From: paul.moore@hp.com (Paul Moore)
Date: Mon, 8 Dec 2008 15:41:08 -0500
Subject: [refpolicy] [RFC PATCH v1] network: Enable "network_peer_controls" and fix some remaining issues
In-Reply-To: <20081208195409.080889391@flek.lan>
References: <20081208195409.080889391@flek.lan>
Message-ID: <200812081541.08269.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday 08 December 2008 2:53:59 pm paul.moore at hp.com wrote:
> We added the network_peer_controls capability back in Linux Kernel
> 2.6.25 but didn't activate the capability because more work needed
> to be done to ensure a smooth transition to the new controls. This
> patch enables the network_peer_controls capability and fixes a few
> remaining issues. With this patch applied to the current Fedora
> Rawhide SELinux policy (selinux-policy-3.6.1-4.fc11) I am able to
> interact with the machine over the network without any new AVC denials.
>
> Signed-off-by: Paul Moore
> ---
> policy/modules/kernel/corenetwork.if.in | 120 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 -
> policy/policy_capabilities | 2
> 3 files changed, 124 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,66 @@ interface(`corenet_server_packet',` > > ######################################## > ## > +## Allow outgoing network traffic on the generic interfaces. > +## > +## > +## > +## The peer label of the outgoing network traffic. > +## > +## > +## > +# > +interface(`corenet_out_generic_if',` > + gen_require(` > + type netif_t; > + ') > + > + allow $1 netif_t:netif { egress }; > + > + # XXX - legacy support > + allow $1 netif_t:netif { tcp_send udp_send rawip_send }; > +') I wanted to ask everyone's opinion on replacing the protocol specific corenet_*_if() macros with the more generic versions in this patch. I'm not convinced that distinguishing between protocols, i.e. UDP vs TCP, is all that useful in a general sense and only adds complexity to the policy. If people really wanted separation between protocols they could always accomplish that with Secmark ... Thoughts? -- paul moore linux @ hp
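Review bot: the "XXX - legacy support" rule at the end of the new corenet_out_generic_if body re-grants the protocol-specific tcp_send udp_send rawip_send netif permissions inside an interface whose whole point is to be protocol-generic, and the comment gives no condition for removing it. Since this same patch turns network_peer_controls on, the comment should say which case still depends on the old permissions (policy loaded on a kernel older than 2.6.25 that does not know the capability, per the commit message) so the rule can be dropped once that case is gone; otherwise the generic interface just grows back into the per-protocol one it is meant to replace.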
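The Secmark-based protocol separation mentioned in the reply, as an added illustration that is not part of this mail or of refpolicy: the domain myapp_t, the two packet types and the iptables rules are constructed names, and the example assumes refpolicy's corenet_packet() interface for declaring packet types.

```selinux
# Added example (not from the mail or refpolicy): keep the netif side
# generic (egress/ingress) and do the UDP-vs-TCP split with SECMARK
# packet labels instead of per-protocol corenet_*_if() macros.
# Assumes a domain myapp_t declared elsewhere and refpolicy's
# corenet_packet() interface; every type name here is constructed.
policy_module(myapp_secmark_example, 1.0)

gen_require(`
	type myapp_t;
')

# One packet type per protocol we want to tell apart.
type myapp_udp_packet_t;
corenet_packet(myapp_udp_packet_t)

type myapp_tcp_packet_t;
corenet_packet(myapp_tcp_packet_t)

# myapp_t may send and receive only packets carrying the UDP label.
# No rule is given for myapp_tcp_packet_t, so TCP traffic from or to
# myapp_t is refused at the packet class even though the netif rules
# granted by corenet_out_generic_if() stay protocol-neutral.
allow myapp_t myapp_udp_packet_t:packet { send recv };

# The labels themselves are attached by netfilter, outside the policy:
#   iptables -t mangle -A OUTPUT -p udp \
#     -j SECMARK --selctx system_u:object_r:myapp_udp_packet_t:s0
#   iptables -t mangle -A OUTPUT -p tcp \
#     -j SECMARK --selctx system_u:object_r:myapp_tcp_packet_t:s0
#   iptables -t mangle -A OUTPUT -j CONNSECMARK --save
#   iptables -t mangle -A INPUT  -j CONNSECMARK --restore
# A violation is logged as an AVC on tclass=packet naming the packet
# type, so per-protocol denials remain visible in the audit log.
```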