From a013b55e3ef610adff91212f3922ea6d850b75cc Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 22 May 2006 20:47:05 +0000
Subject: [PATCH] initial addition of packet policy, allow unconfined to send unlabeled packets.
---
 .../policy/modules/kernel/corenetwork.if.in | 53 +++++++++++++------
 .../policy/modules/kernel/corenetwork.te.in | 6 ++-
 refpolicy/policy/modules/kernel/kernel.if | 30 +++++++++++
 3 files changed, 71 insertions(+), 18 deletions(-)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 249e5e7b..86b525ed 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1218,22 +1218,6 @@ interface(`corenet_rw_ppp_dev',`
 allow $1 ppp_device_t:chr_file rw_file_perms;
 ')
-########################################
-##
-## Send and receive messages on a
-## non-encrypted (no IPSEC) network
-## session.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`corenet_non_ipsec_sendrecv',`
- kernel_sendrecv_unlabeled_association($1)
-')
-
 ########################################
 ##
 ## Bind TCP sockets to all RPC ports.
@@ -1308,6 +1292,43 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
+########################################
+##
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_non_ipsec_sendrecv',`
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+##
+## Send and receive unlabeled packets.
+##
+##

+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`corenet_sendrecv_unlabeled_packets',` + kernel_sendrecv_unlabeled_packets($1) +') + ######################################## ## ## Unconfined access to network objects. diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index 21094d12..d4265394 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in @@ -8,6 +8,7 @@ policy_module(corenetwork,1.1.8) attribute netif_type; attribute node_type; +attribute packet_type; attribute port_type; attribute reserved_port_type; attribute rpc_port_type; @@ -174,10 +175,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) type netif_t, netif_type; sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255) -ifdef(`enable_mls', ` +ifdef(`enable_mls',` network_interface(lo, lo,s0 - s15:c0.c255) ') -#network_interface(eth0, eth0,s0) ######################################## # @@ -186,6 +186,7 @@ network_interface(lo, lo,s0 - s15:c0.c255) allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; +allow corenet_unconfined_type packet_type:packet *; allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; @@ -194,3 +195,4 @@ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind; corenet_non_ipsec_sendrecv(corenet_unconfined_type) +corenet_sendrecv_unlabeled_packets(corenet_unconfined_type) diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 47edcf8b..599d8b86 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if 
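Review bot: The description of the new corenet_sendrecv_unlabeled_packets() interface should spell out how broad the grant is in practice: by the interface's own wording, unlabeled packets are those matching no netfilter SECMARK rule, so on a system that loads no SECMARK rules at all every packet is unlabeled and this single interface covers all of the domain's packet traffic. Suggest adding after `## SECMARK rules.` the lines `## On a system with no SECMARK rules loaded,` `## every packet is unlabeled, so this grants` `## all packet send/receive for the domain.`. Unlike the RPC port interfaces just above in this hunk, no dontaudit counterpart is added, so callers that want to silence packet denials once SECMARK labeling is deployed have no interface to use; that may be acceptable for an initial addition but is worth a note in the commit or the interface comment. The relocated corenet_non_ipsec_sendrecv block appears to be an unchanged move.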
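Review bot: The new rule `allow corenet_unconfined_type packet_type:packet *;` in corenetwork.te.in follows the node/netif wildcard lines directly above it, but the `*` means the unconfined attribute receives every permission the packet class defines beyond send and recv, and any permission added to the class later is granted silently, whereas the kernel interface added in this same commit grants only `{ send recv }`; if that breadth is intended it is worth stating on the line. Nothing visible in this patch adds a type to the newly declared `packet_type` attribute, so the rule appears to be a placeholder until labeled packet types exist, and unlabeled_t is presumably a kernel-module type rather than a member of packet_type, which is why the separate `corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)` call in the last hunk is needed. A comment such as `# packet_type has no members yet; unlabeled packets are granted via corenet_sendrecv_unlabeled_packets() below` would make that relationship clear to the next reader. The same file also drops the commented-out `#network_interface(eth0, eth0,s0)` line and retouches the `ifdef(`enable_mls',`` spacing, unrelated cleanups that the subject line does not mention.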
@@ -2049,6 +2049,36 @@ interface(`kernel_sendrecv_unlabeled_association',`
 allow $1 unlabeled_t:association { sendto recvfrom };
 ')
+########################################
+##
+## Send and receive unlabeled packets.
+##
+##
+##

+## Send and receive unlabeled packets.
+## These packets do not match any netfilter
+## SECMARK rules.
+##

+##

+## The corenetwork interface
+## corenet_sendrecv_unlabeled_packets() should
+## be used instead of this one.
+##

+##
+## +## +## Domain allowed access. +## +## +# +interface(`kernel_sendrecv_unlabeled_packets',` + gen_require(` + type unlabeled_t; + ') + + allow $1 unlabeled_t:packet { send recv }; +') + ######################################## ## ## Unconfined access to kernel module resources.
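Review bot: `allow $1 unlabeled_t:packet { send recv };` is the whole grant of kernel_sendrecv_unlabeled_packets(), and the description should state how broad it is in practice: unlabeled_t is the label of any packet that no SECMARK rule matches, so until labeled packet types are deployed, and on any system without SECMARK rules at all, this interface allows all of the domain's packet traffic. Suggest appending to the second paragraph of the description the lines `## On a system with no SECMARK rules, every` `## packet is unlabeled, so this effectively` `## allows all packet traffic for the domain.`. The gen_require only pulls in `type unlabeled_t;` while the `packet` object class itself is not declared anywhere in this patch, so presumably the flask class definitions already contain it; worth confirming, since the policy will not build otherwise. The description already points callers at corenet_sendrecv_unlabeled_packets(), which mirrors how the neighbouring kernel_sendrecv_unlabeled_association() is wrapped by corenet_non_ipsec_sendrecv(); keeping that pairing documented in both files will help when labeled packet interfaces are added later.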