* [PATCH 0/5] New labeled networking permissions for 2.6.25
@ 2008-02-26 18:40 paul.moore
  2008-02-26 18:40 ` [PATCH 1/5] REFPOL: Add new labeled networking permissions paul.moore
                   ` (5 more replies)
  0 siblings, 6 replies; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux

The following patches add the new labeled networking permissions to the
Reference Policy as previously discussed.  It is important to note that
while this patchset adds the required permissions, it does not enable the
"network_peer_controls" policy capability.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 1/5] REFPOL: Add new labeled networking permissions
  2008-02-26 18:40 [PATCH 0/5] New labeled networking permissions for 2.6.25 paul.moore
@ 2008-02-26 18:40 ` paul.moore
  2008-03-19 13:19   ` Christopher J. PeBenito
  2008-02-26 18:40 ` [PATCH 2/5] REFPOL: Allow network admin domains to receive unlabeled traffic paul.moore
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore

The 2.6.25 kernel will introduce a new set of labeled networking controls to
SELinux and this patch makes the necessary changes to the Reference Policy
to support unlabeled network traffic with the new controls.

A description of the new/improved labeled networking controls was posted to
the SELinux list back in early January 2008.

 * http://marc.info/?l=selinux&m=119991234501200&w=2

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/kernel/corenetwork.if.in |   69 +++++++++++++++++++++++---------
 policy/modules/kernel/corenetwork.if.m4 |   20 ++++-----
 policy/modules/kernel/kernel.if         |   30 +++++++++++++
 policy/modules/kernel/kernel.te         |    3 +
 4 files changed, 94 insertions(+), 28 deletions(-)

Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif { tcp_send tcp_recv };
+	allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
 ')
 
 ########################################
@@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if',
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif udp_send;
+	allow $1 netif_t:netif { udp_send egress };
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge
 		type netif_t;
 	')
 
-	dontaudit $1 netif_t:netif udp_send;
+	dontaudit $1 netif_t:netif { udp_send egress };
 ')
 
 ########################################
@@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif udp_recv;
+	allow $1 netif_t:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive
 		type netif_t;
 	')
 
-	dontaudit $1 netif_t:netif udp_recv;
+	dontaudit $1 netif_t:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if',
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif rawip_send;
+	allow $1 netif_t:netif { rawip_send egress };
 ')
 
 ########################################
@@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i
 		type netif_t;
 	')
 
-	allow $1 netif_t:netif rawip_recv;
+	allow $1 netif_t:netif { rawip_recv ingress };
 ')
 
 ########################################
@@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_
 		type node_t;
 	')
 
-	allow $1 node_t:node { tcp_send tcp_recv };
+	allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
 ')
 
 ########################################
@@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node
 		type node_t;
 	')
 
-	allow $1 node_t:node udp_send;
+	allow $1 node_t:node { udp_send sendto };
 ')
 
 ########################################
@@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n
 		type node_t;
 	')
 
-	allow $1 node_t:node udp_recv;
+	allow $1 node_t:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node
 		type node_t;
 	')
 
-	allow $1 node_t:node rawip_send;
+	allow $1 node_t:node { rawip_send sendto };
 ')
 
 ########################################
@@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n
 		type node_t;
 	')
 
-	allow $1 node_t:node rawip_recv;
+	allow $1 node_t:node { rawip_recv recvfrom };
 ')
 
 ########################################
@@ -1737,6 +1737,7 @@ interface(`corenet_tcp_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
 
@@ -1791,6 +1792,7 @@ interface(`corenet_dontaudit_tcp_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
 ')
 
@@ -1844,6 +1846,7 @@ interface(`corenet_udp_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:udp_socket recvfrom;
 ')
 
@@ -1898,6 +1901,7 @@ interface(`corenet_dontaudit_udp_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
 ')
 
@@ -1951,6 +1955,7 @@ interface(`corenet_raw_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
@@ -2005,6 +2010,7 @@ interface(`corenet_dontaudit_raw_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
@@ -2064,6 +2070,7 @@ interface(`corenet_all_recvfrom_netlabel
 		type netlabel_peer_t;
 	')
 
+	allow $1 netlabel_peer_t:peer recv;
 	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
@@ -2104,6 +2111,7 @@ interface(`corenet_dontaudit_all_recvfro
 		type netlabel_peer_t;
 	')
 
+	dontaudit $1 netlabel_peer_t:peer recv;
 	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')
 
@@ -2135,8 +2143,10 @@ interface(`corenet_tcp_recvfrom_labeled'
 	allow $1 $2:{ association tcp_socket } recvfrom;
 	allow $2 $1:{ association tcp_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_tcp_recvfrom_netlabel($1)
 	corenet_tcp_recvfrom_netlabel($2)
 ')
@@ -2160,8 +2170,9 @@ interface(`corenet_udp_recvfrom_labeled'
 	allow $2 self:association sendto;
 	allow $1 $2:{ association udp_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_udp_recvfrom_netlabel($1)
 ')
 
@@ -2184,8 +2195,9 @@ interface(`corenet_raw_recvfrom_labeled'
 	allow $2 self:association sendto;
 	allow $1 $2:{ association rawip_socket } recvfrom;
 
-	# Netlabel (CIPSO)-based labeled networking
-	# currently only supports MLS portion of label
+	allow $1 $2:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
 	corenet_raw_recvfrom_netlabel($1)
 ')
 
@@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
 
 ########################################
 ## <summary>
+##	Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##	<p>
+##	Receive packets from an unlabeled peer,
+##      these packets do not have any peer labeling
+##      information present.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_recvfrom_unlabeled_peer',`
+	kernel_recvfrom_unlabeled_peer($1)
+')
+
+########################################
+## <summary>
 ##	Send all client packets.
 ## </summary>
 ## <param name="domain">
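Review bot: The `<desc>` block of the new corenet_recvfrom_unlabeled_peer() interface mixes indentation: the first line after `<p>` is tab-indented while the two continuation lines (`##      these packets do not have any peer labeling` and `##      information present.`) use spaces, and the same mix appears in the kernel_recvfrom_unlabeled_peer() description added to kernel.if. Refpolicy interface headers use a single tab after `##`, so both places should be retabbed to `##	these packets do not have any peer labeling` / `##	information present.`. It would also help callers if the description said that this interface is meant to be used alongside corenet_all_recvfrom_unlabeled(), which is how every module in patches 2-5 of this series uses it.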
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.m4
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.m4
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.m4
@@ -28,7 +28,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif { tcp_send tcp_recv };
+	allow dollarsone $1_$2:netif { tcp_send tcp_recv egress ingress };
 ')
 
 ########################################
@@ -47,7 +47,7 @@ interface(`corenet_udp_send_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif udp_send;
+	allow dollarsone $1_$2:netif { udp_send egress };
 ')
 
 ########################################
@@ -66,7 +66,7 @@ interface(`corenet_udp_receive_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif udp_recv;
+	allow dollarsone $1_$2:netif { udp_recv ingress };
 ')
 
 ########################################
@@ -101,7 +101,7 @@ interface(`corenet_raw_send_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif rawip_send;
+	allow dollarsone $1_$2:netif { rawip_send egress };
 ')
 
 ########################################
@@ -120,7 +120,7 @@ interface(`corenet_raw_receive_$1_if',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:netif rawip_recv;
+	allow dollarsone $1_$2:netif { rawip_recv ingress };
 ')
 
 ########################################
@@ -163,7 +163,7 @@ interface(`corenet_tcp_sendrecv_$1_node'
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node { tcp_send tcp_recv };
+	allow dollarsone $1_$2:node { tcp_send tcp_recv sendto recvfrom };
 ')
 
 ########################################
@@ -182,7 +182,7 @@ interface(`corenet_udp_send_$1_node',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node udp_send;
+	allow dollarsone $1_$2:node { udp_send sendto };
 ')
 
 ########################################
@@ -201,7 +201,7 @@ interface(`corenet_udp_receive_$1_node',
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node udp_recv;
+	allow dollarsone $1_$2:node { udp_recv recvfrom };
 ')
 
 ########################################
@@ -236,7 +236,7 @@ interface(`corenet_raw_send_$1_node',`
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node rawip_send;
+	allow dollarsone $1_$2:node { rawip_send sendto };
 ')
 
 ########################################
@@ -255,7 +255,7 @@ interface(`corenet_raw_receive_$1_node',
 		$3 $1_$2;
 	')
 
-	allow dollarsone $1_$2:node rawip_recv;
+	allow dollarsone $1_$2:node { rawip_recv recvfrom };
 ')
 
 ########################################
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2493,6 +2493,36 @@ interface(`kernel_sendrecv_unlabeled_pac
 
 ########################################
 ## <summary>
+##	Receive packets from an unlabeled peer.
+## </summary>
+## <desc>
+##	<p>
+##	Receive packets from an unlabeled peer,
+##      these packets do not have any peer labeling
+##      information present.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_recvfrom_unlabeled_peer() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_recvfrom_unlabeled_peer',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:peer recv;
+')
+
+########################################
+## <summary>
 ##	Unconfined access to kernel module resources.
 ## </summary>
 ## <param name="domain">
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
@@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
+# Forwarded traffic
+allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+
 corenet_all_recvfrom_unlabeled(kernel_t)
 corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
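Review bot: The comment `# Forwarded traffic` above the new `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` rule does not explain why the source type is unlabeled_t rather than a domain, whereas the neighbouring rules say what they are for (`# connections with invalidated labels:`); if the intent is forwarding of unlabeled packets received from unlabeled peers, a comment along the lines of `# Forwarded traffic: unlabeled packets forwarded for unlabeled peers` would make the rule reviewable. Separately, kernel_t keeps corenet_all_recvfrom_unlabeled(kernel_t) and corenet_all_recvfrom_netlabel(kernel_t) just below this hunk but is not given corenet_recvfrom_unlabeled_peer(kernel_t), while patches 2-5 add that call next to every other corenet_all_recvfrom_unlabeled() call; unless a later patch in the series covers kernel.te, kernel_t will lack the peer recv permission once network_peer_controls is enabled.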

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 2/5] REFPOL: Allow network admin domains to receive unlabeled traffic
  2008-02-26 18:40 [PATCH 0/5] New labeled networking permissions for 2.6.25 paul.moore
  2008-02-26 18:40 ` [PATCH 1/5] REFPOL: Add new labeled networking permissions paul.moore
@ 2008-02-26 18:40 ` paul.moore
  2008-02-26 18:40 ` [PATCH 3/5] REFPOL: Allow network apps " paul.moore
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore

This patch adds the corenet_recvfrom_unlabeled_peer() interface call to
all of the admin modules which need to receive data over the network.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/admin/amanda.te    |    5 ++++-
 policy/modules/admin/apt.te       |    1 +
 policy/modules/admin/backup.te    |    1 +
 policy/modules/admin/dpkg.te      |    1 +
 policy/modules/admin/firstboot.te |    1 +
 policy/modules/admin/mrtg.te      |    1 +
 policy/modules/admin/netutils.te  |    3 +++
 policy/modules/admin/portage.if   |    2 ++
 policy/modules/admin/rpm.te       |    1 +
 policy/modules/admin/sxid.te      |    1 +
 policy/modules/admin/vpn.te       |    1 +
 11 files changed, 17 insertions(+), 1 deletion(-)

Index: refpolicy_svn_repo/policy/modules/admin/amanda.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/amanda.te
+++ refpolicy_svn_repo/policy/modules/admin/amanda.te
@@ -1,4 +1,5 @@
 
+
 policy_module(amanda,1.8.0)
 
 #######################################
@@ -115,8 +116,9 @@ kernel_dontaudit_read_proc_symlinks(aman
 corecmd_exec_shell(amanda_t)
 corecmd_exec_bin(amanda_t)
 
-corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_recvfrom_unlabeled_peer(amanda_t)
 corenet_all_recvfrom_netlabel(amanda_t)
+corenet_recvfrom_unlabeled_peer(amanda_t)
 corenet_tcp_sendrecv_all_if(amanda_t)
 corenet_udp_sendrecv_all_if(amanda_t)
 corenet_raw_sendrecv_all_if(amanda_t)
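Review bot: The second hunk in amanda.te replaces `corenet_all_recvfrom_unlabeled(amanda_t)` with `corenet_recvfrom_unlabeled_peer(amanda_t)` and then adds `corenet_recvfrom_unlabeled_peer(amanda_t)` a second time two lines later, so amanda_t loses its existing unlabeled recvfrom permissions and ends up with a duplicated peer call; every other module in this series keeps corenet_all_recvfrom_unlabeled() and adds the peer call exactly once. The block should read `corenet_all_recvfrom_unlabeled(amanda_t)` / `corenet_recvfrom_unlabeled_peer(amanda_t)` / `corenet_all_recvfrom_netlabel(amanda_t)`, matching the amanda_recover_t hunk below. The first hunk in this file only adds a stray blank line above `policy_module(amanda,1.8.0)` and should be dropped.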
@@ -197,6 +199,7 @@ corecmd_exec_shell(amanda_recover_t)
 corecmd_exec_bin(amanda_recover_t)
 
 corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_recvfrom_unlabeled_peer(amanda_recover_t)
 corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_all_if(amanda_recover_t)
 corenet_udp_sendrecv_all_if(amanda_recover_t)
Index: refpolicy_svn_repo/policy/modules/admin/apt.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/apt.te
+++ refpolicy_svn_repo/policy/modules/admin/apt.te
@@ -73,6 +73,7 @@ corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)
 
 corenet_all_recvfrom_unlabeled(apt_t)
+corenet_recvfrom_unlabeled_peer(apt_t)
 corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_all_if(apt_t)
 corenet_udp_sendrecv_all_if(apt_t)
Index: refpolicy_svn_repo/policy/modules/admin/backup.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/backup.te
+++ refpolicy_svn_repo/policy/modules/admin/backup.te
@@ -38,6 +38,7 @@ corecmd_exec_bin(backup_t)
 corecmd_exec_shell(backup_t)
 
 corenet_all_recvfrom_unlabeled(backup_t)
+corenet_recvfrom_unlabeled_peer(backup_t)
 corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_udp_sendrecv_generic_if(backup_t)
Index: refpolicy_svn_repo/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/dpkg.te
+++ refpolicy_svn_repo/policy/modules/admin/dpkg.te
@@ -91,6 +91,7 @@ corecmd_exec_all_executables(dpkg_t)
 
 # TODO: do we really need all networking?
 corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_recvfrom_unlabeled_peer(dpkg_t)
 corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_all_if(dpkg_t)
 corenet_raw_sendrecv_all_if(dpkg_t)
Index: refpolicy_svn_repo/policy/modules/admin/firstboot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/firstboot.te
+++ refpolicy_svn_repo/policy/modules/admin/firstboot.te
@@ -42,6 +42,7 @@ kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
 corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_recvfrom_unlabeled_peer(firstboot_t)
 corenet_all_recvfrom_netlabel(firstboot_t)
 corenet_tcp_sendrecv_all_if(firstboot_t)
 corenet_tcp_sendrecv_all_nodes(firstboot_t)
Index: refpolicy_svn_repo/policy/modules/admin/mrtg.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/mrtg.te
+++ refpolicy_svn_repo/policy/modules/admin/mrtg.te
@@ -64,6 +64,7 @@ corecmd_exec_bin(mrtg_t)
 corecmd_exec_shell(mrtg_t)
 
 corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_recvfrom_unlabeled_peer(mrtg_t)
 corenet_all_recvfrom_netlabel(mrtg_t)
 corenet_tcp_sendrecv_generic_if(mrtg_t)
 corenet_udp_sendrecv_generic_if(mrtg_t)
Index: refpolicy_svn_repo/policy/modules/admin/netutils.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/netutils.te
+++ refpolicy_svn_repo/policy/modules/admin/netutils.te
@@ -52,6 +52,7 @@ files_tmp_filetrans(netutils_t, netutils
 kernel_search_proc(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_recvfrom_unlabeled_peer(netutils_t)
 corenet_all_recvfrom_netlabel(netutils_t)
 corenet_tcp_sendrecv_all_if(netutils_t)
 corenet_raw_sendrecv_all_if(netutils_t)
@@ -109,6 +110,7 @@ allow ping_t self:rawip_socket { create 
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 
 corenet_all_recvfrom_unlabeled(ping_t)
+corenet_recvfrom_unlabeled_peer(ping_t)
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
@@ -173,6 +175,7 @@ kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
 
 corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_recvfrom_unlabeled_peer(traceroute_t)
 corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_all_if(traceroute_t)
 corenet_udp_sendrecv_all_if(traceroute_t)
Index: refpolicy_svn_repo/policy/modules/admin/portage.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/portage.if
+++ refpolicy_svn_repo/policy/modules/admin/portage.if
@@ -153,6 +153,7 @@ interface(`portage_compile_domain',`
 	# network access, such as during configure
 	# also distcc--need to reinvestigate confining distcc client
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
@@ -244,6 +245,7 @@ interface(`portage_fetch_domain',`
 	corecmd_exec_bin($1)
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
Index: refpolicy_svn_repo/policy/modules/admin/rpm.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/rpm.te
+++ refpolicy_svn_repo/policy/modules/admin/rpm.te
@@ -95,6 +95,7 @@ kernel_read_kernel_sysctls(rpm_t)
 corecmd_exec_all_executables(rpm_t)
 
 corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_recvfrom_unlabeled_peer(rpm_t)
 corenet_all_recvfrom_netlabel(rpm_t)
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
Index: refpolicy_svn_repo/policy/modules/admin/sxid.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/sxid.te
+++ refpolicy_svn_repo/policy/modules/admin/sxid.te
@@ -42,6 +42,7 @@ corecmd_exec_bin(sxid_t)
 corecmd_exec_shell(sxid_t)
 
 corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_recvfrom_unlabeled_peer(sxid_t)
 corenet_all_recvfrom_netlabel(sxid_t)
 corenet_tcp_sendrecv_generic_if(sxid_t)
 corenet_udp_sendrecv_generic_if(sxid_t)
Index: refpolicy_svn_repo/policy/modules/admin/vpn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/admin/vpn.te
+++ refpolicy_svn_repo/policy/modules/admin/vpn.te
@@ -47,6 +47,7 @@ kernel_read_kernel_sysctls(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)
 
 corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_recvfrom_unlabeled_peer(vpnc_t)
 corenet_all_recvfrom_netlabel(vpnc_t)
 corenet_tcp_sendrecv_all_if(vpnc_t)
 corenet_udp_sendrecv_all_if(vpnc_t)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 3/5] REFPOL: Allow network apps domains to receive unlabeled traffic
  2008-02-26 18:40 [PATCH 0/5] New labeled networking permissions for 2.6.25 paul.moore
  2008-02-26 18:40 ` [PATCH 1/5] REFPOL: Add new labeled networking permissions paul.moore
  2008-02-26 18:40 ` [PATCH 2/5] REFPOL: Allow network admin domains to receive unlabeled traffic paul.moore
@ 2008-02-26 18:40 ` paul.moore
  2008-02-26 18:40 ` [PATCH 4/5] REFPOL: Allow network service " paul.moore
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore

This patch adds the corenet_recvfrom_unlabeled_peer() interface call to
all of the apps modules which need to receive data over the network.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/apps/calamaris.te   |    1 +
 policy/modules/apps/evolution.if   |    3 +++
 policy/modules/apps/games.if       |    1 +
 policy/modules/apps/gift.if        |    2 ++
 policy/modules/apps/gpg.if         |    2 ++
 policy/modules/apps/irc.if         |    1 +
 policy/modules/apps/java.if        |    1 +
 policy/modules/apps/mozilla.if     |    1 +
 policy/modules/apps/screen.if      |    1 +
 policy/modules/apps/thunderbird.if |    1 +
 policy/modules/apps/uml.if         |    1 +
 policy/modules/apps/vmware.te      |    1 +
 policy/modules/apps/webalizer.te   |    1 +
 policy/modules/apps/yam.te         |    1 +
 14 files changed, 18 insertions(+)

Index: refpolicy_svn_repo/policy/modules/apps/calamaris.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/calamaris.te
+++ refpolicy_svn_repo/policy/modules/apps/calamaris.te
@@ -41,6 +41,7 @@ kernel_read_system_state(calamaris_t)
 corecmd_exec_bin(calamaris_t)
 
 corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_recvfrom_unlabeled_peer(calamaris_t)
 corenet_all_recvfrom_netlabel(calamaris_t)
 corenet_tcp_sendrecv_generic_if(calamaris_t)
 corenet_udp_sendrecv_generic_if(calamaris_t)
Index: refpolicy_svn_repo/policy/modules/apps/evolution.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/evolution.if
+++ refpolicy_svn_repo/policy/modules/apps/evolution.if
@@ -184,6 +184,7 @@ template(`evolution_per_role_template',`
 	corecmd_exec_bin($1_evolution_t)
 
 	corenet_all_recvfrom_unlabeled($1_evolution_t)
+	corenet_recvfrom_unlabeled_peer($1_evolution_t)
 	corenet_all_recvfrom_netlabel($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)
 	corenet_udp_sendrecv_generic_if($1_evolution_t)
@@ -675,6 +676,7 @@ template(`evolution_per_role_template',`
 
 	# Obtain weather data via http (read server name from xml file in /usr)
 	corenet_all_recvfrom_unlabeled($1_evolution_server_t)
+	corenet_recvfrom_unlabeled_peer($1_evolution_server_t)
 	corenet_all_recvfrom_netlabel($1_evolution_server_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
 	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
@@ -753,6 +755,7 @@ template(`evolution_per_role_template',`
 	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
 
 	corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
+	corenet_recvfrom_unlabeled_peer($1_evolution_webcal_t)
 	corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
 	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
Index: refpolicy_svn_repo/policy/modules/apps/games.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/games.if
+++ refpolicy_svn_repo/policy/modules/apps/games.if
@@ -92,6 +92,7 @@ template(`games_per_role_template',`
 	corecmd_exec_bin($1_games_t)
 
 	corenet_all_recvfrom_unlabeled($1_games_t)
+	corenet_recvfrom_unlabeled_peer($1_games_t)
 	corenet_all_recvfrom_netlabel($1_games_t)
 	corenet_tcp_sendrecv_generic_if($1_games_t)
 	corenet_udp_sendrecv_generic_if($1_games_t)
Index: refpolicy_svn_repo/policy/modules/apps/gift.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/gift.if
+++ refpolicy_svn_repo/policy/modules/apps/gift.if
@@ -95,6 +95,7 @@ template(`gift_per_role_template',`
 
 	# Connect to gift daemon
 	corenet_all_recvfrom_unlabeled($1_gift_t)
+	corenet_recvfrom_unlabeled_peer($1_gift_t)
 	corenet_all_recvfrom_netlabel($1_gift_t)
 	corenet_tcp_sendrecv_generic_if($1_gift_t)
 	corenet_tcp_sendrecv_all_nodes($1_gift_t)
@@ -155,6 +156,7 @@ template(`gift_per_role_template',`
 
 	# Serve content on various p2p networks. Ports can be random.
 	corenet_all_recvfrom_unlabeled($1_giftd_t)
+	corenet_recvfrom_unlabeled_peer($1_giftd_t)
 	corenet_all_recvfrom_netlabel($1_giftd_t)
 	corenet_tcp_sendrecv_generic_if($1_giftd_t)
 	corenet_udp_sendrecv_generic_if($1_giftd_t)
Index: refpolicy_svn_repo/policy/modules/apps/gpg.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/gpg.if
+++ refpolicy_svn_repo/policy/modules/apps/gpg.if
@@ -95,6 +95,7 @@ template(`gpg_per_role_template',`
 	ps_process_pattern($2,$1_gpg_t)
 
 	corenet_all_recvfrom_unlabeled($1_gpg_t)
+	corenet_recvfrom_unlabeled_peer($1_gpg_t)
 	corenet_all_recvfrom_netlabel($1_gpg_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
@@ -159,6 +160,7 @@ template(`gpg_per_role_template',`
 	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
 
 	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+	corenet_recvfrom_unlabeled_peer($1_gpg_helper_t)
 	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
 	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
Index: refpolicy_svn_repo/policy/modules/apps/irc.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/irc.if
+++ refpolicy_svn_repo/policy/modules/apps/irc.if
@@ -90,6 +90,7 @@ template(`irc_per_role_template',`
 	kernel_read_proc_symlinks($1_irc_t)
 
 	corenet_all_recvfrom_unlabeled($1_irc_t)
+	corenet_recvfrom_unlabeled_peer($1_irc_t)
 	corenet_all_recvfrom_netlabel($1_irc_t)
 	corenet_tcp_sendrecv_generic_if($1_irc_t)
 	corenet_udp_sendrecv_generic_if($1_irc_t)
Index: refpolicy_svn_repo/policy/modules/apps/java.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/java.if
+++ refpolicy_svn_repo/policy/modules/apps/java.if
@@ -97,6 +97,7 @@ template(`java_per_role_template',`
 	corecmd_search_bin($1_javaplugin_t)
 
 	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
+	corenet_recvfrom_unlabeled_peer($1_javaplugin_t)
 	corenet_all_recvfrom_netlabel($1_javaplugin_t)
 	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
 	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
Index: refpolicy_svn_repo/policy/modules/apps/mozilla.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/mozilla.if
+++ refpolicy_svn_repo/policy/modules/apps/mozilla.if
@@ -126,6 +126,7 @@ template(`mozilla_per_role_template',`
 
 	# Browse the web, connect to printer
 	corenet_all_recvfrom_unlabeled($1_mozilla_t)
+	corenet_recvfrom_unlabeled_peer($1_mozilla_t)
 	corenet_all_recvfrom_netlabel($1_mozilla_t)
 	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
 	corenet_raw_sendrecv_generic_if($1_mozilla_t)
Index: refpolicy_svn_repo/policy/modules/apps/screen.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/screen.if
+++ refpolicy_svn_repo/policy/modules/apps/screen.if
@@ -111,6 +111,7 @@ template(`screen_per_role_template',`
 	corecmd_bin_domtrans($1_screen_t,$2)
 
 	corenet_all_recvfrom_unlabeled($1_screen_t)
+	corenet_recvfrom_unlabeled_peer($1_screen_t)
 	corenet_all_recvfrom_netlabel($1_screen_t)
 	corenet_tcp_sendrecv_generic_if($1_screen_t)
 	corenet_udp_sendrecv_generic_if($1_screen_t)
Index: refpolicy_svn_repo/policy/modules/apps/thunderbird.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/thunderbird.if
+++ refpolicy_svn_repo/policy/modules/apps/thunderbird.if
@@ -104,6 +104,7 @@ template(`thunderbird_per_role_template'
 	corecmd_exec_shell($1_thunderbird_t)
 
 	corenet_all_recvfrom_unlabeled($1_thunderbird_t)
+	corenet_recvfrom_unlabeled_peer($1_thunderbird_t)
 	corenet_all_recvfrom_netlabel($1_thunderbird_t)
 	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
 	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
Index: refpolicy_svn_repo/policy/modules/apps/uml.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/uml.if
+++ refpolicy_svn_repo/policy/modules/apps/uml.if
@@ -151,6 +151,7 @@ template(`uml_per_role_template',`
 	corecmd_exec_bin($1_uml_t)
 
 	corenet_all_recvfrom_unlabeled($1_uml_t)
+	corenet_recvfrom_unlabeled_peer($1_uml_t)
 	corenet_all_recvfrom_netlabel($1_uml_t)
 	corenet_tcp_sendrecv_generic_if($1_uml_t)
 	corenet_udp_sendrecv_generic_if($1_uml_t)
Index: refpolicy_svn_repo/policy/modules/apps/vmware.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/vmware.te
+++ refpolicy_svn_repo/policy/modules/apps/vmware.te
@@ -46,6 +46,7 @@ kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)
 
 corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_recvfrom_unlabeled_peer(vmware_host_t)
 corenet_all_recvfrom_netlabel(vmware_host_t)
 corenet_tcp_sendrecv_generic_if(vmware_host_t)
 corenet_udp_sendrecv_generic_if(vmware_host_t)
Index: refpolicy_svn_repo/policy/modules/apps/webalizer.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/webalizer.te
+++ refpolicy_svn_repo/policy/modules/apps/webalizer.te
@@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)
 
 corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_recvfrom_unlabeled_peer(webalizer_t)
 corenet_all_recvfrom_netlabel(webalizer_t)
 corenet_tcp_sendrecv_all_if(webalizer_t)
 corenet_tcp_sendrecv_all_nodes(webalizer_t)
Index: refpolicy_svn_repo/policy/modules/apps/yam.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/apps/yam.te
+++ refpolicy_svn_repo/policy/modules/apps/yam.te
@@ -60,6 +60,7 @@ corecmd_exec_bin(yam_t)
 # Rsync and lftp need to network.  They also set files attributes to
 # match whats on the remote server.
 corenet_all_recvfrom_unlabeled(yam_t)
+corenet_recvfrom_unlabeled_peer(yam_t)
 corenet_all_recvfrom_netlabel(yam_t)
 corenet_tcp_sendrecv_generic_if(yam_t)
 corenet_tcp_sendrecv_all_nodes(yam_t)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 4/5] REFPOL: Allow network service domains to receive unlabeled traffic
  2008-02-26 18:40 [PATCH 0/5] New labeled networking permissions for 2.6.25 paul.moore
                   ` (2 preceding siblings ...)
  2008-02-26 18:40 ` [PATCH 3/5] REFPOL: Allow network apps " paul.moore
@ 2008-02-26 18:40 ` paul.moore
  2008-02-26 18:40 ` [PATCH 5/5] REFPOL: Allow network system " paul.moore
  2008-02-26 21:52 ` [PATCH 0/5] New labeled networking permissions for 2.6.25 Eric Paris
  5 siblings, 0 replies; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore

This patch adds the corenet_recvfrom_unlabeled_peer() interface call to
all of the service modules which need to receive data over the network.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/services/afs.te            |    5 +++++
 policy/modules/services/amavis.te         |    1 +
 policy/modules/services/apache.if         |    2 ++
 policy/modules/services/apache.te         |    2 ++
 policy/modules/services/apcupsd.te        |    2 ++
 policy/modules/services/arpwatch.te       |    1 +
 policy/modules/services/asterisk.te       |    1 +
 policy/modules/services/automount.te      |    1 +
 policy/modules/services/avahi.te          |    1 +
 policy/modules/services/bind.te           |    2 ++
 policy/modules/services/bitlbee.te        |    1 +
 policy/modules/services/bluetooth.te      |    1 +
 policy/modules/services/canna.te          |    1 +
 policy/modules/services/ccs.te            |    1 +
 policy/modules/services/cipe.te           |    1 +
 policy/modules/services/clamav.te         |    2 ++
 policy/modules/services/clockspeed.te     |    2 ++
 policy/modules/services/comsat.te         |    1 +
 policy/modules/services/courier.if        |    1 +
 policy/modules/services/cron.if           |    1 +
 policy/modules/services/cron.te           |    1 +
 policy/modules/services/cups.te           |    5 +++++
 policy/modules/services/cvs.te            |    1 +
 policy/modules/services/cyrus.te          |    1 +
 policy/modules/services/dante.te          |    1 +
 policy/modules/services/dbskk.te          |    1 +
 policy/modules/services/dbus.if           |    1 +
 policy/modules/services/dcc.te            |    6 ++++++
 policy/modules/services/ddclient.te       |    1 +
 policy/modules/services/dhcp.te           |    1 +
 policy/modules/services/dictd.te          |    1 +
 policy/modules/services/distcc.te         |    1 +
 policy/modules/services/djbdns.if         |    1 +
 policy/modules/services/dnsmasq.te        |    1 +
 policy/modules/services/dovecot.te        |    1 +
 policy/modules/services/exim.te           |    1 +
 policy/modules/services/fetchmail.te      |    1 +
 policy/modules/services/finger.te         |    1 +
 policy/modules/services/ftp.te            |    1 +
 policy/modules/services/gatekeeper.te     |    1 +
 policy/modules/services/hal.te            |    1 +
 policy/modules/services/howl.te           |    1 +
 policy/modules/services/i18n_input.te     |    1 +
 policy/modules/services/imaze.te          |    1 +
 policy/modules/services/inetd.te          |    2 ++
 policy/modules/services/inn.te            |    1 +
 policy/modules/services/ircd.te           |    1 +
 policy/modules/services/jabber.te         |    1 +
 policy/modules/services/kerberos.if       |    1 +
 policy/modules/services/kerberos.te       |    2 ++
 policy/modules/services/ktalk.te          |    1 +
 policy/modules/services/ldap.te           |    1 +
 policy/modules/services/lpd.if            |    1 +
 policy/modules/services/lpd.te            |    2 ++
 policy/modules/services/mailman.if        |    1 +
 policy/modules/services/monop.te          |    1 +
 policy/modules/services/mta.if            |    1 +
 policy/modules/services/munin.te          |    1 +
 policy/modules/services/mysql.te          |    1 +
 policy/modules/services/nagios.te         |    1 +
 policy/modules/services/nessus.te         |    1 +
 policy/modules/services/networkmanager.te |    1 +
 policy/modules/services/nis.if            |    1 +
 policy/modules/services/nis.te            |    4 ++++
 policy/modules/services/nscd.te           |    1 +
 policy/modules/services/nsd.te            |    2 ++
 policy/modules/services/ntop.te           |    1 +
 policy/modules/services/ntp.te            |    1 +
 policy/modules/services/nx.te             |    1 +
 policy/modules/services/oav.te            |    2 ++
 policy/modules/services/openvpn.te        |    1 +
 policy/modules/services/pcscd.te          |    1 +
 policy/modules/services/pegasus.te        |    1 +
 policy/modules/services/perdition.te      |    1 +
 policy/modules/services/portmap.te        |    2 ++
 policy/modules/services/portslave.te      |    1 +
 policy/modules/services/postfix.if        |    1 +
 policy/modules/services/postfix.te        |    2 ++
 policy/modules/services/postfixpolicyd.te |    1 +
 policy/modules/services/postgresql.te     |    1 +
 policy/modules/services/postgrey.te       |    1 +
 policy/modules/services/ppp.te            |    2 ++
 policy/modules/services/privoxy.te        |    1 +
 policy/modules/services/procmail.te       |    1 +
 policy/modules/services/pyzor.te          |    1 +
 policy/modules/services/qmail.te          |    1 +
 policy/modules/services/radius.te         |    1 +
 policy/modules/services/radvd.te          |    1 +
 policy/modules/services/razor.if          |    1 +
 policy/modules/services/razor.te          |    1 +
 policy/modules/services/rdisc.te          |    1 +
 policy/modules/services/rhgb.te           |    1 +
 policy/modules/services/ricci.te          |    1 +
 policy/modules/services/rlogin.te         |    1 +
 policy/modules/services/roundup.te        |    1 +
 policy/modules/services/rpc.if            |    1 +
 policy/modules/services/rpcbind.te        |    1 +
 policy/modules/services/rshd.te           |    1 +
 policy/modules/services/rsync.te          |    1 +
 policy/modules/services/rwho.te           |    1 +
 policy/modules/services/samba.te          |    6 ++++++
 policy/modules/services/sasl.te           |    1 +
 policy/modules/services/sendmail.te       |    1 +
 policy/modules/services/setroubleshoot.te |    1 +
 policy/modules/services/smartmon.te       |    1 +
 policy/modules/services/snmp.te           |    1 +
 policy/modules/services/snort.te          |    1 +
 policy/modules/services/soundserver.te    |    1 +
 policy/modules/services/spamassassin.if   |    2 ++
 policy/modules/services/spamassassin.te   |    1 +
 policy/modules/services/squid.te          |    1 +
 policy/modules/services/ssh.if            |    2 ++
 policy/modules/services/stunnel.te        |    1 +
 policy/modules/services/tcpd.te           |    1 +
 policy/modules/services/telnet.te         |    1 +
 policy/modules/services/tftp.te           |    1 +
 policy/modules/services/timidity.te       |    1 +
 policy/modules/services/tor.te            |    1 +
 policy/modules/services/transproxy.te     |    1 +
 policy/modules/services/ucspitcp.te       |    2 ++
 policy/modules/services/uucp.te           |    1 +
 policy/modules/services/uwimap.te         |    1 +
 policy/modules/services/watchdog.te       |    1 +
 policy/modules/services/xfs.te            |    1 +
 policy/modules/services/xprint.te         |    1 +
 policy/modules/services/xserver.if        |    1 +
 policy/modules/services/xserver.te        |    1 +
 policy/modules/services/zebra.te          |    1 +
 128 files changed, 166 insertions(+)

Index: refpolicy_svn_repo/policy/modules/services/afs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/afs.te
+++ refpolicy_svn_repo/policy/modules/services/afs.te
@@ -90,6 +90,7 @@ domtrans_pattern(afs_bosserver_t, afs_vl
 kernel_read_kernel_sysctls(afs_bosserver_t)
 
 corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_recvfrom_unlabeled_peer(afs_bosserver_t)
 corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
@@ -155,6 +156,7 @@ corenet_udp_sendrecv_all_nodes(afs_fsser
 corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
 corenet_udp_sendrecv_all_ports(afs_fsserver_t)
 corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_recvfrom_unlabeled_peer(afs_fsserver_t)
 corenet_all_recvfrom_netlabel(afs_fsserver_t)
 corenet_tcp_bind_all_nodes(afs_fsserver_t)
 corenet_udp_bind_all_nodes(afs_fsserver_t)
@@ -209,6 +211,7 @@ manage_files_pattern(afs_kaserver_t,afs_
 kernel_read_kernel_sysctls(afs_kaserver_t)
 
 corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_recvfrom_unlabeled_peer(afs_kaserver_t)
 corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
@@ -257,6 +260,7 @@ manage_files_pattern(afs_ptserver_t,afs_
 filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
 
 corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_recvfrom_unlabeled_peer(afs_ptserver_t)
 corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -299,6 +303,7 @@ manage_files_pattern(afs_vlserver_t,afs_
 filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
 
 corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_recvfrom_unlabeled_peer(afs_vlserver_t)
 corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
Index: refpolicy_svn_repo/policy/modules/services/amavis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/amavis.te
+++ refpolicy_svn_repo/policy/modules/services/amavis.te
@@ -102,6 +102,7 @@ kernel_dontaudit_read_system_state(amavi
 corecmd_exec_bin(amavis_t)
 
 corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_recvfrom_unlabeled_peer(amavis_t)
 corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_all_if(amavis_t)
 corenet_tcp_sendrecv_all_nodes(amavis_t)
Index: refpolicy_svn_repo/policy/modules/services/apache.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.if
+++ refpolicy_svn_repo/policy/modules/services/apache.if
@@ -182,6 +182,7 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 
 		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_recvfrom_unlabeled_peer(httpd_$1_script_t)
 		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
@@ -202,6 +203,7 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 
 		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_recvfrom_unlabeled_peer(httpd_$1_script_t)
 		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
Index: refpolicy_svn_repo/policy/modules/services/apache.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.te
+++ refpolicy_svn_repo/policy/modules/services/apache.te
@@ -291,6 +291,7 @@ kernel_read_kernel_sysctls(httpd_t)
 kernel_read_system_state(httpd_t)
 
 corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_recvfrom_unlabeled_peer(httpd_t)
 corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_all_if(httpd_t)
 corenet_udp_sendrecv_all_if(httpd_t)
@@ -617,6 +618,7 @@ tunable_policy(`httpd_can_network_connec
 	allow httpd_suexec_t self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+	corenet_recvfrom_unlabeled_peer(httpd_suexec_t)
 	corenet_all_recvfrom_netlabel(httpd_suexec_t)
 	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
 	corenet_udp_sendrecv_all_if(httpd_suexec_t)
Index: refpolicy_svn_repo/policy/modules/services/apcupsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apcupsd.te
+++ refpolicy_svn_repo/policy/modules/services/apcupsd.te
@@ -52,6 +52,7 @@ corecmd_exec_bin(apcupsd_t)
 corecmd_exec_shell(apcupsd_t)
 
 corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_recvfrom_unlabeled_peer(apcupsd_t)
 corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_all_nodes(apcupsd_t)
@@ -106,6 +107,7 @@ optional_policy(`
 	allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
 	
 	corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+	corenet_recvfrom_unlabeled_peer(httpd_apcupsd_cgi_script_t)
 	corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
 	corenet_tcp_sendrecv_all_if(httpd_apcupsd_cgi_script_t)
 	corenet_tcp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
Index: refpolicy_svn_repo/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/arpwatch.te
+++ refpolicy_svn_repo/policy/modules/services/arpwatch.te
@@ -48,6 +48,7 @@ kernel_list_proc(arpwatch_t)
 kernel_read_proc_symlinks(arpwatch_t)
 
 corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_recvfrom_unlabeled_peer(arpwatch_t)
 corenet_all_recvfrom_netlabel(arpwatch_t)
 corenet_tcp_sendrecv_all_if(arpwatch_t)
 corenet_udp_sendrecv_all_if(arpwatch_t)
Index: refpolicy_svn_repo/policy/modules/services/asterisk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/asterisk.te
+++ refpolicy_svn_repo/policy/modules/services/asterisk.te
@@ -83,6 +83,7 @@ corecmd_exec_bin(asterisk_t)
 corecmd_search_bin(asterisk_t)
 
 corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_recvfrom_unlabeled_peer(asterisk_t)
 corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
Index: refpolicy_svn_repo/policy/modules/services/automount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/automount.te
+++ refpolicy_svn_repo/policy/modules/services/automount.te
@@ -77,6 +77,7 @@ corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)
 
 corenet_all_recvfrom_unlabeled(automount_t)
+corenet_recvfrom_unlabeled_peer(automount_t)
 corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
Index: refpolicy_svn_repo/policy/modules/services/avahi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/avahi.te
+++ refpolicy_svn_repo/policy/modules/services/avahi.te
@@ -38,6 +38,7 @@ kernel_read_proc_symlinks(avahi_t)
 kernel_read_network_state(avahi_t)
 
 corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_recvfrom_unlabeled_peer(avahi_t)
 corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_all_if(avahi_t)
 corenet_udp_sendrecv_all_if(avahi_t)
Index: refpolicy_svn_repo/policy/modules/services/bind.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bind.te
+++ refpolicy_svn_repo/policy/modules/services/bind.te
@@ -103,6 +103,7 @@ kernel_read_network_state(named_t)
 corecmd_search_bin(named_t)
 
 corenet_all_recvfrom_unlabeled(named_t)
+corenet_recvfrom_unlabeled_peer(named_t)
 corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_all_if(named_t)
 corenet_udp_sendrecv_all_if(named_t)
@@ -217,6 +218,7 @@ allow ndc_t named_zone_t:dir search;
 kernel_read_kernel_sysctls(ndc_t)
 
 corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_recvfrom_unlabeled_peer(ndc_t)
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
Index: refpolicy_svn_repo/policy/modules/services/bitlbee.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bitlbee.te
+++ refpolicy_svn_repo/policy/modules/services/bitlbee.te
@@ -35,6 +35,7 @@ manage_files_pattern(bitlbee_t, bitlbee_
 files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
+corenet_recvfrom_unlabeled_peer(bitlbee_t)
 corenet_udp_sendrecv_generic_if(bitlbee_t)
 corenet_udp_sendrecv_generic_node(bitlbee_t)
 corenet_udp_sendrecv_lo_node(bitlbee_t)
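Review bot: This is the only hunk in the series where the new `corenet_recvfrom_unlabeled_peer(bitlbee_t)` line is not followed by a matching `corenet_all_recvfrom_netlabel(bitlbee_t)`; every other domain touched here pairs the unlabeled and netlabel calls. That gap predates this patch, but since the series is explicitly about preparing domains for the peer-based controls it is the right moment to decide it: if bitlbee_t is expected to receive labeled traffic, the netlabel call belongs after the new line, and if the omission is deliberate a one-line `# bitlbee only sees unlabeled traffic` comment would keep the next mechanical pass from "fixing" it. The surrounding bitlbee_t rules continue outside the hunk.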
Index: refpolicy_svn_repo/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bluetooth.te
+++ refpolicy_svn_repo/policy/modules/services/bluetooth.te
@@ -78,6 +78,7 @@ kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 
 corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_recvfrom_unlabeled_peer(bluetooth_t)
 corenet_all_recvfrom_netlabel(bluetooth_t)
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
Index: refpolicy_svn_repo/policy/modules/services/canna.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/canna.te
+++ refpolicy_svn_repo/policy/modules/services/canna.te
@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)
 
 corenet_all_recvfrom_unlabeled(canna_t)
+corenet_recvfrom_unlabeled_peer(canna_t)
 corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_tcp_sendrecv_all_nodes(canna_t)
Index: refpolicy_svn_repo/policy/modules/services/ccs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ccs.te
+++ refpolicy_svn_repo/policy/modules/services/ccs.te
@@ -78,6 +78,7 @@ corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)
 
 corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_recvfrom_unlabeled_peer(ccs_t)
 corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_all_if(ccs_t)
 corenet_udp_sendrecv_all_if(ccs_t)
Index: refpolicy_svn_repo/policy/modules/services/cipe.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cipe.te
+++ refpolicy_svn_repo/policy/modules/services/cipe.te
@@ -30,6 +30,7 @@ corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)
 
 corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_recvfrom_unlabeled_peer(ciped_t)
 corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_all_nodes(ciped_t)
Index: refpolicy_svn_repo/policy/modules/services/clamav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clamav.te
+++ refpolicy_svn_repo/policy/modules/services/clamav.te
@@ -89,6 +89,7 @@ kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 
 corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_recvfrom_unlabeled_peer(clamd_t)
 corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_all_if(clamd_t)
 corenet_tcp_sendrecv_all_nodes(clamd_t)
@@ -159,6 +160,7 @@ allow freshclam_t clamd_var_log_t:dir se
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
 
 corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_recvfrom_unlabeled_peer(freshclam_t)
 corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_all_if(freshclam_t)
 corenet_tcp_sendrecv_all_nodes(freshclam_t)
Index: refpolicy_svn_repo/policy/modules/services/clockspeed.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clockspeed.te
+++ refpolicy_svn_repo/policy/modules/services/clockspeed.te
@@ -28,6 +28,7 @@ allow clockspeed_cli_t self:udp_socket c
 read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 
 corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_recvfrom_unlabeled_peer(clockspeed_cli_t)
 corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -56,6 +57,7 @@ manage_files_pattern(clockspeed_srv_t,cl
 manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 
 corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_recvfrom_unlabeled_peer(clockspeed_srv_t)
 corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
Index: refpolicy_svn_repo/policy/modules/services/comsat.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/comsat.te
+++ refpolicy_svn_repo/policy/modules/services/comsat.te
@@ -41,6 +41,7 @@ kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)
 
 corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_recvfrom_unlabeled_peer(comsat_t)
 corenet_all_recvfrom_netlabel(comsat_t)
 corenet_tcp_sendrecv_all_if(comsat_t)
 corenet_udp_sendrecv_all_if(comsat_t)
Index: refpolicy_svn_repo/policy/modules/services/courier.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/courier.if
+++ refpolicy_svn_repo/policy/modules/services/courier.if
@@ -49,6 +49,7 @@ template(`courier_domain_template',`
 	corecmd_exec_bin(courier_$1_t)
 
 	corenet_all_recvfrom_unlabeled(courier_$1_t)
+	corenet_recvfrom_unlabeled_peer(courier_$1_t)
 	corenet_all_recvfrom_netlabel(courier_$1_t)
 	corenet_tcp_sendrecv_generic_if(courier_$1_t)
 	corenet_udp_sendrecv_generic_if(courier_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.if
+++ refpolicy_svn_repo/policy/modules/services/cron.if
@@ -94,6 +94,7 @@ template(`cron_per_role_template',`
 	files_dontaudit_search_boot($1_crond_t)
 
 	corenet_all_recvfrom_unlabeled($1_crond_t)
+	corenet_recvfrom_unlabeled_peer($1_crond_t)
 	corenet_all_recvfrom_netlabel($1_crond_t)
 	corenet_tcp_sendrecv_all_if($1_crond_t)
 	corenet_udp_sendrecv_all_if($1_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.te
+++ refpolicy_svn_repo/policy/modules/services/cron.te
@@ -281,6 +281,7 @@ files_dontaudit_search_boot(system_crond
 corecmd_exec_all_executables(system_crond_t)
 
 corenet_all_recvfrom_unlabeled(system_crond_t)
+corenet_recvfrom_unlabeled_peer(system_crond_t)
 corenet_all_recvfrom_netlabel(system_crond_t)
 corenet_tcp_sendrecv_all_if(system_crond_t)
 corenet_udp_sendrecv_all_if(system_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cups.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cups.te
+++ refpolicy_svn_repo/policy/modules/services/cups.te
@@ -133,6 +133,7 @@ kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)
 
 corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_recvfrom_unlabeled_peer(cupsd_t)
 corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
@@ -316,6 +317,7 @@ kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)
 
 corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_recvfrom_unlabeled_peer(cupsd_config_t)
 corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
@@ -449,6 +451,7 @@ kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)
 
 corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_recvfrom_unlabeled_peer(cupsd_lpd_t)
 corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
@@ -515,6 +518,7 @@ kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)
 
 corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_recvfrom_unlabeled_peer(hplip_t)
 corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
@@ -607,6 +611,7 @@ kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)
 
 corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_recvfrom_unlabeled_peer(ptal_t)
 corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_all_if(ptal_t)
 corenet_tcp_sendrecv_all_nodes(ptal_t)
Index: refpolicy_svn_repo/policy/modules/services/cvs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cvs.te
+++ refpolicy_svn_repo/policy/modules/services/cvs.te
@@ -56,6 +56,7 @@ kernel_read_system_state(cvs_t)
 kernel_read_network_state(cvs_t)
 
 corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_recvfrom_unlabeled_peer(cvs_t)
 corenet_all_recvfrom_netlabel(cvs_t)
 corenet_tcp_sendrecv_all_if(cvs_t)
 corenet_udp_sendrecv_all_if(cvs_t)
Index: refpolicy_svn_repo/policy/modules/services/cyrus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cyrus.te
+++ refpolicy_svn_repo/policy/modules/services/cyrus.te
@@ -61,6 +61,7 @@ kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)
 
 corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_recvfrom_unlabeled_peer(cyrus_t)
 corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_all_if(cyrus_t)
 corenet_udp_sendrecv_all_if(cyrus_t)
Index: refpolicy_svn_repo/policy/modules/services/dante.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dante.te
+++ refpolicy_svn_repo/policy/modules/services/dante.te
@@ -39,6 +39,7 @@ kernel_list_proc(dante_t)
 kernel_read_proc_symlinks(dante_t)
 
 corenet_all_recvfrom_unlabeled(dante_t)
+corenet_recvfrom_unlabeled_peer(dante_t)
 corenet_all_recvfrom_netlabel(dante_t)
 corenet_tcp_sendrecv_generic_if(dante_t)
 corenet_udp_sendrecv_generic_if(dante_t)
Index: refpolicy_svn_repo/policy/modules/services/dbskk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbskk.te
+++ refpolicy_svn_repo/policy/modules/services/dbskk.te
@@ -49,6 +49,7 @@ kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)
 
 corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_recvfrom_unlabeled_peer(dbskkd_t)
 corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_all_if(dbskkd_t)
 corenet_udp_sendrecv_all_if(dbskkd_t)
Index: refpolicy_svn_repo/policy/modules/services/dbus.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbus.if
+++ refpolicy_svn_repo/policy/modules/services/dbus.if
@@ -121,6 +121,7 @@ template(`dbus_per_role_template',`
 	corecmd_read_bin_sockets($1_dbusd_t)
 
 	corenet_all_recvfrom_unlabeled($1_dbusd_t)
+	corenet_recvfrom_unlabeled_peer($1_dbusd_t)
 	corenet_all_recvfrom_netlabel($1_dbusd_t)
 	corenet_tcp_sendrecv_all_if($1_dbusd_t)
 	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
Index: refpolicy_svn_repo/policy/modules/services/dcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dcc.te
+++ refpolicy_svn_repo/policy/modules/services/dcc.te
@@ -97,6 +97,7 @@ read_files_pattern(cdcc_t,dcc_var_t,dcc_
 read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 
 corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_recvfrom_unlabeled_peer(cdcc_t)
 corenet_all_recvfrom_netlabel(cdcc_t)
 corenet_udp_sendrecv_generic_if(cdcc_t)
 corenet_udp_sendrecv_all_nodes(cdcc_t)
@@ -140,6 +141,7 @@ read_files_pattern(dcc_client_t,dcc_var_
 read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 
 corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_recvfrom_unlabeled_peer(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
@@ -183,6 +185,7 @@ manage_lnk_files_pattern(dcc_dbclean_t,d
 kernel_read_system_state(dcc_dbclean_t)
 
 corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_recvfrom_unlabeled_peer(dcc_dbclean_t)
 corenet_all_recvfrom_netlabel(dcc_dbclean_t)
 corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
 corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
@@ -244,6 +247,7 @@ kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)
 
 corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_recvfrom_unlabeled_peer(dccd_t)
 corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_all_nodes(dccd_t)
@@ -320,6 +324,7 @@ kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
 corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_recvfrom_unlabeled_peer(dccifd_t)
 corenet_all_recvfrom_netlabel(dccifd_t)
 corenet_udp_sendrecv_generic_if(dccifd_t)
 corenet_udp_sendrecv_all_nodes(dccifd_t)
@@ -392,6 +397,7 @@ kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
 corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_recvfrom_unlabeled_peer(dccm_t)
 corenet_all_recvfrom_netlabel(dccm_t)
 corenet_udp_sendrecv_generic_if(dccm_t)
 corenet_udp_sendrecv_all_nodes(dccm_t)
Index: refpolicy_svn_repo/policy/modules/services/ddclient.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ddclient.te
+++ refpolicy_svn_repo/policy/modules/services/ddclient.te
@@ -65,6 +65,7 @@ corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
 
 corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_recvfrom_unlabeled_peer(ddclient_t)
 corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
Index: refpolicy_svn_repo/policy/modules/services/dhcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dhcp.te
+++ refpolicy_svn_repo/policy/modules/services/dhcp.te
@@ -53,6 +53,7 @@ kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)
 
 corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_recvfrom_unlabeled_peer(dhcpd_t)
 corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_all_if(dhcpd_t)
 corenet_udp_sendrecv_all_if(dhcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/dictd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dictd.te
+++ refpolicy_svn_repo/policy/modules/services/dictd.te
@@ -38,6 +38,7 @@ kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)
 
 corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_recvfrom_unlabeled_peer(dictd_t)
 corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
 corenet_raw_sendrecv_all_if(dictd_t)
Index: refpolicy_svn_repo/policy/modules/services/distcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/distcc.te
+++ refpolicy_svn_repo/policy/modules/services/distcc.te
@@ -46,6 +46,7 @@ kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)
 
 corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_recvfrom_unlabeled_peer(distccd_t)
 corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_all_if(distccd_t)
 corenet_udp_sendrecv_all_if(distccd_t)
Index: refpolicy_svn_repo/policy/modules/services/djbdns.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/djbdns.if
+++ refpolicy_svn_repo/policy/modules/services/djbdns.if
@@ -33,6 +33,7 @@ template(`djbdns_daemontools_domain_temp
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
 
 	corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+	corenet_recvfrom_unlabeled_peer(djbdns_$1_t)
 	corenet_all_recvfrom_netlabel(djbdns_$1_t)
 	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
 	corenet_udp_sendrecv_all_if(djbdns_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dnsmasq.te
+++ refpolicy_svn_repo/policy/modules/services/dnsmasq.te
@@ -43,6 +43,7 @@ kernel_list_proc(dnsmasq_t)
 kernel_read_proc_symlinks(dnsmasq_t)
 
 corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_recvfrom_unlabeled_peer(dnsmasq_t)
 corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
Index: refpolicy_svn_repo/policy/modules/services/dovecot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dovecot.te
+++ refpolicy_svn_repo/policy/modules/services/dovecot.te
@@ -70,6 +70,7 @@ kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)
 
 corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_recvfrom_unlabeled_peer(dovecot_t)
 corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_all_if(dovecot_t)
 corenet_tcp_sendrecv_all_nodes(dovecot_t)
Index: refpolicy_svn_repo/policy/modules/services/exim.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/exim.te
+++ refpolicy_svn_repo/policy/modules/services/exim.te
@@ -70,6 +70,7 @@ kernel_read_kernel_sysctls(exim_t)
 corecmd_search_bin(exim_t)
 
 corenet_all_recvfrom_unlabeled(exim_t)
+corenet_recvfrom_unlabeled_peer(exim_t)
 corenet_tcp_sendrecv_all_if(exim_t)
 corenet_tcp_sendrecv_all_nodes(exim_t)
 corenet_tcp_sendrecv_all_ports(exim_t)
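Review bot: The exim_t hunk adds the unlabeled peer permission, but unlike nearly every other hunk here the surrounding block has no `corenet_all_recvfrom_netlabel(exim_t)` call; the same holds for postfix_policyd_t in the postfixpolicyd.te hunk. This gap is pre-existing rather than introduced by the commit, but since the commit already touches these exact lines it is the natural place to settle whether those two domains are intentionally limited to unlabeled traffic. If that is intentional, a comment beside the new line such as `# exim_t receives unlabeled traffic only; no netlabel rules by design` would keep the next labeled-networking sweep from silently skipping them again. I cannot see the rest of exim.te, so the netlabel call may simply live elsewhere in the file.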
Index: refpolicy_svn_repo/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/fetchmail.te
+++ refpolicy_svn_repo/policy/modules/services/fetchmail.te
@@ -47,6 +47,7 @@ kernel_read_proc_symlinks(fetchmail_t)
 kernel_dontaudit_read_system_state(fetchmail_t)
 
 corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_recvfrom_unlabeled_peer(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_udp_sendrecv_generic_if(fetchmail_t)
Index: refpolicy_svn_repo/policy/modules/services/finger.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/finger.te
+++ refpolicy_svn_repo/policy/modules/services/finger.te
@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)
 
 corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_recvfrom_unlabeled_peer(fingerd_t)
 corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_all_if(fingerd_t)
 corenet_udp_sendrecv_all_if(fingerd_t)
Index: refpolicy_svn_repo/policy/modules/services/ftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ftp.te
+++ refpolicy_svn_repo/policy/modules/services/ftp.te
@@ -130,6 +130,7 @@ dev_read_urand(ftpd_t)
 corecmd_exec_bin(ftpd_t)
 
 corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_recvfrom_unlabeled_peer(ftpd_t)
 corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_all_if(ftpd_t)
 corenet_udp_sendrecv_all_if(ftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/gatekeeper.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/gatekeeper.te
+++ refpolicy_svn_repo/policy/modules/services/gatekeeper.te
@@ -54,6 +54,7 @@ kernel_read_kernel_sysctls(gatekeeper_t)
 corecmd_list_bin(gatekeeper_t)
 
 corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_recvfrom_unlabeled_peer(gatekeeper_t)
 corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
Index: refpolicy_svn_repo/policy/modules/services/hal.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/hal.te
+++ refpolicy_svn_repo/policy/modules/services/hal.te
@@ -99,6 +99,7 @@ auth_read_pam_console_data(hald_t)
 corecmd_exec_all_executables(hald_t)
 
 corenet_all_recvfrom_unlabeled(hald_t)
+corenet_recvfrom_unlabeled_peer(hald_t)
 corenet_all_recvfrom_netlabel(hald_t)
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
Index: refpolicy_svn_repo/policy/modules/services/howl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/howl.te
+++ refpolicy_svn_repo/policy/modules/services/howl.te
@@ -35,6 +35,7 @@ kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)
 
 corenet_all_recvfrom_unlabeled(howl_t)
+corenet_recvfrom_unlabeled_peer(howl_t)
 corenet_all_recvfrom_netlabel(howl_t)
 corenet_tcp_sendrecv_all_if(howl_t)
 corenet_udp_sendrecv_all_if(howl_t)
Index: refpolicy_svn_repo/policy/modules/services/i18n_input.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/i18n_input.te
+++ refpolicy_svn_repo/policy/modules/services/i18n_input.te
@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)
 
 corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_recvfrom_unlabeled_peer(i18n_input_t)
 corenet_all_recvfrom_netlabel(i18n_input_t)
 corenet_tcp_sendrecv_generic_if(i18n_input_t)
 corenet_udp_sendrecv_generic_if(i18n_input_t)
Index: refpolicy_svn_repo/policy/modules/services/imaze.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/imaze.te
+++ refpolicy_svn_repo/policy/modules/services/imaze.te
@@ -56,6 +56,7 @@ kernel_list_proc(imazesrv_t)
 kernel_read_proc_symlinks(imazesrv_t)
 
 corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_recvfrom_unlabeled_peer(imazesrv_t)
 corenet_all_recvfrom_netlabel(imazesrv_t)
 corenet_tcp_sendrecv_generic_if(imazesrv_t)
 corenet_udp_sendrecv_generic_if(imazesrv_t)
Index: refpolicy_svn_repo/policy/modules/services/inetd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inetd.te
+++ refpolicy_svn_repo/policy/modules/services/inetd.te
@@ -61,6 +61,7 @@ kernel_tcp_recvfrom_unlabeled(inetd_t)
 
 # base networking:
 corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_recvfrom_unlabeled_peer(inetd_t)
 corenet_all_recvfrom_netlabel(inetd_t)
 corenet_tcp_sendrecv_all_if(inetd_t)
 corenet_udp_sendrecv_all_if(inetd_t)
@@ -194,6 +195,7 @@ kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)
 
 corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_recvfrom_unlabeled_peer(inetd_child_t)
 corenet_all_recvfrom_netlabel(inetd_child_t)
 corenet_tcp_sendrecv_all_if(inetd_child_t)
 corenet_udp_sendrecv_all_if(inetd_child_t)
Index: refpolicy_svn_repo/policy/modules/services/inn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inn.te
+++ refpolicy_svn_repo/policy/modules/services/inn.te
@@ -64,6 +64,7 @@ kernel_read_kernel_sysctls(innd_t)
 kernel_read_system_state(innd_t)
 
 corenet_all_recvfrom_unlabeled(innd_t)
+corenet_recvfrom_unlabeled_peer(innd_t)
 corenet_all_recvfrom_netlabel(innd_t)
 corenet_tcp_sendrecv_all_if(innd_t)
 corenet_udp_sendrecv_all_if(innd_t)
Index: refpolicy_svn_repo/policy/modules/services/ircd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ircd.te
+++ refpolicy_svn_repo/policy/modules/services/ircd.te
@@ -51,6 +51,7 @@ kernel_read_kernel_sysctls(ircd_t)
 corecmd_search_bin(ircd_t)
 
 corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_recvfrom_unlabeled_peer(ircd_t)
 corenet_all_recvfrom_netlabel(ircd_t)
 corenet_tcp_sendrecv_generic_if(ircd_t)
 corenet_udp_sendrecv_generic_if(ircd_t)
Index: refpolicy_svn_repo/policy/modules/services/jabber.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/jabber.te
+++ refpolicy_svn_repo/policy/modules/services/jabber.te
@@ -45,6 +45,7 @@ kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)
 
 corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_recvfrom_unlabeled_peer(jabberd_t)
 corenet_all_recvfrom_netlabel(jabberd_t)
 corenet_tcp_sendrecv_generic_if(jabberd_t)
 corenet_udp_sendrecv_generic_if(jabberd_t)
Index: refpolicy_svn_repo/policy/modules/services/kerberos.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.if
+++ refpolicy_svn_repo/policy/modules/services/kerberos.if
@@ -48,6 +48,7 @@ interface(`kerberos_use',`
 		allow $1 self:udp_socket create_socket_perms;
 
 		corenet_all_recvfrom_unlabeled($1)
+		corenet_recvfrom_unlabeled_peer($1)
 		corenet_all_recvfrom_netlabel($1)
 		corenet_tcp_sendrecv_all_if($1)
 		corenet_udp_sendrecv_all_if($1)
Index: refpolicy_svn_repo/policy/modules/services/kerberos.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.te
+++ refpolicy_svn_repo/policy/modules/services/kerberos.te
@@ -93,6 +93,7 @@ kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
 
 corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_recvfrom_unlabeled_peer(kadmind_t)
 corenet_all_recvfrom_netlabel(kadmind_t)
 corenet_tcp_sendrecv_all_if(kadmind_t)
 corenet_udp_sendrecv_all_if(kadmind_t)
@@ -188,6 +189,7 @@ kernel_search_network_sysctl(krb5kdc_t)
 corecmd_exec_bin(krb5kdc_t)
 
 corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_recvfrom_unlabeled_peer(krb5kdc_t)
 corenet_all_recvfrom_netlabel(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
 corenet_udp_sendrecv_all_if(krb5kdc_t)
Index: refpolicy_svn_repo/policy/modules/services/ktalk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ktalk.te
+++ refpolicy_svn_repo/policy/modules/services/ktalk.te
@@ -54,6 +54,7 @@ kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)
 
 corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_recvfrom_unlabeled_peer(ktalkd_t)
 corenet_all_recvfrom_netlabel(ktalkd_t)
 corenet_tcp_sendrecv_all_if(ktalkd_t)
 corenet_udp_sendrecv_all_if(ktalkd_t)
Index: refpolicy_svn_repo/policy/modules/services/ldap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ldap.te
+++ refpolicy_svn_repo/policy/modules/services/ldap.te
@@ -77,6 +77,7 @@ kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)
 
 corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_recvfrom_unlabeled_peer(slapd_t)
 corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
 corenet_udp_sendrecv_all_if(slapd_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.if
+++ refpolicy_svn_repo/policy/modules/services/lpd.if
@@ -104,6 +104,7 @@ template(`lpd_per_role_template',`
 	kernel_read_kernel_sysctls($1_lpr_t)
 
 	corenet_all_recvfrom_unlabeled($1_lpr_t)
+	corenet_recvfrom_unlabeled_peer($1_lpr_t)
 	corenet_all_recvfrom_netlabel($1_lpr_t)
 	corenet_tcp_sendrecv_generic_if($1_lpr_t)
 	corenet_udp_sendrecv_generic_if($1_lpr_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.te
+++ refpolicy_svn_repo/policy/modules/services/lpd.te
@@ -73,6 +73,7 @@ allow checkpc_t printconf_t:dir { getatt
 kernel_read_system_state(checkpc_t)
 
 corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_recvfrom_unlabeled_peer(checkpc_t)
 corenet_all_recvfrom_netlabel(checkpc_t)
 corenet_tcp_sendrecv_all_if(checkpc_t)
 corenet_udp_sendrecv_all_if(checkpc_t)
@@ -154,6 +155,7 @@ kernel_read_kernel_sysctls(lpd_t)
 kernel_read_system_state(lpd_t)
 
 corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_recvfrom_unlabeled_peer(lpd_t)
 corenet_all_recvfrom_netlabel(lpd_t)
 corenet_tcp_sendrecv_all_if(lpd_t)
 corenet_udp_sendrecv_all_if(lpd_t)
Index: refpolicy_svn_repo/policy/modules/services/mailman.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mailman.if
+++ refpolicy_svn_repo/policy/modules/services/mailman.if
@@ -49,6 +49,7 @@ template(`mailman_domain_template', `
 	kernel_read_system_state(mailman_$1_t)
 
 	corenet_all_recvfrom_unlabeled(mailman_$1_t)
+	corenet_recvfrom_unlabeled_peer(mailman_$1_t)
 	corenet_all_recvfrom_netlabel(mailman_$1_t)
 	corenet_tcp_sendrecv_all_if(mailman_$1_t)
 	corenet_udp_sendrecv_all_if(mailman_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/monop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/monop.te
+++ refpolicy_svn_repo/policy/modules/services/monop.te
@@ -44,6 +44,7 @@ kernel_list_proc(monopd_t)
 kernel_read_proc_symlinks(monopd_t)
 
 corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_recvfrom_unlabeled_peer(monopd_t)
 corenet_all_recvfrom_netlabel(monopd_t)
 corenet_tcp_sendrecv_generic_if(monopd_t)
 corenet_udp_sendrecv_generic_if(monopd_t)
Index: refpolicy_svn_repo/policy/modules/services/mta.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mta.if
+++ refpolicy_svn_repo/policy/modules/services/mta.if
@@ -72,6 +72,7 @@ template(`mta_base_mail_template',`
 	kernel_read_kernel_sysctls($1_mail_t)
 
 	corenet_all_recvfrom_unlabeled($1_mail_t)
+	corenet_recvfrom_unlabeled_peer($1_mail_t)
 	corenet_all_recvfrom_netlabel($1_mail_t)
 	corenet_tcp_sendrecv_all_if($1_mail_t)
 	corenet_tcp_sendrecv_all_nodes($1_mail_t)
Index: refpolicy_svn_repo/policy/modules/services/munin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/munin.te
+++ refpolicy_svn_repo/policy/modules/services/munin.te
@@ -66,6 +66,7 @@ kernel_read_kernel_sysctls(munin_t)
 corecmd_exec_bin(munin_t)
 
 corenet_all_recvfrom_unlabeled(munin_t)
+corenet_recvfrom_unlabeled_peer(munin_t)
 corenet_all_recvfrom_netlabel(munin_t)
 corenet_tcp_sendrecv_generic_if(munin_t)
 corenet_udp_sendrecv_generic_if(munin_t)
Index: refpolicy_svn_repo/policy/modules/services/mysql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mysql.te
+++ refpolicy_svn_repo/policy/modules/services/mysql.te
@@ -62,6 +62,7 @@ kernel_read_system_state(mysqld_t)
 kernel_read_kernel_sysctls(mysqld_t)
 
 corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_recvfrom_unlabeled_peer(mysqld_t)
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_all_if(mysqld_t)
 corenet_udp_sendrecv_all_if(mysqld_t)
Index: refpolicy_svn_repo/policy/modules/services/nagios.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nagios.te
+++ refpolicy_svn_repo/policy/modules/services/nagios.te
@@ -67,6 +67,7 @@ corecmd_exec_bin(nagios_t)
 corecmd_exec_shell(nagios_t)
 
 corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_recvfrom_unlabeled_peer(nagios_t)
 corenet_all_recvfrom_netlabel(nagios_t)
 corenet_tcp_sendrecv_generic_if(nagios_t)
 corenet_udp_sendrecv_generic_if(nagios_t)
Index: refpolicy_svn_repo/policy/modules/services/nessus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nessus.te
+++ refpolicy_svn_repo/policy/modules/services/nessus.te
@@ -58,6 +58,7 @@ kernel_read_kernel_sysctls(nessusd_t)
 corecmd_exec_bin(nessusd_t)
 
 corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_recvfrom_unlabeled_peer(nessusd_t)
 corenet_all_recvfrom_netlabel(nessusd_t)
 corenet_tcp_sendrecv_generic_if(nessusd_t)
 corenet_udp_sendrecv_generic_if(nessusd_t)
Index: refpolicy_svn_repo/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/networkmanager.te
+++ refpolicy_svn_repo/policy/modules/services/networkmanager.te
@@ -44,6 +44,7 @@ kernel_read_kernel_sysctls(NetworkManage
 kernel_load_module(NetworkManager_t)
 
 corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_recvfrom_unlabeled_peer(NetworkManager_t)
 corenet_all_recvfrom_netlabel(NetworkManager_t)
 corenet_tcp_sendrecv_all_if(NetworkManager_t)
 corenet_udp_sendrecv_all_if(NetworkManager_t)
Index: refpolicy_svn_repo/policy/modules/services/nis.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.if
+++ refpolicy_svn_repo/policy/modules/services/nis.if
@@ -38,6 +38,7 @@ interface(`nis_use_ypbind_uncond',`
 	allow $1 var_yp_t:file read_file_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
Index: refpolicy_svn_repo/policy/modules/services/nis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.te
+++ refpolicy_svn_repo/policy/modules/services/nis.te
@@ -70,6 +70,7 @@ kernel_list_proc(ypbind_t)
 kernel_read_proc_symlinks(ypbind_t)
 
 corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_recvfrom_unlabeled_peer(ypbind_t)
 corenet_all_recvfrom_netlabel(ypbind_t)
 corenet_tcp_sendrecv_all_if(ypbind_t)
 corenet_udp_sendrecv_all_if(ypbind_t)
@@ -147,6 +148,7 @@ kernel_getattr_proc_files(yppasswdd_t)
 kernel_read_kernel_sysctls(yppasswdd_t)
 
 corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_recvfrom_unlabeled_peer(yppasswdd_t)
 corenet_all_recvfrom_netlabel(yppasswdd_t)
 corenet_tcp_sendrecv_generic_if(yppasswdd_t)
 corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -236,6 +238,7 @@ kernel_list_proc(ypserv_t)
 kernel_read_proc_symlinks(ypserv_t)
 
 corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_recvfrom_unlabeled_peer(ypserv_t)
 corenet_all_recvfrom_netlabel(ypserv_t)
 corenet_tcp_sendrecv_all_if(ypserv_t)
 corenet_udp_sendrecv_all_if(ypserv_t)
@@ -304,6 +307,7 @@ allow ypxfr_t ypserv_t:udp_socket { read
 allow ypxfr_t ypserv_conf_t:file { getattr read };
 
 corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_recvfrom_unlabeled_peer(ypxfr_t)
 corenet_all_recvfrom_netlabel(ypxfr_t)
 corenet_tcp_sendrecv_all_if(ypxfr_t)
 corenet_udp_sendrecv_all_if(ypxfr_t)
Index: refpolicy_svn_repo/policy/modules/services/nscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nscd.te
+++ refpolicy_svn_repo/policy/modules/services/nscd.te
@@ -66,6 +66,7 @@ auth_getattr_shadow(nscd_t)
 auth_use_nsswitch(nscd_t)
 
 corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_recvfrom_unlabeled_peer(nscd_t)
 corenet_all_recvfrom_netlabel(nscd_t)
 corenet_tcp_sendrecv_all_if(nscd_t)
 corenet_udp_sendrecv_all_if(nscd_t)
Index: refpolicy_svn_repo/policy/modules/services/nsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nsd.te
+++ refpolicy_svn_repo/policy/modules/services/nsd.te
@@ -63,6 +63,7 @@ kernel_read_kernel_sysctls(nsd_t)
 corecmd_exec_bin(nsd_t)
 
 corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_recvfrom_unlabeled_peer(nsd_t)
 corenet_all_recvfrom_netlabel(nsd_t)
 corenet_tcp_sendrecv_generic_if(nsd_t)
 corenet_udp_sendrecv_generic_if(nsd_t)
@@ -144,6 +145,7 @@ corecmd_exec_bin(nsd_crond_t)
 corecmd_exec_shell(nsd_crond_t)
 
 corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_recvfrom_unlabeled_peer(nsd_crond_t)
 corenet_all_recvfrom_netlabel(nsd_crond_t)
 corenet_tcp_sendrecv_generic_if(nsd_crond_t)
 corenet_udp_sendrecv_generic_if(nsd_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/ntop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ntop.te
+++ refpolicy_svn_repo/policy/modules/services/ntop.te
@@ -63,6 +63,7 @@ kernel_list_proc(ntop_t)
 kernel_read_proc_symlinks(ntop_t)
 
 corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_recvfrom_unlabeled_peer(ntop_t)
 corenet_all_recvfrom_netlabel(ntop_t)
 corenet_tcp_sendrecv_generic_if(ntop_t)
 corenet_udp_sendrecv_generic_if(ntop_t)
Index: refpolicy_svn_repo/policy/modules/services/ntp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ntp.te
+++ refpolicy_svn_repo/policy/modules/services/ntp.te
@@ -62,6 +62,7 @@ kernel_read_system_state(ntpd_t)
 kernel_read_network_state(ntpd_t)
 
 corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_recvfrom_unlabeled_peer(ntpd_t)
 corenet_all_recvfrom_netlabel(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
 corenet_udp_sendrecv_all_if(ntpd_t)
Index: refpolicy_svn_repo/policy/modules/services/nx.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nx.te
+++ refpolicy_svn_repo/policy/modules/services/nx.te
@@ -52,6 +52,7 @@ corecmd_exec_shell(nx_server_t)
 corecmd_exec_bin(nx_server_t)
 
 corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_recvfrom_unlabeled_peer(nx_server_t)
 corenet_all_recvfrom_netlabel(nx_server_t)
 corenet_tcp_sendrecv_generic_if(nx_server_t)
 corenet_udp_sendrecv_generic_if(nx_server_t)
Index: refpolicy_svn_repo/policy/modules/services/oav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/oav.te
+++ refpolicy_svn_repo/policy/modules/services/oav.te
@@ -50,6 +50,7 @@ read_lnk_files_pattern(oav_update_t,oav_
 corecmd_exec_all_executables(oav_update_t)
 
 corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_recvfrom_unlabeled_peer(oav_update_t)
 corenet_all_recvfrom_netlabel(oav_update_t)
 corenet_tcp_sendrecv_generic_if(oav_update_t)
 corenet_udp_sendrecv_generic_if(oav_update_t)
@@ -105,6 +106,7 @@ kernel_read_kernel_sysctls(scannerdaemon
 corecmd_exec_all_executables(scannerdaemon_t)
 
 corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_recvfrom_unlabeled_peer(scannerdaemon_t)
 corenet_all_recvfrom_netlabel(scannerdaemon_t)
 corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
 corenet_udp_sendrecv_generic_if(scannerdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/openvpn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/openvpn.te
+++ refpolicy_svn_repo/policy/modules/services/openvpn.te
@@ -63,6 +63,7 @@ corecmd_exec_bin(openvpn_t)
 corecmd_exec_shell(openvpn_t)
 
 corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_recvfrom_unlabeled_peer(openvpn_t)
 corenet_all_recvfrom_netlabel(openvpn_t)
 corenet_tcp_sendrecv_all_if(openvpn_t)
 corenet_udp_sendrecv_all_if(openvpn_t)
Index: refpolicy_svn_repo/policy/modules/services/pcscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pcscd.te
+++ refpolicy_svn_repo/policy/modules/services/pcscd.te
@@ -32,6 +32,7 @@ manage_sock_files_pattern(pcscd_t,pcscd_
 files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
 
 corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_recvfrom_unlabeled_peer(pcscd_t)
 corenet_all_recvfrom_netlabel(pcscd_t)
 corenet_tcp_sendrecv_all_if(pcscd_t)
 corenet_tcp_sendrecv_all_nodes(pcscd_t)
Index: refpolicy_svn_repo/policy/modules/services/pegasus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pegasus.te
+++ refpolicy_svn_repo/policy/modules/services/pegasus.te
@@ -67,6 +67,7 @@ kernel_search_vm_sysctl(pegasus_t)
 kernel_read_net_sysctls(pegasus_t)
 
 corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_recvfrom_unlabeled_peer(pegasus_t)
 corenet_all_recvfrom_netlabel(pegasus_t)
 corenet_tcp_sendrecv_all_if(pegasus_t)
 corenet_tcp_sendrecv_all_nodes(pegasus_t)
Index: refpolicy_svn_repo/policy/modules/services/perdition.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/perdition.te
+++ refpolicy_svn_repo/policy/modules/services/perdition.te
@@ -38,6 +38,7 @@ kernel_list_proc(perdition_t)
 kernel_read_proc_symlinks(perdition_t)
 
 corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_recvfrom_unlabeled_peer(perdition_t)
 corenet_all_recvfrom_netlabel(perdition_t)
 corenet_tcp_sendrecv_generic_if(perdition_t)
 corenet_udp_sendrecv_generic_if(perdition_t)
Index: refpolicy_svn_repo/policy/modules/services/portmap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portmap.te
+++ refpolicy_svn_repo/policy/modules/services/portmap.te
@@ -46,6 +46,7 @@ kernel_list_proc(portmap_t)
 kernel_read_proc_symlinks(portmap_t)
 
 corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_recvfrom_unlabeled_peer(portmap_t)
 corenet_all_recvfrom_netlabel(portmap_t)
 corenet_tcp_sendrecv_all_if(portmap_t)
 corenet_udp_sendrecv_all_if(portmap_t)
@@ -119,6 +120,7 @@ allow portmap_helper_t portmap_var_run_t
 files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
 
 corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_recvfrom_unlabeled_peer(portmap_helper_t)
 corenet_all_recvfrom_netlabel(portmap_helper_t)
 corenet_tcp_sendrecv_all_if(portmap_helper_t)
 corenet_udp_sendrecv_all_if(portmap_helper_t)
Index: refpolicy_svn_repo/policy/modules/services/portslave.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portslave.te
+++ refpolicy_svn_repo/policy/modules/services/portslave.te
@@ -56,6 +56,7 @@ corecmd_exec_bin(portslave_t)
 corecmd_exec_shell(portslave_t)
 
 corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_recvfrom_unlabeled_peer(portslave_t)
 corenet_all_recvfrom_netlabel(portslave_t)
 corenet_tcp_sendrecv_generic_if(portslave_t)
 corenet_udp_sendrecv_generic_if(portslave_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.if
+++ refpolicy_svn_repo/policy/modules/services/postfix.if
@@ -121,6 +121,7 @@ template(`postfix_server_domain_template
 	domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
 
 	corenet_all_recvfrom_unlabeled(postfix_$1_t)
+	corenet_recvfrom_unlabeled_peer(postfix_$1_t)
 	corenet_all_recvfrom_netlabel(postfix_$1_t)
 	corenet_tcp_sendrecv_all_if(postfix_$1_t)
 	corenet_udp_sendrecv_all_if(postfix_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.te
+++ refpolicy_svn_repo/policy/modules/services/postfix.te
@@ -139,6 +139,7 @@ rename_files_pattern(postfix_master_t,po
 kernel_read_all_sysctls(postfix_master_t)
 
 corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_recvfrom_unlabeled_peer(postfix_master_t)
 corenet_all_recvfrom_netlabel(postfix_master_t)
 corenet_tcp_sendrecv_all_if(postfix_master_t)
 corenet_udp_sendrecv_all_if(postfix_master_t)
@@ -315,6 +316,7 @@ kernel_dontaudit_list_proc(postfix_map_t
 kernel_dontaudit_read_system_state(postfix_map_t)
 
 corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_recvfrom_unlabeled_peer(postfix_map_t)
 corenet_all_recvfrom_netlabel(postfix_map_t)
 corenet_tcp_sendrecv_all_if(postfix_map_t)
 corenet_udp_sendrecv_all_if(postfix_map_t)
Index: refpolicy_svn_repo/policy/modules/services/postfixpolicyd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfixpolicyd.te
+++ refpolicy_svn_repo/policy/modules/services/postfixpolicyd.te
@@ -34,6 +34,7 @@ manage_files_pattern(postfix_policyd_t, 
 files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
 
 corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+corenet_recvfrom_unlabeled_peer(postfix_policyd_t)
 corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
 corenet_tcp_sendrecv_all_nodes(postfix_policyd_t)
 corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
Index: refpolicy_svn_repo/policy/modules/services/postgresql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgresql.te
+++ refpolicy_svn_repo/policy/modules/services/postgresql.te
@@ -82,6 +82,7 @@ kernel_read_all_sysctls(postgresql_t)
 kernel_read_proc_symlinks(postgresql_t)
 
 corenet_all_recvfrom_unlabeled(postgresql_t)
+corenet_recvfrom_unlabeled_peer(postgresql_t)
 corenet_all_recvfrom_netlabel(postgresql_t)
 corenet_tcp_sendrecv_all_if(postgresql_t)
 corenet_udp_sendrecv_all_if(postgresql_t)
Index: refpolicy_svn_repo/policy/modules/services/postgrey.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgrey.te
+++ refpolicy_svn_repo/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ kernel_read_kernel_sysctls(postgrey_t)
 corecmd_search_bin(postgrey_t)
 
 corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_recvfrom_unlabeled_peer(postgrey_t)
 corenet_all_recvfrom_netlabel(postgrey_t)
 corenet_tcp_sendrecv_generic_if(postgrey_t)
 corenet_tcp_sendrecv_all_nodes(postgrey_t)
Index: refpolicy_svn_repo/policy/modules/services/ppp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ppp.te
+++ refpolicy_svn_repo/policy/modules/services/ppp.te
@@ -125,6 +125,7 @@ dev_search_sysfs(pppd_t)
 dev_read_sysfs(pppd_t)
 
 corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_recvfrom_unlabeled_peer(pppd_t)
 corenet_all_recvfrom_netlabel(pppd_t)
 corenet_tcp_sendrecv_all_if(pppd_t)
 corenet_raw_sendrecv_all_if(pppd_t)
@@ -250,6 +251,7 @@ kernel_read_proc_symlinks(pptp_t)
 dev_read_sysfs(pptp_t)
 
 corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_recvfrom_unlabeled_peer(pptp_t)
 corenet_all_recvfrom_netlabel(pptp_t)
 corenet_tcp_sendrecv_all_if(pptp_t)
 corenet_raw_sendrecv_all_if(pptp_t)
Index: refpolicy_svn_repo/policy/modules/services/privoxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/privoxy.te
+++ refpolicy_svn_repo/policy/modules/services/privoxy.te
@@ -41,6 +41,7 @@ kernel_list_proc(privoxy_t)
 kernel_read_proc_symlinks(privoxy_t)
 
 corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_recvfrom_unlabeled_peer(privoxy_t)
 corenet_all_recvfrom_netlabel(privoxy_t)
 corenet_tcp_sendrecv_all_if(privoxy_t)
 corenet_tcp_sendrecv_all_nodes(privoxy_t)
Index: refpolicy_svn_repo/policy/modules/services/procmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/procmail.te
+++ refpolicy_svn_repo/policy/modules/services/procmail.te
@@ -36,6 +36,7 @@ kernel_read_system_state(procmail_t)
 kernel_read_kernel_sysctls(procmail_t)
 
 corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_recvfrom_unlabeled_peer(procmail_t)
 corenet_all_recvfrom_netlabel(procmail_t)
 corenet_tcp_sendrecv_all_if(procmail_t)
 corenet_udp_sendrecv_all_if(procmail_t)
Index: refpolicy_svn_repo/policy/modules/services/pyzor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pyzor.te
+++ refpolicy_svn_repo/policy/modules/services/pyzor.te
@@ -108,6 +108,7 @@ dev_read_urand(pyzord_t)
 corecmd_exec_bin(pyzord_t)
 
 corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_recvfrom_unlabeled_peer(pyzord_t)
 corenet_all_recvfrom_netlabel(pyzord_t)
 corenet_udp_sendrecv_all_if(pyzord_t)
 corenet_udp_sendrecv_all_nodes(pyzord_t)
Index: refpolicy_svn_repo/policy/modules/services/qmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/qmail.te
+++ refpolicy_svn_repo/policy/modules/services/qmail.te
@@ -171,6 +171,7 @@ allow qmail_remote_t self:udp_socket cre
 rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
 
 corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_recvfrom_unlabeled_peer(qmail_remote_t)
 corenet_all_recvfrom_netlabel(qmail_remote_t)
 corenet_tcp_sendrecv_generic_if(qmail_remote_t)
 corenet_udp_sendrecv_generic_if(qmail_remote_t)
Index: refpolicy_svn_repo/policy/modules/services/radius.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radius.te
+++ refpolicy_svn_repo/policy/modules/services/radius.te
@@ -64,6 +64,7 @@ kernel_read_kernel_sysctls(radiusd_t)
 kernel_read_system_state(radiusd_t)
 
 corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_recvfrom_unlabeled_peer(radiusd_t)
 corenet_all_recvfrom_netlabel(radiusd_t)
 corenet_tcp_sendrecv_all_if(radiusd_t)
 corenet_udp_sendrecv_all_if(radiusd_t)
Index: refpolicy_svn_repo/policy/modules/services/radvd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radvd.te
+++ refpolicy_svn_repo/policy/modules/services/radvd.te
@@ -39,6 +39,7 @@ kernel_read_network_state(radvd_t)
 kernel_read_system_state(radvd_t)
 
 corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_recvfrom_unlabeled_peer(radvd_t)
 corenet_all_recvfrom_netlabel(radvd_t)
 corenet_tcp_sendrecv_all_if(radvd_t)
 corenet_udp_sendrecv_all_if(radvd_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.if
+++ refpolicy_svn_repo/policy/modules/services/razor.if
@@ -68,6 +68,7 @@ template(`razor_common_domain_template',
 	corecmd_exec_bin($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_recvfrom_unlabeled_peer($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_generic_if($1_t)
 	corenet_raw_sendrecv_generic_if($1_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.te
+++ refpolicy_svn_repo/policy/modules/services/razor.te
@@ -42,6 +42,7 @@ manage_files_pattern(razor_t,razor_var_l
 files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
 
 corenet_all_recvfrom_unlabeled(razor_t)
+corenet_recvfrom_unlabeled_peer(razor_t)
 corenet_all_recvfrom_netlabel(razor_t)
 corenet_tcp_sendrecv_generic_if(razor_t)
 corenet_raw_sendrecv_generic_if(razor_t)
Index: refpolicy_svn_repo/policy/modules/services/rdisc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rdisc.te
+++ refpolicy_svn_repo/policy/modules/services/rdisc.te
@@ -27,6 +27,7 @@ kernel_read_proc_symlinks(rdisc_t)
 kernel_read_kernel_sysctls(rdisc_t)
 
 corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_recvfrom_unlabeled_peer(rdisc_t)
 corenet_all_recvfrom_netlabel(rdisc_t)
 corenet_udp_sendrecv_generic_if(rdisc_t)
 corenet_raw_sendrecv_generic_if(rdisc_t)
Index: refpolicy_svn_repo/policy/modules/services/rhgb.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rhgb.te
+++ refpolicy_svn_repo/policy/modules/services/rhgb.te
@@ -48,6 +48,7 @@ corecmd_exec_bin(rhgb_t)
 corecmd_exec_shell(rhgb_t)
 
 corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_recvfrom_unlabeled_peer(rhgb_t)
 corenet_all_recvfrom_netlabel(rhgb_t)
 corenet_tcp_sendrecv_generic_if(rhgb_t)
 corenet_udp_sendrecv_generic_if(rhgb_t)
Index: refpolicy_svn_repo/policy/modules/services/ricci.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ricci.te
+++ refpolicy_svn_repo/policy/modules/services/ricci.te
@@ -121,6 +121,7 @@ kernel_read_kernel_sysctls(ricci_t)
 corecmd_exec_bin(ricci_t)
 
 corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_recvfrom_unlabeled_peer(ricci_t)
 corenet_all_recvfrom_netlabel(ricci_t)
 corenet_tcp_sendrecv_all_if(ricci_t)
 corenet_tcp_sendrecv_all_nodes(ricci_t)
Index: refpolicy_svn_repo/policy/modules/services/rlogin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rlogin.te
+++ refpolicy_svn_repo/policy/modules/services/rlogin.te
@@ -51,6 +51,7 @@ kernel_read_system_state(rlogind_t)
 kernel_read_network_state(rlogind_t)
 
 corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_recvfrom_unlabeled_peer(rlogind_t)
 corenet_all_recvfrom_netlabel(rlogind_t)
 corenet_tcp_sendrecv_all_if(rlogind_t)
 corenet_udp_sendrecv_all_if(rlogind_t)
Index: refpolicy_svn_repo/policy/modules/services/roundup.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/roundup.te
+++ refpolicy_svn_repo/policy/modules/services/roundup.te
@@ -44,6 +44,7 @@ dev_read_sysfs(roundup_t)
 corecmd_exec_bin(roundup_t)
 
 corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_recvfrom_unlabeled_peer(roundup_t)
 corenet_all_recvfrom_netlabel(roundup_t)
 corenet_tcp_sendrecv_generic_if(roundup_t)
 corenet_udp_sendrecv_generic_if(roundup_t)
Index: refpolicy_svn_repo/policy/modules/services/rpc.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rpc.if
+++ refpolicy_svn_repo/policy/modules/services/rpc.if
@@ -70,6 +70,7 @@ template(`rpc_domain_template', `
 	dev_read_rand($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_recvfrom_unlabeled_peer($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
Index: refpolicy_svn_repo/policy/modules/services/rpcbind.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rpcbind.te
+++ refpolicy_svn_repo/policy/modules/services/rpcbind.te
@@ -40,6 +40,7 @@ files_var_lib_filetrans(rpcbind_t,rpcbin
 kernel_read_network_state(rpcbind_t)
 
 corenet_all_recvfrom_unlabeled(rpcbind_t)
+corenet_recvfrom_unlabeled_peer(rpcbind_t)
 corenet_all_recvfrom_netlabel(rpcbind_t)
 corenet_tcp_sendrecv_all_if(rpcbind_t)
 corenet_udp_sendrecv_all_if(rpcbind_t)
Index: refpolicy_svn_repo/policy/modules/services/rshd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rshd.te
+++ refpolicy_svn_repo/policy/modules/services/rshd.te
@@ -24,6 +24,7 @@ allow rshd_t self:tcp_socket create_stre
 kernel_read_kernel_sysctls(rshd_t)
 
 corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_recvfrom_unlabeled_peer(rshd_t)
 corenet_all_recvfrom_netlabel(rshd_t)
 corenet_tcp_sendrecv_generic_if(rshd_t)
 corenet_udp_sendrecv_generic_if(rshd_t)
Index: refpolicy_svn_repo/policy/modules/services/rsync.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rsync.te
+++ refpolicy_svn_repo/policy/modules/services/rsync.te
@@ -71,6 +71,7 @@ kernel_read_system_state(rsync_t)
 kernel_read_network_state(rsync_t)
 
 corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_recvfrom_unlabeled_peer(rsync_t)
 corenet_all_recvfrom_netlabel(rsync_t)
 corenet_tcp_sendrecv_all_if(rsync_t)
 corenet_udp_sendrecv_all_if(rsync_t)
Index: refpolicy_svn_repo/policy/modules/services/rwho.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rwho.te
+++ refpolicy_svn_repo/policy/modules/services/rwho.te
@@ -38,6 +38,7 @@ files_spool_filetrans(rwho_t,rwho_spool_
 kernel_read_system_state(rwho_t)
 
 corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_recvfrom_unlabeled_peer(rwho_t)
 corenet_all_recvfrom_netlabel(rwho_t)
 corenet_udp_sendrecv_all_if(rwho_t)
 corenet_udp_sendrecv_all_nodes(rwho_t)
Index: refpolicy_svn_repo/policy/modules/services/samba.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/samba.te
+++ refpolicy_svn_repo/policy/modules/services/samba.te
@@ -165,6 +165,7 @@ manage_lnk_files_pattern(samba_net_t,sam
 kernel_read_proc_symlinks(samba_net_t)
 
 corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_recvfrom_unlabeled_peer(samba_net_t)
 corenet_all_recvfrom_netlabel(samba_net_t)
 corenet_tcp_sendrecv_all_if(samba_net_t)
 corenet_udp_sendrecv_all_if(samba_net_t)
@@ -265,6 +266,7 @@ corecmd_exec_shell(smbd_t)
 corecmd_exec_bin(smbd_t)
 
 corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_recvfrom_unlabeled_peer(smbd_t)
 corenet_all_recvfrom_netlabel(smbd_t)
 corenet_tcp_sendrecv_all_if(smbd_t)
 corenet_udp_sendrecv_all_if(smbd_t)
@@ -422,6 +424,7 @@ kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
 
 corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_recvfrom_unlabeled_peer(nmbd_t)
 corenet_all_recvfrom_netlabel(nmbd_t)
 corenet_tcp_sendrecv_all_if(nmbd_t)
 corenet_udp_sendrecv_all_if(nmbd_t)
@@ -498,6 +501,7 @@ files_list_var_lib(smbmount_t)
 kernel_read_system_state(smbmount_t)
 
 corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_recvfrom_unlabeled_peer(smbmount_t)
 corenet_all_recvfrom_netlabel(smbmount_t)
 corenet_tcp_sendrecv_all_if(smbmount_t)
 corenet_raw_sendrecv_all_if(smbmount_t)
@@ -586,6 +590,7 @@ kernel_read_network_state(swat_t)
 corecmd_search_bin(swat_t)
 
 corenet_all_recvfrom_unlabeled(swat_t)
+corenet_recvfrom_unlabeled_peer(swat_t)
 corenet_all_recvfrom_netlabel(swat_t)
 corenet_tcp_sendrecv_generic_if(swat_t)
 corenet_udp_sendrecv_generic_if(swat_t)
@@ -684,6 +689,7 @@ kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
 
 corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_recvfrom_unlabeled_peer(winbind_t)
 corenet_all_recvfrom_netlabel(winbind_t)
 corenet_tcp_sendrecv_all_if(winbind_t)
 corenet_udp_sendrecv_all_if(winbind_t)
Index: refpolicy_svn_repo/policy/modules/services/sasl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sasl.te
+++ refpolicy_svn_repo/policy/modules/services/sasl.te
@@ -48,6 +48,7 @@ kernel_read_kernel_sysctls(saslauthd_t)
 kernel_read_system_state(saslauthd_t)
 
 corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_recvfrom_unlabeled_peer(saslauthd_t)
 corenet_all_recvfrom_netlabel(saslauthd_t)
 corenet_tcp_sendrecv_all_if(saslauthd_t)
 corenet_tcp_sendrecv_all_nodes(saslauthd_t)
Index: refpolicy_svn_repo/policy/modules/services/sendmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sendmail.te
+++ refpolicy_svn_repo/policy/modules/services/sendmail.te
@@ -49,6 +49,7 @@ kernel_read_kernel_sysctls(sendmail_t)
 kernel_read_system_state(sendmail_t)
 
 corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_recvfrom_unlabeled_peer(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
 corenet_tcp_sendrecv_all_if(sendmail_t)
 corenet_tcp_sendrecv_all_nodes(sendmail_t)
Index: refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/setroubleshoot.te
+++ refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
@@ -58,6 +58,7 @@ corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
 
 corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_recvfrom_unlabeled_peer(setroubleshootd_t)
 corenet_all_recvfrom_netlabel(setroubleshootd_t)
 corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
 corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
Index: refpolicy_svn_repo/policy/modules/services/smartmon.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/smartmon.te
+++ refpolicy_svn_repo/policy/modules/services/smartmon.te
@@ -43,6 +43,7 @@ kernel_read_system_state(fsdaemon_t)
 corecmd_exec_all_executables(fsdaemon_t)
 
 corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_recvfrom_unlabeled_peer(fsdaemon_t)
 corenet_all_recvfrom_netlabel(fsdaemon_t)
 corenet_udp_sendrecv_generic_if(fsdaemon_t)
 corenet_udp_sendrecv_all_nodes(fsdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/snmp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snmp.te
+++ refpolicy_svn_repo/policy/modules/services/snmp.te
@@ -54,6 +54,7 @@ corecmd_exec_bin(snmpd_t)
 corecmd_exec_shell(snmpd_t)
 
 corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_recvfrom_unlabeled_peer(snmpd_t)
 corenet_all_recvfrom_netlabel(snmpd_t)
 corenet_tcp_sendrecv_all_if(snmpd_t)
 corenet_udp_sendrecv_all_if(snmpd_t)
Index: refpolicy_svn_repo/policy/modules/services/snort.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snort.te
+++ refpolicy_svn_repo/policy/modules/services/snort.te
@@ -56,6 +56,7 @@ kernel_read_proc_symlinks(snort_t)
 kernel_dontaudit_read_system_state(snort_t)
 
 corenet_all_recvfrom_unlabeled(snort_t)
+corenet_recvfrom_unlabeled_peer(snort_t)
 corenet_all_recvfrom_netlabel(snort_t)
 corenet_tcp_sendrecv_generic_if(snort_t)
 corenet_udp_sendrecv_generic_if(snort_t)
Index: refpolicy_svn_repo/policy/modules/services/soundserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/soundserver.te
+++ refpolicy_svn_repo/policy/modules/services/soundserver.te
@@ -63,6 +63,7 @@ kernel_list_proc(soundd_t)
 kernel_read_proc_symlinks(soundd_t)
 
 corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_recvfrom_unlabeled_peer(soundd_t)
 corenet_all_recvfrom_netlabel(soundd_t)
 corenet_tcp_sendrecv_generic_if(soundd_t)
 corenet_udp_sendrecv_generic_if(soundd_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.if
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.if
@@ -96,6 +96,7 @@ template(`spamassassin_per_role_template
 	kernel_read_kernel_sysctls($1_spamc_t)
 
 	corenet_all_recvfrom_unlabeled($1_spamc_t)
+	corenet_recvfrom_unlabeled_peer($1_spamc_t)
 	corenet_all_recvfrom_netlabel($1_spamc_t)
 	corenet_tcp_sendrecv_generic_if($1_spamc_t)
 	corenet_udp_sendrecv_generic_if($1_spamc_t)
@@ -267,6 +268,7 @@ template(`spamassassin_per_role_template
 		allow $1_spamassassin_t self:udp_socket create_socket_perms;
 
 		corenet_all_recvfrom_unlabeled($1_spamassassin_t)
+		corenet_recvfrom_unlabeled_peer($1_spamassassin_t)
 		corenet_all_recvfrom_netlabel($1_spamassassin_t)
 		corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
 		corenet_udp_sendrecv_generic_if($1_spamassassin_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.te
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.te
@@ -91,6 +91,7 @@ kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 
 corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_recvfrom_unlabeled_peer(spamd_t)
 corenet_all_recvfrom_netlabel(spamd_t)
 corenet_tcp_sendrecv_all_if(spamd_t)
 corenet_udp_sendrecv_all_if(spamd_t)
Index: refpolicy_svn_repo/policy/modules/services/squid.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/squid.te
+++ refpolicy_svn_repo/policy/modules/services/squid.te
@@ -76,6 +76,7 @@ kernel_read_system_state(squid_t)
 files_dontaudit_getattr_boot_dirs(squid_t)
 
 corenet_all_recvfrom_unlabeled(squid_t)
+corenet_recvfrom_unlabeled_peer(squid_t)
 corenet_all_recvfrom_netlabel(squid_t)
 corenet_tcp_sendrecv_all_if(squid_t)
 corenet_udp_sendrecv_all_if(squid_t)
Index: refpolicy_svn_repo/policy/modules/services/ssh.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ssh.if
+++ refpolicy_svn_repo/policy/modules/services/ssh.if
@@ -109,6 +109,7 @@ template(`ssh_basic_client_template',`
 	kernel_read_kernel_sysctls($1_ssh_t)
 
 	corenet_all_recvfrom_unlabeled($1_ssh_t)
+	corenet_recvfrom_unlabeled_peer($1_ssh_t)
 	corenet_all_recvfrom_netlabel($1_ssh_t)
 	corenet_tcp_sendrecv_all_if($1_ssh_t)
 	corenet_tcp_sendrecv_all_nodes($1_ssh_t)
@@ -465,6 +466,7 @@ template(`ssh_server_template', `
 	kernel_read_kernel_sysctls($1_t)
 
 	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_recvfrom_unlabeled_peer($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
Index: refpolicy_svn_repo/policy/modules/services/stunnel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/stunnel.te
+++ refpolicy_svn_repo/policy/modules/services/stunnel.te
@@ -55,6 +55,7 @@ kernel_read_system_state(stunnel_t)
 kernel_read_network_state(stunnel_t)
 
 corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_recvfrom_unlabeled_peer(stunnel_t)
 corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_all_if(stunnel_t)
 corenet_udp_sendrecv_all_if(stunnel_t)
Index: refpolicy_svn_repo/policy/modules/services/tcpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tcpd.te
+++ refpolicy_svn_repo/policy/modules/services/tcpd.te
@@ -24,6 +24,7 @@ manage_files_pattern(tcpd_t, tcpd_tmp_t,
 files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
 
 corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_recvfrom_unlabeled_peer(tcpd_t)
 corenet_all_recvfrom_netlabel(tcpd_t)
 corenet_tcp_sendrecv_all_if(tcpd_t)
 corenet_tcp_sendrecv_all_nodes(tcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/telnet.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/telnet.te
+++ refpolicy_svn_repo/policy/modules/services/telnet.te
@@ -49,6 +49,7 @@ kernel_read_system_state(telnetd_t)
 kernel_read_network_state(telnetd_t)
 
 corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_recvfrom_unlabeled_peer(telnetd_t)
 corenet_all_recvfrom_netlabel(telnetd_t)
 corenet_tcp_sendrecv_all_if(telnetd_t)
 corenet_udp_sendrecv_all_if(telnetd_t)
Index: refpolicy_svn_repo/policy/modules/services/tftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tftp.te
+++ refpolicy_svn_repo/policy/modules/services/tftp.te
@@ -56,6 +56,7 @@ kernel_list_proc(tftpd_t)
 kernel_read_proc_symlinks(tftpd_t)
 
 corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_recvfrom_unlabeled_peer(tftpd_t)
 corenet_all_recvfrom_netlabel(tftpd_t)
 corenet_tcp_sendrecv_all_if(tftpd_t)
 corenet_udp_sendrecv_all_if(tftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/timidity.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/timidity.te
+++ refpolicy_svn_repo/policy/modules/services/timidity.te
@@ -41,6 +41,7 @@ kernel_read_kernel_sysctls(timidity_t)
 kernel_read_system_state(timidity_t)
 
 corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_recvfrom_unlabeled_peer(timidity_t)
 corenet_all_recvfrom_netlabel(timidity_t)
 corenet_tcp_sendrecv_generic_if(timidity_t)
 corenet_udp_sendrecv_generic_if(timidity_t)
Index: refpolicy_svn_repo/policy/modules/services/tor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tor.te
+++ refpolicy_svn_repo/policy/modules/services/tor.te
@@ -64,6 +64,7 @@ kernel_read_system_state(tor_t)
 
 # networking basics
 corenet_all_recvfrom_unlabeled(tor_t)
+corenet_recvfrom_unlabeled_peer(tor_t)
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_all_if(tor_t)
 corenet_tcp_sendrecv_all_nodes(tor_t)
Index: refpolicy_svn_repo/policy/modules/services/transproxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/transproxy.te
+++ refpolicy_svn_repo/policy/modules/services/transproxy.te
@@ -31,6 +31,7 @@ kernel_list_proc(transproxy_t)
 kernel_read_proc_symlinks(transproxy_t)
 
 corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_recvfrom_unlabeled_peer(transproxy_t)
 corenet_all_recvfrom_netlabel(transproxy_t)
 corenet_tcp_sendrecv_generic_if(transproxy_t)
 corenet_tcp_sendrecv_all_nodes(transproxy_t)
Index: refpolicy_svn_repo/policy/modules/services/ucspitcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ucspitcp.te
+++ refpolicy_svn_repo/policy/modules/services/ucspitcp.te
@@ -26,6 +26,7 @@ ucspitcp_service_domain(rblsmtpd_t, rbls
 corecmd_search_bin(rblsmtpd_t)
 
 corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_recvfrom_unlabeled_peer(rblsmtpd_t)
 corenet_all_recvfrom_netlabel(rblsmtpd_t)
 corenet_tcp_sendrecv_all_if(rblsmtpd_t)
 corenet_udp_sendrecv_all_if(rblsmtpd_t)
@@ -60,6 +61,7 @@ corecmd_search_bin(ucspitcp_t)
 
 # base networking:
 corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_recvfrom_unlabeled_peer(ucspitcp_t)
 corenet_all_recvfrom_netlabel(ucspitcp_t)
 corenet_tcp_sendrecv_all_if(ucspitcp_t)
 corenet_udp_sendrecv_all_if(ucspitcp_t)
Index: refpolicy_svn_repo/policy/modules/services/uucp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uucp.te
+++ refpolicy_svn_repo/policy/modules/services/uucp.te
@@ -70,6 +70,7 @@ kernel_read_system_state(uucpd_t)
 kernel_read_network_state(uucpd_t)
 
 corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_recvfrom_unlabeled_peer(uucpd_t)
 corenet_all_recvfrom_netlabel(uucpd_t)
 corenet_tcp_sendrecv_all_if(uucpd_t)
 corenet_udp_sendrecv_all_if(uucpd_t)
Index: refpolicy_svn_repo/policy/modules/services/uwimap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uwimap.te
+++ refpolicy_svn_repo/policy/modules/services/uwimap.te
@@ -40,6 +40,7 @@ kernel_list_proc(imapd_t)
 kernel_read_proc_symlinks(imapd_t)
 
 corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_recvfrom_unlabeled_peer(imapd_t)
 corenet_all_recvfrom_netlabel(imapd_t)
 corenet_tcp_sendrecv_generic_if(imapd_t)
 corenet_tcp_sendrecv_all_nodes(imapd_t)
Index: refpolicy_svn_repo/policy/modules/services/watchdog.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/watchdog.te
+++ refpolicy_svn_repo/policy/modules/services/watchdog.te
@@ -44,6 +44,7 @@ corecmd_exec_shell(watchdog_t)
 
 # cjp: why networking?
 corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_recvfrom_unlabeled_peer(watchdog_t)
 corenet_all_recvfrom_netlabel(watchdog_t)
 corenet_tcp_sendrecv_generic_if(watchdog_t)
 corenet_udp_sendrecv_generic_if(watchdog_t)
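Review bot: The new `corenet_recvfrom_unlabeled_peer(watchdog_t)` lands directly under the pre-existing `# cjp: why networking?` comment, so this hunk widens network receive access for a domain whose need for any networking is already an open question in the file. The mechanical mapping from `corenet_all_recvfrom_unlabeled` is consistent with every other hunk in the series, so the line itself is not wrong; the question is whether watchdog_t should be carried along at all. Either resolve the open question before extending the grant, or keep the new line visibly under the same comment so it is not read as confirmation that the networking is needed.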
Index: refpolicy_svn_repo/policy/modules/services/xfs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xfs.te
+++ refpolicy_svn_repo/policy/modules/services/xfs.te
@@ -39,6 +39,7 @@ kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
 corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_recvfrom_unlabeled_peer(xfs_t)
 corenet_all_recvfrom_netlabel(xfs_t)
 corenet_tcp_sendrecv_generic_if(xfs_t)
 corenet_tcp_sendrecv_all_nodes(xfs_t)
Index: refpolicy_svn_repo/policy/modules/services/xprint.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xprint.te
+++ refpolicy_svn_repo/policy/modules/services/xprint.te
@@ -34,6 +34,7 @@ corecmd_exec_bin(xprint_t)
 corecmd_exec_shell(xprint_t)
 
 corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_recvfrom_unlabeled_peer(xprint_t)
 corenet_all_recvfrom_netlabel(xprint_t)
 corenet_tcp_sendrecv_generic_if(xprint_t)
 corenet_udp_sendrecv_generic_if(xprint_t)
Index: refpolicy_svn_repo/policy/modules/services/xserver.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.if
+++ refpolicy_svn_repo/policy/modules/services/xserver.if
@@ -95,6 +95,7 @@ template(`xserver_common_domain_template
 	corecmd_exec_shell($1_xserver_t)
 
 	corenet_all_recvfrom_unlabeled($1_xserver_t)
+	corenet_recvfrom_unlabeled_peer($1_xserver_t)
 	corenet_all_recvfrom_netlabel($1_xserver_t)
 	corenet_tcp_sendrecv_generic_if($1_xserver_t)
 	corenet_udp_sendrecv_generic_if($1_xserver_t)
Index: refpolicy_svn_repo/policy/modules/services/xserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.te
+++ refpolicy_svn_repo/policy/modules/services/xserver.te
@@ -175,6 +175,7 @@ corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
 
 corenet_all_recvfrom_unlabeled(xdm_t)
+corenet_recvfrom_unlabeled_peer(xdm_t)
 corenet_all_recvfrom_netlabel(xdm_t)
 corenet_tcp_sendrecv_generic_if(xdm_t)
 corenet_udp_sendrecv_generic_if(xdm_t)
Index: refpolicy_svn_repo/policy/modules/services/zebra.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/zebra.te
+++ refpolicy_svn_repo/policy/modules/services/zebra.te
@@ -68,6 +68,7 @@ kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 
 corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_recvfrom_unlabeled_peer(zebra_t)
 corenet_all_recvfrom_netlabel(zebra_t)
 corenet_tcp_sendrecv_all_if(zebra_t)
 corenet_udp_sendrecv_all_if(zebra_t)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 5/5] REFPOL: Allow network system domains to receive unlabeled traffic
  2008-02-26 18:40 [PATCH 0/5] New labeled networking permissions for 2.6.25 paul.moore
                   ` (3 preceding siblings ...)
  2008-02-26 18:40 ` [PATCH 4/5] REFPOL: Allow network service " paul.moore
@ 2008-02-26 18:40 ` paul.moore
  2008-02-26 21:52 ` [PATCH 0/5] New labeled networking permissions for 2.6.25 Eric Paris
  5 siblings, 0 replies; 14+ messages in thread
From: paul.moore @ 2008-02-26 18:40 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore

This patch adds the corenet_recvfrom_unlabeled_peer() interface call to
all of the system modules which need to receive data over the network.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 policy/modules/system/hotplug.te    |    1 +
 policy/modules/system/init.te       |    1 +
 policy/modules/system/ipsec.te      |    2 ++
 policy/modules/system/iscsi.te      |    1 +
 policy/modules/system/logging.te    |    1 +
 policy/modules/system/lvm.te        |    1 +
 policy/modules/system/mount.te      |    1 +
 policy/modules/system/sysnetwork.if |    3 +++
 policy/modules/system/sysnetwork.te |    1 +
 policy/modules/system/userdomain.if |    1 +
 policy/modules/system/xen.te        |    1 +
 11 files changed, 14 insertions(+)

Index: refpolicy_svn_repo/policy/modules/system/hotplug.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/hotplug.te
+++ refpolicy_svn_repo/policy/modules/system/hotplug.te
@@ -52,6 +52,7 @@ kernel_read_net_sysctls(hotplug_t)
 files_read_kernel_modules(hotplug_t)
 
 corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_recvfrom_unlabeled_peer(hotplug_t)
 corenet_all_recvfrom_netlabel(hotplug_t)
 corenet_tcp_sendrecv_all_if(hotplug_t)
 corenet_udp_sendrecv_all_if(hotplug_t)
Index: refpolicy_svn_repo/policy/modules/system/init.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/init.te
+++ refpolicy_svn_repo/policy/modules/system/init.te
@@ -236,6 +236,7 @@ kernel_dontaudit_getattr_message_if(init
 files_read_kernel_symbol_table(initrc_t)
 
 corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_recvfrom_unlabeled_peer(initrc_t)
 corenet_all_recvfrom_netlabel(initrc_t)
 corenet_tcp_sendrecv_all_if(initrc_t)
 corenet_udp_sendrecv_all_if(initrc_t)
Index: refpolicy_svn_repo/policy/modules/system/ipsec.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/ipsec.te
+++ refpolicy_svn_repo/policy/modules/system/ipsec.te
@@ -96,6 +96,7 @@ kernel_getattr_message_if(ipsec_t)
 
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
+corenet_recvfrom_unlabeled_peer(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
 corenet_raw_sendrecv_all_if(ipsec_t)
 corenet_tcp_sendrecv_all_nodes(ipsec_t)
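Review bot: ipsec_t receives the new unlabeled-peer grant without a `corenet_all_recvfrom_netlabel(ipsec_t)` beside it, which makes this hunk and the racoon_t hunk just below the only places in the series where the unlabeled/netlabel pair is split. If that is deliberate, a one-line comment such as `# netlabel receive deliberately omitted: <reason>` would keep a later sweep from "fixing" it; if it is an oversight, the hunk should also add `corenet_all_recvfrom_netlabel(ipsec_t)` (and the racoon_t equivalent). Once the network_peer_controls capability is enabled, this difference presumably decides whether NetLabel-labeled packets from an IKE peer are permitted or denied for these two domains, so it is worth settling now rather than after the capability flips.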
@@ -301,6 +302,7 @@ kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_recvfrom_unlabeled_peer(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
Index: refpolicy_svn_repo/policy/modules/system/iscsi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/iscsi.te
+++ refpolicy_svn_repo/policy/modules/system/iscsi.te
@@ -57,6 +57,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_r
 kernel_read_system_state(iscsid_t)
 
 corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_recvfrom_unlabeled_peer(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_all_if(iscsid_t)
 corenet_tcp_sendrecv_all_nodes(iscsid_t)
Index: refpolicy_svn_repo/policy/modules/system/logging.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/logging.te
+++ refpolicy_svn_repo/policy/modules/system/logging.te
@@ -311,6 +311,7 @@ init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_recvfrom_unlabeled_peer(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
Index: refpolicy_svn_repo/policy/modules/system/lvm.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/lvm.te
+++ refpolicy_svn_repo/policy/modules/system/lvm.te
@@ -70,6 +70,7 @@ corecmd_exec_shell(clvmd_t)
 corecmd_getattr_bin_files(clvmd_t)
 
 corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_recvfrom_unlabeled_peer(clvmd_t)
 corenet_all_recvfrom_netlabel(clvmd_t)
 corenet_tcp_sendrecv_all_if(clvmd_t)
 corenet_udp_sendrecv_all_if(clvmd_t)
Index: refpolicy_svn_repo/policy/modules/system/mount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/mount.te
+++ refpolicy_svn_repo/policy/modules/system/mount.te
@@ -143,6 +143,7 @@ tunable_policy(`allow_mount_anyfile',`
 optional_policy(`
 	# for nfs
 	corenet_all_recvfrom_unlabeled(mount_t)
+	corenet_recvfrom_unlabeled_peer(mount_t)
 	corenet_all_recvfrom_netlabel(mount_t)
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.if
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.if
@@ -481,6 +481,7 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
@@ -513,6 +514,7 @@ interface(`sysnet_use_ldap',`
 	allow $1 self:tcp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
@@ -543,6 +545,7 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.te
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.te
@@ -85,6 +85,7 @@ kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
 corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_recvfrom_unlabeled_peer(dhcpc_t)
 corenet_all_recvfrom_netlabel(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
Index: refpolicy_svn_repo/policy/modules/system/userdomain.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/userdomain.if
+++ refpolicy_svn_repo/policy/modules/system/userdomain.if
@@ -539,6 +539,7 @@ template(`userdom_basic_networking_templ
 	allow $1_t self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_recvfrom_unlabeled_peer($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
Index: refpolicy_svn_repo/policy/modules/system/xen.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/xen.te
+++ refpolicy_svn_repo/policy/modules/system/xen.te
@@ -143,6 +143,7 @@ corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
 
 corenet_all_recvfrom_unlabeled(xend_t)
+corenet_recvfrom_unlabeled_peer(xend_t)
 corenet_all_recvfrom_netlabel(xend_t)
 corenet_tcp_sendrecv_all_if(xend_t)
 corenet_tcp_sendrecv_all_nodes(xend_t)

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 0/5] New labeled networking permissions for 2.6.25
From: Eric Paris @ 2008-02-26 21:52 UTC (permalink / raw)
  To: paul.moore@hp.com, selinux

On 2/26/08, paul.moore@hp.com <paul.moore@hp.com> wrote:
>  It is important to note that
>  while this patchset adds the permissions required it doesn't enable the
>  "network_peer_controls" policy capability.

Darn it, I'm trying to play with a new capability for something I'm
writing and I just read this whole patch set (before i read 0/5) to
see where you decided to define it so I could copy that in my policy.
Thanks for not doing the one thing I was hunting for!

So, does anyone have any good suggestions for where we should turn
on/off these new capabilities?  I know it has to be in the base module
in the end, but I don't know what file to put them in.  I might just
throw it in kernel.te for now for me to keep testing but I assume we
are going to want all of these definitions in one place?  Are we going
to want them all over as long as they end up being built into base?

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 0/5] New labeled networking permissions for 2.6.25
From: Paul Moore @ 2008-02-26 22:08 UTC (permalink / raw)
  To: Eric Paris; +Cc: selinux

On Tuesday 26 February 2008 4:52:34 pm Eric Paris wrote:
> On 2/26/08, paul.moore@hp.com <paul.moore@hp.com> wrote:
> >  It is important to note that
> >  while this patchset adds the permissions required it doesn't
> > enable the "network_peer_controls" policy capability.
>
> Darn it, I'm trying to play with a new capability for something I'm
> writing and I just read this whole patch set (before i read 0/5) to
> see where you decided to define it so I could copy that in my policy.
> Thanks for not doing the one thing I was hunting for!

Well, thanks for looking at the code ;)

I currently enable the functionality with a simple module which consists 
solely of the lines below:

 policy_module(peer_test,0.0.2)
 policycap network_peer_controls;
 # dummy type - not used
 type peer_test_t;

However, be warned that the policy toolchain in rawhide won't compile 
this correctly at present (well, as of this morning anyway) so you have 
to get the bits from SVN.  This is one of the reasons why I didn't 
submit a patch enabling the policy capabilities (that and there needs 
to be more testing done first).

> So, does anyone have a good idea suggestions where we should turn
> on/off these new capabilities?  I know it has to be in the base
> module in the end, but I don't know what file to put them in.  I
> might just throw it in kernel.te for now for me to keep testing but I
> assume we are going to want all of these definitions in one place? 
> Are we going to want them all over as long as they end up being built
> into base?

I have no idea but I suspect Chris has given this some thought and 
probably has some ideas.  I tend to think putting them in one place is 
probably a good idea ...

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 0/5] New labeled networking permissions for 2.6.25
From: Christopher J. PeBenito @ 2008-02-27 13:23 UTC (permalink / raw)
  To: Paul Moore; +Cc: Eric Paris, selinux

On Tue, 2008-02-26 at 17:08 -0500, Paul Moore wrote:
> On Tuesday 26 February 2008 4:52:34 pm Eric Paris wrote:
> > On 2/26/08, paul.moore@hp.com <paul.moore@hp.com> wrote:
> > >  It is important to note that
> > >  while this patchset adds the permissions required it doesn't
> > > enable the "network_peer_controls" policy capability.
[...]
> > So, does anyone have a good idea suggestions where we should turn
> > on/off these new capabilities?  I know it has to be in the base
> > module in the end, but I don't know what file to put them in.  I
> > might just throw it in kernel.te for now for me to keep testing but I
> > assume we are going to want all of these definitions in one place? 
> > Are we going to want them all over as long as they end up being built
> > into base?
> 
> I have no idea but I suspect Chris has given this some thought and 
> probably has some ideas.  I tend to think putting them in one place is 
> probably a good idea ...

I haven't thought about this much, but my initial idea would be to have
a specific file, maybe policy/polcaps or policy/capabilities.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 0/5] New labeled networking permissions for 2.6.25
From: Paul Moore @ 2008-02-27 14:35 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Eric Paris, selinux

On Wednesday 27 February 2008 8:23:41 am Christopher J. PeBenito wrote:
> On Tue, 2008-02-26 at 17:08 -0500, Paul Moore wrote:
> > On Tuesday 26 February 2008 4:52:34 pm Eric Paris wrote:
> > > On 2/26/08, paul.moore@hp.com <paul.moore@hp.com> wrote:
> > > >  It is important to note that
> > > >  while this patchset adds the permissions required it doesn't
> > > > enable the "network_peer_controls" policy capability.
>
> [...]
>
> > > So, does anyone have a good idea suggestions where we should turn
> > > on/off these new capabilities?  I know it has to be in the base
> > > module in the end, but I don't know what file to put them in.  I
> > > might just throw it in kernel.te for now for me to keep testing
> > > but I assume we are going to want all of these definitions in one
> > > place? Are we going to want them all over as long as they end up
> > > being built into base?
> >
> > I have no idea but I suspect Chris has given this some thought and
> > probably has some ideas.  I tend to think putting them in one place
> > is probably a good idea ...
>
> I haven't thought about this much, but my initial idea would be to
> have a specific file, maybe policy/polcaps or policy/capabilities.

Sounds good to me.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/5] REFPOL: Add new labeled networking permissions
From: Christopher J. PeBenito @ 2008-03-19 13:19 UTC (permalink / raw)
  To: paul.moore; +Cc: selinux

On Tue, 2008-02-26 at 13:40 -0500, paul.moore@hp.com wrote:
> The 2.6.25 kernel will introduce a new set of labeled networking controls to
> SELinux and this patch makes the necessary changes to the Reference Policy
> to support unlabeled network traffic with the new controls.
> 
> A description of the new/improved labeled networking controls was posted to
> the SELinux list back in early January 2008.
> 
>  * http://marc.info/?l=selinux&m=119991234501200&w=2
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  policy/modules/kernel/corenetwork.if.in |   69 +++++++++++++++++++++++---------

Is there a reason why you skipped adding ingress/egress to the "all"
interfaces (e.g. corenet_udp_receive_all_if)?

>  policy/modules/kernel/corenetwork.if.m4 |   20 ++++-----
>  policy/modules/kernel/kernel.if         |   30 +++++++++++++
>  policy/modules/kernel/kernel.te         |    3 +
>  4 files changed, 94 insertions(+), 28 deletions(-)

> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
>  
>  ########################################
>  ## <summary>
> +##	Receive packets from an unlabeled peer.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Receive packets from an unlabeled peer,
> +##      these packets do not have any peer labeling
> +##      information present.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_recvfrom_unlabeled_peer',`
> +	kernel_recvfrom_unlabeled_peer($1)
> +')

Seems unnecessary since it seems like it should be called from
corenet_(tcp|udp|raw)_recvfrom_unlabeled?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/5] REFPOL: Add new labeled networking permissions
From: Paul Moore @ 2008-03-19 18:24 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux

On Wednesday 19 March 2008 9:19:53 am Christopher J. PeBenito wrote:
> On Tue, 2008-02-26 at 13:40 -0500, paul.moore@hp.com wrote:
> > The 2.6.25 kernel will introduce a new set of labeled networking
> > controls to SELinux and this patch makes the necessary changes to
> > the Reference Policy to support unlabeled network traffic with the
> > new controls.
> >
> > A description of the new/improved labeled networking controls was
> > posted to the SELinux list back in early January 2008.
> >
> >  * http://marc.info/?l=selinux&m=119991234501200&w=2
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> > ---
> >  policy/modules/kernel/corenetwork.if.in |   69
> > +++++++++++++++++++++++---------
>
> Is there a reason why you skipped adding ingress/egress to the "all"
> interfaces (e.g. corenet_udp_receive_all_if)?

Nope, or at least not one that I can remember right now.  I just went 
through and added ingress/egress to the netif permissions as well as 
sendto/recvfrom to the node permissions.  Thanks.

> > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
> >
> >  ########################################
> >  ## <summary>
> > +##	Receive packets from an unlabeled peer.
> > +## </summary>
> > +## <desc>
> > +##	<p>
> > +##	Receive packets from an unlabeled peer,
> > +##      these packets do not have any peer labeling
> > +##      information present.
> > +##	</p>
> > +## </desc>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`corenet_recvfrom_unlabeled_peer',`
> > +	kernel_recvfrom_unlabeled_peer($1)
> > +')
>
> Seems unnecessary since it seems like it should be called from
> corenet_(tcp|udp|raw)_recvfrom_unlabeled?

Okay, would you prefer to add kernel_recvfrom_unlabeled_peer() to 
corenet_{tcp,udp,raw}_recvfrom_unlabeled() or simply add the new allow 
rule to kernel_{tcp,udp,raw}_recvfrom_unlabeled()?

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/5] REFPOL: Add new labeled networking permissions
From: Christopher J. PeBenito @ 2008-03-20 12:50 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On Wed, 2008-03-19 at 14:24 -0400, Paul Moore wrote:
> On Wednesday 19 March 2008 9:19:53 am Christopher J. PeBenito wrote:
> > On Tue, 2008-02-26 at 13:40 -0500, paul.moore@hp.com wrote:
> > > The 2.6.25 kernel will introduce a new set of labeled networking
> > > controls to SELinux and this patch makes the necessary changes to
> > > the Reference Policy to support unlabeled network traffic with the
> > > new controls.
> > >
> > > A description of the new/improved labeled networking controls was
> > > posted to the SELinux list back in early January 2008.
> > >
> > >  * http://marc.info/?l=selinux&m=119991234501200&w=2

> > > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> > > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > > @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
> > >
> > >  ########################################
> > >  ## <summary>
> > > +##	Receive packets from an unlabeled peer.
> > > +## </summary>
> > > +## <desc>
> > > +##	<p>
> > > +##	Receive packets from an unlabeled peer,
> > > +##      these packets do not have any peer labeling
> > > +##      information present.
> > > +##	</p>
> > > +## </desc>
> > > +## <param name="domain">
> > > +##	<summary>
> > > +##	Domain allowed access.
> > > +##	</summary>
> > > +## </param>
> > > +#
> > > +interface(`corenet_recvfrom_unlabeled_peer',`
> > > +	kernel_recvfrom_unlabeled_peer($1)
> > > +')
> >
> > Seems unnecessary since it seems like it should be called from
> > corenet_(tcp|udp|raw)_recvfrom_unlabeled?
> 
> Okay, would you prefer to add kernel_recvfrom_unlabeled_peer() to 
> corenet_{tcp,udp,raw}_recvfrom_unlabeled() or simply add the new allow 
> rule to kernel_{tcp,udp,raw}_recvfrom_unlabeled()?

The latter seems the best choice.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 1/5] REFPOL: Add new labeled networking permissions
From: Paul Moore @ 2008-03-20 15:08 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: selinux

On Thursday 20 March 2008 8:50:56 am Christopher J. PeBenito wrote:
> On Wed, 2008-03-19 at 14:24 -0400, Paul Moore wrote:
> > On Wednesday 19 March 2008 9:19:53 am Christopher J. PeBenito wrote:
> > > > refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> > > > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > > > @@ -2380,6 +2392,27 @@ interface(`corenet_sendrecv_unlabeled_pa
> > > >
> > > >  ########################################
> > > >  ## <summary>
> > > > +##	Receive packets from an unlabeled peer.
> > > > +## </summary>
> > > > +## <desc>
> > > > +##	<p>
> > > > +##	Receive packets from an unlabeled peer,
> > > > +##      these packets do not have any peer labeling
> > > > +##      information present.
> > > > +##	</p>
> > > > +## </desc>
> > > > +## <param name="domain">
> > > > +##	<summary>
> > > > +##	Domain allowed access.
> > > > +##	</summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`corenet_recvfrom_unlabeled_peer',`
> > > > +	kernel_recvfrom_unlabeled_peer($1)
> > > > +')
> > >
> > > Seems unnecessary since it seems like it should be called from
> > > corenet_(tcp|udp|raw)_recvfrom_unlabeled?
> >
> > Okay, would you prefer to add kernel_recvfrom_unlabeled_peer() to
> > corenet_{tcp,udp,raw}_recvfrom_unlabeled() or simply add the new
> > allow rule to kernel_{tcp,udp,raw}_recvfrom_unlabeled()?
>
> The latter seems the best choice.

Okey dokey, I'm kinda swamped right now but I'll get an updated 
patch[set] out next week.

Thanks.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

