break packet_t into server_packet_t client_packet_t, and cover add packets to system modules where they make sense.
This commit is contained in:
parent
5afdf0bca6
commit
35a4b349f0
@ -1310,7 +1310,7 @@ interface(`corenet_non_ipsec_sendrecv',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send generic packets.
|
## Send generic client packets.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -1318,17 +1318,17 @@ interface(`corenet_non_ipsec_sendrecv',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`corenet_send_generic_packets',`
|
interface(`corenet_send_generic_client_packets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type packet_t;
|
type client_packet_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 packet_t:packet send;
|
allow $1 client_packet_t:packet send;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Receive generic packets.
|
## Receive generic client packets.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -1336,17 +1336,17 @@ interface(`corenet_send_generic_packets',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`corenet_receive_generic_packets',`
|
interface(`corenet_receive_generic_client_packets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type packet_t;
|
type client_packet_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 packet_t:packet recv;
|
allow $1 client_packet_t:packet recv;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Send and receive generic packets.
|
## Send and receive generic client packets.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -1354,14 +1354,14 @@ interface(`corenet_receive_generic_packets',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`corenet_sendrecv_generic_packets',`
|
interface(`corenet_sendrecv_generic_client_packets',`
|
||||||
corenet_send_generic_packets($1)
|
corenet_send_generic_client_packets($1)
|
||||||
corenet_receive_generic_packets($1)
|
corenet_receive_generic_client_packets($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Relabel packets to the generic packet type.
|
## Relabel packets to the generic client packet type.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -1369,12 +1369,81 @@ interface(`corenet_sendrecv_generic_packets',`
|
|||||||
## </summary>
|
## </summary>
|
||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`corenet_relabelto_generic_packets',`
|
interface(`corenet_relabelto_generic_client_packets',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type packet_t;
|
type client_packet_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1 packet_t:packet relabelto;
|
allow $1 client_packet_t:packet relabelto;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send generic server packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_send_generic_server_packets',`
|
||||||
|
gen_require(`
|
||||||
|
type server_packet_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 server_packet_t:packet send;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Receive generic server packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_receive_generic_server_packets',`
|
||||||
|
gen_require(`
|
||||||
|
type server_packet_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 server_packet_t:packet recv;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send and receive generic server packets.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_sendrecv_generic_server_packets',`
|
||||||
|
corenet_send_generic_server_packets($1)
|
||||||
|
corenet_receive_generic_server_packets($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Relabel packets to the generic server packet type.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`corenet_relabelto_generic_server_packets',`
|
||||||
|
gen_require(`
|
||||||
|
type server_packet_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 server_packet_t:packet relabelto;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corenetwork,1.1.10)
|
policy_module(corenetwork,1.1.11)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -32,9 +32,9 @@ dev_node(tun_tap_device_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# packet_t is the default type of IPv4 and IPv6 packets.
|
# client_packet_t is the default type of IPv4 and IPv6 client packets.
|
||||||
#
|
#
|
||||||
type packet_t, packet_type;
|
type client_packet_t, packet_type, client_packet_type;
|
||||||
|
|
||||||
#
|
#
|
||||||
# port_t is the default type of INET port numbers.
|
# port_t is the default type of INET port numbers.
|
||||||
@ -47,6 +47,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
|
|||||||
#
|
#
|
||||||
type reserved_port_t, port_type, reserved_port_type;
|
type reserved_port_t, port_type, reserved_port_type;
|
||||||
|
|
||||||
|
#
|
||||||
|
# server_packet_t is the default type of IPv4 and IPv6 server packets.
|
||||||
|
#
|
||||||
|
type server_packet_t, packet_type, server_packet_type;
|
||||||
|
|
||||||
network_port(afs_bos, udp,7007,s0)
|
network_port(afs_bos, udp,7007,s0)
|
||||||
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
|
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
|
||||||
network_port(afs_ka, udp,7004,s0)
|
network_port(afs_ka, udp,7004,s0)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(kernel,1.3.9)
|
policy_module(kernel,1.3.10)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -288,7 +288,7 @@ optional_policy(`
|
|||||||
corenet_udp_sendrecv_all_ports(kernel_t)
|
corenet_udp_sendrecv_all_ports(kernel_t)
|
||||||
corenet_udp_bind_all_nodes(kernel_t)
|
corenet_udp_bind_all_nodes(kernel_t)
|
||||||
corenet_sendrecv_portmap_client_packets(kernel_t)
|
corenet_sendrecv_portmap_client_packets(kernel_t)
|
||||||
corenet_sendrecv_generic_packets(kernel_t)
|
corenet_sendrecv_generic_server_packets(kernel_t)
|
||||||
|
|
||||||
auth_dontaudit_getattr_shadow(kernel_t)
|
auth_dontaudit_getattr_shadow(kernel_t)
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@ template(`rpc_domain_template', `
|
|||||||
corenet_tcp_bind_generic_port($1_t)
|
corenet_tcp_bind_generic_port($1_t)
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
corenet_udp_bind_reserved_port($1_t)
|
corenet_udp_bind_reserved_port($1_t)
|
||||||
corenet_sendrecv_generic_packets($1_t)
|
corenet_sendrecv_generic_server_packets($1_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints($1_t)
|
fs_search_auto_mountpoints($1_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(rpc,1.2.6)
|
policy_module(rpc,1.2.7)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(hotplug,1.2.0)
|
policy_module(hotplug,1.2.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -52,17 +52,13 @@ kernel_read_net_sysctls(hotplug_t)
|
|||||||
|
|
||||||
files_read_kernel_modules(hotplug_t)
|
files_read_kernel_modules(hotplug_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(hotplug_t)
|
||||||
corenet_tcp_sendrecv_all_if(hotplug_t)
|
corenet_tcp_sendrecv_all_if(hotplug_t)
|
||||||
corenet_udp_sendrecv_all_if(hotplug_t)
|
corenet_udp_sendrecv_all_if(hotplug_t)
|
||||||
corenet_raw_sendrecv_all_if(hotplug_t)
|
|
||||||
corenet_tcp_sendrecv_all_nodes(hotplug_t)
|
corenet_tcp_sendrecv_all_nodes(hotplug_t)
|
||||||
corenet_udp_sendrecv_all_nodes(hotplug_t)
|
corenet_udp_sendrecv_all_nodes(hotplug_t)
|
||||||
corenet_raw_sendrecv_all_nodes(hotplug_t)
|
|
||||||
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
corenet_tcp_sendrecv_all_ports(hotplug_t)
|
||||||
corenet_udp_sendrecv_all_ports(hotplug_t)
|
corenet_udp_sendrecv_all_ports(hotplug_t)
|
||||||
corenet_non_ipsec_sendrecv(hotplug_t)
|
|
||||||
corenet_tcp_bind_all_nodes(hotplug_t)
|
|
||||||
corenet_udp_bind_all_nodes(hotplug_t)
|
|
||||||
|
|
||||||
dev_rw_sysfs(hotplug_t)
|
dev_rw_sysfs(hotplug_t)
|
||||||
dev_read_usbfs(hotplug_t)
|
dev_read_usbfs(hotplug_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(init,1.3.15)
|
policy_module(init,1.3.16)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -249,18 +249,15 @@ kernel_dontaudit_getattr_message_if(initrc_t)
|
|||||||
|
|
||||||
files_read_kernel_symbol_table(initrc_t)
|
files_read_kernel_symbol_table(initrc_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(initrc_t)
|
||||||
corenet_tcp_sendrecv_all_if(initrc_t)
|
corenet_tcp_sendrecv_all_if(initrc_t)
|
||||||
corenet_raw_sendrecv_all_if(initrc_t)
|
|
||||||
corenet_udp_sendrecv_all_if(initrc_t)
|
corenet_udp_sendrecv_all_if(initrc_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
corenet_tcp_sendrecv_all_nodes(initrc_t)
|
||||||
corenet_raw_sendrecv_all_nodes(initrc_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(initrc_t)
|
corenet_udp_sendrecv_all_nodes(initrc_t)
|
||||||
corenet_tcp_sendrecv_all_ports(initrc_t)
|
corenet_tcp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_udp_sendrecv_all_ports(initrc_t)
|
corenet_udp_sendrecv_all_ports(initrc_t)
|
||||||
corenet_non_ipsec_sendrecv(initrc_t)
|
|
||||||
corenet_tcp_bind_all_nodes(initrc_t)
|
|
||||||
corenet_udp_bind_all_nodes(initrc_t)
|
|
||||||
corenet_tcp_connect_all_ports(initrc_t)
|
corenet_tcp_connect_all_ports(initrc_t)
|
||||||
|
corenet_sendrecv_all_client_packets(initrc_t)
|
||||||
|
|
||||||
dev_read_rand(initrc_t)
|
dev_read_rand(initrc_t)
|
||||||
dev_read_urand(initrc_t)
|
dev_read_urand(initrc_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(ipsec,1.1.0)
|
policy_module(ipsec,1.1.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -83,15 +83,17 @@ kernel_getattr_core_if(ipsec_t)
|
|||||||
kernel_getattr_message_if(ipsec_t)
|
kernel_getattr_message_if(ipsec_t)
|
||||||
|
|
||||||
# Pluto needs network access
|
# Pluto needs network access
|
||||||
|
corenet_non_ipsec_sendrecv(ipsec_t)
|
||||||
corenet_tcp_sendrecv_all_if(ipsec_t)
|
corenet_tcp_sendrecv_all_if(ipsec_t)
|
||||||
corenet_raw_sendrecv_all_if(ipsec_t)
|
corenet_raw_sendrecv_all_if(ipsec_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(ipsec_t)
|
corenet_tcp_sendrecv_all_nodes(ipsec_t)
|
||||||
corenet_raw_sendrecv_all_nodes(ipsec_t)
|
corenet_raw_sendrecv_all_nodes(ipsec_t)
|
||||||
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
corenet_tcp_sendrecv_all_ports(ipsec_t)
|
||||||
corenet_non_ipsec_sendrecv(ipsec_t)
|
|
||||||
corenet_tcp_bind_all_nodes(ipsec_t)
|
corenet_tcp_bind_all_nodes(ipsec_t)
|
||||||
corenet_udp_bind_reserved_port(ipsec_t)
|
corenet_tcp_bind_reserved_port(ipsec_t)
|
||||||
corenet_udp_bind_isakmp_port(ipsec_t)
|
corenet_tcp_bind_isakmp_port(ipsec_t)
|
||||||
|
corenet_sendrecv_generic_server_packets(ipsec_t)
|
||||||
|
corenet_sendrecv_isakmp_server_packets(ipsec_t)
|
||||||
|
|
||||||
dev_read_sysfs(ipsec_t)
|
dev_read_sysfs(ipsec_t)
|
||||||
dev_read_rand(ipsec_t)
|
dev_read_rand(ipsec_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(logging,1.3.4)
|
policy_module(logging,1.3.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -260,7 +260,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
|
|||||||
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow syslogd_t self:unix_dgram_socket sendto;
|
allow syslogd_t self:unix_dgram_socket sendto;
|
||||||
allow syslogd_t self:fifo_file rw_file_perms;
|
allow syslogd_t self:fifo_file rw_file_perms;
|
||||||
allow syslogd_t self:udp_socket { connected_socket_perms connect };
|
allow syslogd_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
# Create and bind to /dev/log or /var/run/log.
|
# Create and bind to /dev/log or /var/run/log.
|
||||||
allow syslogd_t devlog_t:sock_file create_file_perms;
|
allow syslogd_t devlog_t:sock_file create_file_perms;
|
||||||
@ -306,15 +306,15 @@ init_read_utmp(syslogd_t)
|
|||||||
init_dontaudit_write_utmp(syslogd_t)
|
init_dontaudit_write_utmp(syslogd_t)
|
||||||
term_write_all_user_ttys(syslogd_t)
|
term_write_all_user_ttys(syslogd_t)
|
||||||
|
|
||||||
corenet_raw_sendrecv_all_if(syslogd_t)
|
corenet_non_ipsec_sendrecv(syslogd_t)
|
||||||
corenet_udp_sendrecv_all_if(syslogd_t)
|
corenet_udp_sendrecv_all_if(syslogd_t)
|
||||||
corenet_raw_sendrecv_all_nodes(syslogd_t)
|
|
||||||
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
corenet_udp_sendrecv_all_nodes(syslogd_t)
|
||||||
corenet_udp_sendrecv_all_ports(syslogd_t)
|
corenet_udp_sendrecv_all_ports(syslogd_t)
|
||||||
corenet_non_ipsec_sendrecv(syslogd_t)
|
|
||||||
corenet_udp_bind_all_nodes(syslogd_t)
|
corenet_udp_bind_all_nodes(syslogd_t)
|
||||||
corenet_tcp_bind_syslogd_port(syslogd_t)
|
|
||||||
corenet_udp_bind_syslogd_port(syslogd_t)
|
corenet_udp_bind_syslogd_port(syslogd_t)
|
||||||
|
# syslog-ng can send or receive logs
|
||||||
|
corenet_sendrecv_syslogd_client_packets(syslogd_t)
|
||||||
|
corenet_sendrecv_syslogd_server_packets(syslogd_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(syslogd_t)
|
fs_getattr_all_fs(syslogd_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(lvm,1.3.2)
|
policy_module(lvm,1.3.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(clvmd_t)
|
|||||||
kernel_list_proc(clvmd_t)
|
kernel_list_proc(clvmd_t)
|
||||||
kernel_read_proc_symlinks(clvmd_t)
|
kernel_read_proc_symlinks(clvmd_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(clvmd_t)
|
||||||
corenet_tcp_sendrecv_all_if(clvmd_t)
|
corenet_tcp_sendrecv_all_if(clvmd_t)
|
||||||
corenet_udp_sendrecv_all_if(clvmd_t)
|
corenet_udp_sendrecv_all_if(clvmd_t)
|
||||||
corenet_raw_sendrecv_all_if(clvmd_t)
|
corenet_raw_sendrecv_all_if(clvmd_t)
|
||||||
@ -69,11 +70,10 @@ corenet_udp_sendrecv_all_nodes(clvmd_t)
|
|||||||
corenet_raw_sendrecv_all_nodes(clvmd_t)
|
corenet_raw_sendrecv_all_nodes(clvmd_t)
|
||||||
corenet_tcp_sendrecv_all_ports(clvmd_t)
|
corenet_tcp_sendrecv_all_ports(clvmd_t)
|
||||||
corenet_udp_sendrecv_all_ports(clvmd_t)
|
corenet_udp_sendrecv_all_ports(clvmd_t)
|
||||||
corenet_non_ipsec_sendrecv(clvmd_t)
|
|
||||||
corenet_tcp_bind_all_nodes(clvmd_t)
|
corenet_tcp_bind_all_nodes(clvmd_t)
|
||||||
corenet_udp_bind_all_nodes(clvmd_t)
|
|
||||||
corenet_tcp_bind_reserved_port(clvmd_t)
|
corenet_tcp_bind_reserved_port(clvmd_t)
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
|
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
|
||||||
|
corenet_sendrecv_generic_server_packets(clvmd_t)
|
||||||
|
|
||||||
dev_read_sysfs(clvmd_t)
|
dev_read_sysfs(clvmd_t)
|
||||||
|
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(mount,1.3.5)
|
policy_module(mount,1.3.6)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -35,9 +35,6 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
|
|||||||
kernel_read_system_state(mount_t)
|
kernel_read_system_state(mount_t)
|
||||||
kernel_dontaudit_getattr_core_if(mount_t)
|
kernel_dontaudit_getattr_core_if(mount_t)
|
||||||
|
|
||||||
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
|
||||||
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
|
||||||
|
|
||||||
dev_getattr_all_blk_files(mount_t)
|
dev_getattr_all_blk_files(mount_t)
|
||||||
dev_list_all_dev_nodes(mount_t)
|
dev_list_all_dev_nodes(mount_t)
|
||||||
dev_rw_lvm_control(mount_t)
|
dev_rw_lvm_control(mount_t)
|
||||||
@ -136,6 +133,8 @@ optional_policy(`
|
|||||||
corenet_udp_bind_reserved_port(mount_t)
|
corenet_udp_bind_reserved_port(mount_t)
|
||||||
corenet_tcp_bind_all_rpc_ports(mount_t)
|
corenet_tcp_bind_all_rpc_ports(mount_t)
|
||||||
corenet_udp_bind_all_rpc_ports(mount_t)
|
corenet_udp_bind_all_rpc_ports(mount_t)
|
||||||
|
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
|
||||||
|
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
|
||||||
corenet_tcp_connect_all_ports(mount_t)
|
corenet_tcp_connect_all_ports(mount_t)
|
||||||
|
|
||||||
fs_search_rpc(mount_t)
|
fs_search_rpc(mount_t)
|
||||||
|
@ -176,7 +176,6 @@ template(`base_user_template',`
|
|||||||
corenet_udp_bind_all_nodes($1_t)
|
corenet_udp_bind_all_nodes($1_t)
|
||||||
corenet_udp_bind_generic_port($1_t)
|
corenet_udp_bind_generic_port($1_t)
|
||||||
corenet_tcp_connect_all_ports($1_t)
|
corenet_tcp_connect_all_ports($1_t)
|
||||||
corenet_sendrecv_generic_packets($1_t)
|
|
||||||
corenet_sendrecv_all_client_packets($1_t)
|
corenet_sendrecv_all_client_packets($1_t)
|
||||||
|
|
||||||
dev_read_input($1_t)
|
dev_read_input($1_t)
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(userdomain,1.3.25)
|
policy_module(userdomain,1.3.26)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
role sysadm_r, staff_r, user_r;
|
role sysadm_r, staff_r, user_r;
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(xen,1.0.4)
|
policy_module(xen,1.0.5)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -113,12 +113,14 @@ corecmd_exec_sbin(xend_t)
|
|||||||
corecmd_exec_bin(xend_t)
|
corecmd_exec_bin(xend_t)
|
||||||
corecmd_exec_shell(xend_t)
|
corecmd_exec_shell(xend_t)
|
||||||
|
|
||||||
|
corenet_non_ipsec_sendrecv(xend_t)
|
||||||
corenet_tcp_sendrecv_all_if(xend_t)
|
corenet_tcp_sendrecv_all_if(xend_t)
|
||||||
corenet_tcp_sendrecv_all_nodes(xend_t)
|
corenet_tcp_sendrecv_all_nodes(xend_t)
|
||||||
corenet_tcp_sendrecv_all_ports(xend_t)
|
corenet_tcp_sendrecv_all_ports(xend_t)
|
||||||
corenet_non_ipsec_sendrecv(xend_t)
|
|
||||||
corenet_tcp_bind_xen_port(xend_t)
|
corenet_tcp_bind_xen_port(xend_t)
|
||||||
corenet_tcp_bind_soundd_port(xend_t)
|
corenet_tcp_bind_soundd_port(xend_t)
|
||||||
|
corenet_sendrecv_xen_server_packets(xend_t)
|
||||||
|
corenet_sendrecv_soundd_server_packets(xend_t)
|
||||||
|
|
||||||
dev_read_urand(xend_t)
|
dev_read_urand(xend_t)
|
||||||
dev_manage_xen(xend_t)
|
dev_manage_xen(xend_t)
|
||||||
|
@ -11,7 +11,8 @@ import sys,string,getopt,re
|
|||||||
|
|
||||||
NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
|
NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
|
||||||
|
|
||||||
DEFAULT_PACKET = "packet_t"
|
DEFAULT_INPUT_PACKET = "server_packet_t"
|
||||||
|
DEFAULT_OUTPUT_PACKET = "client_packet_t"
|
||||||
DEFAULT_MCS = "s0"
|
DEFAULT_MCS = "s0"
|
||||||
DEFAULT_MLS = "s0"
|
DEFAULT_MLS = "s0"
|
||||||
|
|
||||||
@ -42,7 +43,7 @@ class Packet:
|
|||||||
self.ports = ports
|
self.ports = ports
|
||||||
|
|
||||||
def print_input_rules(packets,mls,mcs):
|
def print_input_rules(packets,mls,mcs):
|
||||||
line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
|
line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
|
||||||
if mls:
|
if mls:
|
||||||
line += ":"+DEFAULT_MLS
|
line += ":"+DEFAULT_MLS
|
||||||
elif mcs:
|
elif mcs:
|
||||||
@ -63,7 +64,7 @@ def print_input_rules(packets,mls,mcs):
|
|||||||
print "-A selinux_new_input -j RETURN"
|
print "-A selinux_new_input -j RETURN"
|
||||||
|
|
||||||
def print_output_rules(packets,mls,mcs):
|
def print_output_rules(packets,mls,mcs):
|
||||||
line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
|
line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
|
||||||
if mls:
|
if mls:
|
||||||
line += ":"+DEFAULT_MLS
|
line += ":"+DEFAULT_MLS
|
||||||
elif mcs:
|
elif mcs:
|
||||||
|
Loading…
Reference in New Issue
Block a user