diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 4b47d23e..15cb3282 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1308,6 +1308,75 @@ interface(`corenet_non_ipsec_sendrecv',`
 kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+##
+## Send generic packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_send_generic_packets',`
+ gen_require(`
+ type packet_t;
+ ')
+
+ allow $1 packet_t:packet send;
+')
+
+########################################
+##
+## Receive generic packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_receive_generic_packets',`
+ gen_require(`
+ type packet_t;
+ ')
+
+ allow $1 packet_t:packet recv;
+')
+
+########################################
+##
+## Send and receive generic packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_sendrecv_generic_packets',`
+ corenet_send_generic_packets($1)
+ corenet_recveive_generic_packets($1)
+')
+
+########################################
+##
+## Relabel packets to the generic packet type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_relabelto_generic_packets',`
+ gen_require(`
+ type packet_t;
+ ')
+
+ allow $1 packet_t:packet relabelto;
+')
+
 ########################################
 ##
 ## Send and receive unlabeled packets.
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 34e031c9..cba356f0 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.8)
+policy_module(corenetwork,1.1.9)
 
 ########################################
 #
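Review bot: `corenet_sendrecv_generic_packets` calls `corenet_recveive_generic_packets($1)`, but the interface defined just above it in this hunk is `corenet_receive_generic_packets`, so the second call names a macro that does not exist. m4 leaves an undefined name in place as literal text, so I would expect any module that uses the sendrecv interface to hit a policy syntax error instead of getting the `recv` permission; building a module that calls it would confirm this. The line should read `corenet_receive_generic_packets($1)`.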
@@ -198,6 +198,3 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
-
-corenet_non_ipsec_sendrecv(corenet_unconfined_type)
-corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 97ecfba6..41bbc8d7 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.6)
+policy_module(kernel,1.3.7)
 
 ########################################
 #
@@ -351,5 +351,6 @@ allow kern_unconfined kernel_t:system *;
 allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
+allow kern_unconfined unlabeled_t:packet *;
 
 kernel_rw_all_sysctls(kern_unconfined)
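Review bot: `allow kern_unconfined unlabeled_t:packet *;` in the kernel.te hunk grants every permission in the packet class, which going by the interfaces added in corenetwork.if.in covers `relabelto` as well as `send` and `recv`, and the wildcard will also pick up any permission added to the class later. It appears to stand in for the `corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)` call dropped from corenetwork.te.in, but it is attached to a different attribute, so a domain holding corenet_unconfined_type without kern_unconfined would lose unlabeled packet access; the attribute assignments are outside this diff and need checking. A comment above the rule would record the intent, for example `# Unconfined kernel access to unlabeled packets; replaces the corenet_unconfined_type calls removed from corenetwork.` The run of kern_unconfined rules starts above the hunk.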