add corenet patch from spencer

This commit is contained in:
Chris PeBenito 2006-01-16 18:48:57 +00:00
parent 44d5d93fb8
commit b7b1d238df
4 changed files with 95 additions and 57 deletions


@ -1,3 +1,8 @@
- Adds support for generating corenetwork interfaces based on attributes
in addition to types.
- Permits the listing of multiple nodes in a network_node() that will be
given the same type.
- Add two new permission sets for stream sockets.
- Rename file type transition interfaces verb from create to - Rename file type transition interfaces verb from create to
filetrans to differentiate it from create interfaces without filetrans to differentiate it from create interfaces without
type transitions. type transitions.


@ -21,12 +21,12 @@ define(`create_netif_interfaces',``
## </param> ## </param>
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
interface(`corenet_tcp_sendrecv_$1',` interface(`corenet_tcp_sendrecv_$1_if',`
gen_require(` gen_require(`
type $1_netif_t; $3 $1_$2;
') ')
allow dollarsone $1_netif_t:netif { tcp_send tcp_recv }; allow dollarsone $1_$2:netif { tcp_send tcp_recv };
') ')
######################################## ########################################
@ -38,12 +38,12 @@ interface(`corenet_tcp_sendrecv_$1',`
## </param> ## </param>
## <infoflow type="write" weight="10"/> ## <infoflow type="write" weight="10"/>
# #
interface(`corenet_udp_send_$1',` interface(`corenet_udp_send_$1_if',`
gen_require(` gen_require(`
type $1_netif_t; $3 $1_$2;
') ')
allow dollarsone $1_netif_t:netif udp_send; allow dollarsone $1_$2:netif udp_send;
') ')
######################################## ########################################
@ -55,12 +55,12 @@ interface(`corenet_udp_send_$1',`
## </param> ## </param>
## <infoflow type="read" weight="10"/> ## <infoflow type="read" weight="10"/>
# #
interface(`corenet_udp_receive_$1',` interface(`corenet_udp_receive_$1_if',`
gen_require(` gen_require(`
type $1_netif_t; $3 $1_$2;
') ')
allow dollarsone $1_netif_t:netif udp_recv; allow dollarsone $1_$2:netif udp_recv;
') ')
######################################## ########################################
@ -72,7 +72,7 @@ interface(`corenet_udp_receive_$1',`
## </param> ## </param>
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
interface(`corenet_udp_sendrecv_$1',` interface(`corenet_udp_sendrecv_$1_if',`
corenet_udp_send_$1(dollarsone) corenet_udp_send_$1(dollarsone)
corenet_udp_receive_$1(dollarsone) corenet_udp_receive_$1(dollarsone)
') ')
@ -86,12 +86,12 @@ interface(`corenet_udp_sendrecv_$1',`
## </param> ## </param>
## <infoflow type="write" weight="10"/> ## <infoflow type="write" weight="10"/>
# #
interface(`corenet_raw_send_$1',` interface(`corenet_raw_send_$1_if',`
gen_require(` gen_require(`
type $1_netif_t; $3 $1_$2;
') ')
allow dollarsone $1_netif_t:netif rawip_send; allow dollarsone $1_$2:netif rawip_send;
# cjp: comment out until raw access is # cjp: comment out until raw access is
# is fixed for network users # is fixed for network users
@ -107,12 +107,12 @@ interface(`corenet_raw_send_$1',`
## </param> ## </param>
## <infoflow type="read" weight="10"/> ## <infoflow type="read" weight="10"/>
# #
interface(`corenet_raw_receive_$1',` interface(`corenet_raw_receive_$1_if',`
gen_require(` gen_require(`
type $1_netif_t; $3 $1_$2;
') ')
allow dollarsone $1_netif_t:netif rawip_recv; allow dollarsone $1_$2:netif rawip_recv;
') ')
######################################## ########################################
@ -124,7 +124,7 @@ interface(`corenet_raw_receive_$1',`
## </param> ## </param>
## <infoflow type="both" weight="10"/> ## <infoflow type="both" weight="10"/>
# #
interface(`corenet_raw_sendrecv_$1',` interface(`corenet_raw_sendrecv_$1_if',`
corenet_raw_send_$1(dollarsone) corenet_raw_send_$1(dollarsone)
corenet_raw_receive_$1(dollarsone) corenet_raw_receive_$1(dollarsone)
') ')
@ -148,10 +148,10 @@ define(`create_node_interfaces',``
# #
interface(`corenet_tcp_sendrecv_$1_node',` interface(`corenet_tcp_sendrecv_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:node { tcp_send tcp_recv }; allow dollarsone $1_$2:node { tcp_send tcp_recv };
') ')
######################################## ########################################
@ -165,10 +165,10 @@ interface(`corenet_tcp_sendrecv_$1_node',`
# #
interface(`corenet_udp_send_$1_node',` interface(`corenet_udp_send_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:node udp_send; allow dollarsone $1_$2:node udp_send;
') ')
######################################## ########################################
@ -182,10 +182,10 @@ interface(`corenet_udp_send_$1_node',`
# #
interface(`corenet_udp_receive_$1_node',` interface(`corenet_udp_receive_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:node udp_recv; allow dollarsone $1_$2:node udp_recv;
') ')
######################################## ########################################
@ -213,10 +213,10 @@ interface(`corenet_udp_sendrecv_$1_node',`
# #
interface(`corenet_raw_send_$1_node',` interface(`corenet_raw_send_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:node rawip_send; allow dollarsone $1_$2:node rawip_send;
') ')
######################################## ########################################
@ -230,10 +230,10 @@ interface(`corenet_raw_send_$1_node',`
# #
interface(`corenet_raw_receive_$1_node',` interface(`corenet_raw_receive_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:node rawip_recv; allow dollarsone $1_$2:node rawip_recv;
') ')
######################################## ########################################
@ -261,10 +261,10 @@ interface(`corenet_raw_sendrecv_$1_node',`
# #
interface(`corenet_tcp_bind_$1_node',` interface(`corenet_tcp_bind_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:tcp_socket node_bind; allow dollarsone $1_$2:tcp_socket node_bind;
') ')
######################################## ########################################
@ -278,10 +278,10 @@ interface(`corenet_tcp_bind_$1_node',`
# #
interface(`corenet_udp_bind_$1_node',` interface(`corenet_udp_bind_$1_node',`
gen_require(` gen_require(`
type $1_node_t; $3 $1_$2;
') ')
allow dollarsone $1_node_t:udp_socket node_bind; allow dollarsone $1_$2:udp_socket node_bind;
') ')
'') dnl end create_node_interfaces '') dnl end create_node_interfaces
@ -303,10 +303,10 @@ define(`create_port_interfaces',``
# #
interface(`corenet_tcp_sendrecv_$1_port',` interface(`corenet_tcp_sendrecv_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg }; allow dollarsone $1_$2:tcp_socket { send_msg recv_msg };
') ')
######################################## ########################################
@ -320,10 +320,10 @@ interface(`corenet_tcp_sendrecv_$1_port',`
# #
interface(`corenet_udp_send_$1_port',` interface(`corenet_udp_send_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:udp_socket send_msg; allow dollarsone $1_$2:udp_socket send_msg;
') ')
######################################## ########################################
@ -337,10 +337,10 @@ interface(`corenet_udp_send_$1_port',`
# #
interface(`corenet_udp_receive_$1_port',` interface(`corenet_udp_receive_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:udp_socket recv_msg; allow dollarsone $1_$2:udp_socket recv_msg;
') ')
######################################## ########################################
@ -368,11 +368,11 @@ interface(`corenet_udp_sendrecv_$1_port',`
# #
interface(`corenet_tcp_bind_$1_port',` interface(`corenet_tcp_bind_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:tcp_socket name_bind; allow dollarsone $1_$2:tcp_socket name_bind;
$2 $4
') ')
######################################## ########################################
@ -386,11 +386,11 @@ interface(`corenet_tcp_bind_$1_port',`
# #
interface(`corenet_udp_bind_$1_port',` interface(`corenet_udp_bind_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:udp_socket name_bind; allow dollarsone $1_$2:udp_socket name_bind;
$2 $4
') ')
######################################## ########################################
@ -403,43 +403,65 @@ interface(`corenet_udp_bind_$1_port',`
# #
interface(`corenet_tcp_connect_$1_port',` interface(`corenet_tcp_connect_$1_port',`
gen_require(` gen_require(`
type $1_port_t; $3 $1_$2;
') ')
allow dollarsone $1_port_t:tcp_socket name_connect; allow dollarsone $1_$2:tcp_socket name_connect;
') ')
'') dnl end create_port_interfaces '') dnl end create_port_interfaces
#
# create_netif_*_interfaces(linux_interfacename)
#
define(`create_netif_type_interfaces',`
create_netif_interfaces($1,netif_t,type)
')
define(`create_netif_attrib_interfaces',`
create_netif_interfaces($1,netif,attribute)
')
# #
# network_interface(linux_interfacename,mls_sensitivity) # network_interface(linux_interfacename,mls_sensitivity)
# #
define(`network_interface',` define(`network_interface',`
create_netif_interfaces($1) create_netif_type_interfaces($1)
')
#
# create_node_*_interfaces(node_name)
#
define(`create_node_type_interfaces',`
create_node_interfaces($1,node_t,type)
')
define(`create_node_attrib_interfaces',`
create_node_interfaces($1,node,attribute)
') ')
# #
# network_node(node_name,mls_sensitivity,address,netmask) # network_node(node_name,mls_sensitivity,address,netmask)
# #
define(`network_node',` define(`network_node',`
create_node_interfaces($1) create_node_type_interfaces($1)
') ')
# These next three macros have formatting, and should not me indented # These next three macros have formatting, and should not me indented
define(`determine_reserved_capability',`dnl define(`determine_reserved_capability',`dnl
ifelse($2,`',`',`dnl
ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse determine_reserved_capability(shiftn(3,$*))dnl
')dnl end inner ifelse
')dnl end outer ifelse ')dnl end outer ifelse
') dnl end determine reserved capability ') dnl end determine reserved capability
define(`declare_ports',`dnl #
ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl') # create_port_*_interfaces(port_name, protocol,portnum,mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
portcon $2 $3 gen_context(system_u:object_r:$1,$4) # (these wrap create_port_interfaces to handle attributes and types)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl define(`create_port_type_interfaces',`create_port_interfaces($1,port_t,type,determine_reserved_capability(shift($*)))')
') define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute,determine_reserved_capability(shift($*)))')
# #
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) # network_port(port_name,protocol portnum mls_sensitivity [,protocol,portnum,mls_sensitivity[,...]])
# #
define(`network_port',` define(`network_port',`
create_port_interfaces($1,determine_reserved_capability(shift($*))) create_port_type_interfaces($*)
') ')
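Review bot: The `corenet_udp_sendrecv_$1_if` and `corenet_raw_sendrecv_$1_if` wrappers still call the pre-rename names — `corenet_udp_send_$1(dollarsone)` / `corenet_udp_receive_$1(dollarsone)` and the matching raw pair — while the interfaces they depend on are now generated as `corenet_udp_send_$1_if` and friends, so for every network_interface() these two generated interfaces expand to calls of interfaces this file no longer defines and the build should fail at the first module that uses them. The bodies should read `corenet_udp_send_$1_if(dollarsone)` and `corenet_udp_receive_$1_if(dollarsone)`, and likewise `corenet_raw_send_$1_if` / `corenet_raw_receive_$1_if`. Separately, adding the `_if` suffix renames every netif interface that existing modules call, which the Changelog entry in this commit does not mention; a one-line note there (or keeping the old names as deprecated aliases for one release) would spare callers a silent breakage. The enclosing `create_netif_interfaces` definition starts before this section's first hunk, so the node and port sendrecv wrappers whose bodies are not shown here should be checked for the same stale calls.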


@ -19,12 +19,17 @@ type $1_netif_t alias netif_$1_t, netif_type;
declare_netifs($1_netif_t,shift($*)) declare_netifs($1_netif_t,shift($*))
') ')
define(`declare_nodes',`dnl
nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
')
# #
# network_node(node_name,mls_sensitivity,address,netmask) # network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])
# #
define(`network_node',` define(`network_node',`
type $1_node_t alias node_$1_t, node_type; type $1_node_t alias node_$1_t, node_type;
nodecon $3 $4 gen_context(system_u:object_r:$1_node_t,$2) declare_nodes($1_node_t,shift($*))
') ')
# These next three macros have formatting, and should not me indented # These next three macros have formatting, and should not me indented
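Review bot: The new `declare_nodes` helper carries no comment, and its recursion stops only on an empty `$5`, so a call with an incomplete trailing triple (a sensitivity and address but no netmask) emits a `nodecon` with an empty netmask field and leaves checkpolicy to report a confusing syntax error rather than failing at the macro. A header such as `# declare_nodes(type, mls_sensitivity, address, netmask [, mls_sensitivity, address, netmask, ...]) -- one nodecon per triple, all labeled with the given type` would document the contract, and the `network_node` comment could state that every listed address shares one node type and therefore one set of access rules. That grouping is presumably the intent behind the Changelog's "given the same type", but it is the point a policy author needs to see where the macro is used. The hunk begins mid-file, so the sibling macros above `declare_netifs` are not visible here.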


@ -218,6 +218,12 @@ define(`manage_file_perms',`{ create getattr setattr read write append rename li
# #
define(`rw_term_perms', `{ getattr read write ioctl }') define(`rw_term_perms', `{ getattr read write ioctl }')
#
# Sockets
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
######################################## ########################################
# #
# Expand object class set macros. # Expand object class set macros.
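Review bot: The new `client_stream_socket_perms` set includes `bind` but has no comment on what a "client" stream socket is expected to do, and `bind` is not something every connecting client needs (it pins a source port or names a Unix-domain socket), so modules that adopt this set for ordinary clients will carry a permission most of them never exercise. If `bind` is included deliberately, a comment saying so — and noting that `connect` is absent so callers grant it explicitly next to their port `name_connect` rule — would keep the set from being widened further; something like `# generic stream socket use without listen/accept; bind is for sockets that name themselves, connect is granted by the caller`. I am inferring the reason for `connect`'s absence from the set itself, so confirm that before writing it down. The two new definitions sit under a bare `# Sockets` heading, unlike the documented sets above them in this file.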