break packet_t into server_packet_t client_packet_t, and cover add packets to system modules where they make sense.

This commit is contained in:
Chris PeBenito 2006-05-29 15:04:49 +00:00
parent 5afdf0bca6
commit 35a4b349f0
15 changed files with 129 additions and 59 deletions

View File

@ -1310,7 +1310,7 @@ interface(`corenet_non_ipsec_sendrecv',`
######################################## ########################################
## <summary> ## <summary>
## Send generic packets. ## Send generic client packets.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1318,17 +1318,17 @@ interface(`corenet_non_ipsec_sendrecv',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`corenet_send_generic_packets',` interface(`corenet_send_generic_client_packets',`
gen_require(` gen_require(`
type packet_t; type client_packet_t;
') ')
allow $1 packet_t:packet send; allow $1 client_packet_t:packet send;
') ')
######################################## ########################################
## <summary> ## <summary>
## Receive generic packets. ## Receive generic client packets.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1336,17 +1336,17 @@ interface(`corenet_send_generic_packets',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`corenet_receive_generic_packets',` interface(`corenet_receive_generic_client_packets',`
gen_require(` gen_require(`
type packet_t; type client_packet_t;
') ')
allow $1 packet_t:packet recv; allow $1 client_packet_t:packet recv;
') ')
######################################## ########################################
## <summary> ## <summary>
## Send and receive generic packets. ## Send and receive generic client packets.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1354,14 +1354,14 @@ interface(`corenet_receive_generic_packets',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`corenet_sendrecv_generic_packets',` interface(`corenet_sendrecv_generic_client_packets',`
corenet_send_generic_packets($1) corenet_send_generic_client_packets($1)
corenet_receive_generic_packets($1) corenet_receive_generic_client_packets($1)
') ')
######################################## ########################################
## <summary> ## <summary>
## Relabel packets to the generic packet type. ## Relabel packets to the generic client packet type.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -1369,12 +1369,81 @@ interface(`corenet_sendrecv_generic_packets',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`corenet_relabelto_generic_packets',` interface(`corenet_relabelto_generic_client_packets',`
gen_require(` gen_require(`
type packet_t; type client_packet_t;
') ')
allow $1 packet_t:packet relabelto; allow $1 client_packet_t:packet relabelto;
')
########################################
## <summary>
## Send generic server packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_generic_server_packets',`
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet send;
')
########################################
## <summary>
## Receive generic server packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_generic_server_packets',`
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet recv;
')
########################################
## <summary>
## Send and receive generic server packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_generic_server_packets',`
corenet_send_generic_server_packets($1)
corenet_receive_generic_server_packets($1)
')
########################################
## <summary>
## Relabel packets to the generic server packet type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_generic_server_packets',`
gen_require(`
type server_packet_t;
')
allow $1 server_packet_t:packet relabelto;
') ')
######################################## ########################################

View File

@ -1,5 +1,5 @@
policy_module(corenetwork,1.1.10) policy_module(corenetwork,1.1.11)
######################################## ########################################
# #
@ -32,9 +32,9 @@ dev_node(tun_tap_device_t)
# #
# #
# packet_t is the default type of IPv4 and IPv6 packets. # client_packet_t is the default type of IPv4 and IPv6 client packets.
# #
type packet_t, packet_type; type client_packet_t, packet_type, client_packet_type;
# #
# port_t is the default type of INET port numbers. # port_t is the default type of INET port numbers.
@ -47,6 +47,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
# #
type reserved_port_t, port_type, reserved_port_type; type reserved_port_t, port_type, reserved_port_type;
#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0) network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0) network_port(afs_ka, udp,7004,s0)

View File

@ -1,5 +1,5 @@
policy_module(kernel,1.3.9) policy_module(kernel,1.3.10)
######################################## ########################################
# #
@ -288,7 +288,7 @@ optional_policy(`
corenet_udp_sendrecv_all_ports(kernel_t) corenet_udp_sendrecv_all_ports(kernel_t)
corenet_udp_bind_all_nodes(kernel_t) corenet_udp_bind_all_nodes(kernel_t)
corenet_sendrecv_portmap_client_packets(kernel_t) corenet_sendrecv_portmap_client_packets(kernel_t)
corenet_sendrecv_generic_packets(kernel_t) corenet_sendrecv_generic_server_packets(kernel_t)
auth_dontaudit_getattr_shadow(kernel_t) auth_dontaudit_getattr_shadow(kernel_t)

View File

@ -72,7 +72,7 @@ template(`rpc_domain_template', `
corenet_tcp_bind_generic_port($1_t) corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t)
corenet_udp_bind_reserved_port($1_t) corenet_udp_bind_reserved_port($1_t)
corenet_sendrecv_generic_packets($1_t) corenet_sendrecv_generic_server_packets($1_t)
fs_search_auto_mountpoints($1_t) fs_search_auto_mountpoints($1_t)

View File

@ -1,5 +1,5 @@
policy_module(rpc,1.2.6) policy_module(rpc,1.2.7)
######################################## ########################################
# #

View File

@ -1,5 +1,5 @@
policy_module(hotplug,1.2.0) policy_module(hotplug,1.2.1)
######################################## ########################################
# #
@ -52,17 +52,13 @@ kernel_read_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t) files_read_kernel_modules(hotplug_t)
corenet_non_ipsec_sendrecv(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t) corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_udp_sendrecv_all_if(hotplug_t) corenet_udp_sendrecv_all_if(hotplug_t)
corenet_raw_sendrecv_all_if(hotplug_t)
corenet_tcp_sendrecv_all_nodes(hotplug_t) corenet_tcp_sendrecv_all_nodes(hotplug_t)
corenet_udp_sendrecv_all_nodes(hotplug_t) corenet_udp_sendrecv_all_nodes(hotplug_t)
corenet_raw_sendrecv_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_ports(hotplug_t) corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_udp_sendrecv_all_ports(hotplug_t) corenet_udp_sendrecv_all_ports(hotplug_t)
corenet_non_ipsec_sendrecv(hotplug_t)
corenet_tcp_bind_all_nodes(hotplug_t)
corenet_udp_bind_all_nodes(hotplug_t)
dev_rw_sysfs(hotplug_t) dev_rw_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t) dev_read_usbfs(hotplug_t)

View File

@ -1,5 +1,5 @@
policy_module(init,1.3.15) policy_module(init,1.3.16)
gen_require(` gen_require(`
class passwd rootok; class passwd rootok;
@ -249,18 +249,15 @@ kernel_dontaudit_getattr_message_if(initrc_t)
files_read_kernel_symbol_table(initrc_t) files_read_kernel_symbol_table(initrc_t)
corenet_non_ipsec_sendrecv(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t) corenet_tcp_sendrecv_all_if(initrc_t)
corenet_raw_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t) corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t) corenet_tcp_sendrecv_all_nodes(initrc_t)
corenet_raw_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t) corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t) corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t)
corenet_non_ipsec_sendrecv(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)
corenet_tcp_connect_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t)
corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t) dev_read_rand(initrc_t)
dev_read_urand(initrc_t) dev_read_urand(initrc_t)

View File

@ -1,5 +1,5 @@
policy_module(ipsec,1.1.0) policy_module(ipsec,1.1.1)
######################################## ########################################
# #
@ -83,15 +83,17 @@ kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t) kernel_getattr_message_if(ipsec_t)
# Pluto needs network access # Pluto needs network access
corenet_non_ipsec_sendrecv(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t) corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t) corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t) corenet_tcp_sendrecv_all_nodes(ipsec_t)
corenet_raw_sendrecv_all_nodes(ipsec_t) corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t) corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_non_ipsec_sendrecv(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t) corenet_tcp_bind_all_nodes(ipsec_t)
corenet_udp_bind_reserved_port(ipsec_t) corenet_tcp_bind_reserved_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t) corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
dev_read_sysfs(ipsec_t) dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t) dev_read_rand(ipsec_t)

View File

@ -1,5 +1,5 @@
policy_module(logging,1.3.4) policy_module(logging,1.3.5)
######################################## ########################################
# #
@ -260,7 +260,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms; allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket { connected_socket_perms connect }; allow syslogd_t self:udp_socket create_socket_perms;
# Create and bind to /dev/log or /var/run/log. # Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms; allow syslogd_t devlog_t:sock_file create_file_perms;
@ -306,15 +306,15 @@ init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t) term_write_all_user_ttys(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t) corenet_non_ipsec_sendrecv(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t) corenet_udp_sendrecv_all_if(syslogd_t)
corenet_raw_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t) corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t) corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_non_ipsec_sendrecv(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t) corenet_udp_bind_all_nodes(syslogd_t)
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t) corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
fs_getattr_all_fs(syslogd_t) fs_getattr_all_fs(syslogd_t)

View File

@ -1,5 +1,5 @@
policy_module(lvm,1.3.2) policy_module(lvm,1.3.3)
######################################## ########################################
# #
@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(clvmd_t)
kernel_list_proc(clvmd_t) kernel_list_proc(clvmd_t)
kernel_read_proc_symlinks(clvmd_t) kernel_read_proc_symlinks(clvmd_t)
corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t) corenet_tcp_sendrecv_all_if(clvmd_t)
corenet_udp_sendrecv_all_if(clvmd_t) corenet_udp_sendrecv_all_if(clvmd_t)
corenet_raw_sendrecv_all_if(clvmd_t) corenet_raw_sendrecv_all_if(clvmd_t)
@ -69,11 +70,10 @@ corenet_udp_sendrecv_all_nodes(clvmd_t)
corenet_raw_sendrecv_all_nodes(clvmd_t) corenet_raw_sendrecv_all_nodes(clvmd_t)
corenet_tcp_sendrecv_all_ports(clvmd_t) corenet_tcp_sendrecv_all_ports(clvmd_t)
corenet_udp_sendrecv_all_ports(clvmd_t) corenet_udp_sendrecv_all_ports(clvmd_t)
corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_bind_all_nodes(clvmd_t) corenet_tcp_bind_all_nodes(clvmd_t)
corenet_udp_bind_all_nodes(clvmd_t)
corenet_tcp_bind_reserved_port(clvmd_t) corenet_tcp_bind_reserved_port(clvmd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
corenet_sendrecv_generic_server_packets(clvmd_t)
dev_read_sysfs(clvmd_t) dev_read_sysfs(clvmd_t)

View File

@ -1,5 +1,5 @@
policy_module(mount,1.3.5) policy_module(mount,1.3.6)
######################################## ########################################
# #
@ -35,9 +35,6 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t) kernel_read_system_state(mount_t)
kernel_dontaudit_getattr_core_if(mount_t) kernel_dontaudit_getattr_core_if(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
dev_getattr_all_blk_files(mount_t) dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t) dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t) dev_rw_lvm_control(mount_t)
@ -136,6 +133,8 @@ optional_policy(`
corenet_udp_bind_reserved_port(mount_t) corenet_udp_bind_reserved_port(mount_t)
corenet_tcp_bind_all_rpc_ports(mount_t) corenet_tcp_bind_all_rpc_ports(mount_t)
corenet_udp_bind_all_rpc_ports(mount_t) corenet_udp_bind_all_rpc_ports(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
corenet_tcp_connect_all_ports(mount_t) corenet_tcp_connect_all_ports(mount_t)
fs_search_rpc(mount_t) fs_search_rpc(mount_t)

View File

@ -176,7 +176,6 @@ template(`base_user_template',`
corenet_udp_bind_all_nodes($1_t) corenet_udp_bind_all_nodes($1_t)
corenet_udp_bind_generic_port($1_t) corenet_udp_bind_generic_port($1_t)
corenet_tcp_connect_all_ports($1_t) corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_generic_packets($1_t)
corenet_sendrecv_all_client_packets($1_t) corenet_sendrecv_all_client_packets($1_t)
dev_read_input($1_t) dev_read_input($1_t)

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.25) policy_module(userdomain,1.3.26)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;

View File

@ -1,5 +1,5 @@
policy_module(xen,1.0.4) policy_module(xen,1.0.5)
######################################## ########################################
# #
@ -113,12 +113,14 @@ corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t) corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t) corecmd_exec_shell(xend_t)
corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_sendrecv_all_if(xend_t) corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t) corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t) corenet_tcp_sendrecv_all_ports(xend_t)
corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_bind_xen_port(xend_t) corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t) corenet_tcp_bind_soundd_port(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
dev_read_urand(xend_t) dev_read_urand(xend_t)
dev_manage_xen(xend_t) dev_manage_xen(xend_t)

View File

@ -11,7 +11,8 @@ import sys,string,getopt,re
NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)") NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
DEFAULT_PACKET = "packet_t" DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
DEFAULT_MCS = "s0" DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0" DEFAULT_MLS = "s0"
@ -42,7 +43,7 @@ class Packet:
self.ports = ports self.ports = ports
def print_input_rules(packets,mls,mcs): def print_input_rules(packets,mls,mcs):
line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
if mls: if mls:
line += ":"+DEFAULT_MLS line += ":"+DEFAULT_MLS
elif mcs: elif mcs:
@ -63,7 +64,7 @@ def print_input_rules(packets,mls,mcs):
print "-A selinux_new_input -j RETURN" print "-A selinux_new_input -j RETURN"
def print_output_rules(packets,mls,mcs): def print_output_rules(packets,mls,mcs):
line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
if mls: if mls:
line += ":"+DEFAULT_MLS line += ":"+DEFAULT_MLS
elif mcs: elif mcs: