From: russell@coker.com.au (Russell Coker) Date: Sun, 31 Jul 2016 19:16:36 +1000 Subject: [refpolicy] [PATCH] user_udp_server tunable Message-ID: <20160731091636.65wrisq6dzzlyk26@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch adds a tunable user_udp_server for the user domains to run UDP services. diff -ruN /home/rjc/src/pol-git/policy/global_tunables ./policy/global_tunables --- /home/rjc/src/pol-git/policy/global_tunables 2016-07-28 20:33:39.955961513 +1000 +++ ./policy/global_tunables 2016-07-31 19:11:45.577569083 +1000 @@ -111,3 +111,11 @@ ##

## gen_tunable(user_tcp_server,false) + +## +##

+## Allow users to run UDP servers (bind to ports and accept connection from +## the same domain and outside users) +##

+##
+gen_tunable(user_udp_server,false) diff -ruN /home/rjc/src/pol-git/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if --- /home/rjc/src/pol-git/policy/modules/system/userdomain.if 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/modules/system/userdomain.if 2016-07-31 19:11:45.577569083 +1000 @@ -1041,6 +1041,13 @@ corenet_tcp_bind_generic_port($1_t) ') + # Allow users to run UDP servers (bind to ports and accept connection from + # the same domain and outside users) + tunable_policy(`user_udp_server',` + corenet_udp_bind_generic_node($1_t) + corenet_udp_bind_generic_port($1_t) + ') + optional_policy(` netutils_run_ping_cond($1_t, $1_r) netutils_run_traceroute_cond($1_t, $1_r)
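Review bot: In the global_tunables hunk the new description says the tunable lets users "bind to ports and accept connection from the same domain and outside users", which is the TCP wording carried over from user_tcp_server; UDP has no connections, so the text misdescribes what corenet_udp_bind_generic_node/corenet_udp_bind_generic_port actually grant. Suggest rewording the `##` lines to something like "Allow users to run UDP servers (bind to generic ports and receive datagrams from the same domain and from remote peers)", and keep the description in the same `<desc>`/`<p>` layout as the user_tcp_server entry immediately above it so the tunable shows up correctly in the generated documentation.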
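Review bot: In the userdomain.if hunk the new tunable_policy block only adds the two bind permissions (corenet_udp_bind_generic_node and corenet_udp_bind_generic_port); before merging, confirm that $1_t already receives the matching corenet_udp_sendrecv_* permissions from the basic networking template in the same file, since binding alone does not let a service receive or answer datagrams, and if it does not, the sendrecv calls belong inside this same `tunable_policy(`user_udp_server',` block. The four-line comment above the block also repeats the "accept connection" wording that does not apply to UDP; trimming it to a one-line reference to the tunable, with the accurate description kept in global_tunables, avoids maintaining two copies of the text.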