diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if index e839ba2..670c3f0 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if +++ b/refpolicy/policy/modules/kernel/corenetwork.if @@ -1,4 +1,6 @@ # Copyright (C) 2005 Tresys Technology, LLC +## +## Policy controlling access to network objects ####################################### # @@ -804,9 +806,17 @@ define(`devices_make_device_node',`dnl') ######################################## define(`create_netif_interfaces',`` -####################################### -# -# corenetwork_network_tcp_on_$1_interface(domain) + +######################################## +## +## +## Send and receive TCP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_tcp_on_$1_interface',` requires_block_template(`dollarszero'_depend) @@ -818,27 +828,48 @@ type $1_netif_t; class netif { tcp_send tcp_recv }; ') -####################################### -# -# corenetwork_network_udp_on_$1_interface(domain) +######################################## +## +## +## Send and receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_udp_on_$1_interface',` corenetwork_send_udp_on_$1_interface(dollarsone,dollarstwo) corenetwork_receive_udp_on_$1_interface(dollarsone,dollarstwo) ') -####################################### -# -# corenetwork_network_raw_on_$1_interface(domain) +######################################## +## +## +## Send and receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_raw_on_$1_interface',` corenetwork_send_raw_on_$1_interface(dollarsone,dollarstwo) corenetwork_receive_raw_on_$1_interface(dollarsone,dollarstwo) ') -####################################### -# -# corenetwork_send_udp_on_$1_interface(domain) +######################################## +## +## +## Send UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_send_udp_on_$1_interface',` requires_block_template(`dollarszero'_depend) @@ -850,9 +881,16 @@ type $1_netif_t; class netif udp_send; ') -####################################### -# -# corenetwork_receive_udp_on_$1_interface(domain) +######################################## +## +## +## Receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_receive_udp_on_$1_interface',` requires_block_template(`dollarszero'_depend) @@ -864,9 +902,16 @@ type $1_netif_t; class netif udp_recv; ') -####################################### -# -# corenetwork_send_raw_on_$1_interface(domain) +######################################## +## +## +## Send raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_send_raw_on_$1_interface',` requires_block_template(`dollarszero'_depend) @@ -880,9 +925,16 @@ class netif rawip_send; class capability net_raw; ') -####################################### -# -# corenetwork_receive_raw_on_$1_interface(domain) +######################################## +## +## +## Receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_receive_raw_on_$1_interface',` requires_block_template(`dollarszero'_depend) @@ -902,9 +954,16 @@ class netif rawip_recv; ######################################## define(`create_node_interfaces',`` -####################################### -# -# corenetwork_network_tcp_on_$1_node(domain) +######################################## +## +## +## Send and receive TCP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_tcp_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -916,27 +975,48 @@ type $1_node_t; class node { tcp_send tcp_recv }; ') -####################################### -# -# corenetwork_network_udp_on_$1_node(domain) +######################################## +## +## +## Send and receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_udp_on_$1_node',` corenetwork_send_udp_on_$1_node(dollarsone) corenetwork_receive_udp_on_$1_node(dollarsone) ') -####################################### -# -# corenetwork_network_raw_on_$1_node(domain) +######################################## +## +## +## Send and receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_raw_on_$1_node',` corenetwork_send_raw_on_$1_node(dollarsone) corenetwork_receive_raw_on_$1_node(dollarsone) ') -####################################### -# -# corenetwork_send_udp_on_$1_node(domain) +######################################## +## +## +## Send and UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_send_udp_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -948,9 +1028,16 @@ type $1_node_t; class node udp_send; ') -####################################### -# -# corenetwork_receive_udp_on_$1_node(domain) +######################################## +## +## +## Receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_receive_udp_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -962,9 +1049,16 @@ type $1_node_t; class node udp_recv; ') -####################################### -# -# corenetwork_send_raw_on_$1_node(domain) +######################################## +## +## +## Send raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_send_raw_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -978,9 +1072,16 @@ class node rawip_send; class capability net_raw; ') -####################################### -# -# corenetwork_receive_raw_on_$1_node(domain) +######################################## +## +## +## Receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_receive_raw_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -992,9 +1093,16 @@ type $1_node_t; class node rawip_recv; ') -####################################### -# -# corenetwork_bind_tcp_on_$1_node(domain) +######################################## +## +## +## Bind TCP sockets to node $1. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_bind_tcp_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -1006,9 +1114,16 @@ type $1_node_t; class tcp_socket node_bind; ') -####################################### -# -# corenetwork_bind_udp_on_$1_node(domain) +######################################## +## +## +## Bind UDP sockets to the $1 node. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_bind_udp_on_$1_node',` requires_block_template(`dollarszero'_depend) @@ -1028,9 +1143,16 @@ class udp_socket node_bind; ######################################## define(`create_port_interfaces',`` -####################################### -# -# corenetwork_network_tcp_on_$1_port(domain) +######################################## +## +## +## Send and receive TCP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_tcp_on_$1_port',` requires_block_template(`dollarszero'_depend) @@ -1042,18 +1164,32 @@ type $1_port_t; class tcp_socket { send_msg recv_msg }; ') -####################################### -# -# corenetwork_network_udp_on_$1_port(domain) +######################################## +## +## +## Send and receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_network_udp_on_$1_port',` corenetwork_send_udp_on_$1_port(dollarsone,dollarstwo) corenetwork_receive_udp_on_$1_port(dollarsone,dollarstwo) ') -####################################### -# -# corenetwork_send_udp_on_$1_port(domain) +######################################## +## +## +## Send UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_send_udp_on_$1_port',` requires_block_template(`dollarszero'_depend) @@ -1065,9 +1201,16 @@ type $1_port_t; class udp_socket send_msg; ') -####################################### -# -# corenetwork_receive_udp_on_$1_port(domain) +######################################## +## +## +## Receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_receive_udp_on_$1_port',` requires_block_template(`dollarszero'_depend) @@ -1079,9 +1222,16 @@ type $1_port_t; class udp_socket recv_msg; ') -####################################### -# -# corenetwork_bind_tcp_on_$1_port(domain) +######################################## +## +## +## Bind TCP sockets to the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_bind_tcp_on_$1_port',` requires_block_template(`dollarszero'_depend) @@ -1095,9 +1245,16 @@ class tcp_socket name_bind; $3 ') -####################################### -# -# corenetwork_bind_udp_on_$1_port(domain) +######################################## +## +## +## Bind UDP sockets to the $1 port. +## +## +## The type of the process performing this action. +## +## +## # define(`corenetwork_bind_udp_on_$1_port',` requires_block_template(`dollarszero'_depend) @@ -1113,7 +1270,7 @@ $3 '') dnl end create_port_interfaces # -# network_interface(linux_interfacename) +# network_interface(linux_interfacename,mls_sensitivity) # define(`network_interface',` ifdef(`interface_pass',` @@ -1121,19 +1278,19 @@ create_netif_interfaces($1) ',` type $1_netif_t alias netif_$1_t, netif_type; requires_block_template(`type unlabeled_t') -netifcon $1 system_u:object_r:$1_netif_t system_u:object_r:unlabeled_t +netifcon $1 context_template(system_u:object_r:$1_netif_t,$2) context_template(system_u:object_r:unlabeled_t,$2) ') ') # -# network_node(node_name,address,netmask) +# network_node(node_name,mls_sensitivity,address,netmask) # define(`network_node',` ifdef(`interface_pass',` create_node_interfaces($1) ',` type $1_node_t alias node_$1_t, node_type; -nodecon $2 $3 system_u:object_r:$1_node_t +nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2) ') ') @@ -1166,3 +1323,5 @@ type $1_port_t, port_type; declare_ports($1_port_t,shift($*)) ') ') + +## diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te index a9d46b5..4877196 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.te +++ b/refpolicy/policy/modules/kernel/corenetwork.te @@ -96,15 +96,15 @@ portcon udp 1-1023 system_u:object_r:reserved_port_t # type node_t, node_type; -network_node(compat_ipv4, ::, ffff:ffff:ffff:ffff:ffff:ffff::) -network_node(inaddr_any, 0.0.0.0, 255.255.255.255) -dnl network_node(internal, , ) # no nodecon for this in current strict policy -network_node(link_local, fe80::, ffff:ffff:ffff:ffff::, ) -network_node(lo, 127.0.0.1, 255.255.255.255) -network_node(mapped_ipv4, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) -network_node(multicast, ff00::, ff00::) -network_node(site_local, fec0::, ffc0::) -network_node(unspec, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) +network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255) +dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy +network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, ) +network_node(lo, s0, 127.0.0.1, 255.255.255.255) +network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::) +network_node(multicast, s0, ff00::, ff00::) +network_node(site_local, s0, fec0::, ffc0::) +network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) ######################################## @@ -117,11 +117,11 @@ network_node(unspec, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) # type netif_t, netif_type; -network_interface(lo) -network_interface(eth0) -network_interface(eth1) -network_interface(eth2) -network_interface(ippp0) -network_interface(ipsec0) -network_interface(ipsec1) -network_interface(ipsec2) +network_interface(lo, s0) +network_interface(eth0, s0) +network_interface(eth1, s0) +network_interface(eth2, s0) +network_interface(ippp0, s0) +network_interface(ipsec0, s0) +network_interface(ipsec1, s0) +network_interface(ipsec2, s0)