From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 03 Feb 2009 11:33:10 -0500
Subject: [refpolicy] [PATCH] network: Enable "network_peer_controls" and
 fix some remaining issues
In-Reply-To: <20090202222816.353506919@hp.com>
References: <20090202222816.353506919@hp.com>
Message-ID: <1233678793.5788.0.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2009-02-02 at 17:28 -0500, Paul Moore wrote:
> plain text document attachment (network-in_out_basic)
> We added the network_peer_controls capability back in Linux Kernel 2.6.25 but
> didn't activate the capability because more work was needed to ensure a smooth
> transition to the new controls.  This patch enables the network_peer_controls
> capability and fixes a few remaining issues with its use.  With this patch
> applied to the Fedora Rawhide SELinux policy (selinux-policy-3.6.3-12.fc11) I
> am able to interact with the machine over the network without any new AVC
> denials.

Merged, with some rearrangement.  I also plan on adding similar
interfaces for all netifs and all nodes, for completeness.

> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  policy/modules/kernel/corenetwork.if.in |  108 ++++++++++++++++++++++++++++++++
>  policy/modules/kernel/kernel.te         |    4 -
>  policy/policy_capabilities              |    2 
>  3 files changed, 112 insertions(+), 2 deletions(-)
> 
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,60 @@ interface(`corenet_server_packet',`
>  
>  ########################################
>  ## <summary>
> +##	Allow outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the outgoing network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_if',`
> +	gen_require(`
> +		type netif_t;
> +	')
> +
> +	allow $1 netif_t:netif { egress };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow incoming traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the incoming network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_if',`
> +	gen_require(`
> +		type netif_t;
> +	')
> +
> +	allow $1 netif_t:netif { ingress };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow incoming and outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_if',`
> +	corenet_in_generic_if($1)
> +	corenet_out_generic_if($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive TCP network traffic on the generic interfaces.
>  ## </summary>
>  ## <param name="domain">
> @@ -435,6 +489,60 @@ interface(`corenet_raw_sendrecv_all_if',
>  
>  ########################################
>  ## <summary>
> +##	Allow outgoing network traffic to generic nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the outgoing network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_node',`
> +	gen_require(`
> +		type node_t;
> +	')
> +
> +	allow $1 node_t:node { sendto };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow incoming network traffic from generic nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the incoming network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_node',`
> +	gen_require(`
> +		type node_t;
> +	')
> +
> +	allow $1 node_t:node { recvfrom };
> +')
> +
> +########################################
> +## <summary>
> +##	Allow incoming and outgoing network traffic with generic nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The peer label of the network traffic.
> +##	</summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_node',`
> +	corenet_in_generic_node($1)
> +	corenet_out_generic_node($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive TCP network traffic on generic nodes.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> @@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
>  # connections with invalidated labels:
>  allow kernel_t unlabeled_t:packet send;
>  
> -# Forwarded network traffic
> +# Allow unlabeled network traffic
>  allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> +corenet_in_generic_if(unlabeled_t)
> +corenet_in_generic_node(unlabeled_t)
>  
>  corenet_all_recvfrom_unlabeled(kernel_t)
>  corenet_all_recvfrom_netlabel(kernel_t)
> Index: refpolicy_svn_repo/policy/policy_capabilities
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/policy_capabilities
> +++ refpolicy_svn_repo/policy/policy_capabilities
> @@ -17,7 +17,7 @@
>  # netif: ingress egress
>  # peer: recv
>  #
> -#policycap network_peer_controls;
> +policycap network_peer_controls;
>  
>  # Enable additional access controls for opening
>  # a file (and similar objects).
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150