The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport-layer-specific interfaces are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only NetLabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID, which makes it very difficult to distinguish between actual unlabeled packets and those packets which have MLS security attributes.
policy_module(corenetwork,1.2.10)

# Core network object declarations shared by the rest of the policy: the
# packet, port, node and network-interface types, their initial SIDs, the
# well-known port/node/interface labels, and the attribute that receives
# unconfined access to all of them. Other modules reach these objects through
# the corenet_* interfaces, which are written against the attributes declared
# below rather than against individual types.
#
# Ordering matters in the "Ports and packets" section: as the comment on the
# reserved-port defaults notes, earlier portcon entries take precedence, so
# the specific network_port() entries must stay ahead of the 1-1023
# catch-all range at the end of that section.

########################################
#
# Declarations
#

# Attributes collecting the object types of this module, one per object
# class (packet_type, port_type, node_type, netif_type).
# client_packet_type / server_packet_type split packets by direction;
# reserved_port_type marks the privileged port range (see reserved_port_t and
# the 1-1023 portcon below); rpc_port_type is declared here but not used
# within this file.
attribute client_packet_type;
attribute netif_type;
attribute node_type;
attribute packet_type;
attribute port_type;
attribute reserved_port_type;
attribute rpc_port_type;
attribute server_packet_type;

# Domains carrying this attribute receive the blanket node/netif/packet/port
# permissions in the "Unconfined access to this module" section at the end
# of this file. The attribute is only declared here; nothing in this file
# assigns it to a type.
attribute corenet_unconfined_type;

type ppp_device_t;
dev_node(ppp_device_t)

#
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)

########################################
#
# Ports and packets
#

#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
type client_packet_t, packet_type, client_packet_type;

#
# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
# connections using NetLabel which do not carry full SELinux contexts.
#
type netlabel_peer_t;
# netmsg initial SID: the base context for NetLabel packets that carry only
# MLS security attributes (see the revision notes at the top of this page).
# A dedicated type, rather than the unlabeled initial SID, lets policy tell
# a genuinely unlabeled packet apart from one that is MLS-labeled only.
# The level assigned here is mls_systemhigh.
sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)

#
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
# port initial SID: the default label for ports not covered by a portcon.
sid port gen_context(system_u:object_r:port_t,s0)

#
# reserved_port_t is the type of INET port numbers below 1024.
#
# Specific well-known ports in that range get their own types from the
# network_port() entries below; the catch-all portcon at the end of this
# section labels whatever remains of 1-1023 with reserved_port_t.
type reserved_port_t, port_type, reserved_port_type;

#
# server_packet_t is the default type of IPv4 and IPv6 server packets.
#
type server_packet_t, packet_type, server_packet_type;

# Well-known port labels: network_port(name, proto,port,level, ...) declares
# name_port_t and a port context for each proto/port pair at the given level.
# Entries written as "type ..._port_t ...; dnl network_port(...)" declare only
# the type -- as their trailing comments note, no portcon exists for them, so
# no port number is actually labeled with those types.
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
network_port(afs_pt, udp,7002,s0)
network_port(afs_vl, udp,7003,s0)
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dhcpc, udp,68,s0)
network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
network_port(postgrey, tcp,60000,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
network_port(soundd, tcp,8000,s0, tcp,9433,s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)

# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
# Both protocols get the same catch-all; ports above 1023 with no portcon
# keep the port initial SID (port_t) declared above.
portcon tcp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-1023 gen_context(system_u:object_r:reserved_port_t, s0)

########################################
#
# Network nodes
#

#
# node_t is the default type of network nodes.
# The node_*_t types are used for specific network
# nodes in net_contexts or net_contexts.mls.
#
type node_t, node_type;
# node initial SID: the default node label, carrying the full MLS range.
sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)

# Well-known nodes: network_node(name, level, address, mask). Only loopback
# and multicast are given the full range (s0 - mls_systemhigh); the others
# are single-level s0.
network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
# NOTE(review): this call has a trailing empty argument after the mask, unlike
# the other network_node() entries -- confirm the macro tolerates it.
network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
network_node(site_local, s0, fec0::, ffc0::)
network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

########################################
#
# Network Interfaces
#

#
# netif_t is the default type of network interfaces.
#
type netif_t, netif_type;
# netif initial SID: the default interface label, carrying the full MLS range.
sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)

# With MLS enabled, the loopback interface gets its own labeled interface
# (presumably netif_lo_t, judging by the alias in the other branch) at the
# full range; without MLS, netif_lo_t is simply an alias of netif_t so that
# references to it resolve either way.
build_option(`enable_mls',`
network_interface(lo, lo,s0 - mls_systemhigh)
',`
typealias netif_t alias netif_lo_t;
')

########################################
#
# Unconfined access to this module
#

# Blanket access for corenet_unconfined_type: every permission on every
# node, netif and packet type, plus send/receive on every labeled port
# (and name_connect for TCP). No per-port or per-node distinction survives
# for a domain carrying this attribute.
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };

# Bind to any network address.
allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;