From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 03 Feb 2009 11:33:10 -0500
Subject: [refpolicy] [PATCH] network: Enable "network_peer_controls" and fix some remaining issues
In-Reply-To: <20090202222816.353506919@hp.com>
References: <20090202222816.353506919@hp.com>
Message-ID: <1233678793.5788.0.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2009-02-02 at 17:28 -0500, Paul Moore wrote:
> plain text document attachment (network-in_out_basic)
> We added the network_peer_controls capability back in Linux Kernel 2.6.25 but
> didn't activate the capability because more work was needed to ensure a smooth
> transition to the new controls. This patch enables the network_peer_controls
> capability and fixes a few remaining issues with its use. With this patch
> applied to the Fedora Rawhide SELinux policy (selinux-policy-3.6.3-12.fc11) I
> am able to interact with the machine over the network without any new AVC
> denials.

Merged, with some rearrangement. I also plan on adding similar interfaces for all netifs and all nodes, for completeness.

> Signed-off-by: Paul Moore
> ---
> policy/modules/kernel/corenetwork.if.in | 108 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 -
> policy/policy_capabilities | 2
> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,60 @@ interface(`corenet_server_packet',` > > ######################################## > ## > +## Allow outgoing network traffic on the generic interfaces. > +## > +## > +## > +## The peer label of the outgoing network traffic. > +## > +## > +## > +# > +interface(`corenet_out_generic_if',` > + gen_require(` > + type netif_t; > + ') > + > + allow $1 netif_t:netif { egress }; > +') > + > +######################################## > +## > +## Allow incoming traffic on the generic interfaces. > +## > +## > +## > +## The peer label of the incoming network traffic. > +## > +## > +## > +# > +interface(`corenet_in_generic_if',` > + gen_require(` > + type netif_t; > + ') > + > + allow $1 netif_t:netif { ingress }; > +') > + > +######################################## > +## > +## Allow incoming and outgoing network traffic on the generic interfaces. > +## > +## > +## > +## The peer label of the network traffic. > +## > +## > +## > +# > +interface(`corenet_inout_generic_if',` > + corenet_in_generic_if($1) > + corenet_out_generic_if($1) > +') > + > +######################################## > +## > ## Send and receive TCP network traffic on the generic interfaces. > ## > ## 
> @@ -435,6 +489,60 @@ interface(`corenet_raw_sendrecv_all_if', > > ######################################## > ## > +## Allow outgoing network traffic to generic nodes. > +## > +## > +## > +## The peer label of the outgoing network traffic. > +## > +## > +## > +# > +interface(`corenet_out_generic_node',` > + gen_require(` > + type node_t; > + ') > + > + allow $1 node_t:node { sendto }; > +') > + > +######################################## > +## > +## Allow incoming network traffic from generic nodes. > +## > +## > +## > +## The peer label of the incoming network traffic. > +## > +## > +## > +# > +interface(`corenet_in_generic_node',` > + gen_require(` > + type node_t; > + ') > + > + allow $1 node_t:node { recvfrom }; > +') > + > +######################################## > +## > +## Allow incoming and outgoing network traffic with generic nodes. > +## > +## > +## > +## The peer label of the network traffic. > +## > +## > +## > +# > +interface(`corenet_inout_generic_node',` > + corenet_in_generic_node($1) > + corenet_out_generic_node($1) > +') > + > +######################################## > +## > ## Send and receive TCP network traffic on generic nodes. > ## > ## > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te > =================================================================== > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te 
> @@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton; > # connections with invalidated labels: > allow kernel_t unlabeled_t:packet send; > > -# Forwarded network traffic > +# Allow unlabeled network traffic > allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; > +corenet_in_generic_if(unlabeled_t) > +corenet_in_generic_node(unlabeled_t) > > corenet_all_recvfrom_unlabeled(kernel_t) > corenet_all_recvfrom_netlabel(kernel_t) > Index: refpolicy_svn_repo/policy/policy_capabilities > =================================================================== > --- refpolicy_svn_repo.orig/policy/policy_capabilities > +++ refpolicy_svn_repo/policy/policy_capabilities > @@ -17,7 +17,7 @@ > # netif: ingress egress > # peer: recv > # > -#policycap network_peer_controls; > +policycap network_peer_controls; > > # Enable additional access controls for opening > # a file (and similar objects). > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
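Review bot: in both corenetwork.if.in hunks the single-permission rules are written with braces, `allow $1 netif_t:netif { egress };`, `allow $1 netif_t:netif { ingress };`, `allow $1 node_t:node { sendto };` and `allow $1 node_t:node { recvfrom };`; refpolicy writes a lone permission bare (`allow $1 netif_t:netif egress;`), so the braces should be dropped when the interfaces are rearranged on merge. The new interfaces also cover only the generic netif_t and node_t, while the neighbouring `corenet_raw_sendrecv_all_if` family has all_if/all_node counterparts; the reply above already plans those, so the gap should be noted in the changelog so callers do not mistake the generic interfaces for the full set.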
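Review bot: the kernel.te hunk broadens the comment from "Forwarded network traffic" to "Allow unlabeled network traffic" and keeps `forward_out` for unlabeled_t, yet only the inbound halves, `corenet_in_generic_if(unlabeled_t)` and `corenet_in_generic_node(unlabeled_t)`, are added. If forwarded unlabeled traffic is also subject to the egress/sendto side of the new controls, the matching calls are the `corenet_inout_generic_if`/`corenet_inout_generic_node` interfaces this same patch introduces; if inbound-only is intentional, the comment should say so (e.g. "# Allow incoming unlabeled network traffic"), because the commit message only reports testing interaction with the machine, not forwarding through it, so an outbound denial on a router would not have shown up in that test.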
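Review bot: uncommenting `policycap network_peer_controls;` in policy_capabilities switches the new netif ingress/egress and peer recv checks (listed in the comment block just above the line) on for every build of the policy, not only the selinux-policy-3.6.3-12.fc11 build named in the commit message, and the message itself states the capability only exists from kernel 2.6.25 on. A short note beside the policycap line or in the changelog recording that minimum kernel, and that AVC denials naming `netif { ingress egress }` or `node { recvfrom sendto }` stem from this switch, would make the change easier to trace when other distributions pick it up.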