trunk: More complete labeled networking infrastructure from KaiGai Kohei.
This commit is contained in:
parent
8d1f9d9e14
commit
0b6acad1bb
|
@ -1,3 +1,4 @@
|
||||||
|
- More complete labeled networking infrastructure from KaiGai Kohei.
|
||||||
- Add interface for libselinux constructor, for libselinux-linked
|
- Add interface for libselinux constructor, for libselinux-linked
|
||||||
SELinux-enabled programs.
|
SELinux-enabled programs.
|
||||||
- Patch to restructure user role templates to create restricted user roles
|
- Patch to restructure user role templates to create restricted user roles
|
||||||
|
|
|
@ -2056,6 +2056,118 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
|
||||||
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Rules for receiving labeled TCP packets.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Rules for receiving labeled TCP packets.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Due to the nature of TCP, this is bidirectional.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="peer_domain">
|
||||||
|
## <summary>
|
||||||
|
## Peer domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_tcp_recvfrom_labeled',`
|
||||||
|
allow { $1 $2 } self:association sendto;
|
||||||
|
allow $1 $2:{ association tcp_socket } recvfrom;
|
||||||
|
allow $2 $1:{ association tcp_socket } recvfrom;
|
||||||
|
|
||||||
|
# Netlabel (CIPSO)-based labeled networking
|
||||||
|
# currently only supports MLS portion of label
|
||||||
|
corenet_tcp_recvfrom_netlabel($1)
|
||||||
|
corenet_tcp_recvfrom_netlabel($2)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Rules for receiving labeled UDP packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="peer_domain">
|
||||||
|
## <summary>
|
||||||
|
## Peer domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_udp_recvfrom_labeled',`
|
||||||
|
allow $2 self:association sendto;
|
||||||
|
allow $1 $2:{ association udp_socket } recvfrom;
|
||||||
|
|
||||||
|
# Netlabel (CIPSO)-based labeled networking
|
||||||
|
# currently only supports MLS portion of label
|
||||||
|
corenet_udp_recvfrom_netlabel($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Rules for receiving labeled raw IP packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="peer_domain">
|
||||||
|
## <summary>
|
||||||
|
## Peer domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_raw_recvfrom_labeled',`
|
||||||
|
allow $2 self:association sendto;
|
||||||
|
allow $1 $2:{ association rawip_socket } recvfrom;
|
||||||
|
|
||||||
|
# Netlabel (CIPSO)-based labeled networking
|
||||||
|
# currently only supports MLS portion of label
|
||||||
|
corenet_raw_recvfrom_netlabel($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Rules for receiving labeled packets via TCP, UDP and raw IP.
|
||||||
|
## </summary>
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Rules for receiving labeled packets via TCP, UDP and raw IP.
|
||||||
|
## </p>
|
||||||
|
## <p>
|
||||||
|
## Due to the nature of TCP, the rules (for TCP
|
||||||
|
## networking only) are bidirectional.
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="peer_domain">
|
||||||
|
## <summary>
|
||||||
|
## Peer domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_all_recvfrom_labeled',`
|
||||||
|
corenet_tcp_recvfrom_labeled($1,$2)
|
||||||
|
corenet_udp_recvfrom_labeled($1,$2)
|
||||||
|
corenet_raw_recvfrom_labeled($1,$2)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send generic client packets.
|
## Send generic client packets.
|
||||||
|
|
|
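Review bot: The peer_domain documentation on the three new interfaces does not say that rules are also granted to $2, yet every one of them emits `allow ... $2 self:association sendto;` and corenet_tcp_recvfrom_labeled additionally emits `allow $2 $1:{ association tcp_socket } recvfrom;` and `corenet_tcp_recvfrom_netlabel($2)`. A caller that passes an attribute as peer_domain therefore widens every member of that attribute, which the current "Peer domain." summary hides. Suggest changing the peer_domain summary in each interface to `## Peer domain. Also granted self:association sendto (and, for TCP, recvfrom on the first domain).` so callers see the second-domain side effect before choosing an argument. The UDP and raw variants are one-directional in recvfrom but still grant the peer sendto, so they need the note as well.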
@ -1269,12 +1269,7 @@ interface(`domain_all_recvfrom_all_domains',`
|
||||||
attribute domain;
|
attribute domain;
|
||||||
')
|
')
|
||||||
|
|
||||||
# IPSEC-based labeled networking
|
corenet_all_recvfrom_labeled($1,domain)
|
||||||
allow $1 domain:association recvfrom;
|
|
||||||
|
|
||||||
# Netlabel (CIPSO)-based labeled networking
|
|
||||||
# currently only supports MLS portion of label
|
|
||||||
corenet_all_recvfrom_netlabel($1)
|
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
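Review bot: `corenet_all_recvfrom_labeled($1,domain)` grants rules to the `domain` attribute itself, not only to $1: through the TCP variant every domain receives `self:association sendto`, `$1:{ association tcp_socket } recvfrom` and the netlabel_peer_t recvfrom via `corenet_tcp_recvfrom_netlabel(domain)`. Each caller of domain_all_recvfrom_all_domains now widens all domains, which the replaced `allow $1 domain:association recvfrom;` plus `corenet_all_recvfrom_netlabel($1)` did not do. If that is intended, the interface description (its header is outside this hunk) should state the bidirectional effect; otherwise keep a one-directional rule on $1 and restrict the netlabel call to $1. The attribute is pulled in by the visible `attribute domain;` require, so the widening is not accidental scoping, but it deserves an explicit comment either way.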
@ -369,14 +369,6 @@ tunable_policy(`httpd_can_network_connect',`
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
|
||||||
# allow httpd to connect to mysql/posgresql
|
|
||||||
corenet_tcp_connect_postgresql_port(httpd_t)
|
|
||||||
corenet_tcp_connect_mysqld_port(httpd_t)
|
|
||||||
corenet_sendrecv_postgresql_client_packets(httpd_t)
|
|
||||||
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_relay',`
|
tunable_policy(`httpd_can_network_relay',`
|
||||||
# allow httpd to work as a relay
|
# allow httpd to work as a relay
|
||||||
corenet_tcp_connect_gopher_port(httpd_t)
|
corenet_tcp_connect_gopher_port(httpd_t)
|
||||||
|
@ -457,8 +449,14 @@ optional_policy(`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
# Allow httpd to work with mysql
|
||||||
mysql_stream_connect(httpd_t)
|
mysql_stream_connect(httpd_t)
|
||||||
mysql_rw_db_sockets(httpd_t)
|
mysql_rw_db_sockets(httpd_t)
|
||||||
|
|
||||||
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
|
corenet_tcp_connect_mysqld_port(httpd_t)
|
||||||
|
corenet_sendrecv_mysqld_client_packets(httpd_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -476,6 +474,10 @@ optional_policy(`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
|
|
||||||
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
|
postgresql_tcp_connect(httpd_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
|
|
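Review bot: Moving the `httpd_can_network_connect_db` rules inside the mysql and postgresql `optional_policy` blocks makes the boolean a no-op on a host where the matching database module is not loaded, whereas the removed block granted `corenet_tcp_connect_postgresql_port(httpd_t)` and `corenet_tcp_connect_mysqld_port(httpd_t)` unconditionally, covering httpd talking to a remote database with no local server policy. If that tightening is deliberate it should be recorded in the tunable's description (outside this hunk); otherwise keep the port-connect and client-packet rules in a module-independent `tunable_policy` block and leave only the labeled/stream pieces under the optional blocks. The two paths are also now asymmetric: postgresql goes through `postgresql_tcp_connect(httpd_t)`, which per the postgresql.if change adds labeled-networking rules, while mysql gets only the port and packet rules. The dropped `# allow httpd to connect to mysql/posgresql` comment is worth restoring inside each block.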
@ -79,7 +79,7 @@ interface(`postgresql_read_config',`
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to connect to postgresql with a tcp socket. (Deprecated)
|
## Allow the specified domain to connect to postgresql with a tcp socket.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
|
@ -88,7 +88,14 @@ interface(`postgresql_read_config',`
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`postgresql_tcp_connect',`
|
interface(`postgresql_tcp_connect',`
|
||||||
refpolicywarn(`$0($*) has been deprecated.')
|
gen_require(`
|
||||||
|
type postgresql_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corenet_tcp_recvfrom_labeled($1,postgresql_t)
|
||||||
|
corenet_tcp_sendrecv_postgresql_port($1)
|
||||||
|
corenet_tcp_connect_postgresql_port($1)
|
||||||
|
corenet_sendrecv_postgresql_client_packets($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
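Review bot: The un-deprecated postgresql_tcp_connect now calls `corenet_tcp_recvfrom_labeled($1,postgresql_t)`, which also adds rules to postgresql_t (recvfrom on $1 and self:association sendto), but the restored summary still reads as a one-way grant to the caller. Suggest `## Allow the specified domain to connect to postgresql with a tcp socket; also grants postgresql_t the peer-side labeled networking rules for that domain.` so policy authors calling it from a template know the server type is modified on every instantiation. A one-line comment above the labeled call, e.g. `# IPsec/netlabel peer rules are bidirectional for TCP`, would make the same point at the code.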
@ -153,6 +153,10 @@ optional_policy(`
|
||||||
hostname_exec(postgresql_t)
|
hostname_exec(postgresql_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
ipsec_match_default_spd(postgresql_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
kerberos_use(postgresql_t)
|
kerberos_use(postgresql_t)
|
||||||
')
|
')
|
||||||
|
|
|
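Review bot: The new `ipsec_match_default_spd(postgresql_t)` block carries no comment, and unlike the surrounding blocks its interface name does not say why the database server needs it — per the ipsec.if change in this commit it grants SPD polmatch plus self:association sendto, which only matters for IPsec labeled networking. Suggest `# labeled networking: let postgresql_t match the default IPsec SPD` above the call so the block is not dropped as unrelated later.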
@ -109,6 +109,7 @@ interface(`ipsec_match_default_spd',`
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 ipsec_spd_t:association polmatch;
|
allow $1 ipsec_spd_t:association polmatch;
|
||||||
|
allow $1 self:association sendto;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
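Review bot: Adding `allow $1 self:association sendto;` to ipsec_match_default_spd extends the interface beyond SPD matching, and its summary (the header is outside this hunk) presumably still describes only polmatch. Suggest a why-comment on the new line, e.g. `# sending over a matched SA also needs sendto on the domain's own association`, and a matching sentence in the interface description. The same rule is emitted again by corenet_tcp_recvfrom_labeled for callers that use both; that is harmless, but a note here prevents one copy being removed later as redundant.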
@ -548,6 +548,10 @@ template(`userdom_basic_networking_template',`
|
||||||
corenet_udp_sendrecv_all_ports($1_t)
|
corenet_udp_sendrecv_all_ports($1_t)
|
||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
corenet_sendrecv_all_client_packets($1_t)
|
corenet_sendrecv_all_client_packets($1_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
ipsec_match_default_spd($1_t)
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -840,6 +844,7 @@ template(`userdom_common_user_template',`
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
tunable_policy(`allow_user_postgresql_connect',`
|
tunable_policy(`allow_user_postgresql_connect',`
|
||||||
postgresql_stream_connect($1_t)
|
postgresql_stream_connect($1_t)
|
||||||
|
postgresql_tcp_connect($1_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
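Review bot: Adding `postgresql_tcp_connect($1_t)` under `allow_user_postgresql_connect` turns a boolean that previously only granted the unix-socket `postgresql_stream_connect($1_t)` into one that also opens the postgresql TCP port to any host (via the corenet_tcp_connect_postgresql_port call inside postgresql_tcp_connect) and adds labeled-networking rules on postgresql_t for every user type instantiated from this template. The tunable's description (defined outside this hunk) should state that it now covers TCP as well as local socket access, or the TCP grant should sit under a separate boolean so existing deployments do not silently gain network access. The ipsec_match_default_spd addition in the earlier hunk is fine as an optional block but would read better with `# labeled networking` above it.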