trunk: More complete labeled networking infrastructure from KaiGai Kohei.

2007-11-26 16:44:57 +00:00 · 2007-11-26 16:44:57 +00:00 · 0b6acad1bb
parent 8d1f9d9e14
commit 0b6acad1bb
8 changed files with 143 additions and 16 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- More complete labeled networking infrastructure from KaiGai Kohei.
 - Add interface for libselinux constructor, for libselinux-linked
  SELinux-enabled programs.
 - Patch to restructure user role templates to create restricted user roles
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -2056,6 +2056,118 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
 	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')

+########################################
+## <summary>
+##	Rules for receiving labeled TCP packets.
+## </summary>
+## <desc>
+##	<p>
+##	Rules for receiving labeled TCP packets.
+##	</p>
+##	<p>
+##	Due to the nature of TCP, this is bidirectional.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_labeled',`
+	allow { $1 $2 } self:association sendto;
+	allow $1 $2:{ association tcp_socket } recvfrom;
+	allow $2 $1:{ association tcp_socket } recvfrom;
+
+	# Netlabel (CIPSO)-based labeled networking
+	# currently only supports MLS portion of label
+	corenet_tcp_recvfrom_netlabel($1)
+	corenet_tcp_recvfrom_netlabel($2)
+')
+
+########################################
+## <summary>
+##	Rules for receiving labeled UDP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_labeled',`
+	allow $2 self:association sendto;
+	allow $1 $2:{ association udp_socket } recvfrom;
+
+	# Netlabel (CIPSO)-based labeled networking
+	# currently only supports MLS portion of label
+	corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##	Rules for receiving labeled raw IP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_labeled',`
+	allow $2 self:association sendto;
+	allow $1 $2:{ association rawip_socket } recvfrom;
+
+	# Netlabel (CIPSO)-based labeled networking
+	# currently only supports MLS portion of label
+	corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##	Rules for receiving labeled packets via TCP, UDP and raw IP.
+## </summary>
+## <desc>
+##	<p>
+##	Rules for receiving labeled packets via TCP, UDP and raw IP.
+##	</p>
+##	<p>
+##	Due to the nature of TCP, the rules (for TCP
+##	networking only) are bidirectional.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_labeled',`
+	corenet_tcp_recvfrom_labeled($1,$2)
+	corenet_udp_recvfrom_labeled($1,$2)
+	corenet_raw_recvfrom_labeled($1,$2)
+')
+
 ########################################
 ## <summary>
 ##	Send generic client packets.
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@ -1269,12 +1269,7 @@ interface(`domain_all_recvfrom_all_domains',`
 		attribute domain;
 	')

-	# IPSEC-based labeled networking 
-	allow $1 domain:association recvfrom;
-
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
-	corenet_all_recvfrom_netlabel($1)
+	corenet_all_recvfrom_labeled($1,domain)
 ')

 ########################################
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -369,14 +369,6 @@ tunable_policy(`httpd_can_network_connect',`
 	corenet_tcp_connect_all_ports(httpd_t)
 ')

-tunable_policy(`httpd_can_network_connect_db',`
-	# allow httpd to connect to mysql/posgresql
-	corenet_tcp_connect_postgresql_port(httpd_t)
-	corenet_tcp_connect_mysqld_port(httpd_t)
-	corenet_sendrecv_postgresql_client_packets(httpd_t)
-	corenet_sendrecv_mysqld_client_packets(httpd_t)
-')
-
 tunable_policy(`httpd_can_network_relay',`
 	# allow httpd to work as a relay
 	corenet_tcp_connect_gopher_port(httpd_t)
@ -457,8 +449,14 @@ optional_policy(`
 ')

 optional_policy(`
+	# Allow httpd to work with mysql
 	mysql_stream_connect(httpd_t)
 	mysql_rw_db_sockets(httpd_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		corenet_tcp_connect_mysqld_port(httpd_t)
+		corenet_sendrecv_mysqld_client_packets(httpd_t)
+	')
 ')

 optional_policy(`
@ -476,6 +474,10 @@ optional_policy(`
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
+
+	tunable_policy(`httpd_can_network_connect_db',`
+		postgresql_tcp_connect(httpd_t)
+	')
 ')

 optional_policy(`
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@ -79,7 +79,7 @@ interface(`postgresql_read_config',`

 ########################################
 ## <summary>
-##	Allow the specified domain to connect to postgresql with a tcp socket.  (Deprecated)
+##	Allow the specified domain to connect to postgresql with a tcp socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -88,7 +88,14 @@ interface(`postgresql_read_config',`
 ## </param>
 #
 interface(`postgresql_tcp_connect',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	gen_require(`
+		type postgresql_t;
+	')
+
+	corenet_tcp_recvfrom_labeled($1,postgresql_t)
+	corenet_tcp_sendrecv_postgresql_port($1)
+	corenet_tcp_connect_postgresql_port($1)
+	corenet_sendrecv_postgresql_client_packets($1)
 ')

 ########################################
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@ -153,6 +153,10 @@ optional_policy(`
 	hostname_exec(postgresql_t)
 ')

+optional_policy(`
+	ipsec_match_default_spd(postgresql_t)
+')
+
 optional_policy(`
 	kerberos_use(postgresql_t)
 ')
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@ -109,6 +109,7 @@ interface(`ipsec_match_default_spd',`
 	')

 	allow $1 ipsec_spd_t:association polmatch;
+	allow $1 self:association sendto;
 ')

 ########################################
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -548,6 +548,10 @@ template(`userdom_basic_networking_template',`
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
+
+	optional_policy(`
+		ipsec_match_default_spd($1_t)
+	')
 ')

 #######################################
@ -840,6 +844,7 @@ template(`userdom_common_user_template',`
 	optional_policy(`
 		tunable_policy(`allow_user_postgresql_connect',`
 			postgresql_stream_connect($1_t)
+			postgresql_tcp_connect($1_t)
 		')
 	')