trunk: More complete labeled networking infrastructure from KaiGai Kohei.

This commit is contained in:
Chris PeBenito 2007-11-26 16:44:57 +00:00
parent 8d1f9d9e14
commit 0b6acad1bb
8 changed files with 143 additions and 16 deletions


@ -1,3 +1,4 @@
- More complete labeled networking infrastructure from KaiGai Kohei.
- Add interface for libselinux constructor, for libselinux-linked - Add interface for libselinux constructor, for libselinux-linked
SELinux-enabled programs. SELinux-enabled programs.
- Patch to restructure user role templates to create restricted user roles - Patch to restructure user role templates to create restricted user roles


@ -2056,6 +2056,118 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
') ')
########################################
## <summary>
## Rules for receiving labeled TCP packets.
## </summary>
## <desc>
## <p>
## Rules for receiving labeled TCP packets.
## </p>
## <p>
## Due to the nature of TCP, this is bidirectional.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="peer_domain">
## <summary>
## Peer domain.
## </summary>
## </param>
#
interface(`corenet_tcp_recvfrom_labeled',`
allow { $1 $2 } self:association sendto;
allow $1 $2:{ association tcp_socket } recvfrom;
allow $2 $1:{ association tcp_socket } recvfrom;
# Netlabel (CIPSO)-based labeled networking
# currently only supports MLS portion of label
corenet_tcp_recvfrom_netlabel($1)
corenet_tcp_recvfrom_netlabel($2)
')
########################################
## <summary>
## Rules for receiving labeled UDP packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="peer_domain">
## <summary>
## Peer domain.
## </summary>
## </param>
#
interface(`corenet_udp_recvfrom_labeled',`
allow $2 self:association sendto;
allow $1 $2:{ association udp_socket } recvfrom;
# Netlabel (CIPSO)-based labeled networking
# currently only supports MLS portion of label
corenet_udp_recvfrom_netlabel($1)
')
########################################
## <summary>
## Rules for receiving labeled raw IP packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="peer_domain">
## <summary>
## Peer domain.
## </summary>
## </param>
#
interface(`corenet_raw_recvfrom_labeled',`
allow $2 self:association sendto;
allow $1 $2:{ association rawip_socket } recvfrom;
# Netlabel (CIPSO)-based labeled networking
# currently only supports MLS portion of label
corenet_raw_recvfrom_netlabel($1)
')
########################################
## <summary>
## Rules for receiving labeled packets via TCP, UDP and raw IP.
## </summary>
## <desc>
## <p>
## Rules for receiving labeled packets via TCP, UDP and raw IP.
## </p>
## <p>
## Due to the nature of TCP, the rules (for TCP
## networking only) are bidirectional.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="peer_domain">
## <summary>
## Peer domain.
## </summary>
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
corenet_tcp_recvfrom_labeled($1,$2)
corenet_udp_recvfrom_labeled($1,$2)
corenet_raw_recvfrom_labeled($1,$2)
')
######################################## ########################################
## <summary> ## <summary>
## Send generic client packets. ## Send generic client packets.
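Review bot: `corenet_udp_recvfrom_labeled` and `corenet_raw_recvfrom_labeled` lack the `<desc>` block that `corenet_tcp_recvfrom_labeled` carries, so the generated interface documentation will not show that, unlike TCP, these two are one-directional: only `$1` gets recvfrom on `$2`, and only `$2` gets `self:association sendto`. Add to both a description along the lines of `## <desc><p>Unlike the TCP variant, these rules are unidirectional: the domain receives labeled packets sent by the peer domain.</p></desc>`, and sharpen the `peer_domain` summary to `## Peer domain sending the packets.`. In the TCP interface the `peer_domain` summary should instead state that the peer is also granted receipt from `$1`, since the bidirectional rules are a real grant to `$2` and not just to the caller.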


@ -1269,12 +1269,7 @@ interface(`domain_all_recvfrom_all_domains',`
attribute domain; attribute domain;
') ')
# IPSEC-based labeled networking corenet_all_recvfrom_labeled($1,domain)
allow $1 domain:association recvfrom;
# Netlabel (CIPSO)-based labeled networking
# currently only supports MLS portion of label
corenet_all_recvfrom_netlabel($1)
') ')
######################################## ########################################
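Review bot: Replacing `allow $1 domain:association recvfrom;` with `corenet_all_recvfrom_labeled($1,domain)` widens the grant beyond what the interface name suggests: through `corenet_tcp_recvfrom_labeled`, every domain in the `domain` attribute now also receives `{ association tcp_socket } recvfrom` on `$1` and `self:association sendto`, so the reverse direction is granted policy-wide. That follows from TCP being bidirectional, but it is an effect callers of `domain_all_recvfrom_all_domains` did not previously get; the interface's summary (outside this hunk) should say so, e.g. `## Receive labeled packets from all domains; for TCP, all domains are also allowed to receive from the specified domain.`. If that widening is not wanted for every caller, the TCP portion would need a one-directional variant rather than the shared interface.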


@ -369,14 +369,6 @@ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t) corenet_tcp_connect_all_ports(httpd_t)
') ')
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
corenet_tcp_connect_mysqld_port(httpd_t)
corenet_sendrecv_postgresql_client_packets(httpd_t)
corenet_sendrecv_mysqld_client_packets(httpd_t)
')
tunable_policy(`httpd_can_network_relay',` tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay # allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t) corenet_tcp_connect_gopher_port(httpd_t)
@ -457,8 +449,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
# Allow httpd to work with mysql
mysql_stream_connect(httpd_t) mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t) mysql_rw_db_sockets(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
corenet_tcp_connect_mysqld_port(httpd_t)
corenet_sendrecv_mysqld_client_packets(httpd_t)
')
') ')
optional_policy(` optional_policy(`
@ -476,6 +474,10 @@ optional_policy(`
optional_policy(` optional_policy(`
# Allow httpd to work with postgresql # Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t) postgresql_stream_connect(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
')
') ')
optional_policy(` optional_policy(`
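Review bot: Moving the `httpd_can_network_connect_db` rules into the mysql and postgresql `optional_policy` blocks changes what the tunable does: when the postgresql module is not loaded, httpd no longer gets `corenet_tcp_connect_postgresql_port` at all, and the two branches are now asymmetric, the mysql one keeping direct corenet port rules while the postgresql one goes through `postgresql_tcp_connect` and therefore also gains labeled recvfrom with `postgresql_t`. If the module dependence is intended, the tunable's description (outside this hunk) should state that it only takes effect when the corresponding database module is present. A short comment in the mysql block explaining why it uses direct corenet calls instead of a mysql-module interface would help the next reader, e.g. `# direct port access; labeled networking is handled per database module`.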


@ -79,7 +79,7 @@ interface(`postgresql_read_config',`
######################################## ########################################
## <summary> ## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated) ## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -88,7 +88,14 @@ interface(`postgresql_read_config',`
## </param> ## </param>
# #
interface(`postgresql_tcp_connect',` interface(`postgresql_tcp_connect',`
refpolicywarn(`$0($*) has been deprecated.') gen_require(`
type postgresql_t;
')
corenet_tcp_recvfrom_labeled($1,postgresql_t)
corenet_tcp_sendrecv_postgresql_port($1)
corenet_tcp_connect_postgresql_port($1)
corenet_sendrecv_postgresql_client_packets($1)
') ')
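Review bot: The summary `Allow the specified domain to connect to postgresql with a tcp socket.` now understates the interface: `corenet_tcp_recvfrom_labeled($1,postgresql_t)` also grants `postgresql_t` recvfrom on `$1`'s association and tcp_socket and gives both domains `self:association sendto`, so calling this interface changes postgresql_t's policy as well as the caller's. Add a `<desc>` noting that the interface additionally sets up bidirectional labeled (IPsec/NetLabel) networking between the domain and `postgresql_t`. Callers that previously only tolerated the deprecation warning now silently receive these extra rules, which is worth a sentence in the changelog hunk as well.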
######################################## ########################################


@ -153,6 +153,10 @@ optional_policy(`
hostname_exec(postgresql_t) hostname_exec(postgresql_t)
') ')
optional_policy(`
ipsec_match_default_spd(postgresql_t)
')
optional_policy(` optional_policy(`
kerberos_use(postgresql_t) kerberos_use(postgresql_t)
') ')


@ -109,6 +109,7 @@ interface(`ipsec_match_default_spd',`
') ')
allow $1 ipsec_spd_t:association polmatch; allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
') ')
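Review bot: `ipsec_match_default_spd` now grants `self:association sendto` alongside `polmatch` on `ipsec_spd_t`, so every existing caller silently gains the ability to send on its own association; the interface summary (outside this hunk) should document the new permission, e.g. `## Match the default SPD entry and send on the domain's own association.`. If some callers only need SPD matching, the sendto rule fits better in a separate interface than in one named for matching.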
######################################## ########################################


@ -548,6 +548,10 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t) corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t) corenet_sendrecv_all_client_packets($1_t)
optional_policy(`
ipsec_match_default_spd($1_t)
')
') ')
####################################### #######################################
@ -840,6 +844,7 @@ template(`userdom_common_user_template',`
optional_policy(` optional_policy(`
tunable_policy(`allow_user_postgresql_connect',` tunable_policy(`allow_user_postgresql_connect',`
postgresql_stream_connect($1_t) postgresql_stream_connect($1_t)
postgresql_tcp_connect($1_t)
') ')
') ')
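Review bot: The new `optional_policy` block in `userdom_basic_networking_template` gives every user domain `ipsec_match_default_spd`, and with this commit therefore `self:association sendto`, unconditionally whenever the ipsec module is present, whereas the postgresql labeled-networking grant in the second hunk stays behind `allow_user_postgresql_connect`. A one-line comment above the block stating why labeled sending belongs to basic networking for all users, e.g. `# allow labeled (IPsec) networking for all user domains`, would make the intent explicit; if it should be opt-in like the database case, a tunable would be the consistent choice. `userdom_basic_networking_template` continues outside the first hunk.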