The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport-layer-specific interfaces are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only NetLabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID, which makes it very difficult to distinguish between actual unlabeled packets and those packets which carry MLS security attributes.
## <summary>Policy controlling access to network objects</summary>
|
|
## <required val="true">
|
|
## Contains the initial SIDs for network objects.
|
|
## </required>
|
|
|
|
########################################
## <summary>
##	Define type to be a network port type
## </summary>
## <desc>
##	<p>
##	Define type to be a network port type by adding it to
##	the port_type attribute. Every interface in this module
##	that is written against port_type (the *_all_ports
##	interfaces) will then also cover the new type.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_port',`
	gen_require(`
		attribute port_type;
	')

	# Attribute membership is what the *_all_ports interfaces
	# key on, so this silently widens their reach.
	typeattribute $1 port_type;
')
|
|
|
|
########################################
## <summary>
##	Define network type to be a reserved port (lt 1024)
## </summary>
## <desc>
##	<p>
##	Define network type to be a reserved port (lt 1024) by
##	adding it to the reserved_port_type attribute. The
##	*_all_reserved_ports interfaces in this module are written
##	against that attribute and will cover the new type.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_reserved_port',`
	gen_require(`
		attribute reserved_port_type;
	')

	# Note: this only adds reserved_port_type; it does not also
	# add port_type, so the caller should ensure the type is
	# declared as a port type as well if the *_all_ports
	# interfaces are expected to cover it.
	typeattribute $1 reserved_port_type;
')
|
|
|
|
########################################
## <summary>
##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
## </summary>
## <desc>
##	<p>
##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
##	by adding it to the rpc_port_type attribute.
##	</p>
##	<p>
##	This is a template to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_rpc_port',`
	gen_require(`
		attribute rpc_port_type;
	')

	# Only rpc_port_type is added here; reserved_port_type and
	# port_type membership are not implied by this interface.
	typeattribute $1 rpc_port_type;
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on the generic interfaces.
## </summary>
## <desc>
##	<p>
##	Grants tcp_send and tcp_recv on the generic network
##	interface type (netif_t) only. Interfaces that carry a
##	more specific type are not covered; use the *_all_if
##	interfaces for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { tcp_send tcp_recv };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	# Send only; pair with corenet_udp_receive_generic_if or
	# use corenet_udp_sendrecv_generic_if for both directions.
	allow $1 netif_t:netif udp_send;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to send UDP network traffic
##	on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Suppresses the AVC denial message only; no access is
##	granted. Use with care, since it hides evidence of
##	unexpected network activity from the audit log.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	dontaudit $1 netif_t:netif udp_send;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	# Receive only; see corenet_udp_sendrecv_generic_if for both.
	allow $1 netif_t:netif udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to receive UDP network
##	traffic on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Suppresses the AVC denial message only; no access is
##	granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	dontaudit $1 netif_t:netif udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and Receive UDP network traffic on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Convenience wrapper that calls corenet_udp_send_generic_if
##	and corenet_udp_receive_generic_if; it grants nothing
##	beyond those two interfaces.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_if',`
	corenet_udp_send_generic_if($1)
	corenet_udp_receive_generic_if($1)
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to send and receive UDP network
##	traffic on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Wrapper over the send and receive dontaudit interfaces;
##	suppresses the denial messages only and grants no access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
	corenet_dontaudit_udp_send_generic_if($1)
	corenet_dontaudit_udp_receive_generic_if($1)
')
|
|
|
|
########################################
## <summary>
##	Send raw IP packets on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Raw IP bypasses the TCP/UDP port labeling, so a domain
##	given this permission is not constrained by the port
##	interfaces in this module for the packets it sends.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif rawip_send;
')
|
|
|
|
########################################
## <summary>
##	Receive raw IP packets on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Raw IP bypasses the TCP/UDP port labeling, so the port
##	interfaces in this module do not constrain what a domain
##	with this permission can receive.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_raw_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif rawip_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive raw IP packets on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_raw_send_generic_if and
##	corenet_raw_receive_generic_if.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_generic_if',`
	corenet_raw_send_generic_if($1)
	corenet_raw_receive_generic_if($1)
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on all interfaces.
## </summary>
## <desc>
##	<p>
##	Written against the netif_type attribute, so it covers
##	every interface type in the policy, including any added
##	by third party modules. Prefer the generic or a
##	specific-interface variant when the domain does not need
##	every interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { tcp_send tcp_recv };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on all interfaces.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the netif_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif udp_send;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on all interfaces.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the netif_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on all interfaces.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_all_if and
##	corenet_udp_receive_all_if.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_all_if',`
	corenet_udp_send_all_if($1)
	corenet_udp_receive_all_if($1)
')
|
|
|
|
########################################
## <summary>
##	Send raw IP packets on all interfaces.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the netif_type attribute.
##	Raw IP is not subject to the port labeling enforced by
##	the port interfaces in this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif rawip_send;
')
|
|
|
|
########################################
## <summary>
##	Receive raw IP packets on all interfaces.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the netif_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_raw_receive_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif rawip_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive raw IP packets on all interfaces.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_raw_send_all_if and
##	corenet_raw_receive_all_if.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_all_if',`
	corenet_raw_send_all_if($1)
	corenet_raw_receive_all_if($1)
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on generic nodes.
## </summary>
## <desc>
##	<p>
##	Grants tcp_send and tcp_recv on the generic node type
##	(node_t) only; nodes labeled with a more specific type
##	require the *_all_nodes interfaces.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { tcp_send tcp_recv };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node udp_send;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on generic nodes.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_generic_node and
##	corenet_udp_receive_generic_node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_node',`
	corenet_udp_send_generic_node($1)
	corenet_udp_receive_generic_node($1)
')
|
|
|
|
########################################
## <summary>
##	Send raw IP packets on generic nodes.
## </summary>
## <desc>
##	<p>
##	Raw IP is not subject to the port labeling enforced by
##	the port interfaces in this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node rawip_send;
')
|
|
|
|
########################################
## <summary>
##	Receive raw IP packets on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_raw_receive_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node rawip_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive raw IP packets on generic nodes.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_raw_send_generic_node and
##	corenet_raw_receive_generic_node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_generic_node',`
	corenet_raw_send_generic_node($1)
	corenet_raw_receive_generic_node($1)
')
|
|
|
|
########################################
## <summary>
##	Bind TCP sockets to generic nodes.
## </summary>
## <desc>
##	<p>
##	Grants node_bind on the generic node type only. Binding
##	to a port additionally requires name_bind on the port
##	type (see the *_bind_*_port interfaces); this interface
##	does not grant that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:tcp_socket node_bind;
')
|
|
|
|
########################################
## <summary>
##	Bind UDP sockets to generic nodes.
## </summary>
## <desc>
##	<p>
##	Grants node_bind on the generic node type only; name_bind
##	on the port type must be granted separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:udp_socket node_bind;
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on all nodes.
## </summary>
## <desc>
##	<p>
##	Written against the node_type attribute, so it covers
##	every node type in the policy, including any added by
##	third party modules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { tcp_send tcp_recv };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on all nodes.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the node_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node udp_send;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to send UDP network
##	traffic on any node.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message for every node type; no
##	access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node udp_send;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on all nodes.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the node_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to receive UDP
##	network traffic on all nodes.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message for every node type; no
##	access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node udp_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on all nodes.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_all_nodes and
##	corenet_udp_receive_all_nodes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_all_nodes',`
	corenet_udp_send_all_nodes($1)
	corenet_udp_receive_all_nodes($1)
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to send and receive UDP
##	network traffic on any node.
## </summary>
## <desc>
##	<p>
##	Wrapper over the send and receive dontaudit interfaces
##	for all nodes; grants no access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
	corenet_dontaudit_udp_send_all_nodes($1)
	corenet_dontaudit_udp_receive_all_nodes($1)
')
|
|
|
|
########################################
## <summary>
##	Send raw IP packets on all nodes.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the node_type attribute.
##	Raw IP is not subject to the port labeling enforced by
##	the port interfaces in this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node rawip_send;
')
|
|
|
|
########################################
## <summary>
##	Receive raw IP packets on all nodes.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the node_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_raw_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node rawip_recv;
')
|
|
|
|
########################################
## <summary>
##	Send and receive raw IP packets on all nodes.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_raw_send_all_nodes and
##	corenet_raw_receive_all_nodes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_all_nodes',`
	corenet_raw_send_all_nodes($1)
	corenet_raw_receive_all_nodes($1)
')
|
|
|
|
########################################
## <summary>
##	Bind TCP sockets to all nodes.
## </summary>
## <desc>
##	<p>
##	Grants node_bind for every type carrying the node_type
##	attribute. Port-level name_bind is not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:tcp_socket node_bind;
')
|
|
|
|
########################################
## <summary>
##	Bind UDP sockets to all nodes.
## </summary>
## <desc>
##	<p>
##	Grants node_bind for every type carrying the node_type
##	attribute. Port-level name_bind is not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:udp_socket node_bind;
')
|
|
|
|
########################################
## <summary>
##	Bind raw sockets to all nodes.
## </summary>
## <desc>
##	<p>
##	Grants node_bind on rawip_socket for every type carrying
##	the node_type attribute. Kept for domains that are
##	observed to need it (see the note below); it is not a
##	permission most domains should be given.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
interface(`corenet_raw_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:rawip_socket node_bind;
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on generic ports.
## </summary>
## <desc>
##	<p>
##	Grants send_msg and recv_msg on the generic port type
##	(port_t) only, i.e. ports that have no more specific
##	label. Specifically labeled ports are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:tcp_socket { send_msg recv_msg };
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to send and receive TCP
##	network traffic on generic ports.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message only; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
	gen_require(`
		type port_t;
	')

	dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:udp_socket send_msg;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:udp_socket recv_msg;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on generic ports.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_generic_port and
##	corenet_udp_receive_generic_port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_port',`
	corenet_udp_send_generic_port($1)
	corenet_udp_receive_generic_port($1)
')
|
|
|
|
########################################
## <summary>
##	Bind TCP sockets to generic ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on the generic port type only. Unlike
##	corenet_tcp_bind_all_ports, this does not grant the
##	net_bind_service capability, and node_bind on the node
##	type must be granted separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to generic ports.
## </summary>
## <desc>
##	<p>
##	Suppresses the denial message only; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_tcp_bind_generic_port',`
	gen_require(`
		type port_t;
	')

	dontaudit $1 port_t:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
##	Bind UDP sockets to generic ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on the generic port type only; no
##	capability is granted and node_bind must be granted
##	separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:udp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
##	Connect TCP sockets to generic ports.
## </summary>
## <desc>
##	<p>
##	Grants name_connect on the generic port type only, i.e.
##	ports without a more specific label. Sending and
##	receiving on the connected socket still requires the
##	corresponding sendrecv interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Written against the port_type attribute, so it covers
##	every labeled port in the policy, including types added
##	through corenet_port by third party modules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket { send_msg recv_msg };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket send_msg;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket recv_msg;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_all_ports and
##	corenet_udp_receive_all_ports.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_all_ports',`
	corenet_udp_send_all_ports($1)
	corenet_udp_receive_all_ports($1)
')
|
|
|
|
########################################
## <summary>
##	Bind TCP sockets to all ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on every type carrying the port_type
##	attribute AND the net_bind_service capability on the
##	domain itself. The capability grant is broader than the
##	name suggests: it lets the domain bind privileged
##	(reserved, lt 1024) ports regardless of protocol. Prefer
##	a port-specific bind interface when the domain only needs
##	one service port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket name_bind;
	# Needed for binding reserved ports; this is a domain-wide
	# capability, not scoped to TCP or to any particular port.
	allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to any ports.
## </summary>
## <desc>
##	<p>
##	Suppresses the name_bind denial message for every port
##	type; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_tcp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
##	Bind UDP sockets to all ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on every type carrying the port_type
##	attribute AND the net_bind_service capability on the
##	domain itself, so the domain can also bind reserved
##	(lt 1024) ports. Prefer a port-specific bind interface
##	when the domain only needs one service port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket name_bind;
	# Domain-wide capability; not scoped to UDP or to any port.
	allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to any ports.
## </summary>
## <desc>
##	<p>
##	Suppresses the name_bind denial message for every port
##	type; no access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_udp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:udp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
##	Connect TCP sockets to all ports.
## </summary>
## <desc>
##	<p>
##	Grants name_connect on every type carrying the port_type
##	attribute. This removes port-level confinement of the
##	domain's outbound TCP connections entirely; prefer a
##	port-specific connect interface where the set of peers
##	is known.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
##	Do not audit attempts to connect TCP sockets
##	to all ports.
## </summary>
## <desc>
##	<p>
##	Suppresses the name_connect denial message for every
##	port type; no access is granted. Note that this hides
##	evidence of unexpected outbound connections from the
##	audit log.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_dontaudit_tcp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
##	Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Grants send_msg and recv_msg on the generic reserved port
##	type (reserved_port_t) only; reserved ports with a more
##	specific label are not covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
')
|
|
|
|
########################################
## <summary>
##	Send UDP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket send_msg;
')
|
|
|
|
########################################
## <summary>
##	Receive UDP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket recv_msg;
')
|
|
|
|
########################################
## <summary>
##	Send and receive UDP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Wrapper over corenet_udp_send_reserved_port and
##	corenet_udp_receive_reserved_port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_reserved_port',`
	corenet_udp_send_reserved_port($1)
	corenet_udp_receive_reserved_port($1)
')
|
|
|
|
########################################
## <summary>
##	Bind TCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on the generic reserved port type and
##	the net_bind_service capability on the domain. The
##	capability is domain-wide: it is not limited to TCP or to
##	reserved_port_t, so any other port type the domain can
##	name_bind becomes bindable below 1024 as well.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_bind;
	# Required to bind ports below 1024; see caveat above.
	allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
##	Bind UDP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on the generic reserved port type and
##	the net_bind_service capability on the domain. The
##	capability is domain-wide and not limited to UDP or to
##	reserved_port_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket name_bind;
	# Required to bind ports below 1024; see caveat above.
	allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
##	Connect TCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Grants name_connect on the generic reserved port type
##	only; reserved ports with a more specific label are not
##	covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
## Send and receive TCP network traffic on all reserved ports.
## </summary>
## <desc>
## <p>
## Send and receive TCP network traffic on all reserved ports.
## This covers every port type carrying the reserved_port_type
## attribute, including ports that have their own specific type,
## not only the generic reserved_port_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_sendrecv_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

# Attribute-wide rule: one allow covers every reserved port type.
allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
')
|
|
|
|
########################################
## <summary>
## Send UDP network traffic on all reserved ports.
## </summary>
## <desc>
## <p>
## Send UDP network traffic on all reserved ports. This covers
## every port type carrying the reserved_port_type attribute,
## not only the generic reserved_port_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_send_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

allow $1 reserved_port_type:udp_socket send_msg;
')
|
|
|
|
########################################
## <summary>
## Receive UDP network traffic on all reserved ports.
## </summary>
## <desc>
## <p>
## Receive UDP network traffic on all reserved ports. This covers
## every port type carrying the reserved_port_type attribute,
## not only the generic reserved_port_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_receive_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

allow $1 reserved_port_type:udp_socket recv_msg;
')
|
|
|
|
########################################
## <summary>
## Send and receive UDP network traffic on all reserved ports.
## </summary>
## <desc>
## <p>
## Send and receive UDP network traffic on all reserved ports.
## This is the union of the send and receive interfaces for the
## reserved_port_type attribute; it does not grant bind access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_sendrecv_all_reserved_ports',`
corenet_udp_send_all_reserved_ports($1)
corenet_udp_receive_all_reserved_ports($1)
')
|
|
|
|
########################################
## <summary>
## Bind TCP sockets to all reserved ports.
## </summary>
## <desc>
## <p>
## Bind TCP sockets to all reserved ports, i.e. every port type
## carrying the reserved_port_type attribute, including ports
## that have their own specific type.
## </p>
## <p>
## This is a broad grant. Prefer the per-port bind interfaces
## where the service only needs one or two specific ports.
## The net_bind_service capability is also granted to the domain.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_bind_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

allow $1 reserved_port_type:tcp_socket name_bind;
# Domain-wide capability; cannot be narrowed to the port attribute.
allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to bind TCP sockets to all reserved ports.
## </summary>
## <desc>
## <p>
## Do not audit attempts to bind TCP sockets to all reserved ports.
## Only the name_bind denial is silenced; a net_bind_service
## capability denial for the same bind attempt is still audited.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

dontaudit $1 reserved_port_type:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Bind UDP sockets to all reserved ports.
## </summary>
## <desc>
## <p>
## Bind UDP sockets to all reserved ports, i.e. every port type
## carrying the reserved_port_type attribute, including ports
## that have their own specific type.
## </p>
## <p>
## This is a broad grant. Prefer the per-port bind interfaces
## where the service only needs one or two specific ports.
## The net_bind_service capability is also granted to the domain.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_bind_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

allow $1 reserved_port_type:udp_socket name_bind;
# Domain-wide capability; cannot be narrowed to the port attribute.
allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to bind UDP sockets to all reserved ports.
## </summary>
## <desc>
## <p>
## Do not audit attempts to bind UDP sockets to all reserved ports.
## Only the name_bind denial is silenced; a net_bind_service
## capability denial for the same bind attempt is still audited.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

dontaudit $1 reserved_port_type:udp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Bind TCP sockets to all non-reserved ports.
## </summary>
## <desc>
## <p>
## Bind TCP sockets to all port types that do not carry the
## reserved_port_type attribute. This is not only the generic
## port_t: every specifically labeled non-reserved port type is
## included as well, so a domain given this interface can take
## over the listening port of any non-reserved service.
## </p>
## <p>
## No capability is granted, since binding to a non-reserved
## port is not a privileged operation.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
gen_require(`
attribute port_type, reserved_port_type;
')

# Set difference: every port type minus the reserved ones.
allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Bind UDP sockets to all non-reserved ports.
## </summary>
## <desc>
## <p>
## Bind UDP sockets to all port types that do not carry the
## reserved_port_type attribute. This is not only the generic
## port_t: every specifically labeled non-reserved port type is
## included as well, so a domain given this interface can take
## over the port of any non-reserved UDP service.
## </p>
## <p>
## No capability is granted, since binding to a non-reserved
## port is not a privileged operation.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(`
attribute port_type, reserved_port_type;
')

# Set difference: every port type minus the reserved ones.
allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Connect TCP sockets to all reserved ports.
## </summary>
## <desc>
## <p>
## Connect TCP sockets to all reserved ports, i.e. every port
## type carrying the reserved_port_type attribute, including
## ports that have their own specific type.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_connect_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

allow $1 reserved_port_type:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to connect TCP sockets
## to all reserved ports.
## </summary>
## <desc>
## <p>
## Do not audit attempts to connect TCP sockets to any port
## type carrying the reserved_port_type attribute.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
gen_require(`
attribute reserved_port_type;
')

dontaudit $1 reserved_port_type:tcp_socket name_connect;
')
|
|
|
|
########################################
## <summary>
## Read and write the TUN/TAP virtual network device.
## </summary>
## <desc>
## <p>
## Read and write the TUN/TAP virtual network device node.
## Also allows listing device directories so the node can be
## found. ioctl is included because the device is configured
## through ioctl calls.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The domain allowed access.
## </summary>
## </param>
#
interface(`corenet_rw_tun_tap_dev',`
gen_require(`
type tun_tap_device_t;
')

dev_list_all_dev_nodes($1)
# NOTE(review): spelled out rather than using a perms macro, unlike
# corenet_rw_ppp_dev which uses rw_file_perms; presumably the two
# sets are meant to be equivalent -- confirm before unifying.
allow $1 tun_tap_device_t:chr_file { getattr read write ioctl lock append };
')
|
|
|
|
########################################
## <summary>
## Read and write the point-to-point device.
## </summary>
## <desc>
## <p>
## Read and write the point-to-point (PPP) device node. Also
## allows listing device directories so the node can be found.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The domain allowed access.
## </summary>
## </param>
#
interface(`corenet_rw_ppp_dev',`
gen_require(`
type ppp_device_t;
')

dev_list_all_dev_nodes($1)
# rw_file_perms is the shared read/write permission macro.
allow $1 ppp_device_t:chr_file rw_file_perms;
')
|
|
|
|
########################################
## <summary>
## Bind TCP sockets to all RPC ports.
## </summary>
## <desc>
## <p>
## Bind TCP sockets to every port type carrying the
## rpc_port_type attribute. The net_bind_service capability
## is granted to the domain as well, since RPC ports are
## presumably in the privileged range.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_tcp_bind_all_rpc_ports',`
gen_require(`
attribute rpc_port_type;
')

allow $1 rpc_port_type:tcp_socket name_bind;
# Domain-wide capability; cannot be narrowed to the port attribute.
allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <desc>
## <p>
## Do not audit attempts to bind TCP sockets to any port type
## carrying the rpc_port_type attribute. Only the name_bind
## denial is silenced.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
gen_require(`
attribute rpc_port_type;
')

dontaudit $1 rpc_port_type:tcp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Bind UDP sockets to all RPC ports.
## </summary>
## <desc>
## <p>
## Bind UDP sockets to every port type carrying the
## rpc_port_type attribute. The net_bind_service capability
## is granted to the domain as well, since RPC ports are
## presumably in the privileged range.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`corenet_udp_bind_all_rpc_ports',`
gen_require(`
attribute rpc_port_type;
')

allow $1 rpc_port_type:udp_socket name_bind;
# Domain-wide capability; cannot be narrowed to the port attribute.
allow $1 self:capability net_bind_service;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to bind UDP sockets to all RPC ports.
## </summary>
## <desc>
## <p>
## Do not audit attempts to bind UDP sockets to any port type
## carrying the rpc_port_type attribute. Only the name_bind
## denial is silenced.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the process to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
gen_require(`
attribute rpc_port_type;
')

dontaudit $1 rpc_port_type:udp_socket name_bind;
')
|
|
|
|
########################################
## <summary>
## Send and receive messages on a
## non-encrypted (no IPSEC) network
## session. (Deprecated)
## </summary>
## <desc>
## <p>
## Send and receive messages on a
## non-encrypted (no IPSEC) network
## session. (Deprecated)
## </p>
## <p>
## The corenet_all_recvfrom_unlabeled() interface should be used instead
## of this one. This wrapper emits a build-time deprecation warning
## and then grants exactly what corenet_all_recvfrom_unlabeled() grants.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_non_ipsec_sendrecv',`
# $0 expands to this macro name, $* to its arguments, for the warning text.
refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
corenet_all_recvfrom_unlabeled($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session. (Deprecated)
## </summary>
## <desc>
## <p>
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session. (Deprecated)
## </p>
## <p>
## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
## used instead of this one. This wrapper emits a build-time deprecation
## warning and then applies exactly what that interface applies.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
corenet_dontaudit_all_recvfrom_unlabeled($1)
')
|
|
|
|
########################################
## <summary>
## Receive TCP packets from a NetLabel connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_tcp_recvfrom_netlabel().
## It emits a build-time warning and grants the same access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_recv_netlabel',`
refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
corenet_tcp_recvfrom_netlabel($1)
')
|
|
|
|
########################################
## <summary>
## Receive TCP packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive TCP packets whose peer label is netlabel_peer_t.
## This is the type reached from the netmsg initial SID, which
## presumably covers NetLabel packets that carry only MLS
## attributes and therefore no peer domain type. Packets from
## peers that resolve to a specific domain type are not covered
## by this rule and need their own recvfrom permission.
## </p>
## <p>
## This rule is the type-enforcement side only; any MLS
## constraints on the packet still apply.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

allow $1 netlabel_peer_t:tcp_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
## Receive TCP packets from a peer that carries no NetLabel or
## IPsec label. This is the common case on networks without
## labeled networking, so most network-facing domains need it.
## </p>
## <p>
## The legacy unlabeled association check is granted as well so
## the same policy keeps working on older kernels that still
## perform the outbound/send check.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_dontaudit_tcp_recvfrom_netlabel().
## It emits a build-time warning and applies the same dontaudit.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
corenet_dontaudit_tcp_recvfrom_netlabel($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive TCP packets whose
## peer label is netlabel_peer_t. The packets are still dropped;
## only the audit record is suppressed.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive TCP packets from an
## unlabeled peer. The legacy association check is silenced as
## well, matching corenet_tcp_recvfrom_unlabeled().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Receive UDP packets from a NetLabel connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_udp_recvfrom_netlabel().
## It emits a build-time warning and grants the same access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_udp_recv_netlabel',`
refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
corenet_udp_recvfrom_netlabel($1)
')
|
|
|
|
########################################
## <summary>
## Receive UDP packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive UDP packets whose peer label is netlabel_peer_t.
## This is the type reached from the netmsg initial SID, which
## presumably covers NetLabel packets that carry only MLS
## attributes and therefore no peer domain type. Any MLS
## constraints on the packet still apply on top of this rule.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_udp_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

allow $1 netlabel_peer_t:udp_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Receive UDP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
## Receive UDP packets from a peer that carries no NetLabel or
## IPsec label. The legacy unlabeled association check is
## granted as well so the policy keeps working on older kernels
## that still perform the outbound/send check.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_udp_recvfrom_unlabeled',`
kernel_udp_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
')
|
|
|
|
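########################################
## <summary>
## Do not audit attempts to receive UDP packets from a NetLabel
## connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_dontaudit_udp_recvfrom_netlabel().
## It emits a build-time warning and applies the same dontaudit.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
# The replacement is named with empty parentheses, matching the other
# deprecation warnings in this file; previously $1 was expanded into
# the message, which differed from every sibling wrapper.
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel() instead.')
corenet_dontaudit_udp_recvfrom_netlabel($1)
')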
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive UDP packets whose
## peer label is netlabel_peer_t. The packets are still dropped;
## only the audit record is suppressed.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive UDP packets from an
## unlabeled peer. The legacy association check is silenced as
## well, matching corenet_udp_recvfrom_unlabeled().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Receive Raw IP packets from a NetLabel connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_raw_recvfrom_netlabel().
## It emits a build-time warning and grants the same access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_raw_recv_netlabel',`
refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
corenet_raw_recvfrom_netlabel($1)
')
|
|
|
|
########################################
## <summary>
## Receive Raw IP packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive raw IP packets whose peer label is netlabel_peer_t.
## This is the type reached from the netmsg initial SID, which
## presumably covers NetLabel packets that carry only MLS
## attributes and therefore no peer domain type. Any MLS
## constraints on the packet still apply on top of this rule.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_raw_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

allow $1 netlabel_peer_t:rawip_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Receive Raw IP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
## Receive raw IP packets from a peer that carries no NetLabel
## or IPsec label. The legacy unlabeled association check is
## granted as well so the policy keeps working on older kernels
## that still perform the outbound/send check.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_raw_recvfrom_unlabeled',`
kernel_raw_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection. (Deprecated)
## </summary>
## <desc>
## <p>
## Deprecated wrapper around corenet_dontaudit_raw_recvfrom_netlabel().
## It emits a build-time warning and applies the same dontaudit.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_raw_recv_netlabel',`
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
corenet_dontaudit_raw_recvfrom_netlabel($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive raw IP packets whose
## peer label is netlabel_peer_t. The packets are still dropped;
## only the audit record is suppressed.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive raw IP packets from
## an unlabeled peer. The legacy association check is silenced
## as well, matching corenet_raw_recvfrom_unlabeled().
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
kernel_dontaudit_raw_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Receive packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
## Receive TCP, UDP and raw IP packets from peers that carry no
## NetLabel or IPsec label. This is the single interface most
## network-facing domains should call for unlabeled traffic; it
## is the combination of the three per-protocol interfaces.
## </p>
## <p>
## The legacy unlabeled association check is granted as well so
## the policy keeps working on older kernels that still perform
## the outbound/send check.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_all_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
kernel_udp_recvfrom_unlabeled($1)
kernel_raw_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Receive packets from a NetLabel connection.
## </summary>
## <desc>
## <p>
## Receive TCP, UDP and raw IP packets whose peer label is
## netlabel_peer_t. This is the single interface most domains
## should call for NetLabel traffic; it covers the same three
## socket classes as the per-protocol interfaces.
## </p>
## <p>
## netlabel_peer_t is the type reached from the netmsg initial
## SID, which presumably covers NetLabel packets that carry only
## MLS attributes. Any MLS constraints still apply on top of
## this type-enforcement rule.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_all_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive TCP, UDP or raw IP
## packets from an unlabeled peer, including the legacy
## unlabeled association check. Packets are still dropped;
## only the audit records are suppressed.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
kernel_dontaudit_udp_recvfrom_unlabeled($1)
kernel_dontaudit_raw_recvfrom_unlabeled($1)

# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
kernel_dontaudit_sendrecv_unlabeled_association($1)
')
|
|
|
|
########################################
## <summary>
## Do not audit attempts to receive packets from a NetLabel
## connection.
## </summary>
## <desc>
## <p>
## Do not audit denied attempts to receive TCP, UDP or raw IP
## packets whose peer label is netlabel_peer_t. Packets are
## still dropped; only the audit records are suppressed.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
')

dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
|
|
|
|
########################################
## <summary>
## Send generic client packets.
## </summary>
## <desc>
## <p>
## Send packets labeled with the generic client packet type.
## Packet labels are assigned by netfilter SECMARK rules, so this
## rule only has an effect where such rules label traffic as
## client_packet_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_generic_client_packets',`
gen_require(`
type client_packet_t;
')

allow $1 client_packet_t:packet send;
')
|
|
|
|
########################################
## <summary>
## Receive generic client packets.
## </summary>
## <desc>
## <p>
## Receive packets labeled with the generic client packet type.
## Packet labels are assigned by netfilter SECMARK rules, so this
## rule only has an effect where such rules label traffic as
## client_packet_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_generic_client_packets',`
gen_require(`
type client_packet_t;
')

allow $1 client_packet_t:packet recv;
')
|
|
|
|
########################################
## <summary>
## Send and receive generic client packets.
## </summary>
## <desc>
## <p>
## Send and receive packets labeled with the generic client
## packet type. Combination of the send and receive interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_generic_client_packets',`
corenet_send_generic_client_packets($1)
corenet_receive_generic_client_packets($1)
')
|
|
|
|
########################################
## <summary>
## Relabel packets to the generic client packet type.
## </summary>
## <desc>
## <p>
## Relabel packets to the generic client packet type. This is
## the permission needed by the domain that installs SECMARK
## rules assigning client_packet_t, so it should be limited to
## the firewall configuration domain rather than given to
## ordinary network clients.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_generic_client_packets',`
gen_require(`
type client_packet_t;
')

allow $1 client_packet_t:packet relabelto;
')
|
|
|
|
########################################
## <summary>
## Send generic server packets.
## </summary>
## <desc>
## <p>
## Send packets labeled with the generic server packet type.
## Packet labels are assigned by netfilter SECMARK rules, so this
## rule only has an effect where such rules label traffic as
## server_packet_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_generic_server_packets',`
gen_require(`
type server_packet_t;
')

allow $1 server_packet_t:packet send;
')
|
|
|
|
########################################
## <summary>
## Receive generic server packets.
## </summary>
## <desc>
## <p>
## Receive packets labeled with the generic server packet type.
## Packet labels are assigned by netfilter SECMARK rules, so this
## rule only has an effect where such rules label traffic as
## server_packet_t.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_generic_server_packets',`
gen_require(`
type server_packet_t;
')

allow $1 server_packet_t:packet recv;
')
|
|
|
|
########################################
## <summary>
## Send and receive generic server packets.
## </summary>
## <desc>
## <p>
## Send and receive packets labeled with the generic server
## packet type. Combination of the send and receive interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_generic_server_packets',`
corenet_send_generic_server_packets($1)
corenet_receive_generic_server_packets($1)
')
|
|
|
|
########################################
## <summary>
## Relabel packets to the generic server packet type.
## </summary>
## <desc>
## <p>
## Relabel packets to the generic server packet type. This is
## the permission needed by the domain that installs SECMARK
## rules assigning server_packet_t, so it should be limited to
## the firewall configuration domain rather than given to
## ordinary network servers.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_generic_server_packets',`
gen_require(`
type server_packet_t;
')

allow $1 server_packet_t:packet relabelto;
')
|
|
|
|
########################################
## <summary>
## Send and receive unlabeled packets.
## </summary>
## <desc>
## <p>
## Send and receive unlabeled packets.
## These packets do not match any netfilter
## SECMARK rules.
## </p>
## <p>
## On a system with no SECMARK rules loaded at all, every packet
## is unlabeled, so this is effectively the baseline packet
## permission for any networking domain. Once SECMARK rules are
## in place it only covers traffic the rules leave unmarked.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_unlabeled_packets',`
# The unlabeled packet type lives in the kernel module; delegate to it.
kernel_sendrecv_unlabeled_packets($1)
')
|
|
|
|
########################################
## <summary>
## Send all client packets.
## </summary>
## <desc>
## <p>
## Send packets of every type carrying the client_packet_type
## attribute, i.e. the generic client packet type and every
## service-specific client packet type.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_all_client_packets',`
gen_require(`
attribute client_packet_type;
')

allow $1 client_packet_type:packet send;
')
|
|
|
|
########################################
## <summary>
## Receive all client packets.
## </summary>
## <desc>
## <p>
## Receive packets of every type carrying the client_packet_type
## attribute, i.e. the generic client packet type and every
## service-specific client packet type.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_all_client_packets',`
gen_require(`
attribute client_packet_type;
')

allow $1 client_packet_type:packet recv;
')
|
|
|
|
########################################
## <summary>
## Send and receive all client packets.
## </summary>
## <desc>
## <p>
## Send and receive packets of every type carrying the
## client_packet_type attribute. Combination of the send and
## receive interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_all_client_packets',`
corenet_send_all_client_packets($1)
corenet_receive_all_client_packets($1)
')
|
|
|
|
########################################
## <summary>
## Relabel packets to any client packet type.
## </summary>
## <desc>
## <p>
## Relabel packets to any type carrying the client_packet_type
## attribute. Needed by the domain that installs SECMARK rules;
## it should not be given to ordinary network clients.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_all_client_packets',`
gen_require(`
attribute client_packet_type;
')

allow $1 client_packet_type:packet relabelto;
')
|
|
|
|
########################################
## <summary>
## Send all server packets.
## </summary>
## <desc>
## <p>
## Send packets of every type carrying the server_packet_type
## attribute, i.e. the generic server packet type and every
## service-specific server packet type.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_all_server_packets',`
gen_require(`
attribute server_packet_type;
')

allow $1 server_packet_type:packet send;
')
|
|
|
|
########################################
## <summary>
## Receive all server packets.
## </summary>
## <desc>
## <p>
## Receive packets of every type carrying the server_packet_type
## attribute, i.e. the generic server packet type and every
## service-specific server packet type.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_all_server_packets',`
gen_require(`
attribute server_packet_type;
')

allow $1 server_packet_type:packet recv;
')
|
|
|
|
########################################
## <summary>
## Send and receive all server packets.
## </summary>
## <desc>
## <p>
## Send and receive packets of every type carrying the
## server_packet_type attribute. Combination of the send and
## receive interfaces.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_all_server_packets',`
corenet_send_all_server_packets($1)
corenet_receive_all_server_packets($1)
')
|
|
|
|
########################################
## <summary>
## Relabel packets to any server packet type.
## </summary>
## <desc>
## <p>
## Relabel packets to any type carrying the server_packet_type
## attribute. Needed by the domain that installs SECMARK rules;
## it should not be given to ordinary network servers.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_all_server_packets',`
gen_require(`
attribute server_packet_type;
')

allow $1 server_packet_type:packet relabelto;
')
|
|
|
|
########################################
## <summary>
## Send all packets.
## </summary>
## <desc>
## <p>
## Send packets of every type carrying the packet_type
## attribute. This is broader than the client and server
## variants combined and effectively disables packet-level
## send restrictions for the domain; use it only where the
## domain genuinely must handle arbitrary labeled traffic.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_send_all_packets',`
gen_require(`
attribute packet_type;
')

allow $1 packet_type:packet send;
')
|
|
|
|
########################################
## <summary>
## Receive all packets.
## </summary>
## <desc>
## <p>
## Receive packets of every type carrying the packet_type
## attribute. This is broader than the client and server
## variants combined and effectively disables packet-level
## receive restrictions for the domain; use it only where the
## domain genuinely must handle arbitrary labeled traffic.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_receive_all_packets',`
gen_require(`
attribute packet_type;
')

allow $1 packet_type:packet recv;
')
|
|
|
|
########################################
## <summary>
## Send and receive all packets.
## </summary>
## <desc>
## <p>
## Send and receive packets of every type carrying the
## packet_type attribute. Combination of the send and receive
## interfaces; see their descriptions for the scope caveat.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_sendrecv_all_packets',`
corenet_send_all_packets($1)
corenet_receive_all_packets($1)
')
|
|
|
|
########################################
## <summary>
## Relabel packets to any packet type.
## </summary>
## <desc>
## <p>
## Relabel packets to any type carrying the packet_type
## attribute. This is the permission a firewall configuration
## domain needs to install arbitrary SECMARK rules, and it lets
## that domain decide the packet label every other domain is
## checked against; restrict it accordingly.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_relabelto_all_packets',`
gen_require(`
attribute packet_type;
')

allow $1 packet_type:packet relabelto;
')
|
|
|
|
########################################
## <summary>
## Unconfined access to network objects.
## </summary>
## <desc>
## <p>
## Unconfined access to network objects. The domain is added to
## the corenet_unconfined_type attribute; whatever rules are
## written against that attribute elsewhere in the module then
## apply to the domain in full. This bypasses every port, node,
## interface and packet restriction the rest of this module
## provides, so it is appropriate only for domains that are
## already unconfined in other respects.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The domain allowed access.
## </summary>
## </param>
#
interface(`corenet_unconfined',`
gen_require(`
attribute corenet_unconfined_type;
')

# Attribute membership, not a direct allow: the actual permissions
# are whatever the module grants to corenet_unconfined_type.
typeattribute $1 corenet_unconfined_type;
')
|