initial support for packets

Chris PeBenito 2006-05-23 18:31:02 +00:00
parent a013b55e3e
commit e37158e6b9
7 changed files with 197 additions and 25 deletions


@ -1,3 +1,4 @@
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.


@ -328,7 +328,7 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
$(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
$(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@


@ -1329,6 +1329,75 @@ interface(`corenet_sendrecv_unlabeled_packets',`
kernel_sendrecv_unlabeled_packets($1)
')
########################################
## <summary>
## Send all packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_all_packets',`
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet send;
')
########################################
## <summary>
## Receive all packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_all_packets',`
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet recv;
')
########################################
## <summary>
## Send and receive all packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_all_packets',`
corenet_send_all_packets($1)
corenet_recveive_all_packets($1)
')
########################################
## <summary>
## Relabel packets to any packet type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_all_packets',`
gen_require(`
attribute packet_type;
')
allow $1 packet_type:packet relabelto;
')
########################################
## <summary>
## Unconfined access to network objects.
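Review bot: `corenet_sendrecv_all_packets` calls `corenet_recveive_all_packets($1)`, which does not exist — the interface defined just above it is `corenet_receive_all_packets`, so any module that uses the sendrecv wrapper will fail to build once m4 leaves the misspelled name unexpanded; the line should read `corenet_receive_all_packets($1)`. The per-type packet interfaces generated in corenetwork.if.m4 carry `<infoflow>` tags while these four `*_all_packets` interfaces do not; for consistency add `## <infoflow type="write" weight="10"/>` to send, `read` to receive and `both` to sendrecv. Note also that `corenet_relabelto_all_packets` hands out relabelto over every packet type, which presumably is the permission checked when packet labels are assigned; its summary should warn that it is meant for the domain that installs packet-labeling rules, not for ordinary network clients.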


@ -18,7 +18,7 @@ define(`create_netif_interfaces',``
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -37,7 +37,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -56,7 +56,7 @@ interface(`corenet_udp_send_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
@ -75,7 +75,7 @@ interface(`corenet_udp_receive_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -91,7 +91,7 @@ interface(`corenet_udp_sendrecv_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -110,7 +110,7 @@ interface(`corenet_raw_send_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
@ -129,7 +129,7 @@ interface(`corenet_raw_receive_$1_if',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -153,7 +153,7 @@ define(`create_node_interfaces',``
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -172,7 +172,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -191,7 +191,7 @@ interface(`corenet_udp_send_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
@ -210,7 +210,7 @@ interface(`corenet_udp_receive_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -226,7 +226,7 @@ interface(`corenet_udp_sendrecv_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -245,7 +245,7 @@ interface(`corenet_raw_send_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -264,7 +264,7 @@ interface(`corenet_raw_receive_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -280,7 +280,7 @@ interface(`corenet_raw_sendrecv_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
@ -299,7 +299,7 @@ interface(`corenet_tcp_bind_$1_node',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
@ -326,7 +326,7 @@ define(`create_port_interfaces',``
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -345,7 +345,7 @@ interface(`corenet_tcp_sendrecv_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
@ -364,7 +364,7 @@ interface(`corenet_udp_send_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
@ -383,7 +383,7 @@ interface(`corenet_udp_receive_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
@ -399,7 +399,7 @@ interface(`corenet_udp_sendrecv_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
@ -419,7 +419,7 @@ interface(`corenet_tcp_bind_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
@ -439,7 +439,7 @@ interface(`corenet_udp_bind_$1_port',`
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## Domain allowed access.
## </summary>
## </param>
#
@ -452,6 +452,80 @@ interface(`corenet_tcp_connect_$1_port',`
')
'') dnl end create_port_interfaces
define(`create_packet_interfaces',``
########################################
## <summary>
## Send $1 packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_send_$1_packets',`
gen_require(`
type $1_t;
')
allow dollarsone $1_packet_t:packet send;
')
########################################
## <summary>
## Receive $1 packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_receive_$1_packets',`
gen_require(`
type $1_t;
')
allow dollarsone $1_packet_t:packet recv;
')
########################################
## <summary>
## Send and receive $1 packets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_sendrecv_$1_packets',`
corenet_send_$1_packets(dollarsone)
corenet_receive_$1_packets(dollarsone)
')
########################################
## <summary>
## Relabel packets to $1 the packet type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_$1_packets',`
gen_require(`
type $1_t;
')
allow dollarsone $1_packet_t:packet relabelto;
')
'') dnl end create_port_interfaces
#
# create_netif_*_interfaces(linux_interfacename)
#
@ -507,3 +581,11 @@ define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute
define(`network_port',`
create_port_type_interfaces($*)
')
#
# network_packet(packet_name)
#
define(`network_packet',`
create_packet_interfaces($1_client)
create_packet_interfaces($1_server)
')
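Review bot: The three `gen_require` blocks in `create_packet_interfaces` require `type $1_t;` while the allow rules they guard use `$1_packet_t` — with `network_packet(dns)` this expands to a require on a nonexistent `dns_client_t` rather than the `dns_client_packet_t` that corenetwork.te.m4 declares, so every generated `corenet_*_dns_client_packets` interface (and the sysnetwork.if callers added in this commit) would fail on the missing type. Each of the three should read `type $1_packet_t;`. Two smaller leftovers in the same hunk: the closing `'') dnl end create_port_interfaces` after the new macro is a copy-paste and should say `create_packet_interfaces`, and the relabelto summary `Relabel packets to $1 the packet type.` reads better as `Relabel packets to the $1 packet type.`.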


@ -166,7 +166,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
########################################
#
# Network Interfaces:
# Network Interfaces
#
#
@ -179,6 +179,15 @@ ifdef(`enable_mls',`
network_interface(lo, lo,s0 - s15:c0.c255)
')
########################################
#
# Network Packets
#
network_packet(dns)
network_packet(ldap)
network_packet(portmap)
########################################
#
# Unconfined access to this module
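Review bot: The new `network_packet(dns)`, `network_packet(ldap)` and `network_packet(portmap)` lines say nothing about what they declare or when the resulting types take effect. Per the `network_packet` macro in corenetwork.te.m4 each call declares a client/server pair (`dns_client_packet_t`, `dns_server_packet_t`), and nothing in this commit assigns those labels to traffic — presumably that is left to packet-labeling (SECMARK) rules configured outside the policy, which is worth confirming and stating. A two-line comment under the `# Network Packets` header would save the next reader the search, e.g. `# network_packet(name) declares name_client_packet_t and name_server_packet_t;` / `# packets carry these labels only once something (e.g. SECMARK rules) assigns them.`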


@ -62,3 +62,11 @@ define(`network_port',`
type $1_port_t, port_type;
declare_ports($1_port_t,shift($*))
')
#
# network_packet(packet_name)
#
define(`network_packet',`
type $1_client_packet_t, packet_type;
type $1_server_packet_t, packet_type;
')
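Review bot: Both new types are declared with the `packet_type` attribute, but no hunk in this commit declares `attribute packet_type;`, and the `corenet_*_all_packets` interfaces added to corenetwork.if.in `gen_require` it. If the attribute is not already declared in corenetwork.te.in (not visible here), add `attribute packet_type;` next to the other network attributes; if it is, a one-line comment here such as `# packet_type is declared in corenetwork.te.in` would make the dependency explicit. The macro header could also state that `$1` is the bare service name used by `network_port` above, so that `network_packet(dns)` is understood to pair with `dns_port_t`.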


@ -495,6 +495,7 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
@ -522,6 +523,7 @@ interface(`sysnet_use_ldap',`
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
@ -553,6 +555,7 @@ interface(`sysnet_use_portmap',`
corenet_tcp_sendrecv_portmap_port($1)
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;