add generic packet interfaces, and fix up unconfined handling

2006-05-25 17:01:36 +00:00 · 2006-05-25 17:01:36 +00:00 · c5657a262b
commit c5657a262b
parent e4b30fb010
3 changed files with 72 additions and 5 deletions
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -1308,6 +1308,75 @@ interface(`corenet_non_ipsec_sendrecv',`
 	kernel_sendrecv_unlabeled_association($1)
 ')

+########################################
+## <summary>
+##	Send generic packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_generic_packets',`
+	gen_require(`
+		type packet_t;
+	')
+
+	allow $1 packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive generic packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_generic_packets',`
+	gen_require(`
+		type packet_t;
+	')
+
+	allow $1 packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive generic packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_packets',`
+	corenet_send_generic_packets($1)
+	corenet_recveive_generic_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to the generic packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_packets',`
+	gen_require(`
+		type packet_t;
+	')
+
+	allow $1 packet_t:packet relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive unlabeled packets.
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork,1.1.8)
+policy_module(corenetwork,1.1.9)

 ########################################
 #
@ -198,6 +198,3 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
-
-corenet_non_ipsec_sendrecv(corenet_unconfined_type)
-corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel,1.3.6)
+policy_module(kernel,1.3.7)

 ########################################
 #
@ -351,5 +351,6 @@ allow kern_unconfined kernel_t:system *;
 allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
+allow kern_unconfined unlabeled_t:packet *;

 kernel_rw_all_sysctls(kern_unconfined)