From: paul.moore@hp.com (Paul Moore)
Date: Mon, 8 Dec 2008 15:41:08 -0500
Subject: [refpolicy] [RFC PATCH v1] network: Enable
	"network_peer_controls" and fix some remaining issues
In-Reply-To: <20081208195409.080889391@flek.lan>
References: <20081208195409.080889391@flek.lan>
Message-ID: <200812081541.08269.paul.moore@hp.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Monday 08 December 2008 2:53:59 pm paul.moore at hp.com wrote:
> We added the network_peer_controls capability back in Linux Kernel
> 2.6.25 but didn't activate the capabilitiy because more work needed
> to be done to ensure a smooth transition to the new controls.  This
> patch enables the network_peer_controls capability and fixes a few
> remaining issues.  With this patch applied to the current Fedora
> Rawhide SELinux policy
> (selinux-policy-3.6.1-4.fc11) I am able to interact with the machine
> over the network without any new AVC denials.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  policy/modules/kernel/corenetwork.if.in |  120
> ++++++++++++++++++++++++++++++++ policy/modules/kernel/kernel.te     
>    |    4 -
>  policy/policy_capabilities              |    2
>  3 files changed, 124 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,66 @@ interface(`corenet_server_packet',`
>
>  ########################################
>  ## <summary>
> +##	Allow outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the outgoing network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_if',`
> +	gen_require(`
> +		type netif_t;
> +	')
> +
> +	allow $1 netif_t:netif { egress };
> +
> +	# XXX - legacy support
> +	allow $1 netif_t:netif { tcp_send udp_send rawip_send };
> +')

I wanted to ask everyone's opinion on replacing the protocol specific 
corenet_*_if() macros with the more generic versions in this patch.  
I'm not convinced that distinguishing between protocols, i.e. UDP vs 
TCP, is all that useful in a general sense and only adds complexity to 
the policy.  If people really wanted separation between protocols they 
could always accomplish that with Secmark ... Thoughts?

-- 
paul moore
linux @ hp