From 3d03a4f40f6af5d6d3b86b49b4b033ed8ecbc6b6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 2 Jun 2006 15:06:45 +0000 Subject: [PATCH] packets --- .../policy/modules/services/automount.te | 3 ++- .../policy/modules/services/bluetooth.te | 4 ++-- refpolicy/policy/modules/services/djbdns.if | 2 ++ refpolicy/policy/modules/services/djbdns.te | 2 +- refpolicy/policy/modules/services/dovecot.te | 4 +++- .../policy/modules/services/fetchmail.te | 3 ++- refpolicy/policy/modules/services/mailman.if | 1 + refpolicy/policy/modules/services/mailman.te | 2 +- refpolicy/policy/modules/services/nis.te | 24 +++++++++---------- refpolicy/policy/modules/services/postfix.te | 17 ++++++------- refpolicy/policy/modules/services/razor.if | 3 +-- refpolicy/policy/modules/services/razor.te | 4 ++-- refpolicy/policy/modules/services/stunnel.te | 7 ++---- refpolicy/policy/modules/services/telnet.te | 8 ++----- refpolicy/policy/modules/services/ucspitcp.te | 14 +++++++++-- refpolicy/policy/modules/services/zebra.te | 4 +++- 16 files changed, 54 insertions(+), 48 deletions(-) diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te index eebbb1dc..adc123fc 100644 --- a/refpolicy/policy/modules/services/automount.te +++ b/refpolicy/policy/modules/services/automount.te @@ -1,5 +1,5 @@ -policy_module(automount,1.2.4) +policy_module(automount,1.2.5) ######################################## # @@ -81,6 +81,7 @@ corenet_udp_bind_all_nodes(automount_t) corenet_tcp_connect_portmap_port(automount_t) corenet_tcp_connect_all_ports(automount_t) corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t) +corenet_sendrecv_all_client_packets(automount_t) # Automount execs showmount when you browse /net. This is required until # Someone writes a showmount policy corenet_tcp_bind_reserved_port(automount_t) diff --git a/refpolicy/policy/modules/services/bluetooth.te b/refpolicy/policy/modules/services/bluetooth.te index d2f4750d..2bb2b315 100644 
--- a/refpolicy/policy/modules/services/bluetooth.te +++ b/refpolicy/policy/modules/services/bluetooth.te @@ -1,5 +1,5 @@ -policy_module(bluetooth,1.2.6) +policy_module(bluetooth,1.2.7) ######################################## # @@ -49,7 +49,7 @@ allow bluetooth_t self:shm create_shm_perms; allow bluetooth_t self:socket create_stream_socket_perms; allow bluetooth_t self:unix_dgram_socket create_socket_perms; allow bluetooth_t self:unix_stream_socket create_stream_socket_perms; -allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect }; +allow bluetooth_t self:tcp_socket create_stream_socket_perms; allow bluetooth_t self:udp_socket create_socket_perms; allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms; diff --git a/refpolicy/policy/modules/services/djbdns.if b/refpolicy/policy/modules/services/djbdns.if index dcafb95c..e8baf77b 100644 --- a/refpolicy/policy/modules/services/djbdns.if +++ b/refpolicy/policy/modules/services/djbdns.if @@ -44,6 +44,8 @@ template(`djbdns_daemontools_domain_template',` corenet_tcp_bind_dns_port(djbdns_$1_t) corenet_udp_bind_dns_port(djbdns_$1_t) corenet_udp_bind_generic_port(djbdns_$1_t) + corenet_sendrecv_dns_server_packets(djbdns_$1_t) + corenet_sendrecv_generic_server_packets(djbdns_$1_t) files_search_var(djbdns_$1_t) diff --git a/refpolicy/policy/modules/services/djbdns.te b/refpolicy/policy/modules/services/djbdns.te index a51e8c6a..0ca3670d 100644 --- a/refpolicy/policy/modules/services/djbdns.te +++ b/refpolicy/policy/modules/services/djbdns.te @@ -1,5 +1,5 @@ -policy_module(djbdns,1.0.0) +policy_module(djbdns,1.0.1) ######################################## # diff --git a/refpolicy/policy/modules/services/dovecot.te b/refpolicy/policy/modules/services/dovecot.te index f3b47a6d..630e27c1 100644 --- a/refpolicy/policy/modules/services/dovecot.te +++ b/refpolicy/policy/modules/services/dovecot.te @@ -1,5 +1,5 @@ -policy_module(dovecot,1.2.2) +policy_module(dovecot,1.2.3) ######################################## # 
@@ -78,6 +78,8 @@ corenet_tcp_bind_all_nodes(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) +corenet_sendrecv_pop_server_packets(dovecot_t) +corenet_sendrecv_all_client_packets(dovecot_t) dev_read_sysfs(dovecot_t) dev_read_urand(dovecot_t) diff --git a/refpolicy/policy/modules/services/fetchmail.te b/refpolicy/policy/modules/services/fetchmail.te index 2ef238f9..bac61a5c 100644 --- a/refpolicy/policy/modules/services/fetchmail.te +++ b/refpolicy/policy/modules/services/fetchmail.te @@ -1,5 +1,5 @@ -policy_module(fetchmail,1.1.1) +policy_module(fetchmail,1.1.2) ######################################## # @@ -57,6 +57,7 @@ corenet_udp_sendrecv_dns_port(fetchmail_t) corenet_tcp_sendrecv_pop_port(fetchmail_t) corenet_tcp_sendrecv_smtp_port(fetchmail_t) corenet_tcp_connect_all_ports(fetchmail_t) +corenet_sendrecv_all_client_packets(fetchmail_t) dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) diff --git a/refpolicy/policy/modules/services/mailman.if b/refpolicy/policy/modules/services/mailman.if index c6b2e650..8e3360f1 100644 --- a/refpolicy/policy/modules/services/mailman.if +++ b/refpolicy/policy/modules/services/mailman.if @@ -62,6 +62,7 @@ template(`mailman_domain_template', ` corenet_tcp_bind_all_nodes(mailman_$1_t) corenet_udp_bind_all_nodes(mailman_$1_t) corenet_tcp_connect_smtp_port(mailman_$1_t) + corenet_sendrecv_smtp_client_packets(mailman_$1_t) fs_getattr_xattr_fs(mailman_$1_t) diff --git a/refpolicy/policy/modules/services/mailman.te b/refpolicy/policy/modules/services/mailman.te index 4c298129..ad12df54 100644 --- a/refpolicy/policy/modules/services/mailman.te +++ b/refpolicy/policy/modules/services/mailman.te @@ -1,5 +1,5 @@ -policy_module(mailman,1.1.3) +policy_module(mailman,1.1.4) ######################################## # diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te index 738b863b..31dfc8f8 100644 
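Review bot: The added `corenet_sendrecv_all_client_packets(fetchmail_t)` is broader than the explicit port grants it sits under (`corenet_tcp_sendrecv_pop_port` and `corenet_tcp_sendrecv_smtp_port`), so on a SECMARK-labeled system it would pass labeled client traffic to any port rather than only the mail ports. It is consistent with the pre-existing `corenet_tcp_connect_all_ports(fetchmail_t)` on the line above, but if that connect grant is ever narrowed, `corenet_sendrecv_pop_client_packets(fetchmail_t)` and `corenet_sendrecv_smtp_client_packets(fetchmail_t)` would be the least-privilege pair. The dovecot hunk on this same line adds the same all-client grant next to an explicit `corenet_tcp_connect_postgresql_port(dovecot_t)`, and the same consideration applies there.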
--- a/refpolicy/policy/modules/services/nis.te +++ b/refpolicy/policy/modules/services/nis.te @@ -1,5 +1,5 @@ -policy_module(nis,1.1.3) +policy_module(nis,1.1.4) ######################################## # @@ -72,15 +72,13 @@ kernel_list_proc(ypbind_t) kernel_read_proc_symlinks(ypbind_t) kernel_tcp_recvfrom(ypbind_t) +corenet_non_ipsec_sendrecv(ypbind_t) corenet_tcp_sendrecv_all_if(ypbind_t) corenet_udp_sendrecv_all_if(ypbind_t) -corenet_raw_sendrecv_all_if(ypbind_t) corenet_tcp_sendrecv_all_nodes(ypbind_t) corenet_udp_sendrecv_all_nodes(ypbind_t) -corenet_raw_sendrecv_all_nodes(ypbind_t) corenet_tcp_sendrecv_all_ports(ypbind_t) corenet_udp_sendrecv_all_ports(ypbind_t) -corenet_non_ipsec_sendrecv(ypbind_t) corenet_tcp_bind_all_nodes(ypbind_t) corenet_udp_bind_all_nodes(ypbind_t) corenet_tcp_bind_generic_port(ypbind_t) @@ -91,6 +89,8 @@ corenet_tcp_bind_all_rpc_ports(ypbind_t) corenet_tcp_connect_all_ports(ypbind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t) +corenet_sendrecv_all_client_packets(ypbind_t) +corenet_sendrecv_generic_server_packets(ypbind_t) dev_read_sysfs(ypbind_t) 
@@ -167,21 +167,20 @@ kernel_read_proc_symlinks(yppasswdd_t) kernel_getattr_proc_files(yppasswdd_t) kernel_read_kernel_sysctls(yppasswdd_t) +corenet_non_ipsec_sendrecv(yppasswdd_t) corenet_tcp_sendrecv_generic_if(yppasswdd_t) corenet_udp_sendrecv_generic_if(yppasswdd_t) -corenet_raw_sendrecv_generic_if(yppasswdd_t) corenet_tcp_sendrecv_all_nodes(yppasswdd_t) corenet_udp_sendrecv_all_nodes(yppasswdd_t) -corenet_raw_sendrecv_all_nodes(yppasswdd_t) corenet_tcp_sendrecv_all_ports(yppasswdd_t) corenet_udp_sendrecv_all_ports(yppasswdd_t) -corenet_non_ipsec_sendrecv(yppasswdd_t) corenet_tcp_bind_all_nodes(yppasswdd_t) corenet_udp_bind_all_nodes(yppasswdd_t) corenet_tcp_bind_reserved_port(yppasswdd_t) corenet_udp_bind_reserved_port(yppasswdd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t) corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t) +corenet_sendrecv_generic_server_packets(yppasswdd_t) dev_read_sysfs(yppasswdd_t) @@ -273,21 +272,20 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) +corenet_non_ipsec_sendrecv(ypserv_t) corenet_tcp_sendrecv_all_if(ypserv_t) corenet_udp_sendrecv_all_if(ypserv_t) -corenet_raw_sendrecv_all_if(ypserv_t) corenet_tcp_sendrecv_all_nodes(ypserv_t) corenet_udp_sendrecv_all_nodes(ypserv_t) -corenet_raw_sendrecv_all_nodes(ypserv_t) corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) -corenet_non_ipsec_sendrecv(ypserv_t) corenet_tcp_bind_all_nodes(ypserv_t) corenet_udp_bind_all_nodes(ypserv_t) corenet_tcp_bind_reserved_port(ypserv_t) corenet_udp_bind_reserved_port(ypserv_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t) +corenet_sendrecv_generic_server_packets(ypserv_t) dev_read_sysfs(ypserv_t) 
@@ -343,15 +341,13 @@ optional_policy(` allow ypxfr_t self:unix_stream_socket create_stream_socket_perms; +corenet_non_ipsec_sendrecv(ypxfr_t) corenet_tcp_sendrecv_all_if(ypxfr_t) corenet_udp_sendrecv_all_if(ypxfr_t) -corenet_raw_sendrecv_all_if(ypxfr_t) corenet_tcp_sendrecv_all_nodes(ypxfr_t) corenet_udp_sendrecv_all_nodes(ypxfr_t) -corenet_raw_sendrecv_all_nodes(ypxfr_t) corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) -corenet_non_ipsec_sendrecv(ypxfr_t) corenet_tcp_bind_all_nodes(ypxfr_t) corenet_udp_bind_all_nodes(ypxfr_t) corenet_tcp_bind_reserved_port(ypxfr_t) @@ -359,5 +355,7 @@ corenet_udp_bind_reserved_port(ypxfr_t) corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) +corenet_sendrecv_generic_server_packets(ypxfr_t) +corenet_sendrecv_all_client_packets(ypxfr_t) files_read_etc_files(ypxfr_t) diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te index 1df67a9e..15167e7a 100644 --- a/refpolicy/policy/modules/services/postfix.te +++ b/refpolicy/policy/modules/services/postfix.te @@ -1,5 +1,5 @@ -policy_module(postfix,1.2.5) +policy_module(postfix,1.2.6) ######################################## # 
@@ -131,20 +131,20 @@ allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; kernel_read_all_sysctls(postfix_master_t) +corenet_non_ipsec_sendrecv(postfix_master_t) corenet_tcp_sendrecv_all_if(postfix_master_t) corenet_udp_sendrecv_all_if(postfix_master_t) -corenet_raw_sendrecv_all_if(postfix_master_t) corenet_tcp_sendrecv_all_nodes(postfix_master_t) corenet_udp_sendrecv_all_nodes(postfix_master_t) -corenet_raw_sendrecv_all_nodes(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) -corenet_non_ipsec_sendrecv(postfix_master_t) corenet_tcp_bind_all_nodes(postfix_master_t) -corenet_udp_bind_all_nodes(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) corenet_tcp_connect_all_ports(postfix_master_t) +corenet_sendrecv_amavisd_send_server_packets(postfix_master_t) +corenet_sendrecv_smtp_server_packets(postfix_master_t) +corenet_sendrecv_all_client_packets(postfix_master_t) # for a find command selinux_dontaudit_search_fs(postfix_master_t) @@ -320,18 +320,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) +corenet_non_ipsec_sendrecv(postfix_map_t) corenet_tcp_sendrecv_all_if(postfix_map_t) corenet_udp_sendrecv_all_if(postfix_map_t) -corenet_raw_sendrecv_all_if(postfix_map_t) corenet_tcp_sendrecv_all_nodes(postfix_map_t) corenet_udp_sendrecv_all_nodes(postfix_map_t) -corenet_raw_sendrecv_all_nodes(postfix_map_t) corenet_tcp_sendrecv_all_ports(postfix_map_t) corenet_udp_sendrecv_all_ports(postfix_map_t) -corenet_non_ipsec_sendrecv(postfix_map_t) -corenet_tcp_bind_all_nodes(postfix_map_t) -corenet_udp_bind_all_nodes(postfix_map_t) corenet_tcp_connect_all_ports(postfix_map_t) +corenet_sendrecv_all_client_packets(postfix_map_t) corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) 
diff --git a/refpolicy/policy/modules/services/razor.if b/refpolicy/policy/modules/services/razor.if index f78608cb..26b3637f 100644 --- a/refpolicy/policy/modules/services/razor.if +++ b/refpolicy/policy/modules/services/razor.if @@ -64,13 +64,12 @@ template(`razor_common_domain_template',` corecmd_exec_bin($1_t) + corenet_non_ipsec_sendrecv($1_t) corenet_tcp_sendrecv_generic_if($1_t) corenet_raw_sendrecv_generic_if($1_t) corenet_tcp_sendrecv_all_nodes($1_t) corenet_raw_sendrecv_all_nodes($1_t) corenet_tcp_sendrecv_razor_port($1_t) - corenet_non_ipsec_sendrecv($1_t) - corenet_tcp_bind_all_nodes($1_t) # mktemp and other randoms dev_read_rand($1_t) diff --git a/refpolicy/policy/modules/services/razor.te b/refpolicy/policy/modules/services/razor.te index 8cddadde..08e7b72c 100644 --- a/refpolicy/policy/modules/services/razor.te +++ b/refpolicy/policy/modules/services/razor.te @@ -1,5 +1,5 @@ -policy_module(razor,1.0.0) +policy_module(razor,1.0.1) ######################################## # @@ -47,8 +47,8 @@ corenet_raw_sendrecv_generic_if(razor_t) corenet_tcp_sendrecv_all_nodes(razor_t) corenet_raw_sendrecv_all_nodes(razor_t) corenet_tcp_sendrecv_razor_port(razor_t) -corenet_tcp_bind_all_nodes(razor_t) corenet_tcp_connect_razor_port(razor_t) +corenet_sendrecv_razor_client_packets(razor_t) sysnet_read_config(razor_t) diff --git a/refpolicy/policy/modules/services/stunnel.te b/refpolicy/policy/modules/services/stunnel.te index 88bda4aa..783fad6e 100644 --- a/refpolicy/policy/modules/services/stunnel.te +++ b/refpolicy/policy/modules/services/stunnel.te @@ -1,5 +1,5 @@ -policy_module(stunnel,1.1.0) +policy_module(stunnel,1.1.1) ######################################## # 
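Review bot: `corenet_raw_sendrecv_generic_if($1_t)` and `corenet_raw_sendrecv_all_nodes($1_t)` survive in razor_common_domain_template while every other domain touched by this commit drops its raw-socket sendrecv grants, and nothing in this hunk shows the template domains creating raw IP sockets, so these two lines look like candidates for the same cleanup; the razor.te hunk on this line keeps the equivalent `corenet_raw_sendrecv_generic_if(razor_t)` and `corenet_raw_sendrecv_all_nodes(razor_t)` in its context. If razor genuinely needs raw sockets, a one-line comment above them saying why would stop the next reviewer from asking again. Also, the template gets `corenet_tcp_sendrecv_razor_port($1_t)` but no packet grant, whereas razor_t receives `corenet_sendrecv_razor_client_packets(razor_t)`; if template-derived domains connect to the razor port too, they will need the same client-packet line. The template definition starts above this hunk.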
@@ -55,17 +55,14 @@ kernel_read_kernel_sysctls(stunnel_t) kernel_read_system_state(stunnel_t) kernel_read_network_state(stunnel_t) +corenet_non_ipsec_sendrecv(stunnel_t) corenet_tcp_sendrecv_all_if(stunnel_t) corenet_udp_sendrecv_all_if(stunnel_t) -corenet_raw_sendrecv_all_if(stunnel_t) corenet_tcp_sendrecv_all_nodes(stunnel_t) corenet_udp_sendrecv_all_nodes(stunnel_t) -corenet_raw_sendrecv_all_nodes(stunnel_t) corenet_tcp_sendrecv_all_ports(stunnel_t) corenet_udp_sendrecv_all_ports(stunnel_t) -corenet_non_ipsec_sendrecv(stunnel_t) corenet_tcp_bind_all_nodes(stunnel_t) -corenet_udp_bind_all_nodes(stunnel_t) #corenet_tcp_bind_stunnel_port(stunnel_t) fs_getattr_all_fs(stunnel_t) diff --git a/refpolicy/policy/modules/services/telnet.te b/refpolicy/policy/modules/services/telnet.te index 3d4a2df7..005992d5 100644 --- a/refpolicy/policy/modules/services/telnet.te +++ b/refpolicy/policy/modules/services/telnet.te @@ -1,5 +1,5 @@ -policy_module(telnet,1.1.0) +policy_module(telnet,1.1.1) ######################################## # @@ -49,17 +49,13 @@ kernel_read_kernel_sysctls(telnetd_t) kernel_read_system_state(telnetd_t) kernel_read_network_state(telnetd_t) +corenet_non_ipsec_sendrecv(telnetd_t) corenet_tcp_sendrecv_all_if(telnetd_t) corenet_udp_sendrecv_all_if(telnetd_t) -corenet_raw_sendrecv_all_if(telnetd_t) corenet_tcp_sendrecv_all_nodes(telnetd_t) corenet_udp_sendrecv_all_nodes(telnetd_t) -corenet_raw_sendrecv_all_nodes(telnetd_t) corenet_tcp_sendrecv_all_ports(telnetd_t) corenet_udp_sendrecv_all_ports(telnetd_t) -corenet_non_ipsec_sendrecv(telnetd_t) -corenet_tcp_bind_all_nodes(telnetd_t) -corenet_udp_bind_all_nodes(telnetd_t) dev_read_urand(telnetd_t) diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te index 4689b488..26fed63f 100644 --- a/refpolicy/policy/modules/services/ucspitcp.te +++ b/refpolicy/policy/modules/services/ucspitcp.te 
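Review bot: This hunk leaves stunnel_t without any `corenet_sendrecv_*_packets` grant while it keeps `corenet_tcp_bind_all_nodes(stunnel_t)`, whereas the rest of this commit pairs each bind/connect grant with a packet grant; on a SECMARK-labeled system stunnel's accepted and relayed connections would then fail at the packet check. Since stunnel both accepts and originates TCP connections, `corenet_sendrecv_all_client_packets(stunnel_t)` plus a server-packet grant for the port it binds would match the pattern used in postfix.te, assuming the connect permissions live elsewhere in the file (not visible here). The commented-out `#corenet_tcp_bind_stunnel_port(stunnel_t)` suggests that port's server-packet interface is the intended one once that line is enabled. The telnet.te hunk on this line is a different case: it removes telnetd's bind grants entirely, which appears consistent with a service that inherits its socket from inetd and so needs neither bind nor its own packet grants.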
@@ -1,5 +1,5 @@ -policy_module(ucspitcp,1.0.1) +policy_module(ucspitcp,1.0.2) ######################################## # @@ -60,15 +60,18 @@ allow ucspitcp_t self:udp_socket create_socket_perms; corecmd_search_bin(ucspitcp_t) corecmd_search_sbin(ucspitcp_t) +# base networking: +corenet_non_ipsec_sendrecv(ucspitcp_t) corenet_tcp_sendrecv_all_if(ucspitcp_t) corenet_udp_sendrecv_all_if(ucspitcp_t) corenet_tcp_sendrecv_all_nodes(ucspitcp_t) corenet_udp_sendrecv_all_nodes(ucspitcp_t) corenet_tcp_sendrecv_all_ports(ucspitcp_t) corenet_udp_sendrecv_all_ports(ucspitcp_t) -corenet_non_ipsec_sendrecv(ucspitcp_t) corenet_tcp_bind_all_nodes(ucspitcp_t) corenet_udp_bind_all_nodes(ucspitcp_t) + +# server ports: corenet_tcp_bind_ftp_port(ucspitcp_t) corenet_tcp_bind_ftp_data_port(ucspitcp_t) corenet_tcp_bind_http_port(ucspitcp_t) @@ -77,6 +80,13 @@ corenet_tcp_bind_dns_port(ucspitcp_t) corenet_udp_bind_dns_port(ucspitcp_t) corenet_udp_bind_generic_port(ucspitcp_t) +# server packets: +corenet_sendrecv_ftp_server_packets(ucspitcp_t) +corenet_sendrecv_http_server_packets(ucspitcp_t) +corenet_sendrecv_smtp_server_packets(ucspitcp_t) +corenet_sendrecv_dns_server_packets(ucspitcp_t) +corenet_sendrecv_generic_server_packets(ucspitcp_t) + files_search_var(ucspitcp_t) files_read_etc_files(ucspitcp_t) diff --git a/refpolicy/policy/modules/services/zebra.te b/refpolicy/policy/modules/services/zebra.te index 4ef0b02f..3d331a37 100644 --- a/refpolicy/policy/modules/services/zebra.te +++ b/refpolicy/policy/modules/services/zebra.te @@ -1,5 +1,5 @@ -policy_module(zebra,1.2.1) +policy_module(zebra,1.2.2) ######################################## # @@ -74,6 +74,8 @@ corenet_tcp_bind_all_nodes(zebra_t) corenet_udp_bind_all_nodes(zebra_t) corenet_tcp_bind_zebra_port(zebra_t) corenet_udp_bind_router_port(zebra_t) +corenet_sendrecv_zebra_server_packets(zebra_t) +corenet_sendrecv_router_server_packets(zebra_t) dev_associate_usbfs(zebra_var_run_t) dev_list_all_dev_nodes(zebra_t)
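Review bot: The new `# server packets:` list has no entry matching `corenet_tcp_bind_ftp_data_port(ucspitcp_t)`, although the ftp, http, smtp, dns and generic binds each got one; if corenetwork defines a separate ftp_data packet type alongside its separate port type, labeled active-mode data connections on that port would be denied under SECMARK. Adding the ftp_data server-packet grant next to `corenet_sendrecv_ftp_server_packets(ucspitcp_t)` would close that gap. The `corenet_sendrecv_smtp_server_packets(ucspitcp_t)` line is presumably matched by an smtp bind in the lines between the two hunks, which are not shown here — worth confirming. The section comments (`# base networking:`, `# server ports:`, `# server packets:`) are a good structure; applying the same grouping to the nis.te and postfix.te hunks in this commit would make those files read the same way.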