diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 04de822..0ec50e2 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -161,13 +161,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 # kernel local policy
 #
-# Use capabilities. need to investigate which capabilities are actually used
 allow kernel_t self:capability *;
-
-# Other possible mount points for the root fs are in files
-allow kernel_t unlabeled_t:dir mounton;
-
-# old general_domain_access()
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
@@ -181,20 +175,27 @@ allow kernel_t self:fifo_file rw_file_perms;
 allow kernel_t self:sock_file r_file_perms;
 allow kernel_t self:fd use;
-# old general_proc_read_access():
 allow kernel_t proc_t:dir r_dir_perms;
 allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+
 allow kernel_t proc_net_t:dir r_dir_perms;
 allow kernel_t proc_net_t:file r_file_perms;
+
 allow kernel_t proc_mdstat_t:file r_file_perms;
+
 allow kernel_t proc_kcore_t:file getattr;
+
 allow kernel_t proc_kmsg_t:file getattr;
-allow kernel_t sysctl_t:dir r_dir_perms;
+
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
+allow kernel_t sysctl_t:dir r_dir_perms;
-# cjp: this seems questionable
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+# Other possible mount points for the root fs are in files
+allow kernel_t unlabeled_t:dir mounton;
+# Kernel-generated traffic e.g., TCP resets on
+# connections with invalidated labels:
+allow kernel_t unlabeled_t:packet send;
 corenet_non_ipsec_sendrecv(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 3f59ac4..256153b 100644
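Review bot: The first hunk deletes the "need to investigate which capabilities are actually used" comment but keeps `allow kernel_t self:capability *;` unchanged, so the wildcard grant loses the only marker that it is still an unreviewed over-grant. Dropping the comment reads as if the capability set had been audited, which this hunk does not do. Keep a short note on the rule, e.g. `# TODO: capability set not yet audited; narrow from * once the required set is known`, or move the audit into its own change.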
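Review bot: In the second kernel.te hunk the relocated `allow kernel_t unlabeled_t:dir mounton;` runs straight into the new `# Kernel-generated traffic e.g., TCP resets on` comment with no separating blank line, while the same hunk inserts blank lines between every other rule group (the `+` blank lines before the proc_net_t, proc_mdstat_t, proc_kcore_t, proc_kmsg_t and sysctl_kernel_t groups). The two rules concern unrelated object classes (dir vs packet), so a blank line between them would match the grouping the hunk otherwise establishes and keep the TCP-reset comment visually attached only to the packet rule. The moved `allow kernel_t sysctl_t:dir r_dir_perms;` also now follows the sysctl_kernel_t rules rather than preceding them as the removed line did; if the reordering is deliberate a one-line reason would help, since readers expect the parent type first.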
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -376,18 +376,17 @@ kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
+corenet_non_ipsec_sendrecv(nmbd_t)
 corenet_tcp_sendrecv_all_if(nmbd_t)
 corenet_udp_sendrecv_all_if(nmbd_t)
-corenet_raw_sendrecv_all_if(nmbd_t)
 corenet_tcp_sendrecv_all_nodes(nmbd_t)
 corenet_udp_sendrecv_all_nodes(nmbd_t)
-corenet_raw_sendrecv_all_nodes(nmbd_t)
 corenet_tcp_sendrecv_all_ports(nmbd_t)
 corenet_udp_sendrecv_all_ports(nmbd_t)
-corenet_non_ipsec_sendrecv(nmbd_t)
-corenet_tcp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
 dev_read_sysfs(nmbd_t)
 dev_getattr_mtrr_dev(nmbd_t)
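Review bot: This hunk mixes two different kinds of change without distinguishing them: it removes `corenet_raw_sendrecv_all_if(nmbd_t)`, `corenet_raw_sendrecv_all_nodes(nmbd_t)` and `corenet_tcp_bind_all_nodes(nmbd_t)` (a privilege reduction for nmbd_t) while adding the `corenet_sendrecv_nmbd_server_packets`/`client_packets` labelled-packet interfaces and moving `corenet_non_ipsec_sendrecv`. Nothing in the hunk records why raw-socket traffic and TCP binding are no longer needed, so a future AVC denial on a raw or tcp_socket bind for nmbd_t cannot be traced back to this decision; the remaining udp-only binds are consistent with a name-service daemon, but that is inferred rather than visible here. A brief comment above the bind rules, e.g. `# nmbd uses UDP only; raw and tcp bind permissions removed as unused`, or splitting the tightening into its own commit, would make the intent auditable.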