|
Chris PeBenito |
085faa |
## <summary>Policy controlling access to network objects</summary>
|
|
Chris PeBenito |
274547 |
## <required val="true">
|
|
Chris PeBenito |
274547 |
## Contains the initial SIDs for network objects.
|
|
Chris PeBenito |
274547 |
## </required>
|
|
Chris PeBenito |
e181fe |
|
|
Chris PeBenito |
004db9 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Define type to be a network port type
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## <desc>
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## Define type to be a network port type
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
320ea9 |
## This is for supporting third party modules and its
|
|
Chris PeBenito |
320ea9 |
## use is not allowed in upstream reference policy.
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## </desc>
|
|
Chris PeBenito |
9af48e |
## <param name="domain">
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Type to be used for network ports.
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## </param>
|
|
Chris PeBenito |
9af48e |
#
|
|
Chris PeBenito |
9af48e |
interface(`corenet_port',`
|
|
Chris PeBenito |
9af48e |
gen_require(`
|
|
Chris PeBenito |
9af48e |
attribute port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
typeattribute $1 port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
########################################
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Define network type to be a reserved port (lt 1024)
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## <desc>
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## Define network type to be a reserved port (lt 1024)
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
320ea9 |
## This is for supporting third party modules and its
|
|
Chris PeBenito |
320ea9 |
## use is not allowed in upstream reference policy.
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## </desc>
|
|
Chris PeBenito |
9af48e |
## <param name="domain">
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Type to be used for network ports.
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## </param>
|
|
Chris PeBenito |
9af48e |
#
|
|
Chris PeBenito |
9af48e |
interface(`corenet_reserved_port',`
|
|
Chris PeBenito |
9af48e |
gen_require(`
|
|
Chris PeBenito |
9af48e |
attribute reserved_port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
typeattribute $1 reserved_port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
########################################
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## <desc>
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
320ea9 |
## This is for supporting third party modules and its
|
|
Chris PeBenito |
320ea9 |
## use is not allowed in upstream reference policy.
|
|
Chris PeBenito |
9af48e |
##
|
|
Chris PeBenito |
9af48e |
## </desc>
|
|
Chris PeBenito |
9af48e |
## <param name="domain">
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
9af48e |
## Type to be used for network ports.
|
|
Chris PeBenito |
9af48e |
## </summary>
|
|
Chris PeBenito |
9af48e |
## </param>
|
|
Chris PeBenito |
9af48e |
#
|
|
Chris PeBenito |
9af48e |
interface(`corenet_rpc_port',`
|
|
Chris PeBenito |
9af48e |
gen_require(`
|
|
Chris PeBenito |
9af48e |
attribute rpc_port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
typeattribute $1 rpc_port_type;
|
|
Chris PeBenito |
9af48e |
')
|
|
Chris PeBenito |
9af48e |
|
|
Chris PeBenito |
9af48e |
########################################
|
|
Chris PeBenito |
9af48e |
## <summary>
|
|
Chris PeBenito |
320ea9 |
## Define type to be a network client packet type
|
|
Chris PeBenito |
320ea9 |
## </summary>
|
|
Chris PeBenito |
320ea9 |
## <desc>
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## Define type to be a network client packet type
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## This is for supporting third party modules and its
|
|
Chris PeBenito |
320ea9 |
## use is not allowed in upstream reference policy.
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## </desc>
|
|
Chris PeBenito |
320ea9 |
## <param name="domain">
|
|
Chris PeBenito |
320ea9 |
## <summary>
|
|
Chris PeBenito |
320ea9 |
## Type to be used for a network client packet.
|
|
Chris PeBenito |
320ea9 |
## </summary>
|
|
Chris PeBenito |
320ea9 |
## </param>
|
|
Chris PeBenito |
320ea9 |
#
|
|
Chris PeBenito |
320ea9 |
interface(`corenet_client_packet',`
|
|
Chris PeBenito |
320ea9 |
gen_require(`
|
|
Chris PeBenito |
320ea9 |
attribute packet_type, client_packet_type;
|
|
Chris PeBenito |
320ea9 |
')
|
|
Chris PeBenito |
320ea9 |
|
|
Chris PeBenito |
320ea9 |
typeattribute $1 client_packet_type, packet_type;
|
|
Chris PeBenito |
320ea9 |
')
|
|
Chris PeBenito |
320ea9 |
|
|
Chris PeBenito |
320ea9 |
########################################
|
|
Chris PeBenito |
320ea9 |
## <summary>
|
|
Chris PeBenito |
320ea9 |
## Define type to be a network server packet type
|
|
Chris PeBenito |
320ea9 |
## </summary>
|
|
Chris PeBenito |
320ea9 |
## <desc>
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## Define type to be a network server packet type
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## This is for supporting third party modules and its
|
|
Chris PeBenito |
320ea9 |
## use is not allowed in upstream reference policy.
|
|
Chris PeBenito |
320ea9 |
##
|
|
Chris PeBenito |
320ea9 |
## </desc>
|
|
Chris PeBenito |
320ea9 |
## <param name="domain">
|
|
Chris PeBenito |
320ea9 |
## <summary>
|
|
Chris PeBenito |
320ea9 |
## Type to be used for a network server packet.
|
|
Chris PeBenito |
320ea9 |
## </summary>
|
|
Chris PeBenito |
320ea9 |
## </param>
|
|
Chris PeBenito |
320ea9 |
#
|
|
Chris PeBenito |
320ea9 |
interface(`corenet_server_packet',`
|
|
Chris PeBenito |
320ea9 |
gen_require(`
|
|
Chris PeBenito |
320ea9 |
attribute packet_type, server_packet_type;
|
|
Chris PeBenito |
320ea9 |
')
|
|
Chris PeBenito |
320ea9 |
|
|
Chris PeBenito |
320ea9 |
typeattribute $1 server_packet_type, packet_type;
|
|
Chris PeBenito |
320ea9 |
')
|
|
Chris PeBenito |
320ea9 |
|
|
Chris PeBenito |
320ea9 |
########################################
|
|
Chris PeBenito |
320ea9 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Send and receive TCP network traffic on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to send and receive TCP network
|
|
Chris PeBenito |
42eb0f |
## traffic on generic network interfaces.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
42eb0f |
## corenet_tcp_sendrecv_generic_node()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to connect to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:tcp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
414e41 |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_generic_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type netif_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_generic_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type netif_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_t:netif { udp_send egress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Dontaudit attempts to send UDP network traffic
|
|
Chris PeBenito |
bf469d |
## on generic interfaces.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_send_generic_if',`
|
|
Chris PeBenito |
bf469d |
gen_require(`
|
|
Chris PeBenito |
bf469d |
type netif_t;
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netif_t:netif { udp_send egress };
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_generic_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type netif_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_t:netif { udp_recv ingress };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to receive UDP network
|
|
Chris PeBenito |
bf469d |
## traffic on generic interfaces.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_receive_generic_if',`
|
|
Chris PeBenito |
bf469d |
gen_require(`
|
|
Chris PeBenito |
bf469d |
type netif_t;
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netif_t:netif { udp_recv ingress };
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Send and receive UDP network traffic on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to send and receive UDP network
|
|
Chris PeBenito |
42eb0f |
## traffic on generic network interfaces.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
42eb0f |
## corenet_udp_sendrecv_generic_node()
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to send to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:udp_socket create_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_generic_if',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_generic_if($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_generic_if($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to send and receive UDP network
|
|
Chris PeBenito |
bf469d |
## traffic on generic interfaces.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
|
|
Chris PeBenito |
bf469d |
corenet_dontaudit_udp_send_generic_if($1)
|
|
Chris PeBenito |
bf469d |
corenet_dontaudit_udp_receive_generic_if($1)
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send raw IP packets on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_send_generic_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type netif_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_t:netif { rawip_send egress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive raw IP packets on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_receive_generic_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type netif_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_t:netif { rawip_recv ingress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive raw IP packets on generic interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_sendrecv_generic_if',`
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_send_generic_if($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_receive_generic_if($1)
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow outgoing network traffic on the generic interfaces.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the outgoing network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="write" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_out_generic_if',`
|
|
Chris PeBenito |
7722c2 |
gen_require(`
|
|
Chris PeBenito |
7722c2 |
type netif_t;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
allow $1 netif_t:netif egress;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow incoming traffic on the generic interfaces.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the incoming network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_in_generic_if',`
|
|
Chris PeBenito |
7722c2 |
gen_require(`
|
|
Chris PeBenito |
7722c2 |
type netif_t;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
allow $1 netif_t:netif ingress;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow incoming and outgoing network traffic on the generic interfaces.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_inout_generic_if',`
|
|
Chris PeBenito |
7722c2 |
corenet_in_generic_if($1)
|
|
Chris PeBenito |
7722c2 |
corenet_out_generic_if($1)
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_all_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute netif_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_all_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute netif_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_type:netif { udp_send egress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_all_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute netif_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_type:netif { udp_recv ingress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_all_if',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_all_if($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_all_if($1)
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send raw IP packets on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_send_all_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute netif_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_type:netif { rawip_send egress };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive raw IP packets on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_receive_all_if',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute netif_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 netif_type:netif { rawip_recv ingress };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive raw IP packets on all interfaces.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_sendrecv_all_if',`
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_send_all_if($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_receive_all_if($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to send and receive TCP network
|
|
Chris PeBenito |
42eb0f |
## traffic to/from generic network nodes (hostnames/networks).
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
42eb0f |
## corenet_tcp_sendrecv_generic_if()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to connect to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:tcp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
|
|
Chris PeBenito |
d11566 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_t:node { udp_send sendto };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_t:node { udp_recv recvfrom };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to send and receive UDP network
|
|
Chris PeBenito |
42eb0f |
## traffic to/from generic network nodes (hostnames/networks).
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
42eb0f |
## corenet_udp_sendrecv_generic_if()
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to send to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:udp_socket create_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_generic_node',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_generic_node($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_generic_node($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send raw IP packets on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_send_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_t:node { rawip_send sendto };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive raw IP packets on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_receive_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_t:node { rawip_recv recvfrom };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive raw IP packets on generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_sendrecv_generic_node',`
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_send_generic_node($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_receive_generic_node($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Bind TCP sockets to generic nodes. This is
|
|
Chris PeBenito |
42eb0f |
## necessary for binding a socket so it
|
|
Chris PeBenito |
42eb0f |
## can be used for servers to listen
|
|
Chris PeBenito |
42eb0f |
## for incoming connections.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## corenet_udp_bind_generic_node()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="read" weight="1"/>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 node_t:tcp_socket node_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to generic nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Bind UDP sockets to generic nodes. This is
|
|
Chris PeBenito |
42eb0f |
## necessary for binding a socket so it
|
|
Chris PeBenito |
42eb0f |
## can be used for servers to listen
|
|
Chris PeBenito |
42eb0f |
## for incoming connections.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Related interface:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## corenet_tcp_bind_generic_node()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="read" weight="1"/>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_generic_node',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type node_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 node_t:udp_socket node_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
c12621 |
## Bind raw sockets to genric nodes.
|
|
Chris PeBenito |
c12621 |
## </summary>
|
|
Chris PeBenito |
c12621 |
## <param name="domain">
|
|
Chris PeBenito |
c12621 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
c12621 |
## </summary>
|
|
Chris PeBenito |
c12621 |
## </param>
|
|
Chris PeBenito |
c12621 |
# rawip_socket node_bind does not make much sense.
|
|
Chris PeBenito |
c12621 |
# cjp: vmware hits this too
|
|
Chris PeBenito |
c12621 |
interface(`corenet_raw_bind_generic_node',`
|
|
Chris PeBenito |
c12621 |
gen_require(`
|
|
Chris PeBenito |
c12621 |
type node_t;
|
|
Chris PeBenito |
c12621 |
')
|
|
Chris PeBenito |
c12621 |
|
|
Chris PeBenito |
c12621 |
allow $1 node_t:rawip_socket node_bind;
|
|
Chris PeBenito |
c12621 |
')
|
|
Chris PeBenito |
c12621 |
|
|
Chris PeBenito |
c12621 |
########################################
|
|
Chris PeBenito |
c12621 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow outgoing network traffic to generic nodes.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the outgoing network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="write" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_out_generic_node',`
|
|
Chris PeBenito |
7722c2 |
gen_require(`
|
|
Chris PeBenito |
7722c2 |
type node_t;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
allow $1 node_t:node sendto;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow incoming network traffic from generic nodes.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the incoming network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_in_generic_node',`
|
|
Chris PeBenito |
7722c2 |
gen_require(`
|
|
Chris PeBenito |
7722c2 |
type node_t;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
allow $1 node_t:node recvfrom;
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## Allow incoming and outgoing network traffic with generic nodes.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## <param name="domain">
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
7722c2 |
## The peer label of the network traffic.
|
|
Chris PeBenito |
7722c2 |
## </summary>
|
|
Chris PeBenito |
7722c2 |
## </param>
|
|
Chris PeBenito |
7722c2 |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
7722c2 |
#
|
|
Chris PeBenito |
7722c2 |
interface(`corenet_inout_generic_node',`
|
|
Chris PeBenito |
7722c2 |
corenet_in_generic_node($1)
|
|
Chris PeBenito |
7722c2 |
corenet_out_generic_node($1)
|
|
Chris PeBenito |
7722c2 |
')
|
|
Chris PeBenito |
7722c2 |
|
|
Chris PeBenito |
7722c2 |
########################################
|
|
Chris PeBenito |
7722c2 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
308baa |
allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_type:node { udp_send sendto };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to send UDP network
|
|
Chris PeBenito |
bf469d |
## traffic on any nodes.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_send_all_nodes',`
|
|
Chris PeBenito |
bf469d |
gen_require(`
|
|
Chris PeBenito |
bf469d |
attribute node_type;
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
308baa |
dontaudit $1 node_type:node { udp_send sendto };
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_type:node { udp_recv recvfrom };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to receive UDP
|
|
Chris PeBenito |
bf469d |
## network traffic on all nodes.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_receive_all_nodes',`
|
|
Chris PeBenito |
bf469d |
gen_require(`
|
|
Chris PeBenito |
bf469d |
attribute node_type;
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
308baa |
dontaudit $1 node_type:node { udp_recv recvfrom };
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_all_nodes',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_all_nodes($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_all_nodes($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to send and receive UDP
|
|
Chris PeBenito |
bf469d |
## network traffic on any nodes nodes.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
|
|
Chris PeBenito |
bf469d |
corenet_dontaudit_udp_send_all_nodes($1)
|
|
Chris PeBenito |
bf469d |
corenet_dontaudit_udp_receive_all_nodes($1)
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send raw IP packets on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_send_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_type:node { rawip_send sendto };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive raw IP packets on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_receive_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
308baa |
allow $1 node_type:node { rawip_recv recvfrom };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive raw IP packets on all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_raw_sendrecv_all_nodes',`
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_send_all_nodes($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_raw_receive_all_nodes($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 node_type:tcp_socket node_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to all nodes.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_all_nodes',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute node_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 node_type:udp_socket node_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Don Miner |
8f882f |
## Bind raw sockets to all nodes.
|
|
Don Miner |
8f882f |
## </summary>
|
|
Don Miner |
8f882f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Don Miner |
8f882f |
## </param>
|
|
Chris PeBenito |
5b7b2b |
# rawip_socket node_bind does not make much sense.
|
|
Chris PeBenito |
5b7b2b |
# cjp: vmware hits this too
|
|
Don Miner |
8f882f |
interface(`corenet_raw_bind_all_nodes',`
|
|
Don Miner |
8f882f |
gen_require(`
|
|
Don Miner |
8f882f |
attribute node_type;
|
|
Don Miner |
8f882f |
')
|
|
Don Miner |
8f882f |
|
|
Don Miner |
8f882f |
allow $1 node_type:rawip_socket node_bind;
|
|
Don Miner |
8f882f |
')
|
|
Don Miner |
8f882f |
|
|
Don Miner |
8f882f |
########################################
|
|
Don Miner |
8f882f |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_generic_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
d11566 |
allow $1 port_t:tcp_socket { send_msg recv_msg };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
9105f9 |
## Do not audit send and receive TCP network traffic on generic ports.
|
|
Chris PeBenito |
9105f9 |
## </summary>
|
|
Chris PeBenito |
9105f9 |
## <param name="domain">
|
|
Chris PeBenito |
9105f9 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
9105f9 |
## </summary>
|
|
Chris PeBenito |
9105f9 |
## </param>
|
|
Chris PeBenito |
9105f9 |
#
|
|
Chris PeBenito |
9105f9 |
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
|
|
Chris PeBenito |
9105f9 |
gen_require(`
|
|
Chris PeBenito |
9105f9 |
type port_t;
|
|
Chris PeBenito |
9105f9 |
')
|
|
Chris PeBenito |
9105f9 |
|
|
Chris PeBenito |
f8cfdd |
dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
|
|
Chris PeBenito |
9105f9 |
')
|
|
Chris PeBenito |
9105f9 |
|
|
Chris PeBenito |
9105f9 |
########################################
|
|
Chris PeBenito |
9105f9 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_generic_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_t:udp_socket send_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_generic_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_t:udp_socket recv_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_generic_port',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_generic_port($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_generic_port($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_generic_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type port_t;
|
|
Chris PeBenito |
495df4 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_t:tcp_socket name_bind;
|
|
Chris PeBenito |
495df4 |
dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
|
|
Chris PeBenito |
9105f9 |
')
|
|
Chris PeBenito |
9105f9 |
|
|
Chris PeBenito |
9105f9 |
########################################
|
|
Chris PeBenito |
9105f9 |
## <summary>
|
|
Chris PeBenito |
9105f9 |
## Do not audit bind TCP sockets to generic ports.
|
|
Chris PeBenito |
9105f9 |
## </summary>
|
|
Chris PeBenito |
9105f9 |
## <param name="domain">
|
|
Chris PeBenito |
9105f9 |
## <summary>
|
|
Chris PeBenito |
9105f9 |
## Domain to not audit.
|
|
Chris PeBenito |
9105f9 |
## </summary>
|
|
Chris PeBenito |
9105f9 |
## </param>
|
|
Chris PeBenito |
9105f9 |
#
|
|
Chris PeBenito |
9105f9 |
interface(`corenet_dontaudit_tcp_bind_generic_port',`
|
|
Chris PeBenito |
9105f9 |
gen_require(`
|
|
Chris PeBenito |
9105f9 |
type port_t;
|
|
Chris PeBenito |
9105f9 |
')
|
|
Chris PeBenito |
9105f9 |
|
|
Chris PeBenito |
9105f9 |
dontaudit $1 port_t:tcp_socket name_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to generic ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_generic_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type port_t;
|
|
Chris PeBenito |
495df4 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_t:udp_socket name_bind;
|
|
Chris PeBenito |
495df4 |
dontaudit $1 { port_type -port_t }:udp_socket name_bind;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
98a8ea |
## Connect TCP sockets to generic ports.
|
|
Chris PeBenito |
98a8ea |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## </param>
|
|
Chris PeBenito |
98a8ea |
#
|
|
Chris PeBenito |
98a8ea |
interface(`corenet_tcp_connect_generic_port',`
|
|
Chris PeBenito |
98a8ea |
gen_require(`
|
|
Chris PeBenito |
98a8ea |
type port_t;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
allow $1 port_t:tcp_socket name_connect;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
########################################
|
|
Chris PeBenito |
98a8ea |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Send and receive TCP network traffic on all ports.
|
|
Chris PeBenito |
42eb0f |
## Related interfaces:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node()
|
|
Chris PeBenito |
42eb0f |
## corenet_tcp_connect_all_ports()
|
|
Chris PeBenito |
42eb0f |
## corenet_tcp_bind_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to connect to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:tcp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_all_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
d11566 |
allow $1 port_type:tcp_socket { send_msg recv_msg };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_all_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_type:udp_socket send_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_all_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_type:udp_socket recv_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Send and receive UDP network traffic on all ports.
|
|
Chris PeBenito |
42eb0f |
## Related interfaces:
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_if()
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_node()
|
|
Chris PeBenito |
42eb0f |
## corenet_udp_bind_all_ports()
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to send to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:udp_socket create_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_udp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
42eb0f |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_all_ports',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_all_ports($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_all_ports($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_all_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
97c57a |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
d14c0e |
## Do not audit attepts to bind TCP sockets to any ports.
|
|
Chris PeBenito |
d14c0e |
## </summary>
|
|
Chris PeBenito |
d14c0e |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
d14c0e |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
d14c0e |
## </param>
|
|
Chris PeBenito |
d14c0e |
#
|
|
Chris PeBenito |
d14c0e |
interface(`corenet_dontaudit_tcp_bind_all_ports',`
|
|
Chris PeBenito |
d14c0e |
gen_require(`
|
|
Chris PeBenito |
d14c0e |
attribute port_type;
|
|
Chris PeBenito |
d14c0e |
')
|
|
Chris PeBenito |
d14c0e |
|
|
Chris PeBenito |
d14c0e |
dontaudit $1 port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
d14c0e |
')
|
|
Chris PeBenito |
d14c0e |
|
|
Chris PeBenito |
d14c0e |
########################################
|
|
Chris PeBenito |
d14c0e |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to all ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_all_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 port_type:udp_socket name_bind;
|
|
Chris PeBenito |
97c57a |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
d6d16b |
## Do not audit attepts to bind UDP sockets to any ports.
|
|
Chris PeBenito |
d6d16b |
## </summary>
|
|
Chris PeBenito |
d6d16b |
## <param name="domain">
|
|
Chris PeBenito |
d6d16b |
## <summary>
|
|
Chris PeBenito |
d6d16b |
## Domain to not audit.
|
|
Chris PeBenito |
d6d16b |
## </summary>
|
|
Chris PeBenito |
d6d16b |
## </param>
|
|
Chris PeBenito |
d6d16b |
#
|
|
Chris PeBenito |
d6d16b |
interface(`corenet_dontaudit_udp_bind_all_ports',`
|
|
Chris PeBenito |
d6d16b |
gen_require(`
|
|
Chris PeBenito |
d6d16b |
attribute port_type;
|
|
Chris PeBenito |
d6d16b |
')
|
|
Chris PeBenito |
d6d16b |
|
|
Chris PeBenito |
d6d16b |
dontaudit $1 port_type:udp_socket name_bind;
|
|
Chris PeBenito |
d6d16b |
')
|
|
Chris PeBenito |
d6d16b |
|
|
Chris PeBenito |
d6d16b |
########################################
|
|
Chris PeBenito |
d6d16b |
## <summary>
|
|
Chris PeBenito |
2705f9 |
## Connect TCP sockets to all ports.
|
|
Chris PeBenito |
2705f9 |
## </summary>
|
|
Chris PeBenito |
4a4436 |
## <desc>
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Connect TCP sockets to all ports
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Related interfaces:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports()
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_bind_all_ports()
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## Example client being able to connect to all ports over
|
|
Chris PeBenito |
4a4436 |
## generic nodes, without labeled networking:
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## allow myclient_t self:tcp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_if(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_generic_node(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_sendrecv_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_tcp_connect_all_ports(myclient_t)
|
|
Chris PeBenito |
4a4436 |
## corenet_all_recvfrom_unlabeled(myclient_t)
|
|
Chris PeBenito |
4a4436 |
##
|
|
Chris PeBenito |
4a4436 |
## </desc>
|
|
Chris PeBenito |
2705f9 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4a4436 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
2705f9 |
## </param>
|
|
Chris PeBenito |
4a4436 |
## <infoflow type="write" weight="1"/>
|
|
Chris PeBenito |
2705f9 |
#
|
|
Chris PeBenito |
2705f9 |
interface(`corenet_tcp_connect_all_ports',`
|
|
Chris PeBenito |
2705f9 |
gen_require(`
|
|
Chris PeBenito |
2705f9 |
attribute port_type;
|
|
Chris PeBenito |
2705f9 |
')
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
allow $1 port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
2705f9 |
')
|
|
Chris PeBenito |
2705f9 |
|
|
Chris PeBenito |
2705f9 |
########################################
|
|
Chris PeBenito |
2705f9 |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Do not audit attempts to connect TCP sockets
|
|
Chris PeBenito |
6b19be |
## to all ports.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Domain to not audit.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`corenet_dontaudit_tcp_connect_all_ports',`
|
|
Chris PeBenito |
6b19be |
gen_require(`
|
|
Chris PeBenito |
6b19be |
attribute port_type;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
dontaudit $1 port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_reserved_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type reserved_port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_reserved_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type reserved_port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_t:udp_socket send_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_reserved_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type reserved_port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_t:udp_socket recv_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_reserved_port',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_reserved_port($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_reserved_port($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_reserved_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type reserved_port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_t:tcp_socket name_bind;
|
|
Chris PeBenito |
d11566 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to generic reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_reserved_port',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
type reserved_port_t;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_t:udp_socket name_bind;
|
|
Chris PeBenito |
d11566 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
98a8ea |
## Connect TCP sockets to generic reserved ports.
|
|
Chris PeBenito |
98a8ea |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## </param>
|
|
Chris PeBenito |
98a8ea |
#
|
|
Chris PeBenito |
98a8ea |
interface(`corenet_tcp_connect_reserved_port',`
|
|
Chris PeBenito |
98a8ea |
gen_require(`
|
|
Chris PeBenito |
98a8ea |
type reserved_port_t;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
allow $1 reserved_port_t:tcp_socket name_connect;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
########################################
|
|
Chris PeBenito |
98a8ea |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive TCP network traffic on all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_sendrecv_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send UDP network traffic on all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_send_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_type:udp_socket send_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Receive UDP network traffic on all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_receive_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_type:udp_socket recv_msg;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Send and receive UDP network traffic on all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
d11566 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_sendrecv_all_reserved_ports',`
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_send_all_reserved_ports($1)
|
|
Chris PeBenito |
0c5a28 |
corenet_udp_receive_all_reserved_ports($1)
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind TCP sockets to all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_tcp_bind_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
d11566 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
0e730c |
')
|
|
Chris PeBenito |
0e730c |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Do not audit attempts to bind TCP sockets to all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a7ee7f |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
dontaudit $1 reserved_port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Bind UDP sockets to all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
0e730c |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_udp_bind_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
allow $1 reserved_port_type:udp_socket name_bind;
|
|
Chris PeBenito |
d11566 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
a2d824 |
')
|
|
Chris PeBenito |
a2d824 |
|
|
Chris PeBenito |
62a7b0 |
########################################
|
|
Chris PeBenito |
62a7b0 |
## <summary>
|
|
Chris PeBenito |
62a7b0 |
## Do not audit attempts to bind UDP sockets to all reserved ports.
|
|
Chris PeBenito |
62a7b0 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a7ee7f |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
62a7b0 |
## </param>
|
|
Chris PeBenito |
a2d824 |
#
|
|
Chris PeBenito |
199895 |
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
|
|
Chris PeBenito |
2ba9a7 |
gen_require(`
|
|
Chris PeBenito |
2ba9a7 |
attribute reserved_port_type;
|
|
Chris PeBenito |
2ba9a7 |
')
|
|
Chris PeBenito |
d11566 |
|
|
Chris PeBenito |
d11566 |
dontaudit $1 reserved_port_type:udp_socket name_bind;
|
|
Chris PeBenito |
a2d824 |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
########################################
|
|
Chris PeBenito |
ebdc3b |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Bind TCP sockets to all ports > 1024.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`corenet_tcp_bind_all_unreserved_ports',`
|
|
Chris PeBenito |
6b19be |
gen_require(`
|
|
Chris PeBenito |
6b19be |
attribute port_type, reserved_port_type;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Bind UDP sockets to all ports > 1024.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`corenet_udp_bind_all_unreserved_ports',`
|
|
Chris PeBenito |
6b19be |
gen_require(`
|
|
Chris PeBenito |
6b19be |
attribute port_type, reserved_port_type;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Connect TCP sockets to reserved ports.
|
|
Chris PeBenito |
e08118 |
## </summary>
|
|
Chris PeBenito |
e08118 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
e08118 |
## </param>
|
|
Chris PeBenito |
e08118 |
#
|
|
Chris PeBenito |
e08118 |
interface(`corenet_tcp_connect_all_reserved_ports',`
|
|
Chris PeBenito |
e08118 |
gen_require(`
|
|
Chris PeBenito |
e08118 |
attribute reserved_port_type;
|
|
Chris PeBenito |
e08118 |
')
|
|
Chris PeBenito |
e08118 |
|
|
Chris PeBenito |
e08118 |
allow $1 reserved_port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
e08118 |
')
|
|
Chris PeBenito |
e08118 |
|
|
Chris PeBenito |
e08118 |
########################################
|
|
Chris PeBenito |
e08118 |
## <summary>
|
|
Chris PeBenito |
a65fd9 |
## Connect TCP sockets to all ports > 1024.
|
|
Chris PeBenito |
a65fd9 |
## </summary>
|
|
Chris PeBenito |
a65fd9 |
## <param name="domain">
|
|
Chris PeBenito |
a65fd9 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
a65fd9 |
## </summary>
|
|
Chris PeBenito |
a65fd9 |
## </param>
|
|
Chris PeBenito |
a65fd9 |
#
|
|
Chris PeBenito |
a65fd9 |
interface(`corenet_tcp_connect_all_unreserved_ports',`
|
|
Chris PeBenito |
a65fd9 |
gen_require(`
|
|
Chris PeBenito |
a65fd9 |
attribute port_type, reserved_port_type;
|
|
Chris PeBenito |
a65fd9 |
')
|
|
Chris PeBenito |
a65fd9 |
|
|
Chris PeBenito |
a65fd9 |
allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
|
|
Chris PeBenito |
a65fd9 |
')
|
|
Chris PeBenito |
a65fd9 |
|
|
Chris PeBenito |
a65fd9 |
########################################
|
|
Chris PeBenito |
a65fd9 |
## <summary>
|
|
Chris PeBenito |
98a8ea |
## Do not audit attempts to connect TCP sockets
|
|
Chris PeBenito |
98a8ea |
## all reserved ports.
|
|
Chris PeBenito |
98a8ea |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
98a8ea |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## </param>
|
|
Chris PeBenito |
98a8ea |
#
|
|
Chris PeBenito |
98a8ea |
interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
|
|
Chris PeBenito |
98a8ea |
gen_require(`
|
|
Chris PeBenito |
98a8ea |
attribute reserved_port_type;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
dontaudit $1 reserved_port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
########################################
|
|
Chris PeBenito |
98a8ea |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Connect TCP sockets to rpc ports.
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## <param name="domain">
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## </param>
|
|
Chris PeBenito |
495df4 |
#
|
|
Chris PeBenito |
495df4 |
interface(`corenet_tcp_connect_all_rpc_ports',`
|
|
Chris PeBenito |
495df4 |
gen_require(`
|
|
Chris PeBenito |
495df4 |
attribute rpc_port_type;
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
495df4 |
allow $1 rpc_port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
495df4 |
########################################
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
495df4 |
## Do not audit attempts to connect TCP sockets
|
|
Chris PeBenito |
495df4 |
## all rpc ports.
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## <param name="domain">
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
495df4 |
## Domain to not audit.
|
|
Chris PeBenito |
495df4 |
## </summary>
|
|
Chris PeBenito |
495df4 |
## </param>
|
|
Chris PeBenito |
495df4 |
#
|
|
Chris PeBenito |
495df4 |
interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
|
|
Chris PeBenito |
495df4 |
gen_require(`
|
|
Chris PeBenito |
495df4 |
attribute rpc_port_type;
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
495df4 |
dontaudit $1 rpc_port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
495df4 |
')
|
|
Chris PeBenito |
495df4 |
|
|
Chris PeBenito |
495df4 |
########################################
|
|
Chris PeBenito |
495df4 |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## Read and write the TUN/TAP virtual network device.
|
|
Chris PeBenito |
ebdc3b |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## The domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## </param>
|
|
Chris PeBenito |
ebdc3b |
#
|
|
Chris PeBenito |
5b6ddb |
interface(`corenet_rw_tun_tap_dev',`
|
|
Chris PeBenito |
ebdc3b |
gen_require(`
|
|
Chris PeBenito |
ebdc3b |
type tun_tap_device_t;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
82d277 |
allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
9726b3 |
|
|
Chris PeBenito |
9726b3 |
########################################
|
|
Chris PeBenito |
9726b3 |
## <summary>
|
|
Chris PeBenito |
eeb761 |
## Do not audit attempts to read or write the TUN/TAP
|
|
Chris PeBenito |
eeb761 |
## virtual network device.
|
|
Chris PeBenito |
eeb761 |
## </summary>
|
|
Chris PeBenito |
eeb761 |
## <param name="domain">
|
|
Chris PeBenito |
eeb761 |
## <summary>
|
|
Chris PeBenito |
eeb761 |
## Domain to not audit.
|
|
Chris PeBenito |
eeb761 |
## </summary>
|
|
Chris PeBenito |
eeb761 |
## </param>
|
|
Chris PeBenito |
eeb761 |
#
|
|
Chris PeBenito |
eeb761 |
interface(`corenet_dontaudit_rw_tun_tap_dev',`
|
|
Chris PeBenito |
eeb761 |
gen_require(`
|
|
Chris PeBenito |
eeb761 |
type tun_tap_device_t;
|
|
Chris PeBenito |
eeb761 |
')
|
|
Chris PeBenito |
eeb761 |
|
|
Chris PeBenito |
eeb761 |
dontaudit $1 tun_tap_device_t:chr_file { read write };
|
|
Chris PeBenito |
eeb761 |
')
|
|
Chris PeBenito |
eeb761 |
|
|
Chris PeBenito |
eeb761 |
########################################
|
|
Chris PeBenito |
eeb761 |
## <summary>
|
|
Chris PeBenito |
a65fd9 |
## Getattr the point-to-point device.
|
|
Chris PeBenito |
a65fd9 |
## </summary>
|
|
Chris PeBenito |
a65fd9 |
## <param name="domain">
|
|
Chris PeBenito |
a65fd9 |
## <summary>
|
|
Chris PeBenito |
a65fd9 |
## The domain allowed access.
|
|
Chris PeBenito |
a65fd9 |
## </summary>
|
|
Chris PeBenito |
a65fd9 |
## </param>
|
|
Chris PeBenito |
a65fd9 |
#
|
|
Chris PeBenito |
a65fd9 |
interface(`corenet_getattr_ppp_dev',`
|
|
Chris PeBenito |
a65fd9 |
gen_require(`
|
|
Chris PeBenito |
a65fd9 |
type ppp_device_t;
|
|
Chris PeBenito |
a65fd9 |
')
|
|
Chris PeBenito |
a65fd9 |
|
|
Chris PeBenito |
a65fd9 |
allow $1 ppp_device_t:chr_file getattr;
|
|
Chris PeBenito |
a65fd9 |
')
|
|
Chris PeBenito |
a65fd9 |
|
|
Chris PeBenito |
a65fd9 |
########################################
|
|
Chris PeBenito |
a65fd9 |
## <summary>
|
|
Chris PeBenito |
e08118 |
## Read and write the point-to-point device.
|
|
Chris PeBenito |
e08118 |
## </summary>
|
|
Chris PeBenito |
e08118 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
e08118 |
## The domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
e08118 |
## </param>
|
|
Chris PeBenito |
e08118 |
#
|
|
Chris PeBenito |
5b6ddb |
interface(`corenet_rw_ppp_dev',`
|
|
Chris PeBenito |
e08118 |
gen_require(`
|
|
Chris PeBenito |
e08118 |
type ppp_device_t;
|
|
Chris PeBenito |
e08118 |
')
|
|
Chris PeBenito |
e08118 |
|
|
Chris PeBenito |
e08118 |
dev_list_all_dev_nodes($1)
|
|
Chris PeBenito |
82d277 |
allow $1 ppp_device_t:chr_file rw_chr_file_perms;
|
|
Chris PeBenito |
e08118 |
')
|
|
Chris PeBenito |
e08118 |
|
|
Chris PeBenito |
e08118 |
########################################
|
|
Chris PeBenito |
e08118 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Bind TCP sockets to all RPC ports.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## <param name="domain">
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## </param>
|
|
Chris PeBenito |
e99359 |
#
|
|
Chris PeBenito |
e99359 |
interface(`corenet_tcp_bind_all_rpc_ports',`
|
|
Chris PeBenito |
e99359 |
gen_require(`
|
|
Chris PeBenito |
e99359 |
attribute rpc_port_type;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
allow $1 rpc_port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
e99359 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
########################################
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Do not audit attempts to bind TCP sockets to all RPC ports.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## <param name="domain">
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
a7ee7f |
## Domain to not audit.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## </param>
|
|
Chris PeBenito |
e99359 |
#
|
|
Chris PeBenito |
e99359 |
interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
|
|
Chris PeBenito |
e99359 |
gen_require(`
|
|
Chris PeBenito |
e99359 |
attribute rpc_port_type;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
dontaudit $1 rpc_port_type:tcp_socket name_bind;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
########################################
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Bind UDP sockets to all RPC ports.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## <param name="domain">
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
a72e42 |
## Domain allowed access.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## </param>
|
|
Chris PeBenito |
e99359 |
#
|
|
Chris PeBenito |
e99359 |
interface(`corenet_udp_bind_all_rpc_ports',`
|
|
Chris PeBenito |
e99359 |
gen_require(`
|
|
Chris PeBenito |
e99359 |
attribute rpc_port_type;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
allow $1 rpc_port_type:udp_socket name_bind;
|
|
Chris PeBenito |
e99359 |
allow $1 self:capability net_bind_service;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
########################################
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Do not audit attempts to bind UDP sockets to all RPC ports.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## <param name="domain">
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
a7ee7f |
## Domain to not audit.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## </param>
|
|
Chris PeBenito |
e99359 |
#
|
|
Chris PeBenito |
e99359 |
interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
|
|
Chris PeBenito |
e99359 |
gen_require(`
|
|
Chris PeBenito |
e99359 |
attribute rpc_port_type;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
dontaudit $1 rpc_port_type:udp_socket name_bind;
|
|
Chris PeBenito |
e99359 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
########################################
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
a013b5 |
## Send and receive messages on a
|
|
Chris PeBenito |
a013b5 |
## non-encrypted (no IPSEC) network
|
|
Chris PeBenito |
a013b5 |
## session.
|
|
Chris PeBenito |
a013b5 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <desc>
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## Send and receive messages on a
|
|
Chris PeBenito |
190066 |
## non-encrypted (no IPSEC) network
|
|
Chris PeBenito |
190066 |
## session. (Deprecated)
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## The corenet_all_recvfrom_unlabeled() interface should be used instead
|
|
Chris PeBenito |
190066 |
## of this one.
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## </desc>
|
|
Chris PeBenito |
a013b5 |
## <param name="domain">
|
|
Chris PeBenito |
a013b5 |
## <summary>
|
|
Chris PeBenito |
a013b5 |
## Domain allowed access.
|
|
Chris PeBenito |
a013b5 |
## </summary>
|
|
Chris PeBenito |
a013b5 |
## </param>
|
|
Chris PeBenito |
a013b5 |
#
|
|
Chris PeBenito |
a013b5 |
interface(`corenet_non_ipsec_sendrecv',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
|
|
Chris PeBenito |
190066 |
corenet_all_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
a013b5 |
')
|
|
Chris PeBenito |
a013b5 |
|
|
Chris PeBenito |
a013b5 |
########################################
|
|
Chris PeBenito |
a013b5 |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Do not audit attempts to send and receive
|
|
Chris PeBenito |
bf469d |
## messages on a non-encrypted (no IPSEC) network
|
|
Chris PeBenito |
bf469d |
## session.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
190066 |
## <desc>
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## Do not audit attempts to send and receive
|
|
Chris PeBenito |
190066 |
## messages on a non-encrypted (no IPSEC) network
|
|
Chris PeBenito |
190066 |
## session.
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
|
|
Chris PeBenito |
190066 |
## used instead of this one.
|
|
Chris PeBenito |
190066 |
##
|
|
Chris PeBenito |
190066 |
## </desc>
|
|
Chris PeBenito |
bf469d |
## <param name="domain">
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
bf469d |
## Domain to not audit.
|
|
Chris PeBenito |
bf469d |
## </summary>
|
|
Chris PeBenito |
bf469d |
## </param>
|
|
Chris PeBenito |
bf469d |
#
|
|
Chris PeBenito |
bf469d |
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
|
|
Chris PeBenito |
190066 |
corenet_dontaudit_all_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
bf469d |
')
|
|
Chris PeBenito |
bf469d |
|
|
Chris PeBenito |
bf469d |
########################################
|
|
Chris PeBenito |
bf469d |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive TCP packets from a NetLabel connection.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## <param name="domain">
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
130f8a |
## Domain allowed access.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## </param>
|
|
Chris PeBenito |
130f8a |
#
|
|
Chris PeBenito |
130f8a |
interface(`corenet_tcp_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
|
|
Chris PeBenito |
190066 |
corenet_tcp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive TCP packets from a NetLabel connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_tcp_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
allow $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
allow $1 netlabel_peer_t:tcp_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive TCP packets from an unlabled connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_tcp_recvfrom_unlabeled',`
|
|
Chris PeBenito |
130f8a |
kernel_tcp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
130f8a |
')
|
|
Chris PeBenito |
130f8a |
|
|
Chris PeBenito |
130f8a |
########################################
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive TCP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## <param name="domain">
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
130f8a |
## Domain to not audit.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## </param>
|
|
Chris PeBenito |
130f8a |
#
|
|
Chris PeBenito |
130f8a |
interface(`corenet_dontaudit_tcp_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
|
|
Chris PeBenito |
190066 |
corenet_dontaudit_tcp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive TCP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive TCP packets from an unlabeled
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
|
|
Chris PeBenito |
130f8a |
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
130f8a |
')
|
|
Chris PeBenito |
130f8a |
|
|
Chris PeBenito |
130f8a |
########################################
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive UDP packets from a NetLabel connection.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## <param name="domain">
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
130f8a |
## Domain allowed access.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## </param>
|
|
Chris PeBenito |
130f8a |
#
|
|
Chris PeBenito |
130f8a |
interface(`corenet_udp_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
|
|
Chris PeBenito |
190066 |
corenet_udp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive UDP packets from a NetLabel connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_udp_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
allow $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
allow $1 netlabel_peer_t:udp_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive UDP packets from an unlabeled connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_udp_recvfrom_unlabeled',`
|
|
Chris PeBenito |
130f8a |
kernel_udp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
130f8a |
')
|
|
Chris PeBenito |
130f8a |
|
|
Chris PeBenito |
130f8a |
########################################
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive UDP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## <param name="domain">
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
130f8a |
## Domain to not audit.
|
|
Chris PeBenito |
130f8a |
## </summary>
|
|
Chris PeBenito |
130f8a |
## </param>
|
|
Chris PeBenito |
130f8a |
#
|
|
Chris PeBenito |
130f8a |
interface(`corenet_dontaudit_udp_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
|
|
Chris PeBenito |
190066 |
corenet_dontaudit_udp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive UDP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive UDP packets from an unlabeled
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
|
|
Chris PeBenito |
130f8a |
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
130f8a |
')
|
|
Chris PeBenito |
130f8a |
|
|
Chris PeBenito |
130f8a |
########################################
|
|
Chris PeBenito |
130f8a |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive Raw IP packets from a NetLabel connection.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Domain allowed access.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`corenet_raw_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
|
|
Chris PeBenito |
190066 |
corenet_raw_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive Raw IP packets from a NetLabel connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_raw_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
allow $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
allow $1 netlabel_peer_t:rawip_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive Raw IP packets from an unlabeled connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_raw_recvfrom_unlabeled',`
|
|
Chris PeBenito |
6b19be |
kernel_raw_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive Raw IP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## <param name="domain">
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
6b19be |
## Domain to not audit.
|
|
Chris PeBenito |
6b19be |
## </summary>
|
|
Chris PeBenito |
6b19be |
## </param>
|
|
Chris PeBenito |
6b19be |
#
|
|
Chris PeBenito |
6b19be |
interface(`corenet_dontaudit_raw_recv_netlabel',`
|
|
Chris PeBenito |
190066 |
refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
|
|
Chris PeBenito |
190066 |
corenet_dontaudit_raw_recvfrom_netlabel($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive Raw IP packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive Raw IP packets from an unlabeled
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
|
|
Chris PeBenito |
6b19be |
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive packets from an unlabeled connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to receive packets from an
|
|
Chris PeBenito |
42eb0f |
## unlabeled connection. On machines that do not utilize
|
|
Chris PeBenito |
42eb0f |
## labeled networking, this will be required on all
|
|
Chris PeBenito |
42eb0f |
## networking domains. On machines tha do utilize
|
|
Chris PeBenito |
42eb0f |
## labeled networking, this will be required for any
|
|
Chris PeBenito |
42eb0f |
## networking domain that is allowed to receive
|
|
Chris PeBenito |
42eb0f |
## network traffic that does not have a label.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_all_recvfrom_unlabeled',`
|
|
Chris PeBenito |
190066 |
kernel_tcp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
190066 |
kernel_udp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
190066 |
kernel_raw_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Receive packets from a NetLabel connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
42eb0f |
## <desc>
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## Allow the specified domain to receive NetLabel
|
|
Chris PeBenito |
42eb0f |
## network traffic, which utilizes the Commercial IP
|
|
Chris PeBenito |
42eb0f |
## Security Option (CIPSO) to set the MLS level
|
|
Chris PeBenito |
42eb0f |
## of the network packets. This is required for
|
|
Chris PeBenito |
42eb0f |
## all networking domains that receive NetLabel
|
|
Chris PeBenito |
42eb0f |
## network traffic.
|
|
Chris PeBenito |
42eb0f |
##
|
|
Chris PeBenito |
42eb0f |
## </desc>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
42eb0f |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_all_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
allow $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive packets from an unlabeled connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain allowed access.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_udp_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_raw_recvfrom_unlabeled($1)
|
|
Chris PeBenito |
308baa |
kernel_dontaudit_recvfrom_unlabeled_peer($1)
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
# XXX - at some point the oubound/send access check will be removed
|
|
Chris PeBenito |
190066 |
# but for right now we need to keep this in place so as not to break
|
|
Chris PeBenito |
190066 |
# older systems
|
|
Chris PeBenito |
190066 |
kernel_dontaudit_sendrecv_unlabeled_association($1)
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
190066 |
########################################
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
ff8f0a |
## Do not audit attempts to receive packets from a NetLabel
|
|
Chris PeBenito |
ff8f0a |
## connection.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## <param name="domain">
|
|
Chris PeBenito |
190066 |
## <summary>
|
|
Chris PeBenito |
190066 |
## Domain to not audit.
|
|
Chris PeBenito |
190066 |
## </summary>
|
|
Chris PeBenito |
190066 |
## </param>
|
|
Chris PeBenito |
190066 |
#
|
|
Chris PeBenito |
190066 |
interface(`corenet_dontaudit_all_recvfrom_netlabel',`
|
|
Chris PeBenito |
190066 |
gen_require(`
|
|
Chris PeBenito |
190066 |
type netlabel_peer_t;
|
|
Chris PeBenito |
190066 |
')
|
|
Chris PeBenito |
190066 |
|
|
Chris PeBenito |
308baa |
dontaudit $1 netlabel_peer_t:peer recv;
|
|
Chris PeBenito |
190066 |
dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
|
|
Chris PeBenito |
6b19be |
')
|
|
Chris PeBenito |
6b19be |
|
|
Chris PeBenito |
6b19be |
########################################
|
|
Chris PeBenito |
6b19be |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled TCP packets.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## <desc>
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled TCP packets.
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## Due to the nature of TCP, this is bidirectional.
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## </desc>
|
|
Chris PeBenito |
0b6aca |
## <param name="domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Domain allowed access.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
## <param name="peer_domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Peer domain.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
#
|
|
Chris PeBenito |
0b6aca |
interface(`corenet_tcp_recvfrom_labeled',`
|
|
Chris PeBenito |
0b6aca |
allow { $1 $2 } self:association sendto;
|
|
Chris PeBenito |
0b6aca |
allow $1 $2:{ association tcp_socket } recvfrom;
|
|
Chris PeBenito |
0b6aca |
allow $2 $1:{ association tcp_socket } recvfrom;
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
308baa |
allow $1 $2:peer recv;
|
|
Chris PeBenito |
308baa |
allow $2 $1:peer recv;
|
|
Chris PeBenito |
308baa |
|
|
Chris PeBenito |
308baa |
# allow receiving packets from MLS-only peers using NetLabel
|
|
Chris PeBenito |
0b6aca |
corenet_tcp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
0b6aca |
corenet_tcp_recvfrom_netlabel($2)
|
|
Chris PeBenito |
0b6aca |
')
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
0b6aca |
########################################
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled UDP packets.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## <param name="domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Domain allowed access.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
## <param name="peer_domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Peer domain.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
#
|
|
Chris PeBenito |
0b6aca |
interface(`corenet_udp_recvfrom_labeled',`
|
|
Chris PeBenito |
0b6aca |
allow $2 self:association sendto;
|
|
Chris PeBenito |
0b6aca |
allow $1 $2:{ association udp_socket } recvfrom;
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
308baa |
allow $1 $2:peer recv;
|
|
Chris PeBenito |
308baa |
|
|
Chris PeBenito |
308baa |
# allow receiving packets from MLS-only peers using NetLabel
|
|
Chris PeBenito |
0b6aca |
corenet_udp_recvfrom_netlabel($1)
|
|
Chris PeBenito |
0b6aca |
')
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
0b6aca |
########################################
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled raw IP packets.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## <param name="domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Domain allowed access.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
## <param name="peer_domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Peer domain.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
#
|
|
Chris PeBenito |
0b6aca |
interface(`corenet_raw_recvfrom_labeled',`
|
|
Chris PeBenito |
0b6aca |
allow $2 self:association sendto;
|
|
Chris PeBenito |
0b6aca |
allow $1 $2:{ association rawip_socket } recvfrom;
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
308baa |
allow $1 $2:peer recv;
|
|
Chris PeBenito |
308baa |
|
|
Chris PeBenito |
308baa |
# allow receiving packets from MLS-only peers using NetLabel
|
|
Chris PeBenito |
0b6aca |
corenet_raw_recvfrom_netlabel($1)
|
|
Chris PeBenito |
0b6aca |
')
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
0b6aca |
########################################
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled packets via TCP, UDP and raw IP.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## <desc>
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## Rules for receiving labeled packets via TCP, UDP and raw IP.
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## Due to the nature of TCP, the rules (for TCP
|
|
Chris PeBenito |
0b6aca |
## networking only) are bidirectional.
|
|
Chris PeBenito |
0b6aca |
##
|
|
Chris PeBenito |
0b6aca |
## </desc>
|
|
Chris PeBenito |
0b6aca |
## <param name="domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Domain allowed access.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
## <param name="peer_domain">
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
0b6aca |
## Peer domain.
|
|
Chris PeBenito |
0b6aca |
## </summary>
|
|
Chris PeBenito |
0b6aca |
## </param>
|
|
Chris PeBenito |
0b6aca |
#
|
|
Chris PeBenito |
0b6aca |
interface(`corenet_all_recvfrom_labeled',`
|
|
Chris PeBenito |
0b6aca |
corenet_tcp_recvfrom_labeled($1,$2)
|
|
Chris PeBenito |
0b6aca |
corenet_udp_recvfrom_labeled($1,$2)
|
|
Chris PeBenito |
0b6aca |
corenet_raw_recvfrom_labeled($1,$2)
|
|
Chris PeBenito |
0b6aca |
')
|
|
Chris PeBenito |
0b6aca |
|
|
Chris PeBenito |
0b6aca |
########################################
|
|
Chris PeBenito |
0b6aca |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Send generic client packets.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## <param name="domain">
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
c5657a |
## Domain allowed access.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## </param>
|
|
Chris PeBenito |
c5657a |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_send_generic_client_packets',`
|
|
Chris PeBenito |
c5657a |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type client_packet_t;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
35a4b3 |
allow $1 client_packet_t:packet send;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
c5657a |
########################################
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Receive generic client packets.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## <param name="domain">
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
c5657a |
## Domain allowed access.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## </param>
|
|
Chris PeBenito |
c5657a |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_receive_generic_client_packets',`
|
|
Chris PeBenito |
c5657a |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type client_packet_t;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
35a4b3 |
allow $1 client_packet_t:packet recv;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
c5657a |
########################################
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Send and receive generic client packets.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## <param name="domain">
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
c5657a |
## Domain allowed access.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## </param>
|
|
Chris PeBenito |
c5657a |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_sendrecv_generic_client_packets',`
|
|
Chris PeBenito |
35a4b3 |
corenet_send_generic_client_packets($1)
|
|
Chris PeBenito |
35a4b3 |
corenet_receive_generic_client_packets($1)
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
c5657a |
########################################
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Relabel packets to the generic client packet type.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## <param name="domain">
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
c5657a |
## Domain allowed access.
|
|
Chris PeBenito |
c5657a |
## </summary>
|
|
Chris PeBenito |
c5657a |
## </param>
|
|
Chris PeBenito |
c5657a |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_relabelto_generic_client_packets',`
|
|
Chris PeBenito |
c5657a |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type client_packet_t;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
35a4b3 |
allow $1 client_packet_t:packet relabelto;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
########################################
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Send generic server packets.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## <param name="domain">
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Domain allowed access.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## </param>
|
|
Chris PeBenito |
35a4b3 |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_send_generic_server_packets',`
|
|
Chris PeBenito |
35a4b3 |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type server_packet_t;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
allow $1 server_packet_t:packet send;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
########################################
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Receive generic server packets.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## <param name="domain">
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Domain allowed access.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## </param>
|
|
Chris PeBenito |
35a4b3 |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_receive_generic_server_packets',`
|
|
Chris PeBenito |
35a4b3 |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type server_packet_t;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
allow $1 server_packet_t:packet recv;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
########################################
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Send and receive generic server packets.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## <param name="domain">
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Domain allowed access.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## </param>
|
|
Chris PeBenito |
35a4b3 |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_sendrecv_generic_server_packets',`
|
|
Chris PeBenito |
35a4b3 |
corenet_send_generic_server_packets($1)
|
|
Chris PeBenito |
35a4b3 |
corenet_receive_generic_server_packets($1)
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
########################################
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Relabel packets to the generic server packet type.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## <param name="domain">
|
|
Chris PeBenito |
35a4b3 |
## <summary>
|
|
Chris PeBenito |
35a4b3 |
## Domain allowed access.
|
|
Chris PeBenito |
35a4b3 |
## </summary>
|
|
Chris PeBenito |
35a4b3 |
## </param>
|
|
Chris PeBenito |
35a4b3 |
#
|
|
Chris PeBenito |
35a4b3 |
interface(`corenet_relabelto_generic_server_packets',`
|
|
Chris PeBenito |
35a4b3 |
gen_require(`
|
|
Chris PeBenito |
35a4b3 |
type server_packet_t;
|
|
Chris PeBenito |
35a4b3 |
')
|
|
Chris PeBenito |
35a4b3 |
|
|
Chris PeBenito |
35a4b3 |
allow $1 server_packet_t:packet relabelto;
|
|
Chris PeBenito |
c5657a |
')
|
|
Chris PeBenito |
c5657a |
|
|
Chris PeBenito |
c5657a |
########################################
|
|
Chris PeBenito |
c5657a |
## <summary>
|
|
Chris PeBenito |
a013b5 |
## Send and receive unlabeled packets.
|
|
Chris PeBenito |
a013b5 |
## </summary>
|
|
Chris PeBenito |
a013b5 |
## <desc>
|
|
Chris PeBenito |
a013b5 |
##
|
|
Chris PeBenito |
a013b5 |
## Send and receive unlabeled packets.
|
|
Chris PeBenito |
a013b5 |
## These packets do not match any netfilter
|
|
Chris PeBenito |
a013b5 |
## SECMARK rules.
|
|
Chris PeBenito |
a013b5 |
##
|
|
Chris PeBenito |
a013b5 |
## </desc>
|
|
Chris PeBenito |
a013b5 |
## <param name="domain">
|
|
Chris PeBenito |
a013b5 |
## <summary>
|
|
Chris PeBenito |
a013b5 |
## Domain allowed access.
|
|
Chris PeBenito |
a013b5 |
## </summary>
|
|
Chris PeBenito |
a013b5 |
## </param>
|
|
Chris PeBenito |
a013b5 |
#
|
|
Chris PeBenito |
a013b5 |
interface(`corenet_sendrecv_unlabeled_packets',`
|
|
Chris PeBenito |
a013b5 |
kernel_sendrecv_unlabeled_packets($1)
|
|
Chris PeBenito |
a013b5 |
')
|
|
Chris PeBenito |
a013b5 |
|
|
Chris PeBenito |
a013b5 |
########################################
|
|
Chris PeBenito |
a013b5 |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Send all client packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_send_all_client_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute client_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 client_packet_type:packet send;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Receive all client packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_receive_all_client_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute client_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 client_packet_type:packet recv;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Send and receive all client packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_sendrecv_all_client_packets',`
|
|
Chris PeBenito |
2f8eec |
corenet_send_all_client_packets($1)
|
|
Chris PeBenito |
332bb3 |
corenet_receive_all_client_packets($1)
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Relabel packets to any client packet type.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_relabelto_all_client_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute client_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 client_packet_type:packet relabelto;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Send all server packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_send_all_server_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute server_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 server_packet_type:packet send;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Receive all server packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_receive_all_server_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute server_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 server_packet_type:packet recv;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Send and receive all server packets.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_sendrecv_all_server_packets',`
|
|
Chris PeBenito |
2f8eec |
corenet_send_all_server_packets($1)
|
|
Chris PeBenito |
332bb3 |
corenet_receive_all_server_packets($1)
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Relabel packets to any server packet type.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## <param name="domain">
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
2f8eec |
## Domain allowed access.
|
|
Chris PeBenito |
2f8eec |
## </summary>
|
|
Chris PeBenito |
2f8eec |
## </param>
|
|
Chris PeBenito |
2f8eec |
#
|
|
Chris PeBenito |
2f8eec |
interface(`corenet_relabelto_all_server_packets',`
|
|
Chris PeBenito |
2f8eec |
gen_require(`
|
|
Chris PeBenito |
2f8eec |
attribute server_packet_type;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
allow $1 server_packet_type:packet relabelto;
|
|
Chris PeBenito |
2f8eec |
')
|
|
Chris PeBenito |
2f8eec |
|
|
Chris PeBenito |
2f8eec |
########################################
|
|
Chris PeBenito |
2f8eec |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Send all packets.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## <param name="domain">
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Domain allowed access.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## </param>
|
|
Chris PeBenito |
e37158 |
#
|
|
Chris PeBenito |
e37158 |
interface(`corenet_send_all_packets',`
|
|
Chris PeBenito |
e37158 |
gen_require(`
|
|
Chris PeBenito |
e37158 |
attribute packet_type;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
allow $1 packet_type:packet send;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
########################################
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Receive all packets.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## <param name="domain">
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Domain allowed access.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## </param>
|
|
Chris PeBenito |
e37158 |
#
|
|
Chris PeBenito |
e37158 |
interface(`corenet_receive_all_packets',`
|
|
Chris PeBenito |
e37158 |
gen_require(`
|
|
Chris PeBenito |
e37158 |
attribute packet_type;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
allow $1 packet_type:packet recv;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
########################################
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Send and receive all packets.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## <param name="domain">
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Domain allowed access.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## </param>
|
|
Chris PeBenito |
e37158 |
#
|
|
Chris PeBenito |
e37158 |
interface(`corenet_sendrecv_all_packets',`
|
|
Chris PeBenito |
e37158 |
corenet_send_all_packets($1)
|
|
Chris PeBenito |
332bb3 |
corenet_receive_all_packets($1)
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
########################################
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Relabel packets to any packet type.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## <param name="domain">
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
e37158 |
## Domain allowed access.
|
|
Chris PeBenito |
e37158 |
## </summary>
|
|
Chris PeBenito |
e37158 |
## </param>
|
|
Chris PeBenito |
e37158 |
#
|
|
Chris PeBenito |
e37158 |
interface(`corenet_relabelto_all_packets',`
|
|
Chris PeBenito |
e37158 |
gen_require(`
|
|
Chris PeBenito |
e37158 |
attribute packet_type;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
allow $1 packet_type:packet relabelto;
|
|
Chris PeBenito |
e37158 |
')
|
|
Chris PeBenito |
e37158 |
|
|
Chris PeBenito |
e37158 |
########################################
|
|
Chris PeBenito |
e37158 |
## <summary>
|
|
Chris PeBenito |
9726b3 |
## Unconfined access to network objects.
|
|
Chris PeBenito |
9726b3 |
## </summary>
|
|
Chris PeBenito |
9726b3 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
9726b3 |
## The domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
9726b3 |
## </param>
|
|
Chris PeBenito |
9726b3 |
#
|
|
Chris PeBenito |
9726b3 |
interface(`corenet_unconfined',`
|
|
Chris PeBenito |
9726b3 |
gen_require(`
|
|
Chris PeBenito |
b518fc |
attribute corenet_unconfined_type;
|
|
Chris PeBenito |
9726b3 |
')
|
|
Chris PeBenito |
9726b3 |
|
|
Chris PeBenito |
b518fc |
typeattribute $1 corenet_unconfined_type;
|
|
Chris PeBenito |
9726b3 |
')
|