An embedded and charset-unspecified text was scrubbed...
Name: network-in_out_basic
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090202/75eea9a7/attachment.pl
On Mon, 2009-02-02 at 17:28 -0500, Paul Moore wrote:
> plain text document attachment (network-in_out_basic)
> We added the network_peer_controls capability back in Linux Kernel 2.6.25 but
> didn't activate the capability because more work was needed to ensure a smooth
> transition to the new controls. This patch enables the network_peer_controls
> capability and fixes a few remaining issues with its use. With this patch
> applied to the Fedora Rawhide SELinux policy (selinux-policy-3.6.3-12.fc11) I
> am able to interact with the machine over the network without any new AVC
> denials.
Merged, with some rearrangement. I also plan on adding similar
interfaces for all netifs and all nodes, for completeness.
> Signed-off-by: Paul Moore <[email protected]>
> ---
> policy/modules/kernel/corenetwork.if.in | 108 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 -
> policy/policy_capabilities | 2
> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,60 @@ interface(`corenet_server_packet',`
>
> ########################################
> ## <summary>
> +## Allow outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the outgoing network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_if',`
> + gen_require(`
> + type netif_t;
> + ')
> +
> + allow $1 netif_t:netif { egress };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the incoming network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_if',`
> + gen_require(`
> + type netif_t;
> + ')
> +
> + allow $1 netif_t:netif { ingress };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming and outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_if',`
> + corenet_in_generic_if($1)
> + corenet_out_generic_if($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive TCP network traffic on the generic interfaces.
> ## </summary>
> ## <param name="domain">
> @@ -435,6 +489,60 @@ interface(`corenet_raw_sendrecv_all_if',
>
> ########################################
> ## <summary>
> +## Allow outgoing network traffic to generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the outgoing network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_node',`
> + gen_require(`
> + type node_t;
> + ')
> +
> + allow $1 node_t:node { sendto };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming network traffic from generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the incoming network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_node',`
> + gen_require(`
> + type node_t;
> + ')
> +
> + allow $1 node_t:node { recvfrom };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming and outgoing network traffic with generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_node',`
> + corenet_in_generic_node($1)
> + corenet_out_generic_node($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive TCP network traffic on generic nodes.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> @@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> -# Forwarded network traffic
> +# Allow unlabeled network traffic
> allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> +corenet_in_generic_if(unlabeled_t)
> +corenet_in_generic_node(unlabeled_t)
>
> corenet_all_recvfrom_unlabeled(kernel_t)
> corenet_all_recvfrom_netlabel(kernel_t)
> Index: refpolicy_svn_repo/policy/policy_capabilities
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/policy_capabilities
> +++ refpolicy_svn_repo/policy/policy_capabilities
> @@ -17,7 +17,7 @@
> # netif: ingress egress
> # peer: recv
> #
> -#policycap network_peer_controls;
> +policycap network_peer_controls;
>
> # Enable additional access controls for opening
> # a file (and similar objects).
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On Tuesday 03 February 2009 11:33:10 am Christopher J. PeBenito wrote:
> On Mon, 2009-02-02 at 17:28 -0500, Paul Moore wrote:
> > plain text document attachment (network-in_out_basic)
> > We added the network_peer_controls capability back in Linux Kernel
> > 2.6.25 but didn't activate the capability because more work was
> > needed to ensure a smooth transition to the new controls. This
> > patch enables the network_peer_controls capability and fixes a few
> > remaining issues with its use. With this patch applied to the
> > Fedora Rawhide SELinux policy (selinux-policy-3.6.3-12.fc11) I am
> > able to interact with the machine over the network without any new
> > AVC denials.
>
> Merged, with some rearrangement. I also plan on adding similar
> interfaces for all netifs and all nodes, for completeness.
Okay thanks.
--
paul moore
linux @ hp