From e37158e6b98dcdd9e3972003ee96ea91ce7eb73f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 23 May 2006 18:31:02 +0000 Subject: [PATCH] initial support for packets --- refpolicy/Changelog | 1 + refpolicy/Makefile | 2 +- .../policy/modules/kernel/corenetwork.if.in | 69 ++++++++++ .../policy/modules/kernel/corenetwork.if.m4 | 128 ++++++++++++++---- .../policy/modules/kernel/corenetwork.te.in | 11 +- .../policy/modules/kernel/corenetwork.te.m4 | 8 ++ refpolicy/policy/modules/system/sysnetwork.if | 3 + 7 files changed, 197 insertions(+), 25 deletions(-) diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 8ee82dee..926a9e3a 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -1,3 +1,4 @@ +- Add packet object class and support in corenetwork. - Add a copy of genhomedircon for monolithic policy building, so that a policycoreutils package update is not required for RHEL4 systems. - Add appletalk sockets for use in cups. diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 951ff40c..ae361118 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -328,7 +328,7 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ $(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@ - $(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ + $(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \ | m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in index 86b525ed..4b47d23e 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in 
@@ -1329,6 +1329,75 @@ interface(`corenet_sendrecv_unlabeled_packets',` kernel_sendrecv_unlabeled_packets($1) ') +######################################## +## +## Send all packets. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_send_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet send; +') + +######################################## +## +## Receive all packets. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_receive_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet recv; +') + +######################################## +## +## Send and receive all packets. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sendrecv_all_packets',` + corenet_send_all_packets($1) + corenet_recveive_all_packets($1) +') + +######################################## +## +## Relabel packets to any packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_all_packets',` + gen_require(` + attribute packet_type; + ') + + allow $1 packet_type:packet relabelto; +') + ######################################## ## ## Unconfined access to network objects. diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index 0e6608a3..a5612bd5 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 @@ -18,7 +18,7 @@ define(`create_netif_interfaces',`` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -37,7 +37,7 @@ interface(`corenet_tcp_sendrecv_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -56,7 +56,7 @@ interface(`corenet_udp_send_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## 
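Review bot: `corenet_sendrecv_all_packets` calls `corenet_recveive_all_packets($1)`, a misspelling of the `corenet_receive_all_packets` interface defined directly above it, so the interface has no definition to expand and any module that calls `corenet_sendrecv_all_packets` will fail at policy build time. Change the line to `corenet_receive_all_packets($1)`. Since all four new interfaces grant access across every packet type through the `packet_type` attribute, each one is worth a short note that it is intended for unconfined or administrative domains rather than ordinary service domains, for example `## Intended for unconfined domains; confined domains should use the per-type corenet_sendrecv_*_packets interfaces.` inside the summary.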
@@ -75,7 +75,7 @@ interface(`corenet_udp_receive_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -91,7 +91,7 @@ interface(`corenet_udp_sendrecv_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -110,7 +110,7 @@ interface(`corenet_raw_send_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -129,7 +129,7 @@ interface(`corenet_raw_receive_$1_if',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -153,7 +153,7 @@ define(`create_node_interfaces',`` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -172,7 +172,7 @@ interface(`corenet_tcp_sendrecv_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -191,7 +191,7 @@ interface(`corenet_udp_send_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -210,7 +210,7 @@ interface(`corenet_udp_receive_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -226,7 +226,7 @@ interface(`corenet_udp_sendrecv_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -245,7 +245,7 @@ interface(`corenet_raw_send_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -264,7 +264,7 @@ interface(`corenet_raw_receive_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -280,7 +280,7 @@ interface(`corenet_raw_sendrecv_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## 
@@ -299,7 +299,7 @@ interface(`corenet_tcp_bind_$1_node',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -326,7 +326,7 @@ define(`create_port_interfaces',`` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -345,7 +345,7 @@ interface(`corenet_tcp_sendrecv_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -364,7 +364,7 @@ interface(`corenet_udp_send_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -383,7 +383,7 @@ interface(`corenet_udp_receive_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -399,7 +399,7 @@ interface(`corenet_udp_sendrecv_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -419,7 +419,7 @@ interface(`corenet_tcp_bind_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -439,7 +439,7 @@ interface(`corenet_udp_bind_$1_port',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -452,6 +452,80 @@ interface(`corenet_tcp_connect_$1_port',` ') '') dnl end create_port_interfaces +define(`create_packet_interfaces',`` +######################################## +## +## Send $1 packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_$1_packets',` + gen_require(` + type $1_t; + ') + + allow dollarsone $1_packet_t:packet send; +') + +######################################## +## +## Receive $1 packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_$1_packets',` + gen_require(` + type $1_t; + ') + + allow dollarsone $1_packet_t:packet recv; +') + +######################################## +## +## Send and receive $1 packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_$1_packets',` + corenet_send_$1_packets(dollarsone) + corenet_receive_$1_packets(dollarsone) +') + +######################################## +## +## Relabel packets to $1 the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_$1_packets',` + gen_require(` + type $1_t; + ') + + allow dollarsone $1_packet_t:packet relabelto; +') +'') dnl end create_port_interfaces + # # create_netif_*_interfaces(linux_interfacename) # @@ -507,3 +581,11 @@ define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute define(`network_port',` create_port_type_interfaces($*) ') + +# +# network_packet(packet_name) +# +define(`network_packet',` +create_packet_interfaces($1_client) +create_packet_interfaces($1_server) +') diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in index d4265394..be2e87e5 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in 
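Review bot: The three `gen_require` blocks in `create_packet_interfaces` require `type $1_t;` but the rules beneath them use `$1_packet_t`, and the `network_packet` macro added to corenetwork.te.m4 in this patch only declares `$1_client_packet_t` and `$1_server_packet_t`; for `network_packet(dns)` the generated `corenet_send_dns_client_packets` therefore requires a non-existent `dns_client_t` and never requires `dns_client_packet_t`, which will fail to link in a modular build. Change each of the three lines to `type $1_packet_t;`. Two copy-paste leftovers in the same block: the closing `'') dnl end create_port_interfaces` should read `'') dnl end create_packet_interfaces`, and the relabel summary should read `## Relabel packets to the $1 packet type.`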
@@ -166,7 +166,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) ######################################## # -# Network Interfaces: +# Network Interfaces # # @@ -179,6 +179,15 @@ ifdef(`enable_mls',` network_interface(lo, lo,s0 - s15:c0.c255) ') +######################################## +# +# Network Packets +# + +network_packet(dns) +network_packet(ldap) +network_packet(portmap) + ######################################## # # Unconfined access to this module diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4 index 66658961..65bb8479 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4 @@ -62,3 +62,11 @@ define(`network_port',` type $1_port_t, port_type; declare_ports($1_port_t,shift($*)) ') + +# +# network_packet(packet_name) +# +define(`network_packet',` +type $1_client_packet_t, packet_type; +type $1_server_packet_t, packet_type; +') diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index a4c4fefb..be11fc06 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -495,6 +495,7 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) + corenet_sendrecv_dns_client_packets($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; @@ -522,6 +523,7 @@ interface(`sysnet_use_ldap',` corenet_tcp_sendrecv_all_nodes($1) corenet_tcp_sendrecv_ldap_port($1) corenet_tcp_connect_ldap_port($1) + corenet_sendrecv_ldap_client_packets($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms; 
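Review bot: The `network_packet` macro in corenetwork.te.m4 declares `$1_client_packet_t` and `$1_server_packet_t` with the `packet_type` attribute, but nothing in this patch declares `attribute packet_type;`, and the corenetwork.te.in hunks only add the three `network_packet()` calls. If the attribute is not already declared earlier in corenetwork.te.in (outside these hunks), the type declarations and the `gen_require(attribute packet_type;)` blocks in corenetwork.if.in will fail to compile; if it is, the dependency should at least be stated on the macro. Suggested comment above the `define`: `# network_packet(packet_name): declares packet_name_client_packet_t and packet_name_server_packet_t; requires attribute packet_type to be declared in corenetwork.te.in.`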
@@ -553,6 +555,7 @@ interface(`sysnet_use_portmap',` corenet_tcp_sendrecv_portmap_port($1) corenet_udp_sendrecv_portmap_port($1) corenet_tcp_connect_portmap_port($1) + corenet_sendrecv_portmap_client_packets($1) files_search_etc($1) allow $1 net_conf_t:file r_file_perms;