#
# shiftn(num,list...)
#
# shift the list num times
#
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
########################################
#
# Network Interface generated macros
#
########################################
define(`create_netif_interfaces',``
########################################
##
## Send and receive TCP network traffic on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_tcp_sendrecv_$1',`
gen_require(`
type $1_netif_t;
')
allow dollarsone $1_netif_t:netif { tcp_send tcp_recv };
')
########################################
##
## Send UDP network traffic on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_send_$1',`
gen_require(`
type $1_netif_t;
')
allow dollarsone $1_netif_t:netif udp_send;
')
########################################
##
## Receive UDP network traffic on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_receive_$1',`
gen_require(`
type $1_netif_t;
')
allow dollarsone $1_netif_t:netif udp_recv;
')
########################################
##
## Send and receive UDP network traffic on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_sendrecv_$1',`
corenet_udp_send_$1(dollarsone)
corenet_udp_receive_$1(dollarsone)
')
########################################
##
## Send raw IP packets on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_send_$1',`
gen_require(`
type $1_netif_t;
')
allow dollarsone $1_netif_t:netif rawip_send;
# cjp: comment out until raw access is
# is fixed for network users
#allow dollarsone self:capability net_raw;
')
########################################
##
## Receive raw IP packets on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_receive_$1',`
gen_require(`
type $1_netif_t;
')
allow dollarsone $1_netif_t:netif rawip_recv;
')
########################################
##
## Send and receive raw IP packets on the $1 interface.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_sendrecv_$1',`
corenet_raw_send_$1(dollarsone)
corenet_raw_receive_$1(dollarsone)
')
'') dnl end create_netif_interfaces
########################################
#
# Network node generated macros
#
########################################
define(`create_node_interfaces',``
########################################
##
## Send and receive TCP traffic on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_tcp_sendrecv_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:node { tcp_send tcp_recv };
')
########################################
##
## Send UDP traffic on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_send_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:node udp_send;
')
########################################
##
## Receive UDP traffic on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_receive_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:node udp_recv;
')
########################################
##
## Send and receive UDP traffic on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_sendrecv_$1_node',`
corenet_udp_send_$1_node(dollarsone)
corenet_udp_receive_$1_node(dollarsone)
')
########################################
##
## Send raw IP packets on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_send_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:node rawip_send;
')
########################################
##
## Receive raw IP packets on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_receive_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:node rawip_recv;
')
########################################
##
## Send and receive raw IP packets on the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_raw_sendrecv_$1_node',`
corenet_raw_send_$1_node(dollarsone)
corenet_raw_receive_$1_node(dollarsone)
')
########################################
##
## Bind TCP sockets to node $1.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_tcp_bind_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:tcp_socket node_bind;
')
########################################
##
## Bind UDP sockets to the $1 node.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_bind_$1_node',`
gen_require(`
type $1_node_t;
')
allow dollarsone $1_node_t:udp_socket node_bind;
')
'') dnl end create_node_interfaces
########################################
#
# Network port generated macros
#
########################################
define(`create_port_interfaces',``
########################################
##
## Send and receive TCP traffic on the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_tcp_sendrecv_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg };
')
########################################
##
## Send UDP traffic on the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_send_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:udp_socket send_msg;
')
########################################
##
## Receive UDP traffic on the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_receive_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:udp_socket recv_msg;
')
########################################
##
## Send and receive UDP traffic on the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_sendrecv_$1_port',`
corenet_udp_send_$1_port(dollarsone)
corenet_udp_receive_$1_port(dollarsone)
')
########################################
##
## Bind TCP sockets to the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_tcp_bind_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:tcp_socket name_bind;
$2
')
########################################
##
## Bind UDP sockets to the $1 port.
##
##
## The type of the process performing this action.
##
##
#
interface(`corenet_udp_bind_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:udp_socket name_bind;
$2
')
########################################
##
## Make a TCP connection to the $1 port.
##
##
## The type of the process performing this action.
##
#
interface(`corenet_tcp_connect_$1_port',`
gen_require(`
type $1_port_t;
')
allow dollarsone $1_port_t:tcp_socket name_connect;
')
'') dnl end create_port_interfaces
#
# network_interface(linux_interfacename,mls_sensitivity)
#
define(`network_interface',`
create_netif_interfaces($1)
')
#
# network_node(node_name,mls_sensitivity,address,netmask)
#
define(`network_node',`
create_node_interfaces($1)
')
# These next three macros have formatting, and should not me indented
define(`determine_reserved_capability',`dnl
ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
')dnl end outer ifelse
') dnl end determine reserved capability
define(`declare_ports',`dnl
ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
')
#
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
#
define(`network_port',`
create_port_interfaces($1,determine_reserved_capability(shift($*)))
')