv_generic_if',` interface(`corenet_tcp_sendrecv_all_if',` gen_require(` attribute netif_type; - class netif { tcp_send tcp_recv }; ') allow $1 netif_type:netif { tcp_send tcp_recv }; @@ -145,7 +141,6 @@ interface(`corenet_tcp_sendrecv_all_if',` interface(`corenet_udp_send_all_if',` gen_require(` attribute netif_type; - class netif udp_send; ') allow $1 netif_type:netif udp_send; @@ -162,7 +157,6 @@ interface(`corenet_udp_send_all_if',` interface(`corenet_udp_receive_all_if',` gen_require(` attribute netif_type; - class netif udp_recv; ') allow $1 netif_type:netif udp_recv; @@ -192,12 +186,13 @@ interface(`corenet_udp_sendrecv_all_if',` interface(`corenet_raw_send_all_if',` gen_require(` attribute netif_type; - class netif rawip_send; - class capability net_raw; ') allow $1 netif_type:netif rawip_send; - allow $1 self:capability net_raw; + + # cjp: comment out until raw access is + # is fixed for network users + #allow $1 self:capability net_raw; ') ######################################## @@ -211,7 +206,6 @@ interface(`corenet_raw_send_all_if',` interface(`corenet_raw_receive_all_if',` gen_require(` attribute netif_type; - class netif rawip_recv; ') allow $1 netif_type:netif rawip_recv; @@ -241,7 +235,6 @@ interface(`corenet_raw_sendrecv_all_if',` interface(`corenet_tcp_sendrecv_generic_node',` gen_require(` type node_t; - class node { tcp_send tcp_recv }; ') allow $1 node_t:node { tcp_send tcp_recv }; @@ -258,7 +251,6 @@ interface(`corenet_tcp_sendrecv_generic_node',` interface(`corenet_udp_send_generic_node',` gen_require(` type node_t; - class node udp_send; ') allow $1 node_t:node udp_send; @@ -275,7 +267,6 @@ interface(`corenet_udp_send_generic_node',` interface(`corenet_udp_receive_generic_node',` gen_require(` type node_t; - class node udp_recv; ') allow $1 node_t:node udp_recv; 
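Review bot: `corenet_raw_send_all_if` now grants `rawip_send` on every `netif_type` but no longer grants `CAP_NET_RAW`, and the two-line comment is a verbatim copy of the one in the generic-if variant, so the interface's documentation (outside the hunk) will describe a capability it no longer provides. Callers of this interface, and presumably the sendrecv wrapper that the hunk header shows calling it, inherit the change silently as AVC denials at socket creation rather than at policy build time. A one-line contract comment at the removed grant, `# no CAP_NET_RAW here; callers open raw sockets only if they are granted self:capability net_raw elsewhere`, would make the new split explicit wherever the interface is read.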
@@ -305,7 +296,6 @@ interface(`corenet_udp_sendrecv_generic_node',` interface(`corenet_raw_send_generic_node',` gen_require(` type node_t; - class node rawip_send; ') allow $1 node_t:node rawip_send; @@ -322,7 +312,6 @@ interface(`corenet_raw_send_generic_node',` interface(`corenet_raw_receive_generic_node',` gen_require(` type node_t; - class node rawip_recv; ') allow $1 node_t:node rawip_recv; @@ -352,7 +341,6 @@ interface(`corenet_raw_sendrecv_generic_node',` interface(`corenet_tcp_bind_generic_node',` gen_require(` type node_t; - class tcp_socket node_bind; ') allow $1 node_t:tcp_socket node_bind; @@ -369,7 +357,6 @@ interface(`corenet_tcp_bind_generic_node',` interface(`corenet_udp_bind_generic_node',` gen_require(` type node_t; - class udp_socket node_bind; ') allow $1 node_t:udp_socket node_bind; @@ -386,7 +373,6 @@ interface(`corenet_udp_bind_generic_node',` interface(`corenet_tcp_sendrecv_all_nodes',` gen_require(` attribute node_type; - class node { tcp_send tcp_recv }; ') allow $1 node_type:node { tcp_send tcp_recv }; @@ -403,7 +389,6 @@ interface(`corenet_tcp_sendrecv_all_nodes',` interface(`corenet_udp_send_all_nodes',` gen_require(` attribute node_type; - class node udp_send; ') allow $1 node_type:node udp_send; @@ -420,7 +405,6 @@ interface(`corenet_udp_send_all_nodes',` interface(`corenet_udp_receive_all_nodes',` gen_require(` attribute node_type; - class node udp_recv; ') allow $1 node_type:node udp_recv; @@ -450,7 +434,6 @@ interface(`corenet_udp_sendrecv_all_nodes',` interface(`corenet_raw_send_all_nodes',` gen_require(` attribute node_type; - class node rawip_send; ') allow $1 node_type:node rawip_send; @@ -467,7 +450,6 @@ interface(`corenet_raw_send_all_nodes',` interface(`corenet_raw_receive_all_nodes',` gen_require(` attribute node_type; - class node rawip_recv; ') allow $1 node_type:node rawip_recv; 
@@ -497,7 +479,6 @@ interface(`corenet_raw_sendrecv_all_nodes',` interface(`corenet_tcp_bind_all_nodes',` gen_require(` attribute node_type; - class tcp_socket node_bind; ') allow $1 node_type:tcp_socket node_bind; @@ -514,7 +495,6 @@ interface(`corenet_tcp_bind_all_nodes',` interface(`corenet_udp_bind_all_nodes',` gen_require(` attribute node_type; - class udp_socket node_bind; ') allow $1 node_type:udp_socket node_bind; @@ -531,7 +511,6 @@ interface(`corenet_udp_bind_all_nodes',` interface(`corenet_tcp_sendrecv_generic_port',` gen_require(` type port_t; - class tcp_socket { send_msg recv_msg }; ') allow $1 port_t:tcp_socket { send_msg recv_msg }; @@ -548,7 +527,6 @@ interface(`corenet_tcp_sendrecv_generic_port',` interface(`corenet_udp_send_generic_port',` gen_require(` type port_t; - class udp_socket send_msg; ') allow $1 port_t:udp_socket send_msg; @@ -565,7 +543,6 @@ interface(`corenet_udp_send_generic_port',` interface(`corenet_udp_receive_generic_port',` gen_require(` type port_t; - class udp_socket recv_msg; ') allow $1 port_t:udp_socket recv_msg; @@ -595,7 +572,6 @@ interface(`corenet_udp_sendrecv_generic_port',` interface(`corenet_tcp_bind_generic_port',` gen_require(` type port_t; - class tcp_socket name_bind; ') allow $1 port_t:tcp_socket name_bind; @@ -612,7 +588,6 @@ interface(`corenet_tcp_bind_generic_port',` interface(`corenet_udp_bind_generic_port',` gen_require(` type port_t; - class udp_socket name_bind; ') allow $1 port_t:udp_socket name_bind; @@ -629,7 +604,6 @@ interface(`corenet_udp_bind_generic_port',` interface(`corenet_tcp_connect_generic_port',` gen_require(` type port_t; - class tcp_socket name_connect; ') allow $1 port_t:tcp_socket name_connect; @@ -646,7 +620,6 @@ interface(`corenet_tcp_connect_generic_port',` interface(`corenet_tcp_sendrecv_all_ports',` gen_require(` attribute port_type; - class tcp_socket { send_msg recv_msg }; ') allow $1 port_type:tcp_socket { send_msg recv_msg }; 
@@ -663,7 +636,6 @@ interface(`corenet_tcp_sendrecv_all_ports',` interface(`corenet_udp_send_all_ports',` gen_require(` attribute port_type; - class udp_socket send_msg; ') allow $1 port_type:udp_socket send_msg; @@ -680,7 +652,6 @@ interface(`corenet_udp_send_all_ports',` interface(`corenet_udp_receive_all_ports',` gen_require(` attribute port_type; - class udp_socket recv_msg; ') allow $1 port_type:udp_socket recv_msg; @@ -710,7 +681,6 @@ interface(`corenet_udp_sendrecv_all_ports',` interface(`corenet_tcp_bind_all_ports',` gen_require(` attribute port_type; - class tcp_socket name_bind; ') allow $1 port_type:tcp_socket name_bind; @@ -727,7 +697,6 @@ interface(`corenet_tcp_bind_all_ports',` interface(`corenet_udp_bind_all_ports',` gen_require(` attribute port_type; - class udp_socket name_bind; ') allow $1 port_type:udp_socket name_bind; @@ -744,7 +713,6 @@ interface(`corenet_udp_bind_all_ports',` interface(`corenet_tcp_connect_all_ports',` gen_require(` attribute port_type; - class tcp_socket name_connect; ') allow $1 port_type:tcp_socket name_connect; @@ -761,7 +729,6 @@ interface(`corenet_tcp_connect_all_ports',` interface(`corenet_tcp_sendrecv_reserved_port',` gen_require(` type reserved_port_t; - class tcp_socket { send_msg recv_msg }; ') allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; @@ -778,7 +745,6 @@ interface(`corenet_tcp_sendrecv_reserved_port',` interface(`corenet_udp_send_reserved_port',` gen_require(` type reserved_port_t; - class udp_socket send_msg; ') allow $1 reserved_port_t:udp_socket send_msg; @@ -795,7 +761,6 @@ interface(`corenet_udp_send_reserved_port',` interface(`corenet_udp_receive_reserved_port',` gen_require(` type reserved_port_t; - class udp_socket recv_msg; ') allow $1 reserved_port_t:udp_socket recv_msg; 
@@ -825,8 +790,6 @@ interface(`corenet_udp_sendrecv_reserved_port',` interface(`corenet_tcp_bind_reserved_port',` gen_require(` type reserved_port_t; - class tcp_socket name_bind; - class capability net_bind_service; ') allow $1 reserved_port_t:tcp_socket name_bind; @@ -844,8 +807,6 @@ interface(`corenet_tcp_bind_reserved_port',` interface(`corenet_udp_bind_reserved_port',` gen_require(` type reserved_port_t; - class udp_socket name_bind; - class capability net_bind_service; ') allow $1 reserved_port_t:udp_socket name_bind; @@ -863,7 +824,6 @@ interface(`corenet_udp_bind_reserved_port',` interface(`corenet_tcp_connect_reserved_port',` gen_require(` type reserved_port_t; - class tcp_socket name_connect; ') allow $1 reserved_port_t:tcp_socket name_connect; @@ -880,7 +840,6 @@ interface(`corenet_tcp_connect_reserved_port',` interface(`corenet_tcp_sendrecv_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class tcp_socket { send_msg recv_msg }; ') allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; @@ -897,7 +856,6 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` interface(`corenet_udp_send_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class udp_socket send_msg; ') allow $1 reserved_port_type:udp_socket send_msg; @@ -914,7 +872,6 @@ interface(`corenet_udp_send_all_reserved_ports',` interface(`corenet_udp_receive_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class udp_socket recv_msg; ') allow $1 reserved_port_type:udp_socket recv_msg; @@ -944,8 +901,6 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` interface(`corenet_tcp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class tcp_socket name_bind; - class capability net_bind_service; ') allow $1 reserved_port_type:tcp_socket name_bind; 
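Review bot: `corenet_tcp_bind_reserved_port`, `corenet_udp_bind_reserved_port` and `corenet_tcp_bind_all_reserved_ports` drop only the `class capability net_bind_service;` require; each hunk ends at the `name_bind` rule, so the `self:capability net_bind_service` grant that presumably follows is outside the hunk and appears to stay bundled into these interfaces. If so, the commit treats the two capabilities inconsistently: `CAP_NET_RAW` is unbundled from the raw-send interfaces in this same change while `CAP_NET_BIND_SERVICE` remains an implicit side effect of asking to bind a reserved port. Bundling is defensible here because the capability is strictly required to bind below 1024 and is far narrower than `net_raw`, but that reasoning should be written down next to the grant, e.g. `# CAP_NET_BIND_SERVICE is granted with name_bind: binding a port below 1024 is impossible without it`, so the next reader does not remove it for symmetry with the raw-send change.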
@@ -963,7 +918,6 @@ interface(`corenet_tcp_bind_all_reserved_ports',` interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class tcp_socket name_bind; ') dontaudit $1 reserved_port_type:tcp_socket name_bind; @@ -980,8 +934,6 @@ interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',` interface(`corenet_udp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class udp_socket name_bind; - class self:capability net_bind_service; ') allow $1 reserved_port_type:udp_socket name_bind; @@ -999,7 +951,6 @@ interface(`corenet_udp_bind_all_reserved_ports',` interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class udp_socket name_bind; ') dontaudit $1 reserved_port_type:udp_socket name_bind; @@ -1017,7 +968,6 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; - class tcp_socket name_connect; ') dontaudit $1 reserved_port_type:tcp_socket name_connect; @@ -1034,7 +984,6 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` interface(`corenet_use_tun_tap_device',` gen_require(` type tun_tap_device_t; - class chr_file { read write ioctl }; ') dev_list_all_dev_nodes($1) @@ -1052,9 +1001,6 @@ interface(`corenet_use_tun_tap_device',` interface(`corenet_unconfined',` gen_require(` attribute node_type, netif_type, port_type; - class tcp_socket { send_msg recv_msg node_bind name_bind name_connect }; - class udp_socket { send_msg recv_msg node_bind name_bind }; - class rawip_socket node_bind; ') allow $1 node_type:node *; diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index d6401ba6..3c67f722 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 
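Review bot: `corenet_unconfined` keeps `allow $1 node_type:node *;` and, with the enumerated `tcp_socket`/`udp_socket`/`rawip_socket` permission lists removed from `gen_require`, the hunk no longer records anywhere which permissions the interface is meant to hand out; the rest of its body continues past the hunk. A wildcard grants every permission that exists in the class today and any permission added to it later, which is intended for an unconfined domain but should be said explicitly so the interface is not reused as a convenience elsewhere: `# wildcard: grants all current and future node permissions; for unconfined domains only`. The same note applies to whatever wildcard rules follow for the port and netif attributes, if the body uses them.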
@@ -17,7 +17,6 @@ define(`create_netif_interfaces',`` interface(`corenet_tcp_sendrecv_$1',` gen_require(` type $1_netif_t; - class netif { tcp_send tcp_recv }; ') allow dollarsone $1_netif_t:netif { tcp_send tcp_recv }; @@ -35,7 +34,6 @@ interface(`corenet_tcp_sendrecv_$1',` interface(`corenet_udp_send_$1',` gen_require(` type $1_netif_t; - class netif udp_send; ') allow dollarsone $1_netif_t:netif udp_send; @@ -53,7 +51,6 @@ interface(`corenet_udp_send_$1',` interface(`corenet_udp_receive_$1',` gen_require(` type $1_netif_t; - class netif udp_recv; ') allow dollarsone $1_netif_t:netif udp_recv; @@ -85,12 +82,13 @@ interface(`corenet_udp_sendrecv_$1',` interface(`corenet_raw_send_$1',` gen_require(` type $1_netif_t; - class netif rawip_send; - class capability net_raw; ') allow dollarsone $1_netif_t:netif rawip_send; - allow dollarsone self:capability net_raw; + + # cjp: comment out until raw access is + # is fixed for network users + #allow dollarsone self:capability net_raw; ') ######################################## @@ -105,7 +103,6 @@ interface(`corenet_raw_send_$1',` interface(`corenet_raw_receive_$1',` gen_require(` type $1_netif_t; - class netif rawip_recv; ') allow dollarsone $1_netif_t:netif rawip_recv; @@ -145,7 +142,6 @@ define(`create_node_interfaces',`` interface(`corenet_tcp_sendrecv_$1_node',` gen_require(` type $1_node_t; - class node { tcp_send tcp_recv }; ') allow dollarsone $1_node_t:node { tcp_send tcp_recv }; @@ -163,7 +159,6 @@ interface(`corenet_tcp_sendrecv_$1_node',` interface(`corenet_udp_send_$1_node',` gen_require(` type $1_node_t; - class node udp_send; ') allow dollarsone $1_node_t:node udp_send; @@ -181,7 +176,6 @@ interface(`corenet_udp_send_$1_node',` interface(`corenet_udp_receive_$1_node',` gen_require(` type $1_node_t; - class node udp_recv; ') allow dollarsone $1_node_t:node udp_recv; 
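Review bot: The generated `corenet_raw_send_$1` carries the third copy of the commented-out `net_raw` grant and the same two-line comment (including the doubled `is`), and because this is the m4 template it is replicated into every per-netif interface the generator emits. When the raw-access question is resolved, three templates in two files have to be edited in step, which is exactly how a capability grant gets re-enabled in one place and not another. Hoisting the decision into a single m4 definition that the three raw-send templates expand, with the contract comment written once (`# CAP_NET_RAW is not granted by the raw-send interfaces; callers must allow self:capability net_raw separately`), would keep the policy consistent across `.if.in` and `.if.m4`.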
@@ -213,7 +207,6 @@ interface(`corenet_udp_sendrecv_$1_node',` interface(`corenet_raw_send_$1_node',` gen_require(` type $1_node_t; - class node rawip_send; ') allow dollarsone $1_node_t:node rawip_send; @@ -231,7 +224,6 @@ interface(`corenet_raw_send_$1_node',` interface(`corenet_raw_receive_$1_node',` gen_require(` type $1_node_t; - class node rawip_recv; ') allow dollarsone $1_node_t:node rawip_recv; @@ -263,7 +255,6 @@ interface(`corenet_raw_sendrecv_$1_node',` interface(`corenet_tcp_bind_$1_node',` gen_require(` type $1_node_t; - class tcp_socket node_bind; ') allow dollarsone $1_node_t:tcp_socket node_bind; @@ -281,7 +272,6 @@ interface(`corenet_tcp_bind_$1_node',` interface(`corenet_udp_bind_$1_node',` gen_require(` type $1_node_t; - class udp_socket node_bind; ') allow dollarsone $1_node_t:udp_socket node_bind; @@ -307,7 +297,6 @@ define(`create_port_interfaces',`` interface(`corenet_tcp_sendrecv_$1_port',` gen_require(` type $1_port_t; - class tcp_socket { send_msg recv_msg }; ') allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg }; @@ -325,7 +314,6 @@ interface(`corenet_tcp_sendrecv_$1_port',` interface(`corenet_udp_send_$1_port',` gen_require(` type $1_port_t; - class udp_socket send_msg; ') allow dollarsone $1_port_t:udp_socket send_msg; @@ -343,7 +331,6 @@ interface(`corenet_udp_send_$1_port',` interface(`corenet_udp_receive_$1_port',` gen_require(` type $1_port_t; - class udp_socket recv_msg; ') allow dollarsone $1_port_t:udp_socket recv_msg; @@ -375,8 +362,6 @@ interface(`corenet_udp_sendrecv_$1_port',` interface(`corenet_tcp_bind_$1_port',` gen_require(` type $1_port_t; - class tcp_socket name_bind; - $3 ') allow dollarsone $1_port_t:tcp_socket name_bind; @@ -395,8 +380,6 @@ interface(`corenet_tcp_bind_$1_port',` interface(`corenet_udp_bind_$1_port',` gen_require(` type $1_port_t; - class udp_socket name_bind; - $3 ') allow dollarsone $1_port_t:udp_socket name_bind; 
@@ -414,7 +397,6 @@ interface(`corenet_udp_bind_$1_port',` interface(`corenet_tcp_connect_$1_port',` gen_require(` type $1_port_t; - class tcp_socket name_connect; ') allow dollarsone $1_port_t:tcp_socket name_connect; @@ -442,12 +424,6 @@ ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifel ')dnl end outer ifelse ') dnl end determine reserved capability -define(`determine_reserved_capability_depend',`dnl -ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl -ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse -')dnl end outer ifelse -') dnl end determine reserved capability depend - define(`declare_ports',`dnl ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl') portcon $2 $3 context_template(system_u:object_r:$1,$4) @@ -458,5 +434,5 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) # define(`network_port',` -create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*))) +create_port_interfaces($1,determine_reserved_capability(shift($*))) ')
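Review bot: `network_port` now calls `create_port_interfaces` with two arguments after `determine_reserved_capability_depend` is deleted, but the remaining `declare_ports` still decides `reserved_port_type` with the bare literal `eval($3 < 1024)`, and `determine_reserved_capability`, whose body begins before the hunk, presumably repeats the same literal to decide the `net_bind_service` grant. Those two comparisons must agree or a port can be typed reserved without the capability grant (bind fails despite the policy appearing to allow it) or granted the capability without being reserved; a single named threshold, e.g. `define(`reserved_port_max',`1024')` used by both, removes that failure mode. Note also that m4 silently discards extra macro arguments, so if any other caller of `create_port_interfaces` still passes the removed third argument it will not fail the build; that is worth grepping for rather than assuming.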