merge netlabel stuff from labeled-networking branch
This commit is contained in:
parent
aeaae5185e
commit
130f8a4aa5
@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||
( h1 dom h2 );
|
||||
|
||||
# the socket "read" ops (note the check is dominance of the low level)
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
|
||||
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsnetread ));
|
||||
@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
( t1 == mlsnetwrite ));
|
||||
|
||||
# used by netlabel to restrict normal domains to same level connections
|
||||
mlsconstrain { tcp_socket udp_socket } recvfrom
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsnetread ));
|
||||
|
||||
# these access vectors have no MLS restrictions
|
||||
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
|
||||
#
|
||||
|
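Review bot: Dropping `recvfrom` from the all-socket-classes read constraint (L21 versus the old L18) while the replacement constraint at L47 covers only `{ tcp_socket udp_socket }` leaves `recvfrom` on every other class in that list — rawip_socket, packet_socket, the unix and netlink socket classes — with no MLS constraint at all, and the "no MLS restrictions" comment at L64 does not list it either, so the gap is undocumented. If the kernel's peer-label receive check is reachable for raw IP sockets (it is a socket-class permission exactly like the TCP/UDP one, but I have not verified the kernel of this era), a raw-socket reader would be exempt from the same-level rule the comment at L44 says normal domains are held to. Either extend the new constraint, `mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom`, or, if the omission is deliberate, add recvfrom to the L64 list with a comment stating why. The `( h1 dom h2 );` at L10 is the tail of a constraint that starts outside the hunk.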
@ -1434,6 +1434,64 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
|
||||
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive TCP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_tcp_recv_netlabel',`
|
||||
kernel_tcp_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive TCP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_tcp_recv_netlabel',`
|
||||
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive UDP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_udp_recv_netlabel',`
|
||||
kernel_udp_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive UDP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_dontaudit_udp_recv_netlabel',`
|
||||
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send generic client packets.
|
||||
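Review bot: The four new corenet interfaces (L112, L156, L197, L241) carry only a one-line summary, yet the kernel-layer interfaces they wrap tell policy authors to use the corenet ones instead, so an author who follows that advice never sees what is actually granted: `allow $1 unlabeled_t:tcp_socket recvfrom` (or udp_socket). That matters because unlabeled_t is the same type this file already treats as the generic unlabeled peer (`kernel_dontaudit_sendrecv_unlabeled_association` at L74), so the grant is not specific to NetLabel/CIPSO-labeled peers; whether non-NetLabel traffic reaches the recvfrom check with that same peer label depends on the kernel and should be confirmed before the summary says "NetLabel connection" without qualification. Suggest carrying a `<desc>` block like the kernel.if counterparts into each corenet interface and adding one sentence: `The peer type is unlabeled_t; on MLS builds the recvfrom mlsconstrain still limits this to same-level (or mlsnetread*) peers, so this interface is not by itself a cross-level read.`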
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.1.18)
|
||||
policy_module(corenetwork,1.1.19)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -2203,6 +2203,128 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
|
||||
dontaudit $1 unlabeled_t:association { sendto recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive TCP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Receive TCP packets from a NetLabel connection, NetLabel is an
|
||||
## explicit packet labeling framework which implements CIPSO and
|
||||
## similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_tcp_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_tcp_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:tcp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive TCP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to receive TCP packets from a NetLabel
|
||||
## connection. NetLabel is an explicit packet labeling framework
|
||||
## which implements CIPSO and similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_dontaudit_tcp_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unlabeled_t:tcp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive UDP packets from a NetLabel connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Receive UDP packets from a NetLabel connection, NetLabel is an
|
||||
## explicit packet labeling framework which implements CIPSO and
|
||||
## similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_udp_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_udp_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive UDP packets from a NetLabel
|
||||
## connection.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to receive UDP packets from a NetLabel
|
||||
## connection. NetLabel is an explicit packet labeling framework
|
||||
## which implements CIPSO and similar protocols.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_dontaudit_udp_recv_netlabel() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unlabeled_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive unlabeled packets.
|
||||
|
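Review bot: The interface names say "unlabeled" (`kernel_tcp_recvfrom_unlabeled` at L359 and its three siblings) while their summaries say "NetLabel connection", so someone grepping the docs for the unlabeled_t peer permission finds nothing and someone reading the summary does not learn that the rule is `allow $1 unlabeled_t:tcp_socket recvfrom`. Suggest a summary that names both, e.g. `## Receive TCP packets from an unlabeled_t peer (NetLabel/CIPSO-labeled connections).`, and the same for the UDP and dontaudit variants. The `<desc>` paragraphs at L311 and L490 are also comma splices; the dontaudit variants at L402 and L581 already use the correct `connection. NetLabel is ...` form, so the allow variants should match.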
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.3.17)
|
||||
policy_module(kernel,1.3.18)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
1
policy/modules/system/netlabel.fc
Normal file
1
policy/modules/system/netlabel.fc
Normal file
@ -0,0 +1 @@
|
||||
/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
|
55
policy/modules/system/netlabel.if
Normal file
55
policy/modules/system/netlabel.if
Normal file
@ -0,0 +1,55 @@
|
||||
## <summary>NetLabel/CIPSO labeled networking management</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute netlabel_mgmt in the netlabel_mgmt domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`netlabel_domtrans_mgmt',`
|
||||
gen_require(`
|
||||
type netlabel_mgmt_t, netlabel_mgmt_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_sbin($1)
|
||||
domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
|
||||
allow netlabel_mgmt_t $1:fd use;
|
||||
allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
|
||||
allow netlabel_mgmt_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute netlabel_mgmt in the netlabel_mgmt domain, and
|
||||
## allow the specified role the netlabel_mgmt domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the netlabel_mgmt domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the netlabel_mgmt domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`netlabel_run_mgmt',`
|
||||
gen_require(`
|
||||
type netlabel_mgmt_t;
|
||||
')
|
||||
|
||||
netlabel_domtrans_mgmt($1)
|
||||
role $2 types netlabel_mgmt_t;
|
||||
allow netlabel_mgmt_t $3:chr_file rw_term_perms;
|
||||
')
|
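Review bot: `netlabel_domtrans_mgmt` (L736) is an unconditional automatic transition into a domain that, per netlabel.te in this same commit, holds CAP_NET_ADMIN, so the interface documentation should say it is privileged rather than reading like an ordinary domtrans; suggest adding to the summary at L712: `## This is a privileged interface: netlabel_mgmt_t holds CAP_NET_ADMIN and can reconfigure NetLabel/CIPSO labeling for the whole host.` The terminal parameter doc at L821 is also ungrammatical, `## The type of the terminal allow the netlabel_mgmt domain to use.` should read `## The type of the terminal the netlabel_mgmt domain is allowed to use.` Both interfaces are complete within the file.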
28
policy/modules/system/netlabel.te
Normal file
28
policy/modules/system/netlabel.te
Normal file
@ -0,0 +1,28 @@
|
||||
|
||||
policy_module(netlabel,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type netlabel_mgmt_t;
|
||||
type netlabel_mgmt_exec_t;
|
||||
domain_type(netlabel_mgmt_t)
|
||||
domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# NetLabel Management Tools Local policy
|
||||
#
|
||||
|
||||
# modify the network subsystem configuration
|
||||
allow netlabel_mgmt_t self:capability net_admin;
|
||||
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
|
||||
|
||||
kernel_read_network_state(netlabel_mgmt_t)
|
||||
|
||||
libs_use_ld_so(netlabel_mgmt_t)
|
||||
libs_use_shared_libs(netlabel_mgmt_t)
|
||||
|
||||
seutil_use_newrole_fds(netlabel_mgmt_t)
|
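Review bot: netlabel_mgmt_t is given CAP_NET_ADMIN and a netlink socket (L922, L925) plus shared-library and newrole fd access, but nothing for the ordinary userland needs of a command-line tool — no files_read_etc_files, miscfiles_read_localization or domain_use_interactive_fds — so the first enforcing-mode run of netlabelctl will likely produce AVC denials on locale or nsswitch reads; confirm against the tool's actual syscalls before adding them rather than guessing. The comment at L919 should also say why the broad capability is acceptable here, e.g. `# CAP_NET_ADMIN is required to configure NetLabel/CIPSO; it also unlocks general network administration, which is why this domain is only reachable through netlabel_domtrans_mgmt()/netlabel_run_mgmt()`. Whether kernel_read_network_state at L930 is actually exercised by netlabelctl is not visible here and is worth checking for the same least-privilege reason.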
@ -514,6 +514,12 @@ template(`userdom_basic_networking_template',`
|
||||
corenet_udp_sendrecv_all_ports($1_t)
|
||||
corenet_tcp_connect_all_ports($1_t)
|
||||
corenet_sendrecv_all_client_packets($1_t)
|
||||
|
||||
ifdef(`enable_mls',`
|
||||
# netlabel/CIPSO labeled networking
|
||||
corenet_tcp_recv_netlabel($1_t)
|
||||
corenet_udp_recv_netlabel($1_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
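Review bot: The `corenet_tcp_recv_netlabel($1_t)` and `corenet_udp_recv_netlabel($1_t)` calls at L965 and L968 give every domain built from `userdom_basic_networking_template` receive access from unlabeled_t peers, and the only thing that keeps this from being a blanket allow on a labeled network is the MLS recvfrom constraint added elsewhere in this commit, which is presumably what the `ifdef(`enable_mls',` guard at L959 reflects. That dependency is worth stating, because the guard is the only link between the two: `# netlabel/CIPSO labeled networking; the MLS recvfrom constraint limits this to same-level peers, so only enable under MLS`. A non-MLS build that still ran NetLabel (if that is a supported configuration — not verified here) would instead get denials on every user-domain receive, which is the safe direction of failure. The template body continues outside the hunk.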
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.36)
|
||||
policy_module(userdomain,1.3.37)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
@ -155,6 +155,7 @@ ifdef(`strict_policy',`
|
||||
logging_read_generic_logs(secadm_t)
|
||||
userdom_dontaudit_append_staff_home_content_files(secadm_t)
|
||||
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
|
||||
netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
|
||||
',`
|
||||
logging_manage_audit_log(sysadm_t)
|
||||
logging_manage_audit_config(sysadm_t)
|
||||
|
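Review bot: L1014 hands netlabelctl to secadm_t only in the MLS branch of this `ifdef`; the else branch starting at L1017 (sysadm_t) gets no `netlabel_run_mgmt`, so a non-MLS strict build that ships the netlabel module has no domain permitted to transition into netlabel_mgmt_t. That is consistent with separation of duties under MLS and with the enable_mls guard used elsewhere in this commit, but it is a decision rather than an accident and deserves a one-line comment on L1014, e.g. `# NetLabel/CIPSO configuration is a security-administrator duty; sysadm_t is intentionally not given it`. Minor style point: the call mixes `secadm_t,secadm_r, {` spacing where neighbouring calls in this file use none after the comma. The enclosing `ifdef` starts and ends outside the hunk.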