From bc1fbab472c71c160ff260839f4ce21e14333a6b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jun 17 2005 18:59:34 +0000 Subject: interface review, and remove net_raw from raw node sends. only give capability for raw send on an interface --- diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4 index d4a71be..682f22c 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if.m4 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4 @@ -17,17 +17,14 @@ define(`create_netif_interfaces',`` ## # define(`corenet_tcp_sendrecv_$1',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_netif_t; + class netif { tcp_send tcp_recv }; + ') allow dollarsone $1_netif_t:netif { tcp_send tcp_recv }; ') -define(`corenet_tcp_sendrecv_$1_depend',` - type $1_netif_t; - - class netif { tcp_send tcp_recv }; -') - ######################################## ## ## @@ -40,17 +37,14 @@ define(`corenet_tcp_sendrecv_$1_depend',` ## # define(`corenet_udp_send_$1',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_netif_t; + class netif udp_send; + ') allow dollarsone $1_netif_t:netif udp_send; ') -define(`corenet_udp_send_$1_depend',` - type $1_netif_t; - - class netif udp_send; -') - ######################################## ## ## @@ -63,17 +57,14 @@ define(`corenet_udp_send_$1_depend',` ## # define(`corenet_udp_receive_$1',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_netif_t; + class netif udp_recv; + ') allow dollarsone $1_netif_t:netif udp_recv; ') -define(`corenet_udp_receive_$1_depend',` - type $1_netif_t; - - class netif udp_recv; -') - ######################################## ## ## 
@@ -102,19 +93,16 @@ define(`corenet_udp_sendrecv_$1',` ## # define(`corenet_raw_send_$1',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_netif_t; + class netif rawip_send; + class capability net_raw; + ') allow dollarsone $1_netif_t:netif rawip_send; allow dollarsone self:capability net_raw; ') -define(`corenet_raw_send_$1_depend',` - type $1_netif_t; - - class netif rawip_send; - class capability net_raw; -') - ######################################## ## ## @@ -127,17 +115,14 @@ define(`corenet_raw_send_$1_depend',` ## # define(`corenet_raw_receive_$1',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_netif_t; + class netif rawip_recv; + ') allow dollarsone $1_netif_t:netif rawip_recv; ') -define(`corenet_raw_receive_$1_depend',` - type $1_netif_t; - - class netif rawip_recv; -') - ######################################## ## ## @@ -174,17 +159,14 @@ define(`create_node_interfaces',`` ## # define(`corenet_tcp_sendrecv_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class node { tcp_send tcp_recv }; + ') allow dollarsone $1_node_t:node { tcp_send tcp_recv }; ') -define(`corenet_tcp_sendrecv_$1_node_depend',` - type $1_node_t; - - class node { tcp_send tcp_recv }; -') - ######################################## ## ## @@ -197,17 +179,14 @@ define(`corenet_tcp_sendrecv_$1_node_depend',` ## # define(`corenet_udp_send_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class node udp_send; + ') allow dollarsone $1_node_t:node udp_send; ') -define(`corenet_udp_send_$1_node_depend',` - type $1_node_t; - - class node udp_send; -') - ######################################## ## ## 
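Review bot: `corenet_raw_send_$1` still carries `allow dollarsone self:capability net_raw;`, and nothing in the `##` description visible in this hunk tells a caller that the interface grants a capability as well as the netif permission. The grant is on `self`, so it is not scoped to `$1_netif_t`: a domain that calls the macro for a single interface holds net_raw for the whole process. Since the `@@ -259,17 +235,12 @@` hunk removes the same grant from the node variant, this macro becomes the one place in the diff where the capability is handed out. I would add a description line such as `## Also grants the net_raw capability to the calling domain.`, or move the grant into its own interface so it appears explicitly in each caller's policy and is easy to audit.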
@@ -220,17 +199,14 @@ define(`corenet_udp_send_$1_node_depend',` ## # define(`corenet_udp_receive_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class node udp_recv; + ') allow dollarsone $1_node_t:node udp_recv; ') -define(`corenet_udp_receive_$1_node_depend',` - type $1_node_t; - - class node udp_recv; -') - ######################################## ## ## @@ -259,17 +235,12 @@ define(`corenet_udp_sendrecv_$1_node',` ## # define(`corenet_raw_send_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class node rawip_send; + ') allow dollarsone $1_node_t:node rawip_send; - allow dollarsone self:capability net_raw; -') - -define(`corenet_raw_send_$1_node_depend',` - type $1_node_t; - - class node rawip_send; - class capability net_raw; ') ######################################## @@ -284,17 +255,14 @@ define(`corenet_raw_send_$1_node_depend',` ## # define(`corenet_raw_receive_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class node rawip_recv; + ') allow dollarsone $1_node_t:node rawip_recv; ') -define(`corenet_raw_receive_$1_node_depend',` - type $1_node_t; - - class node rawip_recv; -') - ######################################## ## ## @@ -323,17 +291,14 @@ define(`corenet_raw_sendrecv_$1_node',` ## # define(`corenet_tcp_bind_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class tcp_socket node_bind; + ') allow dollarsone $1_node_t:tcp_socket node_bind; ') -define(`corenet_tcp_bind_$1_node_depend',` - type $1_node_t; - - class tcp_socket node_bind; -') - ######################################## ## ## 
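Review bot: Domains that obtained `net_raw` only through `corenet_raw_send_$1_node` (directly, or presumably through `corenet_raw_sendrecv_$1_node`, which is named in a later hunk header) lose it after the `@@ -259,17 +235,12 @@` hunk, and no caller updates are visible in this part of the diff. The policy would still build; the effect would only show up at run time as capability denials in the audit log. It is worth checking each caller of the node raw-send interfaces for a matching netif raw-send call before merging. A description line such as `## Does not grant net_raw; use the netif raw send interface for that.` would make the new contract explicit.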
@@ -346,16 +311,13 @@ define(`corenet_tcp_bind_$1_node_depend',` ## # define(`corenet_udp_bind_$1_node',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_node_t; + class udp_socket node_bind; + ') allow dollarsone $1_node_t:udp_socket node_bind; ') - -define(`corenet_udp_bind_$1_node_depend',` - type $1_node_t; - - class udp_socket node_bind; -') '') dnl end create_node_interfaces ######################################## @@ -377,17 +339,14 @@ define(`create_port_interfaces',`` ## # define(`corenet_tcp_sendrecv_$1_port',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_port_t; + class tcp_socket { send_msg recv_msg }; + ') allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg }; ') -define(`corenet_tcp_sendrecv_$1_port_depend',` - type $1_port_t; - - class tcp_socket { send_msg recv_msg }; -') - ######################################## ## ## @@ -400,17 +359,14 @@ define(`corenet_tcp_sendrecv_$1_port_depend',` ## # define(`corenet_udp_send_$1_port',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_port_t; + class udp_socket send_msg; + ') allow dollarsone $1_port_t:udp_socket send_msg; ') -define(`corenet_udp_send_$1_port_depend',` - type $1_port_t; - - class udp_socket send_msg; -') - ######################################## ## ## @@ -423,17 +379,14 @@ define(`corenet_udp_send_$1_port_depend',` ## # define(`corenet_udp_receive_$1_port',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_port_t; + class udp_socket recv_msg; + ') allow dollarsone $1_port_t:udp_socket recv_msg; ') -define(`corenet_udp_receive_$1_port_depend',` - type $1_port_t; - - class udp_socket recv_msg; -') - ######################################## ## ## 
@@ -462,18 +415,15 @@ define(`corenet_udp_sendrecv_$1_port',` ## # define(`corenet_tcp_bind_$1_port',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_port_t; + class tcp_socket name_bind; + $3 + ') allow dollarsone $1_port_t:tcp_socket name_bind; $2 ') -define(`corenet_tcp_bind_$1_port_depend',` - type $1_port_t; - - class tcp_socket name_bind; - $3 -') - ######################################## ## ## @@ -486,18 +436,15 @@ define(`corenet_tcp_bind_$1_port_depend',` ## # define(`corenet_udp_bind_$1_port',` - gen_require(`dollarszero'_depend) + gen_require(` + type $1_port_t; + class udp_socket name_bind; + $3 + ') allow dollarsone $1_port_t:udp_socket name_bind; $2 ') - -define(`corenet_udp_bind_$1_port_depend',` - type $1_port_t; - - class udp_socket name_bind; - $3 -') '') dnl end create_port_interfaces #
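Review bot: In `corenet_tcp_bind_$1_port` the third macro argument is now expanded verbatim inside `gen_require` and the second one verbatim after the `allow` rule, but neither is documented in the hunk. What a caller of the generated interface is granted beyond `name_bind` therefore cannot be read from this definition. Whatever rules arrive through the second argument (presumably extras such as a capability grant) need their classes and permissions declared through the third, and nothing here enforces that pairing. I would add a comment above the define, worded without the literal argument references so m4 does not expand them, e.g. `# second argument: extra allow rules for this port; third argument: the require statements those rules need`. The same applies to `corenet_udp_bind_$1_port` in the `@@ -486,18 +436,15 @@` hunk.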