initial addition of packet policy, allow unconfined to send unlabeled packets.
This commit is contained in:
parent
e126047c73
commit
a013b55e3e
@ -1218,22 +1218,6 @@ interface(`corenet_rw_ppp_dev',`
|
||||
allow $1 ppp_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages on a
|
||||
## non-encrypted (no IPSEC) network
|
||||
## session.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_non_ipsec_sendrecv',`
|
||||
kernel_sendrecv_unlabeled_association($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Bind TCP sockets to all RPC ports.
|
||||
@ -1308,6 +1292,43 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
|
||||
dontaudit $1 rpc_port_type:udp_socket name_bind;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages on a
|
||||
## non-encrypted (no IPSEC) network
|
||||
## session.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_non_ipsec_sendrecv',`
|
||||
kernel_sendrecv_unlabeled_association($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive unlabeled packets.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Send and receive unlabeled packets.
|
||||
## These packets do not match any netfilter
|
||||
## SECMARK rules.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corenet_sendrecv_unlabeled_packets',`
|
||||
kernel_sendrecv_unlabeled_packets($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to network objects.
|
||||
|
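Review bot: The `<desc>` of the new corenet_sendrecv_unlabeled_packets interface says only that the packets match no SECMARK rule, which leaves a caller unable to tell when the permission is actually needed. If I recall the kernel's handling correctly (worth confirming), packet checks are skipped until at least one SECMARK rule is loaded, after which every packet not matched by a rule is checked against unlabeled_t, so a domain lacking this permission loses such traffic only once SECMARK labeling is configured. I would add a second `<p>` along the lines of `## Domains that must keep communicating after SECMARK rules are loaded need this interface; without any SECMARK rules, packet checks are not applied.` The same paragraph belongs in the kernel_sendrecv_unlabeled_packets desc in kernel.if, which this commit adds with identical wording. Minor: the desc paragraph repeats the summary sentence verbatim (`## Send and receive unlabeled packets.` appears twice), so the first line of the `<p>` adds nothing and could go.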
@ -8,6 +8,7 @@ policy_module(corenetwork,1.1.8)
|
||||
|
||||
attribute netif_type;
|
||||
attribute node_type;
|
||||
attribute packet_type;
|
||||
attribute port_type;
|
||||
attribute reserved_port_type;
|
||||
attribute rpc_port_type;
|
||||
@ -174,10 +175,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
|
||||
type netif_t, netif_type;
|
||||
sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
|
||||
|
||||
ifdef(`enable_mls', `
|
||||
ifdef(`enable_mls',`
|
||||
network_interface(lo, lo,s0 - s15:c0.c255)
|
||||
')
|
||||
#network_interface(eth0, eth0,s0)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -186,6 +186,7 @@ network_interface(lo, lo,s0 - s15:c0.c255)
|
||||
|
||||
allow corenet_unconfined_type node_type:node *;
|
||||
allow corenet_unconfined_type netif_type:netif *;
|
||||
allow corenet_unconfined_type packet_type:packet *;
|
||||
allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
|
||||
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
|
||||
|
||||
@ -194,3 +195,4 @@ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
|
||||
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
|
||||
|
||||
corenet_non_ipsec_sendrecv(corenet_unconfined_type)
|
||||
corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)
|
||||
|
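Review bot: `attribute packet_type;` is declared in the first hunk and `allow corenet_unconfined_type packet_type:packet *;` uses it, but no type carrying packet_type appears in any of these hunks, so the rule is a no-op until packet types are declared — presumably in a later commit or a part of the file outside the hunks, which is also why the unlabeled case needs the separate `corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)` call (unlabeled_t is required from the kernel module in kernel.if). A one-line comment next to the attribute would spare the next reader that search: `# SECMARK packet types; unlabeled_t is a kernel type and is handled separately below`. Note also that `*` on the packet class grants every packet permission (relabelto/relabelfrom as well as send/recv, if the class here matches the kernel's definition), which is consistent with the node/netif lines above it but wider than the `{ send recv }` the kernel interface grants; fine for an unconfined attribute, but worth a comment if that is deliberate.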
@ -2049,6 +2049,36 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
||||
allow $1 unlabeled_t:association { sendto recvfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive unlabeled packets.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Send and receive unlabeled packets.
|
||||
## These packets do not match any netfilter
|
||||
## SECMARK rules.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
## corenet_sendrecv_unlabeled_packets() should
|
||||
## be used instead of this one.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_sendrecv_unlabeled_packets',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:packet { send recv };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to kernel module resources.
|
||||
|