trunk: Patch for labeled networking controls in 2.6.25 from Paul Moore.
parent
0ecd829ab4
commit
308baad28c
@ -1,3 +1,4 @@
|
||||
- Patch for labeled networking controls in 2.6.25 from Paul Moore.
|
||||
- Module loading now requires setsched on kernel threads.
|
||||
- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
|
||||
- X application data class from Eamon Walsh and Ted Toth.
|
||||
|
@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif { tcp_send tcp_recv };
|
||||
allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif udp_send;
|
||||
allow $1 netif_t:netif { udp_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netif_t:netif udp_send;
|
||||
dontaudit $1 netif_t:netif { udp_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif udp_recv;
|
||||
allow $1 netif_t:netif { udp_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netif_t:netif udp_recv;
|
||||
dontaudit $1 netif_t:netif { udp_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif rawip_send;
|
||||
allow $1 netif_t:netif { rawip_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_if',`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif rawip_recv;
|
||||
allow $1 netif_t:netif { rawip_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -328,7 +328,7 @@ interface(`corenet_tcp_sendrecv_all_if',`
|
||||
attribute netif_type;
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif { tcp_send tcp_recv };
|
||||
allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -346,7 +346,7 @@ interface(`corenet_udp_send_all_if',`
|
||||
attribute netif_type;
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif udp_send;
|
||||
allow $1 netif_type:netif { udp_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -364,7 +364,7 @@ interface(`corenet_udp_receive_all_if',`
|
||||
attribute netif_type;
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif udp_recv;
|
||||
allow $1 netif_type:netif { udp_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -397,7 +397,7 @@ interface(`corenet_raw_send_all_if',`
|
||||
attribute netif_type;
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif rawip_send;
|
||||
allow $1 netif_type:netif { rawip_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -415,7 +415,7 @@ interface(`corenet_raw_receive_all_if',`
|
||||
attribute netif_type;
|
||||
')
|
||||
|
||||
allow $1 netif_type:netif rawip_recv;
|
||||
allow $1 netif_type:netif { rawip_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_node',`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node { tcp_send tcp_recv };
|
||||
allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node',`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node udp_send;
|
||||
allow $1 node_t:node { udp_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_node',`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node udp_recv;
|
||||
allow $1 node_t:node { udp_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node',`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node rawip_send;
|
||||
allow $1 node_t:node { rawip_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_node',`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node rawip_recv;
|
||||
allow $1 node_t:node { rawip_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -604,7 +604,7 @@ interface(`corenet_tcp_sendrecv_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node { tcp_send tcp_recv };
|
||||
allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -622,7 +622,7 @@ interface(`corenet_udp_send_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node udp_send;
|
||||
allow $1 node_type:node { udp_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -641,7 +641,7 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
dontaudit $1 node_type:node udp_send;
|
||||
dontaudit $1 node_type:node { udp_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -659,7 +659,7 @@ interface(`corenet_udp_receive_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node udp_recv;
|
||||
allow $1 node_type:node { udp_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -678,7 +678,7 @@ interface(`corenet_dontaudit_udp_receive_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
dontaudit $1 node_type:node udp_recv;
|
||||
dontaudit $1 node_type:node { udp_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -727,7 +727,7 @@ interface(`corenet_raw_send_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node rawip_send;
|
||||
allow $1 node_type:node { rawip_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -745,7 +745,7 @@ interface(`corenet_raw_receive_all_nodes',`
|
||||
attribute node_type;
|
||||
')
|
||||
|
||||
allow $1 node_type:node rawip_recv;
|
||||
allow $1 node_type:node { rawip_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -1737,6 +1737,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
allow $1 netlabel_peer_t:peer recv;
|
||||
allow $1 netlabel_peer_t:tcp_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -1752,6 +1753,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_tcp_recvfrom_unlabeled',`
|
||||
kernel_tcp_recvfrom_unlabeled($1)
|
||||
kernel_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -1791,6 +1793,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netlabel_peer_t:peer recv;
|
||||
dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -1807,6 +1810,7 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
|
||||
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -1844,6 +1848,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
allow $1 netlabel_peer_t:peer recv;
|
||||
allow $1 netlabel_peer_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -1859,6 +1864,7 @@ interface(`corenet_udp_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_udp_recvfrom_unlabeled',`
|
||||
kernel_udp_recvfrom_unlabeled($1)
|
||||
kernel_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -1898,6 +1904,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netlabel_peer_t:peer recv;
|
||||
dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -1914,6 +1921,7 @@ interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
|
||||
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -1951,6 +1959,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
allow $1 netlabel_peer_t:peer recv;
|
||||
allow $1 netlabel_peer_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -1966,6 +1975,7 @@ interface(`corenet_raw_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_raw_recvfrom_unlabeled',`
|
||||
kernel_raw_recvfrom_unlabeled($1)
|
||||
kernel_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -2005,6 +2015,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netlabel_peer_t:peer recv;
|
||||
dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
|
||||
')
|
||||
|
||||
@ -2021,6 +2032,7 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
|
||||
#
|
||||
interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
|
||||
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -2042,6 +2054,7 @@ interface(`corenet_all_recvfrom_unlabeled',`
|
||||
kernel_tcp_recvfrom_unlabeled($1)
|
||||
kernel_udp_recvfrom_unlabeled($1)
|
||||
kernel_raw_recvfrom_unlabeled($1)
|
||||
kernel_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -2064,6 +2077,7 @@ interface(`corenet_all_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
allow $1 netlabel_peer_t:peer recv;
|
||||
allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
||||
')
|
||||
|
||||
@ -2081,6 +2095,7 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
|
||||
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
||||
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
||||
|
||||
# XXX - at some point the oubound/send access check will be removed
|
||||
# but for right now we need to keep this in place so as not to break
|
||||
@ -2104,6 +2119,7 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',`
|
||||
type netlabel_peer_t;
|
||||
')
|
||||
|
||||
dontaudit $1 netlabel_peer_t:peer recv;
|
||||
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
||||
')
|
||||
|
||||
@ -2135,8 +2151,10 @@ interface(`corenet_tcp_recvfrom_labeled',`
|
||||
allow $1 $2:{ association tcp_socket } recvfrom;
|
||||
allow $2 $1:{ association tcp_socket } recvfrom;
|
||||
|
||||
# Netlabel (CIPSO)-based labeled networking
|
||||
# currently only supports MLS portion of label
|
||||
allow $1 $2:peer recv;
|
||||
allow $2 $1:peer recv;
|
||||
|
||||
# allow receiving packets from MLS-only peers using NetLabel
|
||||
corenet_tcp_recvfrom_netlabel($1)
|
||||
corenet_tcp_recvfrom_netlabel($2)
|
||||
')
|
||||
@ -2160,8 +2178,9 @@ interface(`corenet_udp_recvfrom_labeled',`
|
||||
allow $2 self:association sendto;
|
||||
allow $1 $2:{ association udp_socket } recvfrom;
|
||||
|
||||
# Netlabel (CIPSO)-based labeled networking
|
||||
# currently only supports MLS portion of label
|
||||
allow $1 $2:peer recv;
|
||||
|
||||
# allow receiving packets from MLS-only peers using NetLabel
|
||||
corenet_udp_recvfrom_netlabel($1)
|
||||
')
|
||||
|
||||
@ -2184,8 +2203,9 @@ interface(`corenet_raw_recvfrom_labeled',`
|
||||
allow $2 self:association sendto;
|
||||
allow $1 $2:{ association rawip_socket } recvfrom;
|
||||
|
||||
# Netlabel (CIPSO)-based labeled networking
|
||||
# currently only supports MLS portion of label
|
||||
allow $1 $2:peer recv;
|
||||
|
||||
# allow receiving packets from MLS-only peers using NetLabel
|
||||
corenet_raw_recvfrom_netlabel($1)
|
||||
')
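Review bot: The `peer recv` rules added to corenet_tcp_recvfrom_labeled (like the `ingress`/`egress` and `sendto`/`recvfrom` permissions added to the netif and node interfaces earlier in this file) are only enforced by a 2.6.25 kernel when the policy declares the `network_peer_controls` policy capability; without it the kernel keeps the legacy `tcp_socket`/`udp_socket`/`rawip_socket recvfrom` checks and the new rules are inert, and with it the `peer recv` check takes over from those per-socket checks, so both sets must stay granted for a policy that runs on either kernel. Nothing visible in this commit declares that capability, so it is worth confirming it ships in the same version bump, otherwise none of the new permissions can be exercised. The comment above the new rules also reads as if `peer recv` were NetLabel-only, but as far as I recall the kernel applies the `peer` class to whichever peer label it derives (NetLabel or labeled IPsec), so I would reword it to `# peer-label based access (NetLabel and labeled IPsec); CIPSO only carries the MLS portion of the label`. The interface header and its gen_require block start outside the hunk.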
|
||||
|
||||
|
@ -28,7 +28,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif { tcp_send tcp_recv };
|
||||
allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -47,7 +47,7 @@ interface(`corenet_udp_send_$1_if',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif udp_send;
|
||||
allow dollarsone $1_$2:netif { udp_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -66,7 +66,7 @@ interface(`corenet_udp_receive_$1_if',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif udp_recv;
|
||||
allow dollarsone $1_$2:netif { udp_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -101,7 +101,7 @@ interface(`corenet_raw_send_$1_if',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif rawip_send;
|
||||
allow dollarsone $1_$2:netif { rawip_send egress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -120,7 +120,7 @@ interface(`corenet_raw_receive_$1_if',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:netif rawip_recv;
|
||||
allow dollarsone $1_$2:netif { rawip_recv ingress };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -163,7 +163,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:node { tcp_send tcp_recv };
|
||||
allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -182,7 +182,7 @@ interface(`corenet_udp_send_$1_node',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:node udp_send;
|
||||
allow dollarsone $1_$2:node { udp_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -201,7 +201,7 @@ interface(`corenet_udp_receive_$1_node',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:node udp_recv;
|
||||
allow dollarsone $1_$2:node { udp_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -236,7 +236,7 @@ interface(`corenet_raw_send_$1_node',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:node rawip_send;
|
||||
allow dollarsone $1_$2:node { rawip_send sendto };
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -255,7 +255,7 @@ interface(`corenet_raw_receive_$1_node',`
|
||||
$3 $1_$2;
|
||||
')
|
||||
|
||||
allow dollarsone $1_$2:node rawip_recv;
|
||||
allow dollarsone $1_$2:node { rawip_recv recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corenetwork,1.2.15)
|
||||
policy_module(corenetwork,1.2.16)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -2495,6 +2495,62 @@ interface(`kernel_sendrecv_unlabeled_packets',`
|
||||
allow $1 unlabeled_t:packet { send recv };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Receive packets from an unlabeled peer.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Receive packets from an unlabeled peer, these packets do not have any
|
||||
## peer labeling information present.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface corenet_recvfrom_unlabeled_peer() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_recvfrom_unlabeled_peer',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:peer recv;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to receive packets from an unlabeled peer.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to receive packets from an unlabeled peer,
|
||||
## these packets do not have any peer labeling information present.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled()
|
||||
## should be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
dontaudit $1 unlabeled_t:peer recv;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to kernel module resources.
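Review bot: The description of kernel_recvfrom_unlabeled_peer tells callers to use `corenet_recvfrom_unlabeled_peer()` instead, but no interface of that name is added in the corenetwork hunks of this commit; what they add is a call to this interface from the existing `corenet_*_recvfrom_unlabeled()` wrappers. I would make the wording match the dontaudit sibling below it: `## The corenetwork interfaces corenet_*_recvfrom_unlabeled() should` / `## be used instead of this one.` It would also help callers if the description noted that `peer recv` is only checked once the `network_peer_controls` policy capability is declared, and that until then the legacy `*_socket recvfrom` permissions granted by kernel_*_recvfrom_unlabeled() remain the effective control.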
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.9.2)
|
||||
policy_module(kernel,1.9.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
|
||||
# connections with invalidated labels:
|
||||
allow kernel_t unlabeled_t:packet send;
|
||||
|
||||
# Forwarded network traffic
|
||||
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
|
||||
corenet_all_recvfrom_unlabeled(kernel_t)
|
||||
corenet_all_recvfrom_netlabel(kernel_t)
|
||||
# Kernel-generated traffic e.g., ICMP replies:
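Review bot: The new `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` in the second hunk covers only the secmark (packet) check on forwarded traffic; in 2.6.25 the forward and postroute hooks also check the peer label against the interface and node (`netif ingress`/`egress`, `node recvfrom`/`sendto`) under the same policy capability, so packets from an unlabeled peer forwarded across a labeled interface will still be denied unless those rules are granted somewhere I cannot see in this commit. If they are not, I would grant unlabeled_t the equivalent of `netif_type:netif { ingress egress }` and `node_type:node { recvfrom sendto }` through corenetwork interfaces next to this rule, since those attributes belong to the corenetwork module. The comment could also say who the subject is, e.g. `# Forwarded network traffic: unlabeled peers forwarding packets that carry no secmark label`. The surrounding kernel_t rule block starts and ends outside the hunk.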
|
||||
|