* [PATCHv2 0/5] Labeled network policy patches
@ 2007-06-21 23:15 Paul Moore
  2007-06-21 23:15 ` [PATCHv2 1/5] Use the netmsg initial SID for NetLabel connections Paul Moore
                   ` (5 more replies)
  0 siblings, 6 replies; 8+ messages in thread
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito

The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport-layer-specific interfaces are still
present for use by third-party modules but are not used in the default policy
modules.

If there are still concerns please let me know, thanks.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCHv2 1/5] Use the netmsg initial SID for NetLabel connections
  2007-06-21 23:15 [PATCHv2 0/5] Labeled network policy patches Paul Moore
@ 2007-06-21 23:15 ` Paul Moore
  2007-06-21 23:15 ` [PATCHv2 2/5] Add NetLabel labeled and unlabeled support to the system domains Paul Moore
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito, Paul Moore

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/mls                              |    5 
 policy/modules/kernel/corenetwork.if.in |  244 +++++++++++++++++++++++++++++++-
 policy/modules/kernel/corenetwork.te.in |    7 
 policy/modules/kernel/kernel.if         |   69 +++------
 policy/modules/kernel/kernel.te         |    1 
 5 files changed, 275 insertions(+), 51 deletions(-)

Index: refpolicy_svn_repo/policy/mls
===================================================================
--- refpolicy_svn_repo.orig/policy/mls
+++ refpolicy_svn_repo/policy/mls
@@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_soc
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
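Review bot: the new `( t2 == unlabeled_t )` disjunct exempts unlabeled peers from the recvfrom level check entirely, so after this patch the only thing between a domain and unlabeled traffic at any level is the TE rule from kernel_*_recvfrom_unlabeled(); that is presumably the intent now that netmsg no longer maps to unlabeled_t, but the comment above the constraint should say so explicitly, since "unless the connection is unlabeled" still reads as if some level comparison applied. It is also worth checking whether the sendto/write constraint whose tail is visible just above needs a matching exemption, otherwise a domain may be allowed to receive from an unlabeled peer it is not allowed to send to.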
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -1565,6 +1565,12 @@ interface(`corenet_dontaudit_udp_bind_al
 ##	non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	The corenet_all_recvfrom_unlabeled() interface should be used instead
+##	of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
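Review bot: the `<desc>` says to use corenet_all_recvfrom_unlabeled() instead, but nothing makes a caller notice the deprecation at build time; refpolicy's refpolicywarn() macro inside the interface body is the usual way to do that. The text should also say whether callers are expected to add corenet_all_recvfrom_netlabel() alongside the replacement, since that is what the system-domain patch does for nearly every call site it converts.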
@@ -1581,6 +1587,12 @@ interface(`corenet_non_ipsec_sendrecv',`
 ##	messages on a non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+##	used instead of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
@@ -1601,8 +1613,31 @@ interface(`corenet_dontaudit_non_ipsec_s
 ##	</summary>
 ## </param>
 #
-interface(`corenet_tcp_recv_netlabel',`
+interface(`corenet_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
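Review bot: corenet_tcp_recv_netlabel() is renamed with no compatibility shim and its meaning changes at the same time (the old body called kernel_tcp_recvfrom_unlabeled(); the new body allows recvfrom on netlabel_peer_t), so a third-party module still calling the old name fails to build rather than silently getting the wrong rule. The cover letter says the transport-specific interfaces are kept for such modules, so consider leaving a deprecated corenet_tcp_recv_netlabel() wrapper, with refpolicywarn(), that expands to both new calls. Two typos in the added text: "unlabled" in the summary of corenet_tcp_recvfrom_unlabeled() and "oubound" in the XXX comment, which is copied verbatim into every *_recvfrom_unlabeled() body below.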
@@ -1616,8 +1651,32 @@ interface(`corenet_tcp_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_recv_netlabel',`
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1630,8 +1689,31 @@ interface(`corenet_dontaudit_tcp_recv_ne
 ##	</summary>
 ## </param>
 #
-interface(`corenet_udp_recv_netlabel',`
+interface(`corenet_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1645,8 +1727,32 @@ interface(`corenet_udp_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_udp_recv_netlabel',`
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1659,8 +1765,31 @@ interface(`corenet_dontaudit_udp_recv_ne
 ##	</summary>
 ## </param>
 #
-interface(`corenet_raw_recv_netlabel',`
+interface(`corenet_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
 	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')
 
 ########################################
@@ -1674,8 +1803,111 @@ interface(`corenet_raw_recv_netlabel',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_dontaudit_raw_recv_netlabel',`
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
+	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+	kernel_tcp_recvfrom_unlabeled($1)
+	kernel_udp_recvfrom_unlabeled($1)
+	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+	kernel_dontaudit_udp_recvfrom_unlabeled($1)
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
 ########################################
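Review bot: the `<param>` summary for corenet_dontaudit_all_recvfrom_unlabeled() says "Domain allowed access." where every other dontaudit interface in this file says "Domain to not audit.". Separately, corenet_all_recvfrom_unlabeled() and its dontaudit twin re-list the three kernel_*_recvfrom_unlabeled() calls plus the XXX'd association rule instead of calling the per-protocol corenet interfaces defined just above; calling corenet_tcp_recvfrom_unlabeled() and friends would leave a single place to edit when the outbound/send check is finally dropped (the repeated kernel_sendrecv_unlabeled_association() expansion is harmless). Minor style point: the new `<summary>` bodies are indented with spaces ("##      Receive") while the surrounding file uses a tab.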
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.te.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.te.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.te.in
@@ -37,6 +37,13 @@ dev_node(tun_tap_device_t)
 type client_packet_t, packet_type, client_packet_type;
 
 #
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg		gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
 # port_t is the default type of INET port numbers.
 #
 type port_t, port_type;
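Review bot: the comment should spell out what "do not carry full SELinux contexts" means, namely that the kernel takes user, role and type from this netmsg context and only the MLS level from the packet's CIPSO tag; that is also what justifies mls_systemhigh as the default level, since a peer whose level cannot be taken from the wire stays at systemhigh and is therefore unreadable by anything lower under the recvfrom constraint. Nothing else distinguishes netlabel_peer_t from an ordinary type, so a comment (or a neverallow) stating that it must never be assigned to a process or file would help.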
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2198,17 +2198,14 @@ interface(`kernel_dontaudit_sendrecv_unl
 
 ########################################
 ## <summary>
-##      Receive TCP packets from a NetLabel connection.
+##      Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive TCP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive TCP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_tcp_recv_netlabel() should
+##	The corenetwork interface corenet_tcp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
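Review bot: the `<desc>` points readers at corenet_tcp_recv_unlabeled(), but the interface added to corenetwork.if.in in this patch is corenet_tcp_recvfrom_unlabeled(); a reader following the documentation will look for an interface that does not exist. The same recv/recvfrom slip appears in the other five kernel.if hunks.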
@@ -2228,19 +2225,17 @@ interface(`kernel_tcp_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_tcp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
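Review bot: corenet_dontaudit_tcp_recv_unlabeled() does not exist; the new interface is corenet_dontaudit_tcp_recvfrom_unlabeled(). Also the second line of both the summary and the description ("##	connection.") is indented with a tab while the first line uses spaces, so the two lines will not line up in the generated docs.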
@@ -2259,17 +2254,14 @@ interface(`kernel_dontaudit_tcp_recvfrom
 
 ########################################
 ## <summary>
-##      Receive UDP packets from a NetLabel connection.
+##      Receive UDP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive UDP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive UDP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_udp_recv_netlabel() should
+##	The corenetwork interface corenet_udp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
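Review bot: corenet_udp_recv_unlabeled() should be corenet_udp_recvfrom_unlabeled(), the name actually defined in corenetwork.if.in.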
@@ -2289,19 +2281,17 @@ interface(`kernel_udp_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_udp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
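Review bot: corenet_dontaudit_udp_recv_unlabeled() should be corenet_dontaudit_udp_recvfrom_unlabeled(); same tab-versus-space mismatch on the continuation lines as in the TCP hunk.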
@@ -2320,17 +2310,14 @@ interface(`kernel_dontaudit_udp_recvfrom
 
 ########################################
 ## <summary>
-##      Receive Raw IP packets from a NetLabel connection.
+##      Receive Raw IP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive Raw IP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive Raw IP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_raw_recv_netlabel() should
+##	The corenetwork interface corenet_raw_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
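Review bot: corenet_raw_recv_unlabeled() should be corenet_raw_recvfrom_unlabeled().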
@@ -2350,19 +2337,17 @@ interface(`kernel_raw_recvfrom_unlabeled
 
 ########################################
 ## <summary>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_raw_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
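Review bot: corenet_dontaudit_raw_recv_unlabeled() should be corenet_dontaudit_raw_recvfrom_unlabeled(); the continuation lines here also mix tab and space indentation.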
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
@@ -153,7 +153,6 @@ sid icmp_socket		gen_context(system_u:ob
 sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init		gen_context(system_u:object_r:unlabeled_t,s0)
 sid kmod		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid policy		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
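Review bot: dropping netmsg here is correct since corenetwork.te.in now declares it, but this list will then be the only one in kernel.te missing an initial SID, which invites someone to "fix" it back and produce a duplicate sid declaration; a one-line comment at this spot pointing to corenetwork.te.in would prevent that.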

-- 
paul moore
linux security @ hp



* [PATCHv2 2/5] Add NetLabel labeled and unlabeled support to the system domains
  2007-06-21 23:15 [PATCHv2 0/5] Labeled network policy patches Paul Moore
  2007-06-21 23:15 ` [PATCHv2 1/5] Use the netmsg initial SID for NetLabel connections Paul Moore
@ 2007-06-21 23:15 ` Paul Moore
  2007-06-21 23:15 ` [PATCHv2 3/5] Add NetLabel labeled and unlabeled support to the service domains Paul Moore
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito, Paul Moore

This patch adds calls to the NetLabel corenet policy interfaces to grant the
relevant system domains access to NetLabel labeled and unlabeled packets.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/system/hotplug.te    |    3 ++-
 policy/modules/system/init.te       |    3 ++-
 policy/modules/system/ipsec.te      |    2 +-
 policy/modules/system/iscsi.te      |    3 ++-
 policy/modules/system/logging.te    |    3 ++-
 policy/modules/system/lvm.te        |    3 ++-
 policy/modules/system/mount.te      |    3 ++-
 policy/modules/system/sysnetwork.if |    9 ++++++---
 policy/modules/system/sysnetwork.te |    3 ++-
 policy/modules/system/userdomain.if |    9 ++-------
 policy/modules/system/xen.te        |    3 ++-
 11 files changed, 25 insertions(+), 19 deletions(-)

Index: refpolicy_svn_repo/policy/modules/system/hotplug.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/hotplug.te
+++ refpolicy_svn_repo/policy/modules/system/hotplug.te
@@ -51,7 +51,8 @@ kernel_read_net_sysctls(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
-corenet_non_ipsec_sendrecv(hotplug_t)
+corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_all_recvfrom_netlabel(hotplug_t)
 corenet_tcp_sendrecv_all_if(hotplug_t)
 corenet_udp_sendrecv_all_if(hotplug_t)
 corenet_tcp_sendrecv_all_nodes(hotplug_t)
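Review bot: hotplug_t has only TCP and UDP sendrecv rules here, yet corenet_all_recvfrom_netlabel() also allows rawip_socket recvfrom on netlabel_peer_t and corenet_all_recvfrom_unlabeled() adds the raw unlabeled rule; both are inert without a rawip socket, but they are surplus for this domain, and the same applies to most of the call sites in this patch. If the over-grant is the accepted price of the two-calls-per-domain scheme from the cover letter, the `<desc>` of the *_all_* interfaces should say so.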
Index: refpolicy_svn_repo/policy/modules/system/init.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/init.te
+++ refpolicy_svn_repo/policy/modules/system/init.te
@@ -247,7 +247,8 @@ kernel_dontaudit_getattr_message_if(init
 
 files_read_kernel_symbol_table(initrc_t)
 
-corenet_non_ipsec_sendrecv(initrc_t)
+corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_all_recvfrom_netlabel(initrc_t)
 corenet_tcp_sendrecv_all_if(initrc_t)
 corenet_udp_sendrecv_all_if(initrc_t)
 corenet_tcp_sendrecv_all_nodes(initrc_t)
Index: refpolicy_svn_repo/policy/modules/system/ipsec.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/ipsec.te
+++ refpolicy_svn_repo/policy/modules/system/ipsec.te
@@ -95,7 +95,7 @@ kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
 # Pluto needs network access
-corenet_non_ipsec_sendrecv(ipsec_t)
+corenet_all_recvfrom_unlabeled(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
 corenet_raw_sendrecv_all_if(ipsec_t)
 corenet_tcp_sendrecv_all_nodes(ipsec_t)
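Review bot: ipsec_t gets only corenet_all_recvfrom_unlabeled() while every other domain in this patch also gets corenet_all_recvfrom_netlabel(); if that is deliberate (IKE from Pluto never expected to arrive with a NetLabel label), a comment next to "# Pluto needs network access" should say so, otherwise IKE from a CIPSO-labeled peer would be denied with an AVC on netlabel_peer_t and look like a policy bug.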
Index: refpolicy_svn_repo/policy/modules/system/iscsi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/iscsi.te
+++ refpolicy_svn_repo/policy/modules/system/iscsi.te
@@ -54,7 +54,8 @@ files_search_var_lib(iscsid_t)
 manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
 files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
 
-corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_all_if(iscsid_t)
 corenet_tcp_sendrecv_all_nodes(iscsid_t)
 corenet_tcp_sendrecv_all_ports(iscsid_t)
Index: refpolicy_svn_repo/policy/modules/system/logging.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/logging.te
+++ refpolicy_svn_repo/policy/modules/system/logging.te
@@ -303,7 +303,8 @@ init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 
-corenet_non_ipsec_sendrecv(syslogd_t)
+corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_ports(syslogd_t)
Index: refpolicy_svn_repo/policy/modules/system/lvm.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/lvm.te
+++ refpolicy_svn_repo/policy/modules/system/lvm.te
@@ -69,7 +69,8 @@ kernel_dontaudit_getattr_core_if(clvmd_t
 corecmd_exec_shell(clvmd_t)
 corecmd_getattr_bin_files(clvmd_t)
 
-corenet_non_ipsec_sendrecv(clvmd_t)
+corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_all_recvfrom_netlabel(clvmd_t)
 corenet_tcp_sendrecv_all_if(clvmd_t)
 corenet_udp_sendrecv_all_if(clvmd_t)
 corenet_raw_sendrecv_all_if(clvmd_t)
Index: refpolicy_svn_repo/policy/modules/system/mount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/mount.te
+++ refpolicy_svn_repo/policy/modules/system/mount.te
@@ -139,7 +139,8 @@ ifdef(`targeted_policy',`
 
 optional_policy(`
 	# for nfs
-	corenet_non_ipsec_sendrecv(mount_t)
+	corenet_all_recvfrom_unlabeled(mount_t)
+	corenet_all_recvfrom_netlabel(mount_t)
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
 	corenet_udp_sendrecv_all_if(mount_t)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.if
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.if
@@ -480,7 +480,8 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:tcp_socket create_socket_perms;
 	allow $1 self:udp_socket create_socket_perms;
 
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
@@ -511,7 +512,8 @@ interface(`sysnet_use_ldap',`
 
 	allow $1 self:tcp_socket create_socket_perms;
 
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
 	corenet_tcp_sendrecv_ldap_port($1)
@@ -540,7 +542,8 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:tcp_socket create_socket_perms;
 	allow $1 self:udp_socket create_socket_perms;
 
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.te
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.te
@@ -84,7 +84,8 @@ kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
-corenet_non_ipsec_sendrecv(dhcpc_t)
+corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_all_recvfrom_netlabel(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
 corenet_udp_sendrecv_all_if(dhcpc_t)
Index: refpolicy_svn_repo/policy/modules/system/userdomain.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/userdomain.if
+++ refpolicy_svn_repo/policy/modules/system/userdomain.if
@@ -537,7 +537,8 @@ template(`userdom_basic_networking_templ
 	allow $1_t self:tcp_socket create_stream_socket_perms;
 	allow $1_t self:udp_socket create_socket_perms;
 
-	corenet_non_ipsec_sendrecv($1_t)
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
@@ -546,12 +547,6 @@ template(`userdom_basic_networking_templ
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
-
-	ifdef(`enable_mls',`
-		# netlabel/CIPSO labeled networking 
-		corenet_tcp_recv_netlabel($1_t)
-		corenet_udp_recv_netlabel($1_t)
-	')
 ')
 
 #######################################
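Review bot: the removed ifdef(`enable_mls') block granted user domains TCP and UDP NetLabel receive only under MLS; the corenet_all_recvfrom_netlabel() call added in the hunk above is unconditional and also grants rawip_socket recvfrom on netlabel_peer_t, although this template gives $1_t no rawip_socket create permission, so the raw half is dead weight. A short comment in the template explaining why the MLS conditional went away (netlabel_peer_t is now declared in corenetwork for every policy type, so the rule is valid everywhere) would save the next reader from re-adding it.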
Index: refpolicy_svn_repo/policy/modules/system/xen.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/xen.te
+++ refpolicy_svn_repo/policy/modules/system/xen.te
@@ -132,7 +132,8 @@ kernel_read_network_state(xend_t)
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
 
-corenet_non_ipsec_sendrecv(xend_t)
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
 corenet_tcp_sendrecv_all_if(xend_t)
 corenet_tcp_sendrecv_all_nodes(xend_t)
 corenet_tcp_sendrecv_all_ports(xend_t)

-- 
paul moore
linux security @ hp



* [PATCHv2 3/5] Add NetLabel labeled and unlabeled support to the service domains
  2007-06-21 23:15 [PATCHv2 0/5] Labeled network policy patches Paul Moore
  2007-06-21 23:15 ` [PATCHv2 1/5] Use the netmsg initial SID for NetLabel connections Paul Moore
  2007-06-21 23:15 ` [PATCHv2 2/5] Add NetLabel labeled and unlabeled support to the system domains Paul Moore
@ 2007-06-21 23:15 ` Paul Moore
  2007-06-21 23:15 ` [PATCHv2 4/5] Add NetLabel labeled and unlabeled support to the application domains Paul Moore
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito, Paul Moore

This patch adds calls to the NetLabel corenet policy interfaces to grant the
relevant service domains access to NetLabel labeled and unlabeled packets.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/services/afs.te            |   15 ++++++++++-----
 policy/modules/services/amavis.te         |    3 ++-
 policy/modules/services/apache.if         |    6 ++++--
 policy/modules/services/apache.te         |    6 ++++--
 policy/modules/services/apcupsd.te        |    3 ++-
 policy/modules/services/arpwatch.te       |    3 ++-
 policy/modules/services/asterisk.te       |    3 ++-
 policy/modules/services/automount.te      |    3 ++-
 policy/modules/services/avahi.te          |    3 ++-
 policy/modules/services/bind.te           |    4 ++--
 policy/modules/services/bluetooth.te      |    3 ++-
 policy/modules/services/canna.te          |    3 ++-
 policy/modules/services/ccs.te            |    3 ++-
 policy/modules/services/cipe.te           |    3 ++-
 policy/modules/services/clamav.te         |    6 ++++--
 policy/modules/services/clockspeed.te     |    6 ++++--
 policy/modules/services/comsat.te         |    3 ++-
 policy/modules/services/courier.if        |    3 ++-
 policy/modules/services/cron.if           |    3 ++-
 policy/modules/services/cron.te           |    3 ++-
 policy/modules/services/cups.te           |   16 +++++++++++-----
 policy/modules/services/cvs.te            |    3 ++-
 policy/modules/services/cyrus.te          |    3 ++-
 policy/modules/services/dante.te          |    3 ++-
 policy/modules/services/dbskk.te          |    3 ++-
 policy/modules/services/dbus.if           |    4 ++--
 policy/modules/services/dcc.te            |   18 ++++++++++++------
 policy/modules/services/ddclient.te       |    3 ++-
 policy/modules/services/dhcp.te           |    3 ++-
 policy/modules/services/dictd.te          |    3 ++-
 policy/modules/services/distcc.te         |    3 ++-
 policy/modules/services/djbdns.if         |    3 ++-
 policy/modules/services/dnsmasq.te        |    3 ++-
 policy/modules/services/dovecot.te        |    3 ++-
 policy/modules/services/fetchmail.te      |    3 ++-
 policy/modules/services/finger.te         |    3 ++-
 policy/modules/services/ftp.te            |    3 ++-
 policy/modules/services/gatekeeper.te     |    3 ++-
 policy/modules/services/hal.te            |    3 ++-
 policy/modules/services/howl.te           |    3 ++-
 policy/modules/services/i18n_input.te     |    3 ++-
 policy/modules/services/imaze.te          |    3 ++-
 policy/modules/services/inetd.te          |   12 ++++--------
 policy/modules/services/inn.te            |    3 ++-
 policy/modules/services/ircd.te           |    3 ++-
 policy/modules/services/jabber.te         |    3 ++-
 policy/modules/services/kerberos.if       |    3 ++-
 policy/modules/services/kerberos.te       |    6 ++++--
 policy/modules/services/ktalk.te          |    3 ++-
 policy/modules/services/ldap.te           |    3 ++-
 policy/modules/services/lpd.if            |    3 ++-
 policy/modules/services/lpd.te            |    6 ++++--
 policy/modules/services/mailman.if        |    3 ++-
 policy/modules/services/monop.te          |    3 ++-
 policy/modules/services/mta.if            |    3 ++-
 policy/modules/services/munin.te          |    3 ++-
 policy/modules/services/mysql.te          |    3 ++-
 policy/modules/services/nagios.te         |    3 ++-
 policy/modules/services/nessus.te         |    3 ++-
 policy/modules/services/networkmanager.te |    3 ++-
 policy/modules/services/nis.if            |    3 ++-
 policy/modules/services/nis.te            |   15 ++++++++-------
 policy/modules/services/nscd.te           |    3 ++-
 policy/modules/services/nsd.te            |    6 ++++--
 policy/modules/services/ntop.te           |    3 ++-
 policy/modules/services/nx.te             |    3 ++-
 policy/modules/services/oav.te            |    6 ++++--
 policy/modules/services/openvpn.te        |    3 ++-
 policy/modules/services/pcscd.te          |    3 ++-
 policy/modules/services/pegasus.te        |    3 ++-
 policy/modules/services/perdition.te      |    3 ++-
 policy/modules/services/portmap.te        |    6 ++++--
 policy/modules/services/portslave.te      |    3 ++-
 policy/modules/services/postfix.if        |    3 ++-
 policy/modules/services/postfix.te        |    6 ++++--
 policy/modules/services/postgresql.te     |    3 ++-
 policy/modules/services/postgrey.te       |    3 ++-
 policy/modules/services/ppp.te            |    6 ++++--
 policy/modules/services/privoxy.te        |    3 ++-
 policy/modules/services/procmail.te       |    3 ++-
 policy/modules/services/pyzor.te          |    3 ++-
 policy/modules/services/qmail.te          |    3 ++-
 policy/modules/services/radius.te         |    3 ++-
 policy/modules/services/radvd.te          |    3 ++-
 policy/modules/services/razor.if          |    3 ++-
 policy/modules/services/razor.te          |    3 ++-
 policy/modules/services/rdisc.te          |    3 ++-
 policy/modules/services/rhgb.te           |    3 ++-
 policy/modules/services/ricci.te          |    4 ++--
 policy/modules/services/rlogin.te         |    3 ++-
 policy/modules/services/roundup.te        |    3 ++-
 policy/modules/services/rpc.if            |    4 ++--
 policy/modules/services/rshd.te           |    3 ++-
 policy/modules/services/rsync.te          |    3 ++-
 policy/modules/services/rwho.te           |    3 ++-
 policy/modules/services/samba.te          |   18 ++++++++++++------
 policy/modules/services/sasl.te           |    3 ++-
 policy/modules/services/sendmail.te       |    3 ++-
 policy/modules/services/setroubleshoot.te |    3 ++-
 policy/modules/services/smartmon.te       |    3 ++-
 policy/modules/services/snmp.te           |    3 ++-
 policy/modules/services/snort.te          |    3 ++-
 policy/modules/services/soundserver.te    |    3 ++-
 policy/modules/services/spamassassin.if   |    6 ++++--
 policy/modules/services/spamassassin.te   |    3 ++-
 policy/modules/services/squid.te          |    3 ++-
 policy/modules/services/ssh.if            |    6 ++++--
 policy/modules/services/stunnel.te        |    3 ++-
 policy/modules/services/tcpd.te           |    3 ++-
 policy/modules/services/telnet.te         |    3 ++-
 policy/modules/services/tftp.te           |    3 ++-
 policy/modules/services/timidity.te       |    3 ++-
 policy/modules/services/tor.te            |    3 ++-
 policy/modules/services/transproxy.te     |    3 ++-
 policy/modules/services/ucspitcp.te       |    6 ++++--
 policy/modules/services/uucp.te           |    3 ++-
 policy/modules/services/uwimap.te         |    3 ++-
 policy/modules/services/watchdog.te       |    3 ++-
 policy/modules/services/xprint.te         |    3 ++-
 policy/modules/services/xserver.if        |    3 ++-
 policy/modules/services/xserver.te        |    3 ++-
 policy/modules/services/zebra.te          |    3 ++-
 122 files changed, 317 insertions(+), 171 deletions(-)

Index: refpolicy_svn_repo/policy/modules/services/afs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/afs.te
+++ refpolicy_svn_repo/policy/modules/services/afs.te
@@ -89,7 +89,8 @@ domtrans_pattern(afs_bosserver_t, afs_vl
 
 kernel_read_kernel_sysctls(afs_bosserver_t)
 
-corenet_non_ipsec_sendrecv(afs_bosserver_t)
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
@@ -153,7 +154,8 @@ corenet_tcp_sendrecv_all_nodes(afs_fsser
 corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
 corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
 corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_non_ipsec_sendrecv(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
 corenet_tcp_bind_all_nodes(afs_fsserver_t)
 corenet_udp_bind_all_nodes(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -206,7 +208,8 @@ manage_files_pattern(afs_kaserver_t,afs_
 
 kernel_read_kernel_sysctls(afs_kaserver_t)
 
-corenet_non_ipsec_sendrecv(afs_kaserver_t)
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
@@ -253,7 +256,8 @@ manage_files_pattern(afs_ptserver_t,afs_
 manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
 filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
 
-corenet_non_ipsec_sendrecv(afs_ptserver_t)
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
@@ -294,7 +298,8 @@ manage_files_pattern(afs_vlserver_t,afs_
 manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
 filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
 
-corenet_non_ipsec_sendrecv(afs_vlserver_t)
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
Index: refpolicy_svn_repo/policy/modules/services/amavis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/amavis.te
+++ refpolicy_svn_repo/policy/modules/services/amavis.te
@@ -100,7 +100,8 @@ kernel_dontaudit_read_system_state(amavi
 # find perl
 corecmd_exec_bin(amavis_t)
 
-corenet_non_ipsec_sendrecv(amavis_t)
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_all_if(amavis_t)
 corenet_tcp_sendrecv_all_nodes(amavis_t)
 corenet_tcp_bind_all_nodes(amavis_t)
Index: refpolicy_svn_repo/policy/modules/services/apache.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.if
+++ refpolicy_svn_repo/policy/modules/services/apache.if
@@ -181,7 +181,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 
-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
@@ -200,7 +201,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 
-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
Index: refpolicy_svn_repo/policy/modules/services/apache.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.te
+++ refpolicy_svn_repo/policy/modules/services/apache.te
@@ -298,7 +298,8 @@ kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
 
-corenet_non_ipsec_sendrecv(httpd_t)
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_all_if(httpd_t)
 corenet_udp_sendrecv_all_if(httpd_t)
 corenet_tcp_sendrecv_all_nodes(httpd_t)
@@ -641,7 +642,8 @@ tunable_policy(`httpd_can_network_connec
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
 
-	corenet_non_ipsec_sendrecv(httpd_suexec_t)
+	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+	corenet_all_recvfrom_netlabel(httpd_suexec_t)
 	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
 	corenet_udp_sendrecv_all_if(httpd_suexec_t)
 	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
Index: refpolicy_svn_repo/policy/modules/services/apcupsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apcupsd.te
+++ refpolicy_svn_repo/policy/modules/services/apcupsd.te
@@ -39,7 +39,8 @@ logging_log_filetrans(apcupsd_t,apcupsd_
 manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
 
-corenet_non_ipsec_sendrecv(apcupsd_t)
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_all_nodes(apcupsd_t)
 corenet_tcp_sendrecv_all_ports(apcupsd_t)
Index: refpolicy_svn_repo/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/arpwatch.te
+++ refpolicy_svn_repo/policy/modules/services/arpwatch.te
@@ -47,7 +47,8 @@ kernel_read_kernel_sysctls(arpwatch_t)
 kernel_list_proc(arpwatch_t)
 kernel_read_proc_symlinks(arpwatch_t)
 
-corenet_non_ipsec_sendrecv(arpwatch_t)
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
 corenet_tcp_sendrecv_all_if(arpwatch_t)
 corenet_udp_sendrecv_all_if(arpwatch_t)
 corenet_raw_sendrecv_all_if(arpwatch_t)
Index: refpolicy_svn_repo/policy/modules/services/asterisk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/asterisk.te
+++ refpolicy_svn_repo/policy/modules/services/asterisk.te
@@ -82,7 +82,8 @@ kernel_read_kernel_sysctls(asterisk_t)
 corecmd_exec_bin(asterisk_t)
 corecmd_search_bin(asterisk_t)
 
-corenet_non_ipsec_sendrecv(asterisk_t)
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
 corenet_tcp_sendrecv_all_nodes(asterisk_t)
Index: refpolicy_svn_repo/policy/modules/services/automount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/automount.te
+++ refpolicy_svn_repo/policy/modules/services/automount.te
@@ -76,7 +76,8 @@ fs_unmount_all_fs(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 
-corenet_non_ipsec_sendrecv(automount_t)
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
 corenet_tcp_sendrecv_all_nodes(automount_t)
Index: refpolicy_svn_repo/policy/modules/services/avahi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/avahi.te
+++ refpolicy_svn_repo/policy/modules/services/avahi.te
@@ -37,7 +37,8 @@ kernel_list_proc(avahi_t)
 kernel_read_proc_symlinks(avahi_t)
 kernel_read_network_state(avahi_t)
 
-corenet_non_ipsec_sendrecv(avahi_t)
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_all_if(avahi_t)
 corenet_udp_sendrecv_all_if(avahi_t)
 corenet_tcp_sendrecv_all_nodes(avahi_t)
Index: refpolicy_svn_repo/policy/modules/services/bind.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bind.te
+++ refpolicy_svn_repo/policy/modules/services/bind.te
@@ -101,7 +101,8 @@ kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
 
-corenet_non_ipsec_sendrecv(named_t)
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_all_if(named_t)
 corenet_udp_sendrecv_all_if(named_t)
 corenet_tcp_sendrecv_all_nodes(named_t)
@@ -231,7 +232,6 @@ allow ndc_t named_zone_t:dir search;
 
 kernel_read_kernel_sysctls(ndc_t)
 
-corenet_non_ipsec_sendrecv(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
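Review bot: this hunk drops corenet_non_ipsec_sendrecv(ndc_t) without adding the corenet_all_recvfrom_unlabeled / corenet_all_recvfrom_netlabel pair that every other hunk in this patch substitutes for it, while ndc_t keeps its corenet_tcp_sendrecv_all_if / all_nodes / all_ports rules just below. If the intent is that ndc_t should no longer receive from unlabeled or NetLabel peers, that asymmetry deserves a sentence in the changelog; otherwise add the two replacement calls here as was done for named_t in the first hunk of this file.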
Index: refpolicy_svn_repo/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bluetooth.te
+++ refpolicy_svn_repo/policy/modules/services/bluetooth.te
@@ -81,7 +81,8 @@ files_pid_filetrans(bluetooth_t, bluetoo
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 
-corenet_non_ipsec_sendrecv(bluetooth_t)
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
 corenet_raw_sendrecv_all_if(bluetooth_t)
Index: refpolicy_svn_repo/policy/modules/services/canna.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/canna.te
+++ refpolicy_svn_repo/policy/modules/services/canna.te
@@ -47,7 +47,8 @@ files_pid_filetrans(canna_t, canna_var_r
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 
-corenet_non_ipsec_sendrecv(canna_t)
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_tcp_sendrecv_all_nodes(canna_t)
 corenet_tcp_sendrecv_all_ports(canna_t)
Index: refpolicy_svn_repo/policy/modules/services/ccs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ccs.te
+++ refpolicy_svn_repo/policy/modules/services/ccs.te
@@ -77,7 +77,8 @@ kernel_read_kernel_sysctls(ccs_t)
 corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
-corenet_non_ipsec_sendrecv(ccs_t)
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_all_if(ccs_t)
 corenet_udp_sendrecv_all_if(ccs_t)
 corenet_tcp_sendrecv_all_nodes(ccs_t)
Index: refpolicy_svn_repo/policy/modules/services/cipe.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cipe.te
+++ refpolicy_svn_repo/policy/modules/services/cipe.te
@@ -29,7 +29,8 @@ kernel_read_system_state(ciped_t)
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
 
-corenet_non_ipsec_sendrecv(ciped_t)
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_all_nodes(ciped_t)
 corenet_udp_sendrecv_all_ports(ciped_t)
Index: refpolicy_svn_repo/policy/modules/services/clamav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clamav.te
+++ refpolicy_svn_repo/policy/modules/services/clamav.te
@@ -86,7 +86,8 @@ files_pid_filetrans(clamd_t,clamd_var_ru
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)
 
-corenet_non_ipsec_sendrecv(clamd_t)
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_all_if(clamd_t)
 corenet_tcp_sendrecv_all_nodes(clamd_t)
 corenet_tcp_sendrecv_all_ports(clamd_t)
@@ -159,7 +160,8 @@ allow freshclam_t freshclam_var_log_t:di
 allow freshclam_t clamd_var_log_t:dir search_dir_perms;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
 
-corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_all_if(freshclam_t)
 corenet_tcp_sendrecv_all_nodes(freshclam_t)
 corenet_tcp_sendrecv_all_ports(freshclam_t)
Index: refpolicy_svn_repo/policy/modules/services/clockspeed.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clockspeed.te
+++ refpolicy_svn_repo/policy/modules/services/clockspeed.te
@@ -28,7 +28,8 @@ allow clockspeed_cli_t self:udp_socket c
 
 read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 
-corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
@@ -55,7 +56,8 @@ allow clockspeed_srv_t self:unix_stream_
 manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 
-corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
Index: refpolicy_svn_repo/policy/modules/services/comsat.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/comsat.te
+++ refpolicy_svn_repo/policy/modules/services/comsat.te
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
 
-corenet_non_ipsec_sendrecv(comsat_t)
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
 corenet_tcp_sendrecv_all_if(comsat_t)
 corenet_udp_sendrecv_all_if(comsat_t)
 corenet_tcp_sendrecv_all_nodes(comsat_t)
Index: refpolicy_svn_repo/policy/modules/services/courier.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/courier.if
+++ refpolicy_svn_repo/policy/modules/services/courier.if
@@ -48,7 +48,8 @@ template(`courier_domain_template',`
 
 	corecmd_exec_bin(courier_$1_t)
 
-	corenet_non_ipsec_sendrecv(courier_$1_t)
+	corenet_all_recvfrom_unlabeled(courier_$1_t)
+	corenet_all_recvfrom_netlabel(courier_$1_t)
 	corenet_tcp_sendrecv_generic_if(courier_$1_t)
 	corenet_udp_sendrecv_generic_if(courier_$1_t)
 	corenet_tcp_sendrecv_all_nodes(courier_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.if
+++ refpolicy_svn_repo/policy/modules/services/cron.if
@@ -94,7 +94,8 @@ template(`cron_per_role_template',`
 	# ps does not need to access /boot when run from cron
 	files_dontaudit_search_boot($1_crond_t)
 
-	corenet_non_ipsec_sendrecv($1_crond_t)
+	corenet_all_recvfrom_unlabeled($1_crond_t)
+	corenet_all_recvfrom_netlabel($1_crond_t)
 	corenet_tcp_sendrecv_all_if($1_crond_t)
 	corenet_udp_sendrecv_all_if($1_crond_t)
 	corenet_tcp_sendrecv_all_nodes($1_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.te
+++ refpolicy_svn_repo/policy/modules/services/cron.te
@@ -327,7 +327,8 @@ ifdef(`targeted_policy',`
 
 	corecmd_exec_all_executables(system_crond_t)
 
-	corenet_non_ipsec_sendrecv(system_crond_t)
+	corenet_all_recvfrom_unlabeled(system_crond_t)
+	corenet_all_recvfrom_netlabel(system_crond_t)
 	corenet_tcp_sendrecv_all_if(system_crond_t)
 	corenet_udp_sendrecv_all_if(system_crond_t)
 	corenet_tcp_sendrecv_all_nodes(system_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cups.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cups.te
+++ refpolicy_svn_repo/policy/modules/services/cups.te
@@ -133,7 +133,9 @@ kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 
-corenet_non_ipsec_sendrecv(cupsd_t)
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
+corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
 corenet_raw_sendrecv_all_if(cupsd_t)
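Review bot: corenet_all_recvfrom_unlabeled(cupsd_t) is added twice in this hunk (the first and third + lines), so cupsd_t ends up with a duplicate interface call. Drop the second copy so this hunk has the same +2/-1 shape as the cupsd_config_t, cupsd_lpd_t, hplip_t and ptal_t hunks in this file; the extra line is also what pushes cups.te to 11 insertions in the diffstat.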
@@ -340,7 +342,8 @@ files_pid_filetrans(cupsd_config_t,cupsd
 kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
 
-corenet_non_ipsec_sendrecv(cupsd_config_t)
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -491,7 +494,8 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
 
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
@@ -564,7 +568,8 @@ files_pid_filetrans(hplip_t,hplip_var_ru
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
-corenet_non_ipsec_sendrecv(hplip_t)
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
 corenet_raw_sendrecv_all_if(hplip_t)
@@ -661,7 +666,8 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
-corenet_non_ipsec_sendrecv(ptal_t)
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_all_if(ptal_t)
 corenet_tcp_sendrecv_all_nodes(ptal_t)
 corenet_tcp_sendrecv_all_ports(ptal_t)
Index: refpolicy_svn_repo/policy/modules/services/cvs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cvs.te
+++ refpolicy_svn_repo/policy/modules/services/cvs.te
@@ -54,7 +54,8 @@ kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)
 kernel_read_network_state(cvs_t)
 
-corenet_non_ipsec_sendrecv(cvs_t)
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
 corenet_tcp_sendrecv_all_if(cvs_t)
 corenet_udp_sendrecv_all_if(cvs_t)
 corenet_tcp_sendrecv_all_nodes(cvs_t)
Index: refpolicy_svn_repo/policy/modules/services/cyrus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cyrus.te
+++ refpolicy_svn_repo/policy/modules/services/cyrus.te
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
 
-corenet_non_ipsec_sendrecv(cyrus_t)
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_all_if(cyrus_t)
 corenet_udp_sendrecv_all_if(cyrus_t)
 corenet_tcp_sendrecv_all_nodes(cyrus_t)
Index: refpolicy_svn_repo/policy/modules/services/dante.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dante.te
+++ refpolicy_svn_repo/policy/modules/services/dante.te
@@ -38,7 +38,8 @@ kernel_read_kernel_sysctls(dante_t)
 kernel_list_proc(dante_t)
 kernel_read_proc_symlinks(dante_t)
 
-corenet_non_ipsec_sendrecv(dante_t)
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
 corenet_tcp_sendrecv_generic_if(dante_t)
 corenet_udp_sendrecv_generic_if(dante_t)
 corenet_tcp_sendrecv_all_nodes(dante_t)
Index: refpolicy_svn_repo/policy/modules/services/dbskk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbskk.te
+++ refpolicy_svn_repo/policy/modules/services/dbskk.te
@@ -48,7 +48,8 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
 
-corenet_non_ipsec_sendrecv(dbskkd_t)
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_all_if(dbskkd_t)
 corenet_udp_sendrecv_all_if(dbskkd_t)
 corenet_tcp_sendrecv_all_nodes(dbskkd_t)
Index: refpolicy_svn_repo/policy/modules/services/dbus.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbus.if
+++ refpolicy_svn_repo/policy/modules/services/dbus.if
@@ -107,7 +107,8 @@ template(`dbus_per_role_template',`
 	corecmd_read_bin_pipes($1_dbusd_t)
 	corecmd_read_bin_sockets($1_dbusd_t)
 
-	corenet_non_ipsec_sendrecv($1_dbusd_t)
+	corenet_all_recvfrom_unlabeled($1_dbusd_t)
+	corenet_all_recvfrom_netlabel($1_dbusd_t)
 	corenet_tcp_sendrecv_all_if($1_dbusd_t)
 	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
 	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
@@ -269,7 +270,6 @@ template(`dbus_send_user_bus',`
 	allow $2 $1_dbusd_t:dbus send_msg;
 ')
 
-
 ########################################
 ## <summary>
 ##	Read dbus configuration.
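Review bot: this second hunk only removes a blank line between the closing `')` of dbus_send_user_bus and the next interface header, which is unrelated to the NetLabel conversion. Either leave the whitespace alone or mention the cleanup in the changelog so the dbus.if entry in the diffstat (2 insertions, 2 deletions) is not misread as a second functional change.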
Index: refpolicy_svn_repo/policy/modules/services/dcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dcc.te
+++ refpolicy_svn_repo/policy/modules/services/dcc.te
@@ -99,7 +99,8 @@ allow cdcc_t dcc_var_t:dir list_dir_perm
 read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 
-corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
 corenet_udp_sendrecv_generic_if(cdcc_t)
 corenet_udp_sendrecv_all_nodes(cdcc_t)
 corenet_udp_sendrecv_all_ports(cdcc_t)
@@ -141,7 +142,8 @@ allow dcc_client_t dcc_var_t:dir list_di
 read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 
-corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -183,7 +185,8 @@ manage_lnk_files_pattern(dcc_dbclean_t,d
 
 kernel_read_system_state(dcc_dbclean_t)
 
-corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
 corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
 corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
 corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
@@ -243,7 +246,8 @@ files_pid_filetrans(dccd_t,dccd_var_run_
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)
 
-corenet_non_ipsec_sendrecv(dccd_t)
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_all_nodes(dccd_t)
 corenet_udp_sendrecv_all_ports(dccd_t)
@@ -324,7 +328,8 @@ files_pid_filetrans(dccifd_t,dccifd_var_
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
-corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
 corenet_udp_sendrecv_generic_if(dccifd_t)
 corenet_udp_sendrecv_all_nodes(dccifd_t)
 corenet_udp_sendrecv_all_ports(dccifd_t)
@@ -401,7 +406,8 @@ files_pid_filetrans(dccm_t,dccm_var_run_
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
-corenet_non_ipsec_sendrecv(dccm_t)
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
 corenet_udp_sendrecv_generic_if(dccm_t)
 corenet_udp_sendrecv_all_nodes(dccm_t)
 corenet_udp_sendrecv_all_ports(dccm_t)
Index: refpolicy_svn_repo/policy/modules/services/ddclient.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ddclient.te
+++ refpolicy_svn_repo/policy/modules/services/ddclient.te
@@ -64,7 +64,8 @@ kernel_read_kernel_sysctls(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
 
-corenet_non_ipsec_sendrecv(ddclient_t)
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
 corenet_tcp_sendrecv_all_nodes(ddclient_t)
Index: refpolicy_svn_repo/policy/modules/services/dhcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dhcp.te
+++ refpolicy_svn_repo/policy/modules/services/dhcp.te
@@ -52,7 +52,8 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_ru
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
 
-corenet_non_ipsec_sendrecv(dhcpd_t)
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_all_if(dhcpd_t)
 corenet_udp_sendrecv_all_if(dhcpd_t)
 corenet_raw_sendrecv_all_if(dhcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/dictd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dictd.te
+++ refpolicy_svn_repo/policy/modules/services/dictd.te
@@ -37,7 +37,8 @@ allow dictd_t dictd_var_lib_t:file read_
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
-corenet_non_ipsec_sendrecv(dictd_t)
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
 corenet_raw_sendrecv_all_if(dictd_t)
 corenet_udp_sendrecv_all_if(dictd_t)
Index: refpolicy_svn_repo/policy/modules/services/distcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/distcc.te
+++ refpolicy_svn_repo/policy/modules/services/distcc.te
@@ -44,7 +44,8 @@ files_pid_filetrans(distccd_t,distccd_va
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
 
-corenet_non_ipsec_sendrecv(distccd_t)
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_all_if(distccd_t)
 corenet_udp_sendrecv_all_if(distccd_t)
 corenet_tcp_sendrecv_all_nodes(distccd_t)
Index: refpolicy_svn_repo/policy/modules/services/djbdns.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/djbdns.if
+++ refpolicy_svn_repo/policy/modules/services/djbdns.if
@@ -32,7 +32,8 @@ template(`djbdns_daemontools_domain_temp
 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
 
-	corenet_non_ipsec_sendrecv(djbdns_$1_t)
+	corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+	corenet_all_recvfrom_netlabel(djbdns_$1_t)
 	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
 	corenet_udp_sendrecv_all_if(djbdns_$1_t)
 	corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dnsmasq.te
+++ refpolicy_svn_repo/policy/modules/services/dnsmasq.te
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(dnsmasq_t)
 kernel_list_proc(dnsmasq_t)
 kernel_read_proc_symlinks(dnsmasq_t)
 
-corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
 corenet_raw_sendrecv_generic_if(dnsmasq_t)
Index: refpolicy_svn_repo/policy/modules/services/dovecot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dovecot.te
+++ refpolicy_svn_repo/policy/modules/services/dovecot.te
@@ -70,7 +70,8 @@ files_pid_filetrans(dovecot_t,dovecot_va
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
 
-corenet_non_ipsec_sendrecv(dovecot_t)
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_all_if(dovecot_t)
 corenet_tcp_sendrecv_all_nodes(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
Index: refpolicy_svn_repo/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/fetchmail.te
+++ refpolicy_svn_repo/policy/modules/services/fetchmail.te
@@ -46,7 +46,8 @@ kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
 kernel_dontaudit_read_system_state(fetchmail_t)
 
-corenet_non_ipsec_sendrecv(fetchmail_t)
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_udp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_all_nodes(fetchmail_t)
Index: refpolicy_svn_repo/policy/modules/services/finger.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/finger.te
+++ refpolicy_svn_repo/policy/modules/services/finger.te
@@ -47,7 +47,8 @@ logging_log_filetrans(fingerd_t,fingerd_
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 
-corenet_non_ipsec_sendrecv(fingerd_t)
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_all_if(fingerd_t)
 corenet_udp_sendrecv_all_if(fingerd_t)
 corenet_tcp_sendrecv_all_nodes(fingerd_t)
Index: refpolicy_svn_repo/policy/modules/services/ftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ftp.te
+++ refpolicy_svn_repo/policy/modules/services/ftp.te
@@ -128,7 +128,8 @@ dev_read_urand(ftpd_t)
 
 corecmd_exec_bin(ftpd_t)
 
-corenet_non_ipsec_sendrecv(ftpd_t)
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_all_if(ftpd_t)
 corenet_udp_sendrecv_all_if(ftpd_t)
 corenet_tcp_sendrecv_all_nodes(ftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/gatekeeper.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/gatekeeper.te
+++ refpolicy_svn_repo/policy/modules/services/gatekeeper.te
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(gatekeeper_t)
 
 corecmd_list_bin(gatekeeper_t)
 
-corenet_non_ipsec_sendrecv(gatekeeper_t)
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
 corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
Index: refpolicy_svn_repo/policy/modules/services/hal.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/hal.te
+++ refpolicy_svn_repo/policy/modules/services/hal.te
@@ -91,7 +91,8 @@ auth_read_pam_console_data(hald_t)
 
 corecmd_exec_all_executables(hald_t)
 
-corenet_non_ipsec_sendrecv(hald_t)
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
 corenet_tcp_sendrecv_all_nodes(hald_t)
Index: refpolicy_svn_repo/policy/modules/services/howl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/howl.te
+++ refpolicy_svn_repo/policy/modules/services/howl.te
@@ -34,7 +34,8 @@ kernel_load_module(howl_t)
 kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
 
-corenet_non_ipsec_sendrecv(howl_t)
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
 corenet_tcp_sendrecv_all_if(howl_t)
 corenet_udp_sendrecv_all_if(howl_t)
 corenet_tcp_sendrecv_all_nodes(howl_t)
Index: refpolicy_svn_repo/policy/modules/services/i18n_input.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/i18n_input.te
+++ refpolicy_svn_repo/policy/modules/services/i18n_input.te
@@ -37,7 +37,8 @@ can_exec(i18n_input_t, i18n_input_exec_t
 kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)
 
-corenet_non_ipsec_sendrecv(i18n_input_t)
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
 corenet_tcp_sendrecv_generic_if(i18n_input_t)
 corenet_udp_sendrecv_generic_if(i18n_input_t)
 corenet_tcp_sendrecv_all_nodes(i18n_input_t)
Index: refpolicy_svn_repo/policy/modules/services/imaze.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/imaze.te
+++ refpolicy_svn_repo/policy/modules/services/imaze.te
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(imazesrv_t)
 kernel_list_proc(imazesrv_t)
 kernel_read_proc_symlinks(imazesrv_t)
 
-corenet_non_ipsec_sendrecv(imazesrv_t)
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
 corenet_tcp_sendrecv_generic_if(imazesrv_t)
 corenet_udp_sendrecv_generic_if(imazesrv_t)
 corenet_tcp_sendrecv_all_nodes(imazesrv_t)
Index: refpolicy_svn_repo/policy/modules/services/inetd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inetd.te
+++ refpolicy_svn_repo/policy/modules/services/inetd.te
@@ -60,7 +60,8 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 # base networking:
-corenet_non_ipsec_sendrecv(inetd_t)
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
 corenet_tcp_sendrecv_all_if(inetd_t)
 corenet_udp_sendrecv_all_if(inetd_t)
 corenet_tcp_sendrecv_all_nodes(inetd_t)
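Review bot: the context line kernel_tcp_recvfrom_unlabeled(inetd_t) just above the "# base networking:" comment looks redundant once corenet_all_recvfrom_unlabeled(inetd_t) is added, if the latter covers TCP unlabeled peers as its name suggests; consider dropping it in this hunk so inetd_t does not keep two paths to the same permission.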
@@ -81,7 +82,6 @@ corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rsh_port(inetd_t)
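Review bot: removing the duplicated corenet_tcp_bind_inetd_child_port(inetd_t) line is a correct cleanup but is unrelated to the labeled-networking change; either mention it in the patch description or split it out so the intent of this series stays clear in the history.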
@@ -143,11 +143,6 @@ sysnet_read_config(inetd_t)
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
 
-ifdef(`enable_mls',`
- 	corenet_tcp_recv_netlabel(inetd_t)
-  	corenet_udp_recv_netlabel(inetd_t)
-')
-
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(inetd_t)
 	term_dontaudit_use_generic_ptys(inetd_t)
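Review bot: this hunk drops the ifdef(`enable_mls') block that gave inetd_t corenet_tcp_recv_netlabel and corenet_udp_recv_netlabel only on MLS builds, while the earlier hunk adds corenet_all_recvfrom_netlabel(inetd_t) unconditionally; that is consistent with the rest of the series, but inetd is the one module here where NetLabel access was previously MLS-gated, so the description should state that the gate is intentionally removed (the stray space-before-tab indentation in the removed lines disappears with it).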
@@ -200,7 +195,8 @@ kernel_read_kernel_sysctls(inetd_child_t
 kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 
-corenet_non_ipsec_sendrecv(inetd_child_t)
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
 corenet_tcp_sendrecv_all_if(inetd_child_t)
 corenet_udp_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
Index: refpolicy_svn_repo/policy/modules/services/inn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inn.te
+++ refpolicy_svn_repo/policy/modules/services/inn.te
@@ -63,7 +63,8 @@ manage_lnk_files_pattern(innd_t,news_spo
 kernel_read_kernel_sysctls(innd_t)
 kernel_read_system_state(innd_t)
 
-corenet_non_ipsec_sendrecv(innd_t)
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
 corenet_tcp_sendrecv_all_if(innd_t)
 corenet_udp_sendrecv_all_if(innd_t)
 corenet_tcp_sendrecv_all_nodes(innd_t)
Index: refpolicy_svn_repo/policy/modules/services/ircd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ircd.te
+++ refpolicy_svn_repo/policy/modules/services/ircd.te
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(ircd_t)
 
 corecmd_search_bin(ircd_t)
 
-corenet_non_ipsec_sendrecv(ircd_t)
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
 corenet_tcp_sendrecv_generic_if(ircd_t)
 corenet_udp_sendrecv_generic_if(ircd_t)
 corenet_tcp_sendrecv_all_nodes(ircd_t)
Index: refpolicy_svn_repo/policy/modules/services/jabber.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/jabber.te
+++ refpolicy_svn_repo/policy/modules/services/jabber.te
@@ -44,7 +44,8 @@ kernel_read_kernel_sysctls(jabberd_t)
 kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)
 
-corenet_non_ipsec_sendrecv(jabberd_t)
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
 corenet_tcp_sendrecv_generic_if(jabberd_t)
 corenet_udp_sendrecv_generic_if(jabberd_t)
 corenet_tcp_sendrecv_all_nodes(jabberd_t)
Index: refpolicy_svn_repo/policy/modules/services/kerberos.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.if
+++ refpolicy_svn_repo/policy/modules/services/kerberos.if
@@ -47,7 +47,8 @@ interface(`kerberos_use',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
 
-		corenet_non_ipsec_sendrecv($1)
+		corenet_all_recvfrom_unlabeled($1)
+		corenet_all_recvfrom_netlabel($1)
 		corenet_tcp_sendrecv_all_if($1)
 		corenet_udp_sendrecv_all_if($1)
 		corenet_tcp_sendrecv_all_nodes($1)
Index: refpolicy_svn_repo/policy/modules/services/kerberos.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.te
+++ refpolicy_svn_repo/policy/modules/services/kerberos.te
@@ -92,7 +92,8 @@ kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 
-corenet_non_ipsec_sendrecv(kadmind_t)
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
 corenet_tcp_sendrecv_all_if(kadmind_t)
 corenet_udp_sendrecv_all_if(kadmind_t)
 corenet_tcp_sendrecv_all_nodes(kadmind_t)
@@ -192,7 +193,8 @@ kernel_search_network_sysctl(krb5kdc_t)
 
 corecmd_exec_bin(krb5kdc_t)
 
-corenet_non_ipsec_sendrecv(krb5kdc_t)
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
 corenet_udp_sendrecv_all_if(krb5kdc_t)
 corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
Index: refpolicy_svn_repo/policy/modules/services/ktalk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ktalk.te
+++ refpolicy_svn_repo/policy/modules/services/ktalk.te
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
 
-corenet_non_ipsec_sendrecv(ktalkd_t)
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
 corenet_tcp_sendrecv_all_if(ktalkd_t)
 corenet_udp_sendrecv_all_if(ktalkd_t)
 corenet_tcp_sendrecv_all_nodes(ktalkd_t)
Index: refpolicy_svn_repo/policy/modules/services/ldap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ldap.te
+++ refpolicy_svn_repo/policy/modules/services/ldap.te
@@ -77,7 +77,8 @@ files_pid_filetrans(slapd_t,slapd_var_ru
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
 
-corenet_non_ipsec_sendrecv(slapd_t)
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
 corenet_udp_sendrecv_all_if(slapd_t)
 corenet_tcp_sendrecv_all_nodes(slapd_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.if
+++ refpolicy_svn_repo/policy/modules/services/lpd.if
@@ -104,7 +104,8 @@ template(`lpd_per_role_template',`
 
 	kernel_read_kernel_sysctls($1_lpr_t)
 
-	corenet_non_ipsec_sendrecv($1_lpr_t)
+	corenet_all_recvfrom_unlabeled($1_lpr_t)
+	corenet_all_recvfrom_netlabel($1_lpr_t)
 	corenet_tcp_sendrecv_generic_if($1_lpr_t)
 	corenet_udp_sendrecv_generic_if($1_lpr_t)
 	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.te
+++ refpolicy_svn_repo/policy/modules/services/lpd.te
@@ -72,7 +72,8 @@ allow checkpc_t printconf_t:dir { getatt
 
 kernel_read_system_state(checkpc_t)
 
-corenet_non_ipsec_sendrecv(checkpc_t)
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
 corenet_tcp_sendrecv_all_if(checkpc_t)
 corenet_udp_sendrecv_all_if(checkpc_t)
 corenet_tcp_sendrecv_all_nodes(checkpc_t)
@@ -157,7 +158,8 @@ kernel_read_kernel_sysctls(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)
 
-corenet_non_ipsec_sendrecv(lpd_t)
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
 corenet_tcp_sendrecv_all_if(lpd_t)
 corenet_udp_sendrecv_all_if(lpd_t)
 corenet_tcp_sendrecv_all_nodes(lpd_t)
Index: refpolicy_svn_repo/policy/modules/services/mailman.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mailman.if
+++ refpolicy_svn_repo/policy/modules/services/mailman.if
@@ -48,7 +48,8 @@ template(`mailman_domain_template', `
 	kernel_read_kernel_sysctls(mailman_$1_t)
 	kernel_read_system_state(mailman_$1_t)
 
-	corenet_non_ipsec_sendrecv(mailman_$1_t)
+	corenet_all_recvfrom_unlabeled(mailman_$1_t)
+	corenet_all_recvfrom_netlabel(mailman_$1_t)
 	corenet_tcp_sendrecv_all_if(mailman_$1_t)
 	corenet_udp_sendrecv_all_if(mailman_$1_t)
 	corenet_raw_sendrecv_all_if(mailman_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/monop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/monop.te
+++ refpolicy_svn_repo/policy/modules/services/monop.te
@@ -43,7 +43,8 @@ kernel_read_kernel_sysctls(monopd_t)
 kernel_list_proc(monopd_t)
 kernel_read_proc_symlinks(monopd_t)
 
-corenet_non_ipsec_sendrecv(monopd_t)
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
 corenet_tcp_sendrecv_generic_if(monopd_t)
 corenet_udp_sendrecv_generic_if(monopd_t)
 corenet_tcp_sendrecv_all_nodes(monopd_t)
Index: refpolicy_svn_repo/policy/modules/services/mta.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mta.if
+++ refpolicy_svn_repo/policy/modules/services/mta.if
@@ -72,7 +72,8 @@ template(`mta_base_mail_template',`
 
 	kernel_read_kernel_sysctls($1_mail_t)
 
-	corenet_non_ipsec_sendrecv($1_mail_t)
+	corenet_all_recvfrom_unlabeled($1_mail_t)
+	corenet_all_recvfrom_netlabel($1_mail_t)
 	corenet_tcp_sendrecv_all_if($1_mail_t)
 	corenet_tcp_sendrecv_all_nodes($1_mail_t)
 	corenet_tcp_sendrecv_all_ports($1_mail_t)
Index: refpolicy_svn_repo/policy/modules/services/munin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/munin.te
+++ refpolicy_svn_repo/policy/modules/services/munin.te
@@ -65,7 +65,8 @@ kernel_read_kernel_sysctls(munin_t)
 
 corecmd_exec_bin(munin_t)
 
-corenet_non_ipsec_sendrecv(munin_t)
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_udp_sendrecv_generic_if(munin_t)
 corenet_tcp_sendrecv_all_nodes(munin_t)
Index: refpolicy_svn_repo/policy/modules/services/mysql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mysql.te
+++ refpolicy_svn_repo/policy/modules/services/mysql.te
@@ -61,7 +61,8 @@ files_pid_filetrans(mysqld_t,mysqld_var_
 kernel_read_system_state(mysqld_t)
 kernel_read_kernel_sysctls(mysqld_t)
 
-corenet_non_ipsec_sendrecv(mysqld_t)
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_all_if(mysqld_t)
 corenet_udp_sendrecv_all_if(mysqld_t)
 corenet_tcp_sendrecv_all_nodes(mysqld_t)
Index: refpolicy_svn_repo/policy/modules/services/nagios.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nagios.te
+++ refpolicy_svn_repo/policy/modules/services/nagios.te
@@ -66,7 +66,8 @@ kernel_read_kernel_sysctls(nagios_t)
 corecmd_exec_bin(nagios_t)
 corecmd_exec_shell(nagios_t)
 
-corenet_non_ipsec_sendrecv(nagios_t)
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
 corenet_tcp_sendrecv_generic_if(nagios_t)
 corenet_udp_sendrecv_generic_if(nagios_t)
 corenet_tcp_sendrecv_all_nodes(nagios_t)
Index: refpolicy_svn_repo/policy/modules/services/nessus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nessus.te
+++ refpolicy_svn_repo/policy/modules/services/nessus.te
@@ -57,7 +57,8 @@ kernel_read_kernel_sysctls(nessusd_t)
 # for nmap etc
 corecmd_exec_bin(nessusd_t)
 
-corenet_non_ipsec_sendrecv(nessusd_t)
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
 corenet_tcp_sendrecv_generic_if(nessusd_t)
 corenet_udp_sendrecv_generic_if(nessusd_t)
 corenet_raw_sendrecv_generic_if(nessusd_t)
Index: refpolicy_svn_repo/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/networkmanager.te
+++ refpolicy_svn_repo/policy/modules/services/networkmanager.te
@@ -41,7 +41,8 @@ kernel_read_network_state(NetworkManager
 kernel_read_kernel_sysctls(NetworkManager_t)
 kernel_load_module(NetworkManager_t)
 
-corenet_non_ipsec_sendrecv(NetworkManager_t)
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_all_if(NetworkManager_t)
 corenet_udp_sendrecv_all_if(NetworkManager_t)
 corenet_raw_sendrecv_all_if(NetworkManager_t)
Index: refpolicy_svn_repo/policy/modules/services/nis.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.if
+++ refpolicy_svn_repo/policy/modules/services/nis.if
@@ -37,7 +37,8 @@ interface(`nis_use_ypbind_uncond',`
 	allow $1 var_yp_t:lnk_file { getattr read };
 	allow $1 var_yp_t:file read_file_perms;
 
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
Index: refpolicy_svn_repo/policy/modules/services/nis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.te
+++ refpolicy_svn_repo/policy/modules/services/nis.te
@@ -69,7 +69,8 @@ kernel_read_kernel_sysctls(ypbind_t)
 kernel_list_proc(ypbind_t)
 kernel_read_proc_symlinks(ypbind_t)
 
-corenet_non_ipsec_sendrecv(ypbind_t)
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
 corenet_tcp_sendrecv_all_if(ypbind_t)
 corenet_udp_sendrecv_all_if(ypbind_t)
 corenet_tcp_sendrecv_all_nodes(ypbind_t)
@@ -112,7 +113,6 @@ sysnet_read_config(ypbind_t)
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
 
-
 ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_ttys(ypbind_t)
 	term_dontaudit_use_generic_ptys(ypbind_t)
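Review bot: the only change in this hunk is the deletion of a second blank line before the ifdef(`targeted_policy') block, which is unrelated whitespace cleanup (the same deletion appears in the yppasswdd_t and ypserv_t hunks below); fine to keep, but note it in the description so the hunk is not mistaken for a functional change.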
@@ -152,7 +152,8 @@ kernel_read_proc_symlinks(yppasswdd_t)
 kernel_getattr_proc_files(yppasswdd_t)
 kernel_read_kernel_sysctls(yppasswdd_t)
 
-corenet_non_ipsec_sendrecv(yppasswdd_t)
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
 corenet_tcp_sendrecv_generic_if(yppasswdd_t)
 corenet_udp_sendrecv_generic_if(yppasswdd_t)
 corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
@@ -199,7 +200,6 @@ sysnet_read_config(yppasswdd_t)
 userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
 userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
 
-
 ifdef(`targeted_policy',`
         term_dontaudit_use_unallocated_ttys(yppasswdd_t)
         term_dontaudit_use_generic_ptys(yppasswdd_t)
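Review bot: the context lines term_dontaudit_use_unallocated_ttys(yppasswdd_t) and term_dontaudit_use_generic_ptys(yppasswdd_t) are indented with spaces while the equivalent ypbind_t and ypserv_t blocks use tabs; since this hunk already touches the surrounding whitespace, converting these two lines to tabs would make nis.te consistent.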
@@ -247,7 +247,8 @@ kernel_read_kernel_sysctls(ypserv_t)
 kernel_list_proc(ypserv_t)
 kernel_read_proc_symlinks(ypserv_t)
 
-corenet_non_ipsec_sendrecv(ypserv_t)
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
 corenet_tcp_sendrecv_all_if(ypserv_t)
 corenet_udp_sendrecv_all_if(ypserv_t)
 corenet_tcp_sendrecv_all_nodes(ypserv_t)
@@ -288,7 +289,6 @@ sysnet_read_config(ypserv_t)
 userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
 
-
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(ypserv_t)
 	term_dontaudit_use_generic_ptys(ypserv_t)
@@ -321,7 +321,8 @@ allow ypxfr_t ypserv_t:udp_socket { read
 
 allow ypxfr_t ypserv_conf_t:file { getattr read };
 
-corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
 corenet_tcp_sendrecv_all_if(ypxfr_t)
 corenet_udp_sendrecv_all_if(ypxfr_t)
 corenet_tcp_sendrecv_all_nodes(ypxfr_t)
Index: refpolicy_svn_repo/policy/modules/services/nscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nscd.te
+++ refpolicy_svn_repo/policy/modules/services/nscd.te
@@ -65,7 +65,8 @@ fs_search_auto_mountpoints(nscd_t)
 auth_getattr_shadow(nscd_t)
 auth_use_nsswitch(nscd_t)
 
-corenet_non_ipsec_sendrecv(nscd_t)
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
 corenet_tcp_sendrecv_all_if(nscd_t)
 corenet_udp_sendrecv_all_if(nscd_t)
 corenet_tcp_sendrecv_all_nodes(nscd_t)
Index: refpolicy_svn_repo/policy/modules/services/nsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nsd.te
+++ refpolicy_svn_repo/policy/modules/services/nsd.te
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(nsd_t)
 
 corecmd_exec_bin(nsd_t)
 
-corenet_non_ipsec_sendrecv(nsd_t)
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
 corenet_tcp_sendrecv_generic_if(nsd_t)
 corenet_udp_sendrecv_generic_if(nsd_t)
 corenet_tcp_sendrecv_all_nodes(nsd_t)
@@ -148,7 +149,8 @@ kernel_read_system_state(nsd_crond_t)
 corecmd_exec_bin(nsd_crond_t)
 corecmd_exec_shell(nsd_crond_t)
 
-corenet_non_ipsec_sendrecv(nsd_crond_t)
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
 corenet_tcp_sendrecv_generic_if(nsd_crond_t)
 corenet_udp_sendrecv_generic_if(nsd_crond_t)
 corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/ntop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ntop.te
+++ refpolicy_svn_repo/policy/modules/services/ntop.te
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(ntop_t)
 kernel_list_proc(ntop_t)
 kernel_read_proc_symlinks(ntop_t)
 
-corenet_non_ipsec_sendrecv(ntop_t)
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
 corenet_tcp_sendrecv_generic_if(ntop_t)
 corenet_udp_sendrecv_generic_if(ntop_t)
 corenet_raw_sendrecv_generic_if(ntop_t)
Index: refpolicy_svn_repo/policy/modules/services/nx.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nx.te
+++ refpolicy_svn_repo/policy/modules/services/nx.te
@@ -51,7 +51,8 @@ kernel_read_kernel_sysctls(nx_server_t)
 corecmd_exec_shell(nx_server_t)
 corecmd_exec_bin(nx_server_t)
 
-corenet_non_ipsec_sendrecv(nx_server_t)
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
 corenet_tcp_sendrecv_generic_if(nx_server_t)
 corenet_udp_sendrecv_generic_if(nx_server_t)
 corenet_tcp_sendrecv_all_nodes(nx_server_t)
Index: refpolicy_svn_repo/policy/modules/services/oav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/oav.te
+++ refpolicy_svn_repo/policy/modules/services/oav.te
@@ -50,7 +50,8 @@ read_lnk_files_pattern(oav_update_t,oav_
 
 corecmd_exec_all_executables(oav_update_t)
 
-corenet_non_ipsec_sendrecv(oav_update_t)
+corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_all_recvfrom_netlabel(oav_update_t)
 corenet_tcp_sendrecv_generic_if(oav_update_t)
 corenet_udp_sendrecv_generic_if(oav_update_t)
 corenet_tcp_sendrecv_all_nodes(oav_update_t)
@@ -104,7 +105,8 @@ kernel_read_kernel_sysctls(scannerdaemon
 # Can run kaffe
 corecmd_exec_all_executables(scannerdaemon_t)
 
-corenet_non_ipsec_sendrecv(scannerdaemon_t)
+corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_all_recvfrom_netlabel(scannerdaemon_t)
 corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
 corenet_udp_sendrecv_generic_if(scannerdaemon_t)
 corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/openvpn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/openvpn.te
+++ refpolicy_svn_repo/policy/modules/services/openvpn.te
@@ -53,7 +53,8 @@ kernel_read_system_state(openvpn_t)
 corecmd_exec_bin(openvpn_t)
 corecmd_exec_shell(openvpn_t)
 
-corenet_non_ipsec_sendrecv(openvpn_t)
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
 corenet_tcp_sendrecv_all_if(openvpn_t)
 corenet_udp_sendrecv_all_if(openvpn_t)
 corenet_tcp_sendrecv_generic_node(openvpn_t)
Index: refpolicy_svn_repo/policy/modules/services/pcscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pcscd.te
+++ refpolicy_svn_repo/policy/modules/services/pcscd.te
@@ -31,10 +31,11 @@ manage_files_pattern(pcscd_t,pcscd_var_r
 manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
 files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
 
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
 corenet_tcp_sendrecv_all_if(pcscd_t)
 corenet_tcp_sendrecv_all_nodes(pcscd_t)
 corenet_tcp_sendrecv_all_ports(pcscd_t)
-corenet_non_ipsec_sendrecv(pcscd_t)
 corenet_tcp_connect_http_port(pcscd_t)
 
 dev_rw_generic_usb_dev(pcscd_t)
Index: refpolicy_svn_repo/policy/modules/services/pegasus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pegasus.te
+++ refpolicy_svn_repo/policy/modules/services/pegasus.te
@@ -66,7 +66,8 @@ kernel_read_system_state(pegasus_t)
 kernel_search_vm_sysctl(pegasus_t)
 kernel_read_net_sysctls(pegasus_t)
 
-corenet_non_ipsec_sendrecv(pegasus_t)
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
 corenet_tcp_sendrecv_all_if(pegasus_t)
 corenet_tcp_sendrecv_all_nodes(pegasus_t)
 corenet_tcp_sendrecv_all_ports(pegasus_t)
Index: refpolicy_svn_repo/policy/modules/services/perdition.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/perdition.te
+++ refpolicy_svn_repo/policy/modules/services/perdition.te
@@ -37,7 +37,8 @@ kernel_read_kernel_sysctls(perdition_t)
 kernel_list_proc(perdition_t)
 kernel_read_proc_symlinks(perdition_t)
 
-corenet_non_ipsec_sendrecv(perdition_t)
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
 corenet_tcp_sendrecv_generic_if(perdition_t)
 corenet_udp_sendrecv_generic_if(perdition_t)
 corenet_tcp_sendrecv_all_nodes(perdition_t)
Index: refpolicy_svn_repo/policy/modules/services/portmap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portmap.te
+++ refpolicy_svn_repo/policy/modules/services/portmap.te
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(portmap_t)
 kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
 
-corenet_non_ipsec_sendrecv(portmap_t)
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
 corenet_tcp_sendrecv_all_if(portmap_t)
 corenet_udp_sendrecv_all_if(portmap_t)
 corenet_tcp_sendrecv_all_nodes(portmap_t)
@@ -123,6 +124,8 @@ allow portmap_helper_t self:udp_socket c
 allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
 files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
 
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
 corenet_tcp_sendrecv_all_if(portmap_helper_t)
 corenet_udp_sendrecv_all_if(portmap_helper_t)
 corenet_raw_sendrecv_all_if(portmap_helper_t)
@@ -131,7 +134,6 @@ corenet_udp_sendrecv_all_nodes(portmap_h
 corenet_raw_sendrecv_all_nodes(portmap_helper_t)
 corenet_tcp_sendrecv_all_ports(portmap_helper_t)
 corenet_udp_sendrecv_all_ports(portmap_helper_t)
-corenet_non_ipsec_sendrecv(portmap_helper_t)
 corenet_tcp_bind_all_nodes(portmap_helper_t)
 corenet_udp_bind_all_nodes(portmap_helper_t)
 corenet_tcp_bind_reserved_port(portmap_helper_t)
Index: refpolicy_svn_repo/policy/modules/services/portslave.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portslave.te
+++ refpolicy_svn_repo/policy/modules/services/portslave.te
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(portslave_t)
 corecmd_exec_bin(portslave_t)
 corecmd_exec_shell(portslave_t)
 
-corenet_non_ipsec_sendrecv(portslave_t)
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
 corenet_tcp_sendrecv_generic_if(portslave_t)
 corenet_udp_sendrecv_generic_if(portslave_t)
 corenet_tcp_sendrecv_all_nodes(portslave_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.if
+++ refpolicy_svn_repo/policy/modules/services/postfix.if
@@ -125,7 +125,8 @@ template(`postfix_server_domain_template
 
 	domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 
-	corenet_non_ipsec_sendrecv(postfix_$1_t)
+	corenet_all_recvfrom_unlabeled(postfix_$1_t)
+	corenet_all_recvfrom_netlabel(postfix_$1_t)
 	corenet_tcp_sendrecv_all_if(postfix_$1_t)
 	corenet_udp_sendrecv_all_if(postfix_$1_t)
 	corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.te
+++ refpolicy_svn_repo/policy/modules/services/postfix.te
@@ -133,7 +133,8 @@ rename_files_pattern(postfix_master_t,po
 
 kernel_read_all_sysctls(postfix_master_t)
 
-corenet_non_ipsec_sendrecv(postfix_master_t)
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
 corenet_tcp_sendrecv_all_if(postfix_master_t)
 corenet_udp_sendrecv_all_if(postfix_master_t)
 corenet_tcp_sendrecv_all_nodes(postfix_master_t)
@@ -309,7 +310,8 @@ kernel_read_kernel_sysctls(postfix_map_t
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
-corenet_non_ipsec_sendrecv(postfix_map_t)
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
 corenet_tcp_sendrecv_all_nodes(postfix_map_t)
Index: refpolicy_svn_repo/policy/modules/services/postgresql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgresql.te
+++ refpolicy_svn_repo/policy/modules/services/postgresql.te
@@ -82,7 +82,8 @@ kernel_list_proc(postgresql_t)
 kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
 
-corenet_non_ipsec_sendrecv(postgresql_t)
+corenet_all_recvfrom_unlabeled(postgresql_t)
+corenet_all_recvfrom_netlabel(postgresql_t)
 corenet_tcp_sendrecv_all_if(postgresql_t)
 corenet_udp_sendrecv_all_if(postgresql_t)
 corenet_tcp_sendrecv_all_nodes(postgresql_t)
Index: refpolicy_svn_repo/policy/modules/services/postgrey.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgrey.te
+++ refpolicy_svn_repo/policy/modules/services/postgrey.te
@@ -46,7 +46,8 @@ kernel_read_kernel_sysctls(postgrey_t)
 # for perl
 corecmd_search_bin(postgrey_t)
 
-corenet_non_ipsec_sendrecv(postgrey_t)
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)
 corenet_tcp_sendrecv_all_nodes(postgrey_t)
 corenet_tcp_sendrecv_all_ports(postgrey_t)
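Review bot: the all-protocol grant is broader than this domain's footprint. postgrey_t carries only tcp sendrecv interfaces in the surrounding context (`corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_all_nodes`, `corenet_tcp_sendrecv_all_ports`), yet the replacement uses `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel`, which cover every socket type rather than tcp alone. If the goal is a uniform two-call pattern for every domain, state that in the changelog so the over-grant is a deliberate trade-off; otherwise the transport-specific recvfrom interfaces would keep the permission aligned with the sockets the domain actually opens. The same observation applies to the other single-protocol domains in this file (for example pyzord_t, rwho_t and fsdaemon_t are udp-only; sendmail_t, tor_t and imapd_t are tcp-only).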
Index: refpolicy_svn_repo/policy/modules/services/ppp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ppp.te
+++ refpolicy_svn_repo/policy/modules/services/ppp.te
@@ -126,7 +126,8 @@ dev_read_urand(pppd_t)
 dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
 
-corenet_non_ipsec_sendrecv(pppd_t)
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
 corenet_tcp_sendrecv_all_if(pppd_t)
 corenet_raw_sendrecv_all_if(pppd_t)
 corenet_udp_sendrecv_all_if(pppd_t)
@@ -261,7 +262,8 @@ kernel_read_proc_symlinks(pptp_t)
 
 dev_read_sysfs(pptp_t)
 
-corenet_non_ipsec_sendrecv(pptp_t)
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_all_if(pptp_t)
 corenet_raw_sendrecv_all_if(pptp_t)
 corenet_tcp_sendrecv_all_nodes(pptp_t)
Index: refpolicy_svn_repo/policy/modules/services/privoxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/privoxy.te
+++ refpolicy_svn_repo/policy/modules/services/privoxy.te
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(privoxy_t)
 kernel_list_proc(privoxy_t)
 kernel_read_proc_symlinks(privoxy_t)
 
-corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
 corenet_tcp_sendrecv_all_if(privoxy_t)
 corenet_tcp_sendrecv_all_nodes(privoxy_t)
 corenet_tcp_sendrecv_all_ports(privoxy_t)
Index: refpolicy_svn_repo/policy/modules/services/procmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/procmail.te
+++ refpolicy_svn_repo/policy/modules/services/procmail.te
@@ -34,7 +34,8 @@ files_tmp_filetrans(procmail_t, procmail
 kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
 
-corenet_non_ipsec_sendrecv(procmail_t)
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
 corenet_tcp_sendrecv_all_if(procmail_t)
 corenet_udp_sendrecv_all_if(procmail_t)
 corenet_tcp_sendrecv_all_nodes(procmail_t)
Index: refpolicy_svn_repo/policy/modules/services/pyzor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pyzor.te
+++ refpolicy_svn_repo/policy/modules/services/pyzor.te
@@ -107,7 +107,8 @@ dev_read_urand(pyzord_t)
 
 corecmd_exec_bin(pyzord_t)
 
-corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
 corenet_udp_sendrecv_all_if(pyzord_t)
 corenet_udp_sendrecv_all_nodes(pyzord_t)
 corenet_udp_sendrecv_all_ports(pyzord_t)
Index: refpolicy_svn_repo/policy/modules/services/qmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/qmail.te
+++ refpolicy_svn_repo/policy/modules/services/qmail.te
@@ -171,7 +171,8 @@ allow qmail_remote_t self:udp_socket cre
 
 rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
 
-corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
 corenet_tcp_sendrecv_generic_if(qmail_remote_t)
 corenet_udp_sendrecv_generic_if(qmail_remote_t)
 corenet_tcp_sendrecv_generic_node(qmail_remote_t)
Index: refpolicy_svn_repo/policy/modules/services/radius.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radius.te
+++ refpolicy_svn_repo/policy/modules/services/radius.te
@@ -58,7 +58,8 @@ files_pid_filetrans(radiusd_t,radiusd_va
 kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
 
-corenet_non_ipsec_sendrecv(radiusd_t)
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
 corenet_tcp_sendrecv_all_if(radiusd_t)
 corenet_udp_sendrecv_all_if(radiusd_t)
 corenet_tcp_sendrecv_all_nodes(radiusd_t)
Index: refpolicy_svn_repo/policy/modules/services/radvd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radvd.te
+++ refpolicy_svn_repo/policy/modules/services/radvd.te
@@ -38,7 +38,8 @@ kernel_read_net_sysctls(radvd_t)
 kernel_read_network_state(radvd_t)
 kernel_read_system_state(radvd_t)
 
-corenet_non_ipsec_sendrecv(radvd_t)
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
 corenet_tcp_sendrecv_all_if(radvd_t)
 corenet_udp_sendrecv_all_if(radvd_t)
 corenet_raw_sendrecv_all_if(radvd_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.if
+++ refpolicy_svn_repo/policy/modules/services/razor.if
@@ -67,7 +67,8 @@ template(`razor_common_domain_template',
 
 	corecmd_exec_bin($1_t)
 
-	corenet_non_ipsec_sendrecv($1_t)
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_generic_if($1_t)
 	corenet_raw_sendrecv_generic_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.te
+++ refpolicy_svn_repo/policy/modules/services/razor.te
@@ -41,7 +41,8 @@ logging_log_filetrans(razor_t,razor_log_
 manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
 files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
 
-corenet_non_ipsec_sendrecv(razor_t)
+corenet_all_recvfrom_unlabeled(razor_t)
+corenet_all_recvfrom_netlabel(razor_t)
 corenet_tcp_sendrecv_generic_if(razor_t)
 corenet_raw_sendrecv_generic_if(razor_t)
 corenet_tcp_sendrecv_all_nodes(razor_t)
Index: refpolicy_svn_repo/policy/modules/services/rdisc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rdisc.te
+++ refpolicy_svn_repo/policy/modules/services/rdisc.te
@@ -26,7 +26,8 @@ kernel_list_proc(rdisc_t)
 kernel_read_proc_symlinks(rdisc_t)
 kernel_read_kernel_sysctls(rdisc_t)
 
-corenet_non_ipsec_sendrecv(rdisc_t)
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
 corenet_udp_sendrecv_generic_if(rdisc_t)
 corenet_raw_sendrecv_generic_if(rdisc_t)
 corenet_udp_sendrecv_all_nodes(rdisc_t)
Index: refpolicy_svn_repo/policy/modules/services/rhgb.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rhgb.te
+++ refpolicy_svn_repo/policy/modules/services/rhgb.te
@@ -44,7 +44,8 @@ kernel_read_system_state(rhgb_t)
 corecmd_exec_bin(rhgb_t)
 corecmd_exec_shell(rhgb_t)
 
-corenet_non_ipsec_sendrecv(rhgb_t)
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
 corenet_udp_sendrecv_generic_if(rhgb_t)
 corenet_tcp_sendrecv_all_nodes(rhgb_t)
Index: refpolicy_svn_repo/policy/modules/services/ricci.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ricci.te
+++ refpolicy_svn_repo/policy/modules/services/ricci.te
@@ -120,7 +120,8 @@ kernel_read_kernel_sysctls(ricci_t)
 
 corecmd_exec_bin(ricci_t)
 
-corenet_non_ipsec_sendrecv(ricci_t)
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
 corenet_tcp_sendrecv_all_if(ricci_t)
 corenet_tcp_sendrecv_all_nodes(ricci_t)
 corenet_tcp_sendrecv_all_ports(ricci_t)
@@ -356,7 +357,6 @@ logging_read_generic_logs(ricci_modlog_t
 
 miscfiles_read_localization(ricci_modlog_t)
 
-
 optional_policy(`
 	nscd_dontaudit_search_pid(ricci_modlog_t)
 ')
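Review bot: unrelated whitespace cleanup. The removal of the blank line before `optional_policy(` in ricci.te has nothing to do with the NetLabel interface swap and makes the policy history harder to bisect; either split it into a separate cosmetic patch or mention it in the changelog so it is not mistaken for a functional change.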
Index: refpolicy_svn_repo/policy/modules/services/rlogin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rlogin.te
+++ refpolicy_svn_repo/policy/modules/services/rlogin.te
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(rlogind_t)
 kernel_read_system_state(rlogind_t)
 kernel_read_network_state(rlogind_t)
 
-corenet_non_ipsec_sendrecv(rlogind_t)
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
 corenet_tcp_sendrecv_all_if(rlogind_t)
 corenet_udp_sendrecv_all_if(rlogind_t)
 corenet_tcp_sendrecv_all_nodes(rlogind_t)
Index: refpolicy_svn_repo/policy/modules/services/roundup.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/roundup.te
+++ refpolicy_svn_repo/policy/modules/services/roundup.te
@@ -43,7 +43,8 @@ dev_read_sysfs(roundup_t)
 # execute python
 corecmd_exec_bin(roundup_t)
 
-corenet_non_ipsec_sendrecv(roundup_t)
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
 corenet_tcp_sendrecv_generic_if(roundup_t)
 corenet_udp_sendrecv_generic_if(roundup_t)
 corenet_raw_sendrecv_generic_if(roundup_t)
Index: refpolicy_svn_repo/policy/modules/services/rpc.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rpc.if
+++ refpolicy_svn_repo/policy/modules/services/rpc.if
@@ -70,7 +70,8 @@ template(`rpc_domain_template', `
 	dev_read_urand($1_t)
 	dev_read_rand($1_t)
 
-	corenet_non_ipsec_sendrecv($1_t)
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_tcp_sendrecv_all_nodes($1_t)
@@ -80,7 +81,6 @@ template(`rpc_domain_template', `
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_tcp_bind_reserved_port($1_t)
-	corenet_tcp_bind_reserved_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_portmap_client_packets($1_t)
 	# do not log when it tries to bind to a port belonging to another domain
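Review bot: the deletion of the duplicated `corenet_tcp_bind_reserved_port($1_t)` in rpc_domain_template is correct but unrelated to the labeled-network change. It is behaviour-neutral (the second copy granted nothing the first did not), so either carve it out into its own patch or call it out in the changelog; otherwise a later reader of the diff may read a `-` line in a bind interface as a permission reduction for the rpc domains.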
Index: refpolicy_svn_repo/policy/modules/services/rshd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rshd.te
+++ refpolicy_svn_repo/policy/modules/services/rshd.te
@@ -23,7 +23,8 @@ allow rshd_t self:tcp_socket create_stre
 
 kernel_read_kernel_sysctls(rshd_t)
 
-corenet_non_ipsec_sendrecv(rshd_t)
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
 corenet_tcp_sendrecv_generic_if(rshd_t)
 corenet_udp_sendrecv_generic_if(rshd_t)
 corenet_tcp_sendrecv_all_nodes(rshd_t)
Index: refpolicy_svn_repo/policy/modules/services/rsync.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rsync.te
+++ refpolicy_svn_repo/policy/modules/services/rsync.te
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(rsync_t)
 kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
 
-corenet_non_ipsec_sendrecv(rsync_t)
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
 corenet_tcp_sendrecv_all_if(rsync_t)
 corenet_udp_sendrecv_all_if(rsync_t)
 corenet_tcp_sendrecv_all_nodes(rsync_t)
Index: refpolicy_svn_repo/policy/modules/services/rwho.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rwho.te
+++ refpolicy_svn_repo/policy/modules/services/rwho.te
@@ -32,7 +32,8 @@ files_spool_filetrans(rwho_t,rwho_spool_
 
 kernel_read_system_state(rwho_t)
 
-corenet_non_ipsec_sendrecv(rwho_t)
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
 corenet_udp_sendrecv_all_if(rwho_t)
 corenet_udp_sendrecv_all_nodes(rwho_t)
 corenet_udp_sendrecv_all_ports(rwho_t)
Index: refpolicy_svn_repo/policy/modules/services/samba.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/samba.te
+++ refpolicy_svn_repo/policy/modules/services/samba.te
@@ -133,6 +133,8 @@ manage_lnk_files_pattern(samba_net_t,sam
 
 kernel_read_proc_symlinks(samba_net_t)
 
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
 corenet_tcp_sendrecv_all_if(samba_net_t)
 corenet_udp_sendrecv_all_if(samba_net_t)
 corenet_raw_sendrecv_all_if(samba_net_t)
@@ -141,7 +143,6 @@ corenet_udp_sendrecv_all_nodes(samba_net
 corenet_raw_sendrecv_all_nodes(samba_net_t)
 corenet_tcp_sendrecv_all_ports(samba_net_t)
 corenet_udp_sendrecv_all_ports(samba_net_t)
-corenet_non_ipsec_sendrecv(samba_net_t)
 corenet_tcp_bind_all_nodes(samba_net_t)
 corenet_udp_bind_all_nodes(samba_net_t)
 corenet_tcp_connect_smbd_port(samba_net_t)
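Review bot: for samba_net_t the swap is split across two hunks rather than done in place: the `corenet_all_recvfrom_unlabeled`/`corenet_all_recvfrom_netlabel` lines are inserted ahead of `corenet_tcp_sendrecv_all_if` while `corenet_non_ipsec_sendrecv` is removed several lines further down. That is consistent with the other modules, which put the recvfrom calls at the head of the corenet block, but because the add and the remove are decoupled each pair should be checked (smbd_t, smbmount_t and winbind_t below, and the ssh_server_template and rblsmtpd_t hunks later in the file follow the same pattern) to confirm the old interface was removed wherever the new ones were added; a missed removal would silently leave both in place.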
@@ -241,6 +242,8 @@ kernel_read_kernel_sysctls(smbd_t)
 kernel_read_software_raid_state(smbd_t)
 kernel_read_system_state(smbd_t)
 
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
 corenet_tcp_sendrecv_all_if(smbd_t)
 corenet_udp_sendrecv_all_if(smbd_t)
 corenet_raw_sendrecv_all_if(smbd_t)
@@ -249,7 +252,6 @@ corenet_udp_sendrecv_all_nodes(smbd_t)
 corenet_raw_sendrecv_all_nodes(smbd_t)
 corenet_tcp_sendrecv_all_ports(smbd_t)
 corenet_udp_sendrecv_all_ports(smbd_t)
-corenet_non_ipsec_sendrecv(smbd_t)
 corenet_tcp_bind_all_nodes(smbd_t)
 corenet_udp_bind_all_nodes(smbd_t)
 corenet_tcp_bind_smbd_port(smbd_t)
@@ -380,7 +382,8 @@ kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
 
-corenet_non_ipsec_sendrecv(nmbd_t)
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
 corenet_tcp_sendrecv_all_if(nmbd_t)
 corenet_udp_sendrecv_all_if(nmbd_t)
 corenet_tcp_sendrecv_all_nodes(nmbd_t)
@@ -463,6 +466,8 @@ manage_lnk_files_pattern(smbmount_t,samb
 
 kernel_read_system_state(smbmount_t)
 
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
 corenet_tcp_sendrecv_all_if(smbmount_t)
 corenet_raw_sendrecv_all_if(smbmount_t)
 corenet_udp_sendrecv_all_if(smbmount_t)
@@ -471,7 +476,6 @@ corenet_raw_sendrecv_all_nodes(smbmount_
 corenet_udp_sendrecv_all_nodes(smbmount_t)
 corenet_tcp_sendrecv_all_ports(smbmount_t)
 corenet_udp_sendrecv_all_ports(smbmount_t)
-corenet_non_ipsec_sendrecv(smbmount_t)
 corenet_tcp_bind_all_nodes(smbmount_t)
 corenet_udp_bind_all_nodes(smbmount_t)
 corenet_tcp_connect_all_ports(smbmount_t)
@@ -566,7 +570,8 @@ kernel_read_network_state(swat_t)
 
 corecmd_search_bin(swat_t)
 
-corenet_non_ipsec_sendrecv(swat_t)
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
 corenet_tcp_sendrecv_generic_if(swat_t)
 corenet_udp_sendrecv_generic_if(swat_t)
 corenet_raw_sendrecv_generic_if(swat_t)
@@ -663,6 +668,8 @@ kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
 
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
 corenet_tcp_sendrecv_all_if(winbind_t)
 corenet_udp_sendrecv_all_if(winbind_t)
 corenet_raw_sendrecv_all_if(winbind_t)
@@ -671,7 +678,6 @@ corenet_udp_sendrecv_all_nodes(winbind_t
 corenet_raw_sendrecv_all_nodes(winbind_t)
 corenet_tcp_sendrecv_all_ports(winbind_t)
 corenet_udp_sendrecv_all_ports(winbind_t)
-corenet_non_ipsec_sendrecv(winbind_t)
 corenet_tcp_bind_all_nodes(winbind_t)
 corenet_udp_bind_all_nodes(winbind_t)
 corenet_tcp_connect_smbd_port(winbind_t)
Index: refpolicy_svn_repo/policy/modules/services/sasl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sasl.te
+++ refpolicy_svn_repo/policy/modules/services/sasl.te
@@ -47,7 +47,8 @@ files_pid_filetrans(saslauthd_t,saslauth
 kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
 
-corenet_non_ipsec_sendrecv(saslauthd_t)
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
 corenet_tcp_sendrecv_all_if(saslauthd_t)
 corenet_tcp_sendrecv_all_nodes(saslauthd_t)
 corenet_tcp_sendrecv_all_ports(saslauthd_t)
Index: refpolicy_svn_repo/policy/modules/services/sendmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sendmail.te
+++ refpolicy_svn_repo/policy/modules/services/sendmail.te
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
 
-corenet_non_ipsec_sendrecv(sendmail_t)
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
 corenet_tcp_sendrecv_all_nodes(sendmail_t)
 corenet_tcp_sendrecv_all_ports(sendmail_t)
Index: refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/setroubleshoot.te
+++ refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
@@ -58,7 +58,8 @@ kernel_read_network_state(setroubleshoot
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
 
-corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
 corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
 corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
 corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
Index: refpolicy_svn_repo/policy/modules/services/smartmon.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/smartmon.te
+++ refpolicy_svn_repo/policy/modules/services/smartmon.te
@@ -42,7 +42,8 @@ kernel_read_system_state(fsdaemon_t)
 
 corecmd_exec_all_executables(fsdaemon_t)
 
-corenet_non_ipsec_sendrecv(fsdaemon_t)
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
 corenet_udp_sendrecv_generic_if(fsdaemon_t)
 corenet_udp_sendrecv_all_nodes(fsdaemon_t)
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/snmp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snmp.te
+++ refpolicy_svn_repo/policy/modules/services/snmp.te
@@ -58,7 +58,8 @@ kernel_read_network_state(snmpd_t)
 corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
 
-corenet_non_ipsec_sendrecv(snmpd_t)
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_udp_sendrecv_all_if(snmpd_t)
 corenet_tcp_sendrecv_all_nodes(snmpd_t)
Index: refpolicy_svn_repo/policy/modules/services/snort.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snort.te
+++ refpolicy_svn_repo/policy/modules/services/snort.te
@@ -55,7 +55,8 @@ kernel_list_proc(snort_t)
 kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
 
-corenet_non_ipsec_sendrecv(snort_t)
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
 corenet_tcp_sendrecv_generic_if(snort_t)
 corenet_udp_sendrecv_generic_if(snort_t)
 corenet_raw_sendrecv_generic_if(snort_t)
Index: refpolicy_svn_repo/policy/modules/services/soundserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/soundserver.te
+++ refpolicy_svn_repo/policy/modules/services/soundserver.te
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(soundd_t)
 kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
 
-corenet_non_ipsec_sendrecv(soundd_t)
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
 corenet_udp_sendrecv_generic_if(soundd_t)
 corenet_tcp_sendrecv_all_nodes(soundd_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.if
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.if
@@ -97,7 +97,8 @@ template(`spamassassin_per_role_template
 
 	kernel_read_kernel_sysctls($1_spamc_t)
 
-	corenet_non_ipsec_sendrecv($1_spamc_t)
+	corenet_all_recvfrom_unlabeled($1_spamc_t)
+	corenet_all_recvfrom_netlabel($1_spamc_t)
 	corenet_tcp_sendrecv_generic_if($1_spamc_t)
 	corenet_udp_sendrecv_generic_if($1_spamc_t)
 	corenet_tcp_sendrecv_all_nodes($1_spamc_t)
@@ -267,7 +268,8 @@ template(`spamassassin_per_role_template
 		allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
 		allow $1_spamassassin_t self:udp_socket create_socket_perms;
 
-		corenet_non_ipsec_sendrecv($1_spamassassin_t)
+		corenet_all_recvfrom_unlabeled($1_spamassassin_t)
+		corenet_all_recvfrom_netlabel($1_spamassassin_t)
 		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
 		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
 		corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.te
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.te
@@ -93,7 +93,8 @@ files_pid_filetrans(spamd_t,spamd_var_ru
 kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 
-corenet_non_ipsec_sendrecv(spamd_t)
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_all_if(spamd_t)
 corenet_udp_sendrecv_all_if(spamd_t)
 corenet_tcp_sendrecv_all_nodes(spamd_t)
Index: refpolicy_svn_repo/policy/modules/services/squid.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/squid.te
+++ refpolicy_svn_repo/policy/modules/services/squid.te
@@ -75,7 +75,8 @@ kernel_read_system_state(squid_t)
 
 files_dontaudit_getattr_boot_dirs(squid_t)
 
-corenet_non_ipsec_sendrecv(squid_t)
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
 corenet_tcp_sendrecv_all_if(squid_t)
 corenet_udp_sendrecv_all_if(squid_t)
 corenet_tcp_sendrecv_all_nodes(squid_t)
Index: refpolicy_svn_repo/policy/modules/services/ssh.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ssh.if
+++ refpolicy_svn_repo/policy/modules/services/ssh.if
@@ -109,7 +109,8 @@ template(`ssh_basic_client_template',`
 
 	kernel_read_kernel_sysctls($1_ssh_t)
 
-	corenet_non_ipsec_sendrecv($1_ssh_t)
+	corenet_all_recvfrom_unlabeled($1_ssh_t)
+	corenet_all_recvfrom_netlabel($1_ssh_t)
 	corenet_tcp_sendrecv_all_if($1_ssh_t)
 	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
 	corenet_tcp_sendrecv_all_ports($1_ssh_t)
@@ -466,6 +467,8 @@ template(`ssh_server_template', `
 
 	kernel_read_kernel_sysctls($1_t)
 
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
 	corenet_raw_sendrecv_all_if($1_t)
@@ -474,7 +477,6 @@ template(`ssh_server_template', `
 	corenet_raw_sendrecv_all_nodes($1_t)
 	corenet_udp_sendrecv_all_ports($1_t)
 	corenet_tcp_sendrecv_all_ports($1_t)
-	corenet_non_ipsec_sendrecv($1_t)
 	corenet_tcp_bind_all_nodes($1_t)
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_tcp_bind_ssh_port($1_t)
Index: refpolicy_svn_repo/policy/modules/services/stunnel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/stunnel.te
+++ refpolicy_svn_repo/policy/modules/services/stunnel.te
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(stunnel_t)
 kernel_read_system_state(stunnel_t)
 kernel_read_network_state(stunnel_t)
 
-corenet_non_ipsec_sendrecv(stunnel_t)
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_all_if(stunnel_t)
 corenet_udp_sendrecv_all_if(stunnel_t)
 corenet_tcp_sendrecv_all_nodes(stunnel_t)
Index: refpolicy_svn_repo/policy/modules/services/tcpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tcpd.te
+++ refpolicy_svn_repo/policy/modules/services/tcpd.te
@@ -23,7 +23,8 @@ manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tc
 manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 
-corenet_non_ipsec_sendrecv(tcpd_t)
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
 corenet_tcp_sendrecv_all_if(tcpd_t)
 corenet_tcp_sendrecv_all_nodes(tcpd_t)
 corenet_tcp_sendrecv_all_ports(tcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/telnet.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/telnet.te
+++ refpolicy_svn_repo/policy/modules/services/telnet.te
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(telnetd_t)
 kernel_read_system_state(telnetd_t)
 kernel_read_network_state(telnetd_t)
 
-corenet_non_ipsec_sendrecv(telnetd_t)
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
 corenet_tcp_sendrecv_all_if(telnetd_t)
 corenet_udp_sendrecv_all_if(telnetd_t)
 corenet_tcp_sendrecv_all_nodes(telnetd_t)
Index: refpolicy_svn_repo/policy/modules/services/tftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tftp.te
+++ refpolicy_svn_repo/policy/modules/services/tftp.te
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(tftpd_t)
 kernel_list_proc(tftpd_t)
 kernel_read_proc_symlinks(tftpd_t)
 
-corenet_non_ipsec_sendrecv(tftpd_t)
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
 corenet_tcp_sendrecv_all_if(tftpd_t)
 corenet_udp_sendrecv_all_if(tftpd_t)
 corenet_tcp_sendrecv_all_nodes(tftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/timidity.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/timidity.te
+++ refpolicy_svn_repo/policy/modules/services/timidity.te
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(timidity_t)
 # read /proc/cpuinfo
 kernel_read_system_state(timidity_t)
 
-corenet_non_ipsec_sendrecv(timidity_t)
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
 corenet_tcp_sendrecv_generic_if(timidity_t)
 corenet_udp_sendrecv_generic_if(timidity_t)
 corenet_tcp_sendrecv_all_nodes(timidity_t)
Index: refpolicy_svn_repo/policy/modules/services/tor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tor.te
+++ refpolicy_svn_repo/policy/modules/services/tor.te
@@ -63,7 +63,8 @@ files_pid_filetrans(tor_t,tor_var_run_t,
 kernel_read_system_state(tor_t)
 
 # networking basics
-corenet_non_ipsec_sendrecv(tor_t)
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_all_if(tor_t)
 corenet_tcp_sendrecv_all_nodes(tor_t)
 corenet_tcp_sendrecv_all_ports(tor_t)
Index: refpolicy_svn_repo/policy/modules/services/transproxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/transproxy.te
+++ refpolicy_svn_repo/policy/modules/services/transproxy.te
@@ -30,7 +30,8 @@ kernel_read_kernel_sysctls(transproxy_t)
 kernel_list_proc(transproxy_t)
 kernel_read_proc_symlinks(transproxy_t)
 
-corenet_non_ipsec_sendrecv(transproxy_t)
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
 corenet_tcp_sendrecv_generic_if(transproxy_t)
 corenet_tcp_sendrecv_all_nodes(transproxy_t)
 corenet_tcp_sendrecv_all_ports(transproxy_t)
Index: refpolicy_svn_repo/policy/modules/services/ucspitcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ucspitcp.te
+++ refpolicy_svn_repo/policy/modules/services/ucspitcp.te
@@ -25,13 +25,14 @@ ucspitcp_service_domain(rblsmtpd_t, rbls
 
 corecmd_search_bin(rblsmtpd_t)
 
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
 corenet_tcp_sendrecv_all_if(rblsmtpd_t)
 corenet_udp_sendrecv_all_if(rblsmtpd_t)
 corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
 corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
 corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
 corenet_udp_sendrecv_all_ports(rblsmtpd_t)
-corenet_non_ipsec_sendrecv(rblsmtpd_t)
 corenet_tcp_bind_all_nodes(rblsmtpd_t)
 corenet_udp_bind_generic_port(rblsmtpd_t)
 
@@ -58,7 +59,8 @@ allow ucspitcp_t self:udp_socket create_
 corecmd_search_bin(ucspitcp_t)
 
 # base networking:
-corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
 corenet_tcp_sendrecv_all_if(ucspitcp_t)
 corenet_udp_sendrecv_all_if(ucspitcp_t)
 corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
Index: refpolicy_svn_repo/policy/modules/services/uucp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uucp.te
+++ refpolicy_svn_repo/policy/modules/services/uucp.te
@@ -70,7 +70,8 @@ kernel_read_kernel_sysctls(uucpd_t)
 kernel_read_system_state(uucpd_t)
 kernel_read_network_state(uucpd_t)
 
-corenet_non_ipsec_sendrecv(uucpd_t)
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
 corenet_tcp_sendrecv_all_if(uucpd_t)
 corenet_udp_sendrecv_all_if(uucpd_t)
 corenet_tcp_sendrecv_all_nodes(uucpd_t)
Index: refpolicy_svn_repo/policy/modules/services/uwimap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uwimap.te
+++ refpolicy_svn_repo/policy/modules/services/uwimap.te
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(imapd_t)
 kernel_list_proc(imapd_t)
 kernel_read_proc_symlinks(imapd_t)
 
-corenet_non_ipsec_sendrecv(imapd_t)
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
 corenet_tcp_sendrecv_generic_if(imapd_t)
 corenet_tcp_sendrecv_all_nodes(imapd_t)
 corenet_tcp_sendrecv_all_ports(imapd_t)
Index: refpolicy_svn_repo/policy/modules/services/watchdog.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/watchdog.te
+++ refpolicy_svn_repo/policy/modules/services/watchdog.te
@@ -43,7 +43,8 @@ kernel_unmount_proc(watchdog_t)
 corecmd_exec_shell(watchdog_t)
 
 # cjp: why networking?
-corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
 corenet_tcp_sendrecv_generic_if(watchdog_t)
 corenet_udp_sendrecv_generic_if(watchdog_t)
 corenet_tcp_sendrecv_all_nodes(watchdog_t)
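Review bot: the `# cjp: why networking?` comment directly above these lines records an unresolved question about whether watchdog_t needs network access at all, and this hunk extends the questioned grant rather than resolving it: `corenet_all_recvfrom_netlabel` is a new permission (receiving labeled traffic), not just a rename of `corenet_non_ipsec_sendrecv`. Either settle the open question first and drop the corenet block if the daemon has no network role, or note in the changelog that the netlabel call is added mechanically for consistency pending that answer.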
Index: refpolicy_svn_repo/policy/modules/services/xprint.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xprint.te
+++ refpolicy_svn_repo/policy/modules/services/xprint.te
@@ -33,7 +33,8 @@ kernel_read_kernel_sysctls(xprint_t)
 corecmd_exec_bin(xprint_t)
 corecmd_exec_shell(xprint_t)
 
-corenet_non_ipsec_sendrecv(xprint_t)
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
 corenet_tcp_sendrecv_generic_if(xprint_t)
 corenet_udp_sendrecv_generic_if(xprint_t)
 corenet_tcp_sendrecv_all_nodes(xprint_t)
Index: refpolicy_svn_repo/policy/modules/services/xserver.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.if
+++ refpolicy_svn_repo/policy/modules/services/xserver.if
@@ -94,7 +94,8 @@ template(`xserver_common_domain_template
 	corecmd_exec_bin($1_xserver_t)
 	corecmd_exec_shell($1_xserver_t)
 
-	corenet_non_ipsec_sendrecv($1_xserver_t)
+	corenet_all_recvfrom_unlabeled($1_xserver_t)
+	corenet_all_recvfrom_netlabel($1_xserver_t)
 	corenet_tcp_sendrecv_generic_if($1_xserver_t)
 	corenet_udp_sendrecv_generic_if($1_xserver_t)
 	corenet_tcp_sendrecv_all_nodes($1_xserver_t)
Index: refpolicy_svn_repo/policy/modules/services/xserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.te
+++ refpolicy_svn_repo/policy/modules/services/xserver.te
@@ -177,7 +177,8 @@ kernel_read_network_state(xdm_t)
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
 
-corenet_non_ipsec_sendrecv(xdm_t)
+corenet_all_recvfrom_unlabeled(xdm_t)
+corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
 corenet_tcp_sendrecv_all_nodes(xdm_t)
Index: refpolicy_svn_repo/policy/modules/services/zebra.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/zebra.te
+++ refpolicy_svn_repo/policy/modules/services/zebra.te
@@ -67,7 +67,8 @@ kernel_read_system_state(zebra_t)
 kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 
-corenet_non_ipsec_sendrecv(zebra_t)
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
 corenet_tcp_sendrecv_all_if(zebra_t)
 corenet_udp_sendrecv_all_if(zebra_t)
 corenet_raw_sendrecv_all_if(zebra_t)

-- 
paul moore
linux security @ hp


* [PATCHv2 4/5] Add NetLabel labeled and unlabeled support to the application domains
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito, Paul Moore

This patch adds calls to the NetLabel corenet policy interfaces to grant the
relevant application domains access to NetLabel labeled and unlabeled packets.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/apps/calamaris.te   |    3 ++-
 policy/modules/apps/evolution.if   |    9 ++++++---
 policy/modules/apps/games.if       |    3 ++-
 policy/modules/apps/gift.if        |    6 ++++--
 policy/modules/apps/gpg.if         |    6 ++++--
 policy/modules/apps/irc.if         |    3 ++-
 policy/modules/apps/java.if        |    3 ++-
 policy/modules/apps/mozilla.if     |    3 ++-
 policy/modules/apps/screen.if      |    3 ++-
 policy/modules/apps/thunderbird.if |    3 ++-
 policy/modules/apps/uml.if         |    3 ++-
 policy/modules/apps/vmware.te      |    3 ++-
 policy/modules/apps/webalizer.te   |    3 ++-
 policy/modules/apps/yam.te         |    3 ++-
 14 files changed, 36 insertions(+), 18 deletions(-)

Index: refpolicy_svn_repo/policy/modules/apps/calamaris.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/calamaris.te
+++ refpolicy_svn_repo/policy/modules/apps/calamaris.te
@@ -40,7 +40,8 @@ kernel_read_system_state(calamaris_t)
 
 corecmd_exec_bin(calamaris_t)
 
-corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
 corenet_tcp_sendrecv_generic_if(calamaris_t)
 corenet_udp_sendrecv_generic_if(calamaris_t)
 corenet_tcp_sendrecv_all_nodes(calamaris_t)
Index: refpolicy_svn_repo/policy/modules/apps/evolution.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/evolution.if
+++ refpolicy_svn_repo/policy/modules/apps/evolution.if
@@ -188,7 +188,8 @@ template(`evolution_per_role_template',`
 	# Run various programs
 	corecmd_exec_bin($1_evolution_t)
 
-	corenet_non_ipsec_sendrecv($1_evolution_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_t)
+	corenet_all_recvfrom_netlabel($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)
 	corenet_udp_sendrecv_generic_if($1_evolution_t)
 	corenet_raw_sendrecv_generic_if($1_evolution_t)
@@ -681,7 +682,8 @@ template(`evolution_per_role_template',`
 	corecmd_exec_shell($1_evolution_server_t)
 
 	# Obtain weather data via http (read server name from xml file in /usr)
-	corenet_non_ipsec_sendrecv($1_evolution_server_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_server_t)
+	corenet_all_recvfrom_netlabel($1_evolution_server_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
 	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
 	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
@@ -758,7 +760,8 @@ template(`evolution_per_role_template',`
 	# Transition from user type
 	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
 
-	corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
+	corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
 	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
 	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
Index: refpolicy_svn_repo/policy/modules/apps/games.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/games.if
+++ refpolicy_svn_repo/policy/modules/apps/games.if
@@ -92,7 +92,8 @@ template(`games_per_role_template',`
 
 	corecmd_exec_bin($1_games_t)
 
-	corenet_non_ipsec_sendrecv($1_games_t)
+	corenet_all_recvfrom_unlabeled($1_games_t)
+	corenet_all_recvfrom_netlabel($1_games_t)
 	corenet_tcp_sendrecv_generic_if($1_games_t)
 	corenet_udp_sendrecv_generic_if($1_games_t)
 	corenet_tcp_sendrecv_all_nodes($1_games_t)
Index: refpolicy_svn_repo/policy/modules/apps/gift.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/gift.if
+++ refpolicy_svn_repo/policy/modules/apps/gift.if
@@ -96,7 +96,8 @@ template(`gift_per_role_template',`
 	kernel_read_system_state($1_giftd_t)
 
 	# Connect to gift daemon
-	corenet_non_ipsec_sendrecv($1_gift_t)
+	corenet_all_recvfrom_unlabeled($1_gift_t)
+	corenet_all_recvfrom_netlabel($1_gift_t)
 	corenet_tcp_sendrecv_generic_if($1_gift_t)
 	corenet_tcp_sendrecv_all_nodes($1_gift_t)
 	corenet_tcp_sendrecv_giftd_port($1_gift_t)
@@ -155,7 +156,8 @@ template(`gift_per_role_template',`
 	kernel_read_kernel_sysctls($1_giftd_t)
 
 	# Serve content on various p2p networks. Ports can be random.
-	corenet_non_ipsec_sendrecv($1_giftd_t)
+	corenet_all_recvfrom_unlabeled($1_giftd_t)
+	corenet_all_recvfrom_netlabel($1_giftd_t)
 	corenet_tcp_sendrecv_generic_if($1_giftd_t)
 	corenet_udp_sendrecv_generic_if($1_giftd_t)
 	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
Index: refpolicy_svn_repo/policy/modules/apps/gpg.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/gpg.if
+++ refpolicy_svn_repo/policy/modules/apps/gpg.if
@@ -98,7 +98,8 @@ template(`gpg_per_role_template',`
 	# allow ps to show gpg
 	ps_process_pattern($2,$1_gpg_t)
 
-	corenet_non_ipsec_sendrecv($1_gpg_t)
+	corenet_all_recvfrom_unlabeled($1_gpg_t)
+	corenet_all_recvfrom_netlabel($1_gpg_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
 	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
@@ -161,6 +162,8 @@ template(`gpg_per_role_template',`
 
 	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 
+	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
 	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
 	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
@@ -169,7 +172,6 @@ template(`gpg_per_role_template',`
 	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
 	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
 	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_non_ipsec_sendrecv($1_gpg_helper_t)
 	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
 	corenet_udp_bind_all_nodes($1_gpg_helper_t)
 	corenet_tcp_connect_all_ports($1_gpg_helper_t)
Index: refpolicy_svn_repo/policy/modules/apps/irc.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/irc.if
+++ refpolicy_svn_repo/policy/modules/apps/irc.if
@@ -90,7 +90,8 @@ template(`irc_per_role_template',`
 	
 	kernel_read_proc_symlinks($1_irc_t)
 
-	corenet_non_ipsec_sendrecv($1_irc_t)
+	corenet_all_recvfrom_unlabeled($1_irc_t)
+	corenet_all_recvfrom_netlabel($1_irc_t)
 	corenet_tcp_sendrecv_generic_if($1_irc_t)
 	corenet_udp_sendrecv_generic_if($1_irc_t)
 	corenet_tcp_sendrecv_all_nodes($1_irc_t)
Index: refpolicy_svn_repo/policy/modules/apps/java.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/java.if
+++ refpolicy_svn_repo/policy/modules/apps/java.if
@@ -97,7 +97,8 @@ template(`java_per_role_template',`
 	# Search bin directory under javaplugin for javaplugin executable
 	corecmd_search_bin($1_javaplugin_t)
 
-	corenet_non_ipsec_sendrecv($1_javaplugin_t)
+	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
+	corenet_all_recvfrom_netlabel($1_javaplugin_t)
 	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
 	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
 	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
Index: refpolicy_svn_repo/policy/modules/apps/mozilla.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/mozilla.if
+++ refpolicy_svn_repo/policy/modules/apps/mozilla.if
@@ -126,7 +126,8 @@ template(`mozilla_per_role_template',`
 	corecmd_exec_bin($1_mozilla_t)
 
 	# Browse the web, connect to printer
-	corenet_non_ipsec_sendrecv($1_mozilla_t)
+	corenet_all_recvfrom_unlabeled($1_mozilla_t)
+	corenet_all_recvfrom_netlabel($1_mozilla_t)
 	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
 	corenet_raw_sendrecv_generic_if($1_mozilla_t)
 	corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
Index: refpolicy_svn_repo/policy/modules/apps/screen.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/screen.if
+++ refpolicy_svn_repo/policy/modules/apps/screen.if
@@ -111,7 +111,8 @@ template(`screen_per_role_template',`
 	corecmd_shell_domtrans($1_screen_t,$2)
 	corecmd_bin_domtrans($1_screen_t,$2)
 
-	corenet_non_ipsec_sendrecv($1_screen_t)
+	corenet_all_recvfrom_unlabeled($1_screen_t)
+	corenet_all_recvfrom_netlabel($1_screen_t)
 	corenet_tcp_sendrecv_generic_if($1_screen_t)
 	corenet_udp_sendrecv_generic_if($1_screen_t)
 	corenet_tcp_sendrecv_all_nodes($1_screen_t)
Index: refpolicy_svn_repo/policy/modules/apps/thunderbird.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/thunderbird.if
+++ refpolicy_svn_repo/policy/modules/apps/thunderbird.if
@@ -105,7 +105,8 @@ template(`thunderbird_per_role_template'
 	# Startup shellscript
 	corecmd_exec_shell($1_thunderbird_t)
 
-	corenet_non_ipsec_sendrecv($1_thunderbird_t)
+	corenet_all_recvfrom_unlabeled($1_thunderbird_t)
+	corenet_all_recvfrom_netlabel($1_thunderbird_t)
 	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
 	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
 	corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
Index: refpolicy_svn_repo/policy/modules/apps/uml.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/uml.if
+++ refpolicy_svn_repo/policy/modules/apps/uml.if
@@ -152,7 +152,8 @@ template(`uml_per_role_template',`
 	# for xterm
 	corecmd_exec_bin($1_uml_t)
 
-	corenet_non_ipsec_sendrecv($1_uml_t)
+	corenet_all_recvfrom_unlabeled($1_uml_t)
+	corenet_all_recvfrom_netlabel($1_uml_t)
 	corenet_tcp_sendrecv_generic_if($1_uml_t)
 	corenet_udp_sendrecv_generic_if($1_uml_t)
 	corenet_tcp_sendrecv_all_nodes($1_uml_t)
Index: refpolicy_svn_repo/policy/modules/apps/vmware.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/vmware.te
+++ refpolicy_svn_repo/policy/modules/apps/vmware.te
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(vmware_host_t
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
 
-corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
 corenet_tcp_sendrecv_generic_if(vmware_host_t)
 corenet_udp_sendrecv_generic_if(vmware_host_t)
 corenet_raw_sendrecv_generic_if(vmware_host_t)
Index: refpolicy_svn_repo/policy/modules/apps/webalizer.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/webalizer.te
+++ refpolicy_svn_repo/policy/modules/apps/webalizer.te
@@ -61,7 +61,8 @@ files_var_lib_filetrans(webalizer_t,weba
 kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 
-corenet_non_ipsec_sendrecv(webalizer_t)
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
 corenet_tcp_sendrecv_all_if(webalizer_t)
 corenet_tcp_sendrecv_all_nodes(webalizer_t)
 corenet_tcp_sendrecv_all_ports(webalizer_t)
Index: refpolicy_svn_repo/policy/modules/apps/yam.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/yam.te
+++ refpolicy_svn_repo/policy/modules/apps/yam.te
@@ -60,7 +60,8 @@ corecmd_exec_bin(yam_t)
 
 # Rsync and lftp need to network.  They also set files attributes to
 # match whats on the remote server.
-corenet_non_ipsec_sendrecv(yam_t)
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
 corenet_tcp_sendrecv_generic_if(yam_t)
 corenet_tcp_sendrecv_all_nodes(yam_t)
 corenet_tcp_sendrecv_all_ports(yam_t)

-- 
paul moore
linux security @ hp


* [PATCHv2 5/5] Add NetLabel labeled and unlabeled support to the administrative domains
From: Paul Moore @ 2007-06-21 23:15 UTC (permalink / raw)
  To: selinux; +Cc: cpebenito, Paul Moore

This patch adds calls to the NetLabel corenet policy interfaces to grant the
relevant administrative domains access to NetLabel labeled and unlabeled
packets.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/admin/amanda.te    |    6 ++++--
 policy/modules/admin/apt.te       |    3 ++-
 policy/modules/admin/backup.te    |    3 ++-
 policy/modules/admin/dpkg.te      |    3 ++-
 policy/modules/admin/firstboot.te |    3 ++-
 policy/modules/admin/mrtg.te      |    3 ++-
 policy/modules/admin/netutils.te  |    9 ++++++---
 policy/modules/admin/portage.if   |    6 ++++--
 policy/modules/admin/rpm.te       |    3 ++-
 policy/modules/admin/sxid.te      |    3 ++-
 policy/modules/admin/vpn.te       |    3 ++-
 11 files changed, 30 insertions(+), 15 deletions(-)

Index: refpolicy_svn_repo/policy/modules/admin/amanda.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/amanda.te
+++ refpolicy_svn_repo/policy/modules/admin/amanda.te
@@ -113,7 +113,8 @@ kernel_dontaudit_read_proc_symlinks(aman
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)
 
-corenet_non_ipsec_sendrecv(amanda_t)
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
 corenet_tcp_sendrecv_all_if(amanda_t)
 corenet_udp_sendrecv_all_if(amanda_t)
 corenet_raw_sendrecv_all_if(amanda_t)
@@ -200,7 +201,8 @@ files_tmp_filetrans(amanda_recover_t,ama
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)
 
-corenet_non_ipsec_sendrecv(amanda_recover_t)
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_all_if(amanda_recover_t)
 corenet_udp_sendrecv_all_if(amanda_recover_t)
 corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
Index: refpolicy_svn_repo/policy/modules/admin/apt.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/apt.te
+++ refpolicy_svn_repo/policy/modules/admin/apt.te
@@ -72,7 +72,8 @@ kernel_read_kernel_sysctls(apt_t)
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 
-corenet_non_ipsec_sendrecv(apt_t)
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_all_if(apt_t)
 corenet_udp_sendrecv_all_if(apt_t)
 corenet_tcp_sendrecv_all_nodes(apt_t)
Index: refpolicy_svn_repo/policy/modules/admin/backup.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/backup.te
+++ refpolicy_svn_repo/policy/modules/admin/backup.te
@@ -36,7 +36,8 @@ kernel_read_kernel_sysctls(backup_t)
 
 corecmd_exec_bin(backup_t)
 
-corenet_non_ipsec_sendrecv(backup_t)
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_udp_sendrecv_generic_if(backup_t)
 corenet_raw_sendrecv_generic_if(backup_t)
Index: refpolicy_svn_repo/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/dpkg.te
+++ refpolicy_svn_repo/policy/modules/admin/dpkg.te
@@ -90,7 +90,8 @@ kernel_read_kernel_sysctls(dpkg_t)
 corecmd_exec_all_executables(dpkg_t)
 
 # TODO: do we really need all networking?
-corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_all_if(dpkg_t)
 corenet_raw_sendrecv_all_if(dpkg_t)
 corenet_udp_sendrecv_all_if(dpkg_t)
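Review bot: the "# TODO: do we really need all networking?" line still stands over this block, and the hunk now adds NetLabel receive on top of unlabeled receive for dpkg_t. The conversion is mechanical and matches the rest of the series, but this is the natural place to either answer the TODO or note why it remains open; the context shows tcp, raw and udp sendrecv on all interfaces, so the all-protocol NetLabel interface is at least consistent with the existing rules.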
Index: refpolicy_svn_repo/policy/modules/admin/firstboot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/firstboot.te
+++ refpolicy_svn_repo/policy/modules/admin/firstboot.te
@@ -41,7 +41,8 @@ unconfined_domain(firstboot_t) 
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corenet_non_ipsec_sendrecv(firstboot_t)
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
 corenet_tcp_sendrecv_all_if(firstboot_t)
 corenet_tcp_sendrecv_all_nodes(firstboot_t)
 corenet_tcp_sendrecv_all_ports(firstboot_t)
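Review bot: the hunk header shows unconfined_domain(firstboot_t) in force for this domain, so the two explicit recvfrom calls only matter if that unconfined rule is later removed or made conditional. Keeping them is still reasonable for consistency with the rest of the series and so the module stands on its own, but the commit message could say that for firstboot_t this is a no-op today.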
Index: refpolicy_svn_repo/policy/modules/admin/mrtg.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/mrtg.te
+++ refpolicy_svn_repo/policy/modules/admin/mrtg.te
@@ -63,7 +63,8 @@ kernel_read_kernel_sysctls(mrtg_t)
 corecmd_exec_bin(mrtg_t)
 corecmd_exec_shell(mrtg_t)
 
-corenet_non_ipsec_sendrecv(mrtg_t)
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
 corenet_tcp_sendrecv_generic_if(mrtg_t)
 corenet_udp_sendrecv_generic_if(mrtg_t)
 corenet_tcp_sendrecv_all_nodes(mrtg_t)
Index: refpolicy_svn_repo/policy/modules/admin/netutils.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/netutils.te
+++ refpolicy_svn_repo/policy/modules/admin/netutils.te
@@ -53,7 +53,8 @@ files_tmp_filetrans(netutils_t, netutils
 
 kernel_search_proc(netutils_t)
 
-corenet_non_ipsec_sendrecv(netutils_t)
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
 corenet_tcp_sendrecv_all_if(netutils_t)
 corenet_raw_sendrecv_all_if(netutils_t)
 corenet_udp_sendrecv_all_if(netutils_t)
@@ -114,7 +115,8 @@ allow ping_t self:tcp_socket create_sock
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 
-corenet_non_ipsec_sendrecv(ping_t)
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
@@ -184,7 +186,8 @@ allow traceroute_t self:udp_socket creat
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
-corenet_non_ipsec_sendrecv(traceroute_t)
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_all_if(traceroute_t)
 corenet_udp_sendrecv_all_if(traceroute_t)
 corenet_raw_sendrecv_all_if(traceroute_t)
Index: refpolicy_svn_repo/policy/modules/admin/portage.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/portage.if
+++ refpolicy_svn_repo/policy/modules/admin/portage.if
@@ -152,7 +152,8 @@ interface(`portage_compile_domain',`
 	# really shouldnt need this but some packages test
 	# network access, such as during configure
 	# also distcc--need to reinvestigate confining distcc client
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_raw_sendrecv_generic_if($1)
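Review bot: the comment above the change ("really shouldnt need this but some packages test network access") already flags this grant as unwanted, and the hunk now extends it from unlabeled to NetLabel packets for every domain passed to portage_compile_domain(). At minimum the comment should reflect the wider grant; a build sandbox is also a place where keeping only corenet_all_recvfrom_unlabeled($1) would be defensible if NetLabel-labeled traffic is not expected during compiles.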
@@ -242,7 +243,8 @@ interface(`portage_fetch_domain',`
 
 	corecmd_exec_bin($1)
 
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
 	corenet_tcp_sendrecv_all_ports($1)
Index: refpolicy_svn_repo/policy/modules/admin/rpm.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/rpm.te
+++ refpolicy_svn_repo/policy/modules/admin/rpm.te
@@ -91,7 +91,8 @@ kernel_read_kernel_sysctls(rpm_t)
 
 corecmd_exec_all_executables(rpm_t)
 
-corenet_non_ipsec_sendrecv(rpm_t)
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
 corenet_udp_sendrecv_all_if(rpm_t)
Index: refpolicy_svn_repo/policy/modules/admin/sxid.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/sxid.te
+++ refpolicy_svn_repo/policy/modules/admin/sxid.te
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(sxid_t)
 corecmd_exec_bin(sxid_t)
 corecmd_exec_shell(sxid_t)
 
-corenet_non_ipsec_sendrecv(sxid_t)
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
 corenet_tcp_sendrecv_generic_if(sxid_t)
 corenet_udp_sendrecv_generic_if(sxid_t)
 corenet_tcp_sendrecv_all_nodes(sxid_t)
Index: refpolicy_svn_repo/policy/modules/admin/vpn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/vpn.te
+++ refpolicy_svn_repo/policy/modules/admin/vpn.te
@@ -48,7 +48,8 @@ kernel_read_network_state(vpnc_t)
 kernel_read_kernel_sysctls(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)
 
-corenet_non_ipsec_sendrecv(vpnc_t)
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
 corenet_tcp_sendrecv_all_if(vpnc_t)
 corenet_udp_sendrecv_all_if(vpnc_t)
 corenet_raw_sendrecv_all_if(vpnc_t)

-- 
paul moore
linux security @ hp


* Re: [PATCHv2 0/5] Labeled network policy patches
From: Christopher J. PeBenito @ 2007-06-27 15:38 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On Thu, 2007-06-21 at 19:15 -0400, Paul Moore wrote:
> The latest revision of the labeled policy patches which enable both labeled
> and unlabeled policy support for NetLabel.  This revision takes into account
> Chris' feedback from the first version and reduces the number of interface
> calls in each domain down to two at present: one for unlabeled access, one for
> NetLabel access.  The older, transport layer specific interfaces, are still
> present for use by third-party modules but are not used in the default policy
> modules.

Merged.

The existing corenetwork interfaces still have to remain for
compatibility, I just put them back.  There were also some places that
still were using the old interfaces, which I also fixed.  The diff on
what I fixed:

diff -urN refpolicy.old/policy/modules/kernel/corenetwork.if.in refpolicy/policy/modules/kernel/corenetwork.if.in
--- refpolicy.old/policy/modules/kernel/corenetwork.if.in	2007-06-27 11:20:04.171919834 -0400
+++ refpolicy/policy/modules/kernel/corenetwork.if.in	2007-06-27 11:23:21.881357000 -0400
@@ -1567,6 +1567,11 @@
 ## </summary>
 ## <desc>
 ##	<p>
+##	Send and receive messages on a
+##	non-encrypted (no IPSEC) network
+##	session.  (Deprecated)
+##	</p>
+##	<p>
 ##	The corenet_all_recvfrom_unlabeled() interface should be used instead
 ##	of this one.
 ##	</p>
@@ -1578,7 +1583,8 @@
 ## </param>
 #
 interface(`corenet_non_ipsec_sendrecv',`
-	kernel_sendrecv_unlabeled_association($1)
+	refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+	corenet_all_recvfrom_unlabeled($1)
 ')
 
 ########################################
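Review bot: the deprecated wrapper now forwards only to corenet_all_recvfrom_unlabeled($1), so a third-party module still calling corenet_non_ipsec_sendrecv() gets unlabeled receive but not NetLabel receive, unlike the in-tree domains converted in this series, which call both interfaces. That matches the desc text ("corenet_all_recvfrom_unlabeled() interface should be used instead"), but the description should spell out that NetLabel access must now be requested separately via corenet_all_recvfrom_netlabel(). The body also previously called kernel_sendrecv_unlabeled_association($1), so the wrapper's meaning shifts from the unlabeled association rule to packet receive; that deserves a line in the reply or the desc.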
@@ -1589,6 +1595,11 @@
 ## </summary>
 ## <desc>
 ##	<p>
+##	Do not audit attempts to send and receive
+##	messages on a non-encrypted (no IPSEC) network
+##	session.
+##	</p>
+##	<p>
 ##	The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
 ##	used instead of this one.
 ##	</p>
@@ -1600,7 +1611,23 @@
 ## </param>
 #
 interface(`corenet_dontaudit_non_ipsec_sendrecv',`
-	kernel_dontaudit_sendrecv_unlabeled_association($1)
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+	corenet_dontaudit_all_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+	corenet_tcp_recvfrom_netlabel($1)
 ')
 
 ########################################
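Review bot: the summary block added for corenet_tcp_recv_netlabel reads only "Receive TCP packets from a NetLabel connection." with no "(Deprecated)" marker and no desc pointing at corenet_tcp_recvfrom_netlabel(), unlike the corenet_non_ipsec_sendrecv doc earlier in this file which has both; the udp and raw variants added further down have the same gap. Also the new "## <summary>" body lines here indent with spaces ("##      Receive") where the surrounding lines use a tab; worth normalizing so the generated interface docs and future diffs stay consistent.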
@@ -1651,6 +1678,22 @@
 ##	</summary>
 ## </param>
 #
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+	corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
 	gen_require(`
 		type netlabel_peer_t;
@@ -1689,6 +1732,21 @@
 ##	</summary>
 ## </param>
 #
+interface(`corenet_udp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+	corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`corenet_udp_recvfrom_netlabel',`
 	gen_require(`
 		type netlabel_peer_t;
@@ -1727,6 +1785,22 @@
 ##	</summary>
 ## </param>
 #
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+	corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
 	gen_require(`
 		type netlabel_peer_t;
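Review bot: the refpolicywarn text in corenet_dontaudit_udp_recv_netlabel says "use corenet_dontaudit_udp_recvfrom_netlabel($1) instead", and since $1 is substituted in the interface body the same way $0 and $* are, the warning will print the caller's actual domain rather than the literal "($1)"; every other deprecation message in this diff uses the empty "()" form. Suggest:
	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel() instead.')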
@@ -1765,6 +1839,21 @@
 ##	</summary>
 ## </param>
 #
+interface(`corenet_raw_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+	corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`corenet_raw_recvfrom_netlabel',`
 	gen_require(`
 		type netlabel_peer_t;
@@ -1803,6 +1892,22 @@
 ##	</summary>
 ## </param>
 #
+interface(`corenet_dontaudit_raw_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+	corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
 interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 	gen_require(`
 		type netlabel_peer_t;
diff -urN refpolicy.old/policy/modules/kernel/corenetwork.te.in refpolicy/policy/modules/kernel/corenetwork.te.in
--- refpolicy.old/policy/modules/kernel/corenetwork.te.in	2007-06-27 11:25:14.077580351 -0400
+++ refpolicy/policy/modules/kernel/corenetwork.te.in	2007-06-27 11:23:21.881357000 -0400
@@ -41,7 +41,7 @@
 # connections using NetLabel which do not carry full SELinux contexts.
 #
 type netlabel_peer_t;
-sid netmsg		gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
 
 #
 # port_t is the default type of INET port numbers.
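Review bot: this hunk is whitespace-only, collapsing the tabs between `sid netmsg` and `gen_context(...)` to a single space. If the other `sid` declarations in corenetwork.te.in are tab-aligned this makes the netmsg line the odd one out; either align it with its neighbours or drop the hunk, since it has no bearing on the labeled/unlabeled interface changes the rest of the patch makes.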
diff -urN refpolicy.old/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
--- refpolicy.old/policy/modules/kernel/kernel.te	2007-06-27 11:25:22.206043566 -0400
+++ refpolicy/policy/modules/kernel/kernel.te	2007-06-27 11:23:21.881357000 -0400
@@ -205,7 +205,8 @@
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
-corenet_non_ipsec_sendrecv(kernel_t)
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
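Review bot: `corenet_non_ipsec_sendrecv(kernel_t)` is replaced by two receive-only interfaces, `corenet_all_recvfrom_unlabeled` and `corenet_all_recvfrom_netlabel`. The old name suggests it also covered sending, so confirm nothing it granted beyond recvfrom is lost for kernel_t; the explicit `allow kernel_t unlabeled_t:packet send;` above the hunk is kept, but that covers only the packet class for unlabeled_t, not netlabel_peer_t. This hunk also lets kernel_t accept packets labeled netlabel_peer_t (the netmsg SID from the corenetwork.te.in change), which is the point of the series and worth a line in the description.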

diff -urN refpolicy.old/policy/modules/services/bind.te refpolicy/policy/modules/services/bind.te
--- refpolicy.old/policy/modules/services/bind.te	2007-06-27 11:20:28.805323612 -0400
+++ refpolicy/policy/modules/services/bind.te	2007-06-27 11:23:21.881357000 -0400
@@ -232,6 +232,8 @@
 
 kernel_read_kernel_sysctls(ndc_t)
 
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
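Review bot: unlike the kernel_t, ntpd_t and racoon_t hunks, this one adds `corenet_all_recvfrom_unlabeled(ndc_t)` and `corenet_all_recvfrom_netlabel(ndc_t)` without removing an older call, so it widens ndc_t's network access rather than translating an existing rule. That is probably intended (the surrounding `corenet_tcp_sendrecv_all_*` calls show ndc_t already talks over TCP), but the message says only that old interfaces were replaced; state the new access explicitly.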
diff -urN refpolicy.old/policy/modules/services/cups.te refpolicy/policy/modules/services/cups.te
--- refpolicy.old/policy/modules/services/cups.te	2007-06-27 11:20:28.813324068 -0400
+++ refpolicy/policy/modules/services/cups.te	2007-06-27 11:23:21.881357000 -0400
@@ -135,7 +135,6 @@
 
 corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_all_recvfrom_netlabel(cupsd_t)
-corenet_all_recvfrom_unlabeled(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
 corenet_raw_sendrecv_all_if(cupsd_t)
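Review bot: the removed line is a verbatim duplicate of `corenet_all_recvfrom_unlabeled(cupsd_t)` two lines above it, so this is pure cleanup. Duplicate interface calls compile silently (the resulting allow rules simply merge), which is how this one slipped through; a grep of the other domains touched by the series for the same repeated pair would catch any others.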

diff -urN refpolicy.old/policy/modules/services/ntp.te refpolicy/policy/modules/services/ntp.te
--- refpolicy.old/policy/modules/services/ntp.te	2007-04-17 09:28:09.865803000 -0400
+++ refpolicy/policy/modules/services/ntp.te	2007-06-27 11:23:21.881357000 -0400
@@ -61,7 +61,8 @@
 kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 
-corenet_non_ipsec_sendrecv(ntpd_t)
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
 corenet_udp_sendrecv_all_if(ntpd_t)
 corenet_tcp_sendrecv_all_nodes(ntpd_t)
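Review bot: same translation as kernel.te, `corenet_non_ipsec_sendrecv(ntpd_t)` to the unlabeled/netlabel recvfrom pair, and the same question applies about whether the old interface granted anything beyond recvfrom. The old-file timestamp (2007-04-17, against 2007-06-27 for every other file in this patch) shows ntp.te was not touched by the series before, consistent with it being one of the domains the earlier patches missed.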

diff -urN refpolicy.old/policy/modules/system/ipsec.te refpolicy/policy/modules/system/ipsec.te
--- refpolicy.old/policy/modules/system/ipsec.te	2007-06-27 11:22:37.444654350 -0400
+++ refpolicy/policy/modules/system/ipsec.te	2007-06-27 11:23:21.881357000 -0400
@@ -307,7 +307,7 @@
 
 kernel_read_network_state(racoon_t)
 
-corenet_non_ipsec_sendrecv(racoon_t)
+corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
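Review bot: racoon_t is the only domain in this patch that gets `corenet_all_recvfrom_unlabeled` without the matching `corenet_all_recvfrom_netlabel`. If that is deliberate (racoon handles IKE for labeled IPsec and is not expected to receive NetLabel-labeled traffic), say so in a comment next to the rule; otherwise it reads as an omission, and NetLabel-labeled packets to racoon_t would be denied while every other domain here accepts them.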
 


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: [PATCHv2 0/5] Labeled network policy patches
  2007-06-27 15:38 ` [PATCHv2 0/5] Labeled network policy patches Christopher J. PeBenito
@ 2007-06-27 19:38   ` Paul Moore
  0 siblings, 0 replies; 8+ messages in thread
From: Paul Moore @ 2007-06-27 19:38 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux

On Wednesday, June 27 2007 11:38:00 am Christopher J. PeBenito wrote:
> On Thu, 2007-06-21 at 19:15 -0400, Paul Moore wrote:
> > The latest revision of the labeled policy patches which enable both
> > labeled and unlabeled policy support for NetLabel.  This revision takes
> > into account Chris' feedback from the first version and reduces the
> > number of interface calls in each domain down to two at present: one for
> > unlabeled access, one for NetLabel access.  The older, transport layer
> > specific interfaces, are still present for use by third-party modules but
> > are not used in the default policy modules.
>
> Merged.

Thanks Chris, I'll re-base the kernel patch against a more current kernel and 
send it to the list before the end of the week.

> The existing corenetwork interfaces still have to remain for
> compatibility, I just put them back.  There were also some places that
> still were using the old interfaces, which I also fixed.

Sorry about that, I thought I caught all the changes but it looked like I 
missed a few.  Thanks again.

-- 
paul moore
linux security @ hp

