trunk: Enable network_peer_controls policy capability from Paul Moore.

This commit is contained in:
Chris PeBenito 2009-02-03 15:45:30 +00:00
parent 805f34ed09
commit 7722c29e88
5 changed files with 115 additions and 4 deletions


@ -1,3 +1,4 @@
- Enable network_peer_controls policy capability from Paul Moore.
- Btrfs xattr support from Paul Moore. - Btrfs xattr support from Paul Moore.
- Add db_procedure install permission from KaiGai Kohei. - Add db_procedure install permission from KaiGai Kohei.
- Add support for network interfaces with access controlled by a Boolean - Add support for network interfaces with access controlled by a Boolean


@ -313,6 +313,60 @@ interface(`corenet_raw_sendrecv_generic_if',`
corenet_raw_receive_generic_if($1) corenet_raw_receive_generic_if($1)
') ')
########################################
## <summary>
## Allow outgoing network traffic on the generic interfaces.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the outgoing network traffic.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_out_generic_if',`
gen_require(`
type netif_t;
')
allow $1 netif_t:netif egress;
')
########################################
## <summary>
## Allow incoming traffic on the generic interfaces.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the incoming network traffic.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_in_generic_if',`
gen_require(`
type netif_t;
')
allow $1 netif_t:netif ingress;
')
########################################
## <summary>
## Allow incoming and outgoing network traffic on the generic interfaces.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the network traffic.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_inout_generic_if',`
corenet_in_generic_if($1)
corenet_out_generic_if($1)
')
######################################## ########################################
## <summary> ## <summary>
## Send and receive TCP network traffic on all interfaces. ## Send and receive TCP network traffic on all interfaces.
@ -608,6 +662,60 @@ interface(`corenet_raw_bind_generic_node',`
allow $1 node_t:rawip_socket node_bind; allow $1 node_t:rawip_socket node_bind;
') ')
########################################
## <summary>
## Allow outgoing network traffic to generic nodes.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the outgoing network traffic.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_out_generic_node',`
gen_require(`
type node_t;
')
allow $1 node_t:node sendto;
')
########################################
## <summary>
## Allow incoming network traffic from generic nodes.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the incoming network traffic.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_in_generic_node',`
gen_require(`
type node_t;
')
allow $1 node_t:node recvfrom;
')
########################################
## <summary>
## Allow incoming and outgoing network traffic with generic nodes.
## </summary>
## <param name="domain">
## <summary>
## The peer label of the network traffic.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_inout_generic_node',`
corenet_in_generic_node($1)
corenet_out_generic_node($1)
')
######################################## ########################################
## <summary> ## <summary>
## Send and receive TCP network traffic on all nodes. ## Send and receive TCP network traffic on all nodes.
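Review bot: The six new interfaces (corenet_out/in/inout_generic_if and _node) document neither that `$1` is a packet peer label rather than a process domain, nor that the `netif { ingress egress }` and `node { sendto recvfrom }` permissions they grant are only checked once the network_peer_controls policy capability is enabled (which this commit does in policy_capabilities); without that, a reader will reach for them as a replacement for the socket-on-netif/node sendrecv interfaces above. I would add a `## <desc>` block to each, e.g. `## <p>Only enforced when the network_peer_controls policy capability is enabled; $1 is the peer label of the packet (e.g. unlabeled_t), not a process domain.</p>`, and, for the inout variants, note that they are pure wrappers over the in/out interfaces. As a point of style, the `<summary>` of corenet_in_generic_if reads "Allow incoming traffic" while its five siblings say "incoming network traffic"; aligning the wording keeps the generated interface index consistent. The second hunk of this file duplicates the same documentation gap for the node variants, so one fix covers both.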


@ -1,5 +1,5 @@
policy_module(corenetwork, 1.11.2) policy_module(corenetwork, 1.11.3)
######################################## ########################################
# #


@ -1,5 +1,5 @@
policy_module(kernel, 1.10.2) policy_module(kernel, 1.10.3)
######################################## ########################################
# #
@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels: # connections with invalidated labels:
allow kernel_t unlabeled_t:packet send; allow kernel_t unlabeled_t:packet send;
# Forwarded network traffic # Allow unlabeled network traffic
allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
corenet_all_recvfrom_unlabeled(kernel_t) corenet_all_recvfrom_unlabeled(kernel_t)
corenet_all_recvfrom_netlabel(kernel_t) corenet_all_recvfrom_netlabel(kernel_t)
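Review bot: The rewritten comment `# Allow unlabeled network traffic` is broader than the rules beneath it: the two new calls grant unlabeled_t only netif ingress and node recvfrom on the generic interface and node types, nothing for egress or sendto, and the forward_in/forward_out rule the old comment described is still there. Since these rules decide, policy-wide, which unlabeled packets (presumably those carrying no NetLabel or IPsec label) may enter the host once network_peer_controls is on, the comment should state that scope, e.g. `# Unlabeled packets may enter and be forwarded via the generic interface/node types; no egress or sendto is granted here`. It is also worth recording that deployments wanting to refuse unlabeled traffic on a particular interface need to give that interface its own netif type rather than the generic netif_t, if I read the per-interface types corenetwork defines correctly.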


@ -17,7 +17,7 @@
# netif: ingress egress # netif: ingress egress
# peer: recv # peer: recv
# #
#policycap network_peer_controls; policycap network_peer_controls;
# Enable additional access controls for opening # Enable additional access controls for opening
# a file (and similar objects). # a file (and similar objects).
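Review bot: Uncommenting `policycap network_peer_controls;` switches the kernel from the legacy socket-on-netif/node checks to the checks listed in the comment above it (netif ingress/egress, node sendto/recvfrom, peer recv), so every peer label that delivers inbound traffic now needs netif ingress and node recvfrom on the interface and node types it arrives through. The kernel.te hunk in this commit grants those to unlabeled_t, but per the diffstat corenetwork.te only changes its version, and I cannot see whether the labeled peer types (netlabel_peer_t and the IPsec peers referenced by corenet_all_recvfrom_netlabel) receive the same grants elsewhere; if they do not, labeled inbound traffic will start being denied at the interface/node check the moment this policy is loaded, which is worth confirming before merging. A comment next to the statement recording that dependency, e.g. `# Requires ingress/recvfrom rules for every peer type (see corenet_in_generic_*) and a kernel that honours policy capabilities`, would make the prerequisite visible to anyone toggling it later.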