rpms/selinux-policy
6
0
Fork 0
Code Issues Pull Requests Releases Activity

merge netlabel stuff from labeled-networking branch

Browse Source
This commit is contained in:
Chris PeBenito 2006-10-17 16:58:17 +00:00
parent aeaae5185e
commit 130f8a4aa5
11 changed files with 282 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Changelog
View File

@ -109,6 +109,7 @@
munin munin
nagios nagios
nessus nessus
netlabel (Paul Moore)
nsd nsd
ntop ntop
nx nx

8
policy/mls
View File

@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
( h1 dom h2 ); ( h1 dom h2 );
# the socket "read" ops (note the check is dominance of the low level) # the socket "read" ops (note the check is dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg } mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or (( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread )); ( t1 == mlsnetread ));
@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite )); ( t1 == mlsnetwrite ));
# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# these access vectors have no MLS restrictions # these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
# #

58
policy/modules/kernel/corenetwork.if.in
View File

@ -1434,6 +1434,64 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
kernel_dontaudit_sendrecv_unlabeled_association($1) kernel_dontaudit_sendrecv_unlabeled_association($1)
') ')
########################################
## <summary>
## Receive TCP packets from a NetLabel connection.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_recv_netlabel',`
kernel_tcp_recvfrom_unlabeled($1)
')
########################################
## <summary>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
')
########################################
## <summary>
## Receive UDP packets from a NetLabel connection.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_udp_recv_netlabel',`
kernel_udp_recvfrom_unlabeled($1)
')
########################################
## <summary>
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)
')
######################################## ########################################
## <summary> ## <summary>
## Send generic client packets. ## Send generic client packets.

2
policy/modules/kernel/corenetwork.te.in
View File

@ -1,5 +1,5 @@
policy_module(corenetwork,1.1.18) policy_module(corenetwork,1.1.19)
######################################## ########################################
# #

122
policy/modules/kernel/kernel.if
View File

@ -2203,6 +2203,128 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
dontaudit $1 unlabeled_t:association { sendto recvfrom }; dontaudit $1 unlabeled_t:association { sendto recvfrom };
') ')
########################################
## <summary>
## Receive TCP packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive TCP packets from a NetLabel connection, NetLabel is an
## explicit packet labeling framework which implements CIPSO and
## similar protocols.
## </p>
## <p>
## The corenetwork interface
## corenet_tcp_recv_netlabel() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_tcp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:tcp_socket recvfrom;
')
########################################
## <summary>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection. NetLabel is an explicit packet labeling framework
## which implements CIPSO and similar protocols.
## </p>
## <p>
## The corenetwork interface
## corenet_dontaudit_tcp_recv_netlabel() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:tcp_socket recvfrom;
')
########################################
## <summary>
## Receive UDP packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive UDP packets from a NetLabel connection, NetLabel is an
## explicit packet labeling framework which implements CIPSO and
## similar protocols.
## </p>
## <p>
## The corenetwork interface
## corenet_udp_recv_netlabel() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kernel_udp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
allow $1 unlabeled_t:udp_socket recvfrom;
')
########################################
## <summary>
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit attempts to receive UDP packets from a NetLabel
## connection. NetLabel is an explicit packet labeling framework
## which implements CIPSO and similar protocols.
## </p>
## <p>
## The corenetwork interface
## corenet_dontaudit_udp_recv_netlabel() should
## be used instead of this one.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
gen_require(`
type unlabeled_t;
')
dontaudit $1 unlabeled_t:udp_socket recvfrom;
')
######################################## ########################################
## <summary> ## <summary>
## Send and receive unlabeled packets. ## Send and receive unlabeled packets.

2
policy/modules/kernel/kernel.te
View File

@ -1,5 +1,5 @@
policy_module(kernel,1.3.17) policy_module(kernel,1.3.18)
######################################## ########################################
# #

1
policy/modules/system/netlabel.fc Normal file
View File

@ -0,0 +1 @@
/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)

55
policy/modules/system/netlabel.if Normal file
View File

@ -0,0 +1,55 @@
## <summary>NetLabel/CIPSO labeled networking management</summary>
########################################
## <summary>
## Execute netlabel_mgmt in the netlabel_mgmt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`netlabel_domtrans_mgmt',`
gen_require(`
type netlabel_mgmt_t, netlabel_mgmt_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
allow netlabel_mgmt_t $1:fd use;
allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
allow netlabel_mgmt_t $1:process sigchld;
')
########################################
## <summary>
## Execute netlabel_mgmt in the netlabel_mgmt domain, and
## allow the specified role the netlabel_mgmt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the netlabel_mgmt domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the netlabel_mgmt domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`netlabel_run_mgmt',`
gen_require(`
type netlabel_mgmt_t;
')
netlabel_domtrans_mgmt($1)
role $2 types netlabel_mgmt_t;
allow netlabel_mgmt_t $3:chr_file rw_term_perms;
')

28
policy/modules/system/netlabel.te Normal file
View File

@ -0,0 +1,28 @@
policy_module(netlabel,1.0.0)
########################################
#
# Declarations
#
type netlabel_mgmt_t;
type netlabel_mgmt_exec_t;
domain_type(netlabel_mgmt_t)
domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
########################################
#
# NetLabel Management Tools Local policy
#
# modify the network subsystem configuration
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
kernel_read_network_state(netlabel_mgmt_t)
libs_use_ld_so(netlabel_mgmt_t)
libs_use_shared_libs(netlabel_mgmt_t)
seutil_use_newrole_fds(netlabel_mgmt_t)

6
policy/modules/system/userdomain.if
View File

@ -514,6 +514,12 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t) corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t) corenet_sendrecv_all_client_packets($1_t)
ifdef(`enable_mls',`
# netlabel/CIPSO labeled networking
corenet_tcp_recv_netlabel($1_t)
corenet_udp_recv_netlabel($1_t)
')
') ')
####################################### #######################################

3
policy/modules/system/userdomain.te
View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.36) policy_module(userdomain,1.3.37)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;
@ -155,6 +155,7 @@ ifdef(`strict_policy',`
logging_read_generic_logs(secadm_t) logging_read_generic_logs(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t) userdom_dontaudit_append_staff_home_content_files(secadm_t)
userdom_dontaudit_read_sysadm_home_content_files(secadm_t) userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
',` ',`
logging_manage_audit_log(sysadm_t) logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t) logging_manage_audit_config(sysadm_t)