initial support for packets

2006-05-23 18:31:02 +00:00 · 2006-05-23 18:31:02 +00:00 · e37158e6b9
parent a013b55e3e
commit e37158e6b9
7 changed files with 197 additions and 25 deletions
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@ -1,3 +1,4 @@
+- Add packet object class and support in corenetwork.
 - Add a copy of genhomedircon for monolithic policy building, so that a
  policycoreutils package update is not required for RHEL4 systems.
 - Add appletalk sockets for use in cups.
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@ -328,7 +328,7 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
 	@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
 	@echo "#" >> $@
 	$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
-	$(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
+	$(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
 		| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
 		| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@

--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@ -1329,6 +1329,75 @@ interface(`corenet_sendrecv_unlabeled_packets',`
 	kernel_sendrecv_unlabeled_packets($1)
 ')

+########################################
+## <summary>
+##	Send all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet send;
+')
+
+########################################
+## <summary>
+##	Receive all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive all packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_all_packets',`
+	corenet_send_all_packets($1)
+	corenet_recveive_all_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to any packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_all_packets',`
+	gen_require(`
+		attribute packet_type;
+	')
+
+	allow $1 packet_type:packet relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to network objects.
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@ -18,7 +18,7 @@ define(`create_netif_interfaces',``
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -37,7 +37,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -56,7 +56,7 @@ interface(`corenet_udp_send_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
@ -75,7 +75,7 @@ interface(`corenet_udp_receive_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -91,7 +91,7 @@ interface(`corenet_udp_sendrecv_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -110,7 +110,7 @@ interface(`corenet_raw_send_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
@ -129,7 +129,7 @@ interface(`corenet_raw_receive_$1_if',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -153,7 +153,7 @@ define(`create_node_interfaces',``
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -172,7 +172,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -191,7 +191,7 @@ interface(`corenet_udp_send_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
@ -210,7 +210,7 @@ interface(`corenet_udp_receive_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -226,7 +226,7 @@ interface(`corenet_udp_sendrecv_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -245,7 +245,7 @@ interface(`corenet_raw_send_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -264,7 +264,7 @@ interface(`corenet_raw_receive_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -280,7 +280,7 @@ interface(`corenet_raw_sendrecv_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="none"/>
@ -299,7 +299,7 @@ interface(`corenet_tcp_bind_$1_node',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="none"/>
@ -326,7 +326,7 @@ define(`create_port_interfaces',``
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -345,7 +345,7 @@ interface(`corenet_tcp_sendrecv_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="write" weight="10"/>
@ -364,7 +364,7 @@ interface(`corenet_udp_send_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="read" weight="10"/>
@ -383,7 +383,7 @@ interface(`corenet_udp_receive_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
@ -399,7 +399,7 @@ interface(`corenet_udp_sendrecv_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="none"/>
@ -419,7 +419,7 @@ interface(`corenet_tcp_bind_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <infoflow type="none"/>
@ -439,7 +439,7 @@ interface(`corenet_udp_bind_$1_port',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@ -452,6 +452,80 @@ interface(`corenet_tcp_connect_$1_port',`
 ')
 '') dnl end create_port_interfaces

+define(`create_packet_interfaces',``
+########################################
+## <summary>
+##	Send $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_$1_packets',`
+	gen_require(`
+		type $1_t;
+	')
+
+	allow dollarsone $1_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_$1_packets',`
+	gen_require(`
+		type $1_t;
+	')
+
+	allow dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive $1 packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_$1_packets',`
+	corenet_send_$1_packets(dollarsone)
+	corenet_receive_$1_packets(dollarsone)
+')
+
+########################################
+## <summary>
+##	Relabel packets to $1 the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_$1_packets',`
+	gen_require(`
+		type $1_t;
+	')
+
+	allow dollarsone $1_packet_t:packet relabelto;
+')
+'') dnl end create_port_interfaces
+
 #
 # create_netif_*_interfaces(linux_interfacename)
 #
@ -507,3 +581,11 @@ define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute
 define(`network_port',`
 create_port_type_interfaces($*)
 ')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@ -166,7 +166,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

 ########################################
 #
-# Network Interfaces:
+# Network Interfaces
 #

 #
@ -179,6 +179,15 @@ ifdef(`enable_mls',`
 network_interface(lo, lo,s0 - s15:c0.c255)
 ')

+########################################
+#
+# Network Packets
+#
+
+network_packet(dns)
+network_packet(ldap)
+network_packet(portmap)
+
 ########################################
 #
 # Unconfined access to this module
--- a/refpolicy/policy/modules/kernel/corenetwork.te.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4
@ -62,3 +62,11 @@ define(`network_port',`
 type $1_port_t, port_type;
 declare_ports($1_port_t,shift($*))
 ')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+type $1_client_packet_t, packet_type;
+type $1_server_packet_t, packet_type;
+')
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@ -495,6 +495,7 @@ interface(`sysnet_dns_name_resolve',`
 	corenet_tcp_sendrecv_dns_port($1)
 	corenet_udp_sendrecv_dns_port($1)
 	corenet_tcp_connect_dns_port($1)
+	corenet_sendrecv_dns_client_packets($1)

 	files_search_etc($1)
 	allow $1 net_conf_t:file r_file_perms;
@ -522,6 +523,7 @@ interface(`sysnet_use_ldap',`
 	corenet_tcp_sendrecv_all_nodes($1)
 	corenet_tcp_sendrecv_ldap_port($1)
 	corenet_tcp_connect_ldap_port($1)
+	corenet_sendrecv_ldap_client_packets($1)

 	files_search_etc($1)
 	allow $1 net_conf_t:file r_file_perms;
@ -553,6 +555,7 @@ interface(`sysnet_use_portmap',`
 	corenet_tcp_sendrecv_portmap_port($1)
 	corenet_udp_sendrecv_portmap_port($1)
 	corenet_tcp_connect_portmap_port($1)
+	corenet_sendrecv_portmap_client_packets($1)

 	files_search_etc($1)
 	allow $1 net_conf_t:file r_file_perms;