diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index c87c9ec..f5a2563 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -140,11 +140,23 @@ interface(`corenet_server_packet',` ######################################## ## -## Send and receive TCP network traffic on the generic interfaces. +## Send and receive TCP network traffic on generic interfaces. ## +## +##

+## Allow the specified domain to send and receive TCP network +## traffic on generic network interfaces. +##

+##

+## Related interface: +##

+## +##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -233,13 +245,26 @@ interface(`corenet_dontaudit_udp_receive_generic_if',` ######################################## ## -## Send and Receive UDP network traffic on generic interfaces. +## Send and receive UDP network traffic on generic interfaces. ## +## +##

+## Allow the specified domain to send and receive UDP network +## traffic on generic network interfaces. +##

+##

+## Related interface: +##

+## +##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_udp_sendrecv_generic_if',` corenet_udp_send_generic_if($1) @@ -491,11 +516,24 @@ interface(`corenet_raw_sendrecv_all_if',` ## ## Send and receive TCP network traffic on generic nodes. ## +## +##

+## Allow the specified domain to send and receive TCP network +## traffic to/from generic network nodes (hostnames/networks). +##

+##

+## Related interface: +##

+##
    +##
  • corenet_tcp_sendrecv_generic_if()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_tcp_sendrecv_generic_node',` gen_require(` @@ -545,11 +583,24 @@ interface(`corenet_udp_receive_generic_node',` ## ## Send and receive UDP network traffic on generic nodes. ## +## +##

+## Allow the specified domain to send and receive UDP network +## traffic to/from generic network nodes (hostnames/networks). +##

+##

+## Related interface: +##

+##
    +##
  • corenet_udp_sendrecv_generic_if()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_udp_sendrecv_generic_node',` corenet_udp_send_generic_node($1) @@ -611,11 +662,26 @@ interface(`corenet_raw_sendrecv_generic_node',` ## ## Bind TCP sockets to generic nodes. ## +## +##

+## Bind TCP sockets to generic nodes. This is +## necessary for binding a socket so it +## can be used for servers to listen +## for incoming connections. +##

+##

+## Related interface: +##

+##
    +##
  • corenet_udp_bind_generic_node()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_tcp_bind_generic_node',` gen_require(` @@ -629,11 +695,26 @@ interface(`corenet_tcp_bind_generic_node',` ## ## Bind UDP sockets to generic nodes. ## +## +##

+## Bind UDP sockets to generic nodes. This is +## necessary for binding a socket so it +## can be used for servers to listen +## for incoming connections. +##

+##

+## Related interface: +##

+##
    +##
  • corenet_tcp_bind_generic_node()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_udp_bind_generic_node',` gen_require(` @@ -1112,11 +1193,22 @@ interface(`corenet_tcp_connect_generic_port',` ## ## Send and receive TCP network traffic on all ports. ## +## +##

+## Send and receive TCP network traffic on all ports. +## Related interfaces: +##

+##
    +##
  • corenet_tcp_connect_all_ports()
  • +##
  • corenet_tcp_bind_all_ports()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_tcp_sendrecv_all_ports',` gen_require(` @@ -1166,11 +1258,21 @@ interface(`corenet_udp_receive_all_ports',` ## ## Send and receive UDP network traffic on all ports. ## +## +##

+## Send and receive UDP network traffic on all ports. +## Related interfaces: +##

+##
    +##
  • corenet_udp_bind_all_ports()
  • +##
+##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## +## # interface(`corenet_udp_sendrecv_all_ports',` corenet_udp_send_all_ports($1) @@ -2207,11 +2309,23 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## ## Receive packets from an unlabeled connection. ## +## +##

+## Allow the specified domain to receive packets from an +## unlabeled connection. On machines that do not utilize +## labeled networking, this will be required on all +## networking domains. On machines tha do utilize +## labeled networking, this will be required for any +## networking domain that is allowed to receive +## network traffic that does not have a label. +##

+##
## ## ## Domain allowed access. ## ## +## # interface(`corenet_all_recvfrom_unlabeled',` kernel_tcp_recvfrom_unlabeled($1) @@ -2229,11 +2343,22 @@ interface(`corenet_all_recvfrom_unlabeled',` ## ## Receive packets from a NetLabel connection. ## +## +##

+## Allow the specified domain to receive NetLabel +## network traffic, which utilizes the Commercial IP +## Security Option (CIPSO) to set the MLS level +## of the network packets. This is required for +## all networking domains that receive NetLabel +## network traffic. +##

+##
## ## ## Domain allowed access. ## ## +## # interface(`corenet_all_recvfrom_netlabel',` gen_require(`