trunk: Enable network_peer_controls policy capability from Paul Moore.
This commit is contained in:
Chris PeBenito
parent
805f34ed09
commit
7722c29e88
|
|
@ -1,3 +1,4 @@
|
|||
- Enable network_peer_controls policy capability from Paul Moore.
|
||||
- Btrfs xattr support from Paul Moore.
|
||||
- Add db_procedure install permission from KaiGai Kohei.
|
||||
- Add support for network interfaces with access controlled by a Boolean
|
||||
|
|
|
|||
|
|
@ -313,6 +313,60 @@ interface(`corenet_raw_sendrecv_generic_if',`
|
|||
corenet_raw_receive_generic_if($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow outgoing network traffic on the generic interfaces.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the outgoing network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_out_generic_if',`
|
||||
gen_require(`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif egress;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow incoming traffic on the generic interfaces.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the incoming network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_in_generic_if',`
|
||||
gen_require(`
|
||||
type netif_t;
|
||||
')
|
||||
|
||||
allow $1 netif_t:netif ingress;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow incoming and outgoing network traffic on the generic interfaces.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_inout_generic_if',`
|
||||
corenet_in_generic_if($1)
|
||||
corenet_out_generic_if($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive TCP network traffic on all interfaces.
|
||||
|
|
@ -608,6 +662,60 @@ interface(`corenet_raw_bind_generic_node',`
|
|||
allow $1 node_t:rawip_socket node_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow outgoing network traffic to generic nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the outgoing network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_out_generic_node',`
|
||||
gen_require(`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node sendto;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow incoming network traffic from generic nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the incoming network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_in_generic_node',`
|
||||
gen_require(`
|
||||
type node_t;
|
||||
')
|
||||
|
||||
allow $1 node_t:node recvfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow incoming and outgoing network traffic with generic nodes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The peer label of the network traffic.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_inout_generic_node',`
|
||||
corenet_in_generic_node($1)
|
||||
corenet_out_generic_node($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive TCP network traffic on all nodes.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corenetwork, 1.11.2)
|
||||
policy_module(corenetwork, 1.11.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(kernel, 1.10.2)
|
||||
policy_module(kernel, 1.10.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
|
|||
# connections with invalidated labels:
|
||||
allow kernel_t unlabeled_t:packet send;
|
||||
|
||||
# Forwarded network traffic
|
||||
# Allow unlabeled network traffic
|
||||
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
|
||||
corenet_in_generic_if(unlabeled_t)
|
||||
corenet_in_generic_node(unlabeled_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(kernel_t)
|
||||
corenet_all_recvfrom_netlabel(kernel_t)
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@
|
|||
# netif: ingress egress
|
||||
# peer: recv
|
||||
#
|
||||
#policycap network_peer_controls;
|
||||
policycap network_peer_controls;
|
||||
|
||||
# Enable additional access controls for opening
|
||||
# a file (and similar objects).
|
||||
|
|
|
|||
Loading…
Reference in New Issue