From 7722c29e881cbc626bae800f7675efd3371fd239 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 3 Feb 2009 15:45:30 +0000
Subject: [PATCH] trunk: Enable network_peer_controls policy capability from Paul Moore.

---
 Changelog | 1 +
 policy/modules/kernel/corenetwork.if.in | 108 ++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/kernel.te | 6 +-
 policy/policy_capabilities | 2 +-
 5 files changed, 115 insertions(+), 4 deletions(-)

diff --git a/Changelog b/Changelog
index f3b24874..ab2d9d4e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Enable network_peer_controls policy capability from Paul Moore.
 - Btrfs xattr support from Paul Moore.
 - Add db_procedure install permission from KaiGai Kohei.
 - Add support for network interfaces with access controlled by a Boolean
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index b1387402..bb46175a 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -313,6 +313,60 @@ interface(`corenet_raw_sendrecv_generic_if',`
 corenet_raw_receive_generic_if($1)
 ')
 
+########################################
+##
+## Allow outgoing network traffic on the generic interfaces.
+##
+##
+##
+## The peer label of the outgoing network traffic.
+##
+##
+##
+#
+interface(`corenet_out_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif egress;
+')
+
+########################################
+##
+## Allow incoming traffic on the generic interfaces.
+##
+##
+##
+## The peer label of the incoming network traffic.
+##
+##
+##
+#
+interface(`corenet_in_generic_if',`
+ gen_require(`
+ type netif_t;
+ ')
+
+ allow $1 netif_t:netif ingress;
+')
+
+########################################
+##
+## Allow incoming and outgoing network traffic on the generic interfaces.
+##
+##
+##
+## The peer label of the network traffic.
+##
+##
+##
+#
+interface(`corenet_inout_generic_if',`
+ corenet_in_generic_if($1)
+ corenet_out_generic_if($1)
+')
+
 ########################################
 ##
 ## Send and receive TCP network traffic on all interfaces.
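Review bot: The three new interfaces grant peer access only on the generic `netif_t`; judging from the trailing context line ("Send and receive TCP network traffic on all interfaces") this file appears to pair the legacy generic controls with all-interfaces variants, but no `corenet_in_all_if`/`corenet_out_all_if` is added, so once network_peer_controls is on, a peer label arriving on a policy-labeled (non-generic) interface type has no interface through which to be granted `netif ingress`. The same gap exists in the node hunk later in this patch (`corenet_*_generic_node` with no all-nodes counterpart). These permissions are also only checked by the kernel when the policy capability that this same commit enables is present, which the summaries do not mention; I would add `##	Only enforced when the network_peer_controls policy capability is enabled.` to each of the six summaries. Keeping that dependency visible in the generated documentation matters because a policy that drops the policycap line silently turns these rules into no-ops.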
@@ -608,6 +662,60 @@ interface(`corenet_raw_bind_generic_node',`
 allow $1 node_t:rawip_socket node_bind;
 ')
 
+########################################
+##
+## Allow outgoing network traffic to generic nodes.
+##
+##
+##
+## The peer label of the outgoing network traffic.
+##
+##
+##
+#
+interface(`corenet_out_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node sendto;
+')
+
+########################################
+##
+## Allow incoming network traffic from generic nodes.
+##
+##
+##
+## The peer label of the incoming network traffic.
+##
+##
+##
+#
+interface(`corenet_in_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node recvfrom;
+')
+
+########################################
+##
+## Allow incoming and outgoing network traffic with generic nodes.
+##
+##
+##
+## The peer label of the network traffic.
+##
+##
+##
+#
+interface(`corenet_inout_generic_node',`
+ corenet_in_generic_node($1)
+ corenet_out_generic_node($1)
+')
+
 ########################################
 ##
 ## Send and receive TCP network traffic on all nodes.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 49e3b431..e8fe3769 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.2)
+policy_module(corenetwork, 1.11.3)

 ########################################
 #
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index fce14027..d3d685aa 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel, 1.10.2)
+policy_module(kernel, 1.10.3)

 ########################################
 #
@@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;

-# Forwarded network traffic
+# Allow unlabeled network traffic
 allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+corenet_in_generic_if(unlabeled_t)
+corenet_in_generic_node(unlabeled_t)

 corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 054cfbc3..6f79d90c 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -17,7 +17,7 @@
 # netif: ingress egress
 # peer: recv
 #
-#policycap network_peer_controls;
+policycap network_peer_controls;

 # Enable additional access controls for opening
 # a file (and similar objects).
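Review bot: The added `corenet_in_generic_if(unlabeled_t)` and `corenet_in_generic_node(unlabeled_t)` calls make a peer label, not a socket domain, the subject of the rule, but the rewritten comment `# Allow unlabeled network traffic` does not say why the two lines exist next to the SECMARK `forward_in forward_out` rule; I would extend it to `# With network_peer_controls the unlabeled peer label is the subject of the netif ingress and node recvfrom checks`. Only the inbound direction is granted here: if the kernel also applies `netif egress`/`node sendto` to forwarded unlabeled packets with the unlabeled peer label as subject, `corenet_out_generic_if(unlabeled_t)` and `corenet_out_generic_node(unlabeled_t)` would be needed too, which is worth confirming against the postroute hook rather than relying on the `forward_out` permission alone. The surrounding kernel_t rules continue outside the hunk.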