* [refpolicy] [PATCH] network: Enable "network_peer_controls" and fix some remaining issues
2009-02-02 22:28 [refpolicy] [PATCH] network: Enable "network_peer_controls" and fix some remaining issues Paul Moore
2009-02-03 16:33 Christopher J. PeBenito
2009-02-03 20:23 Paul Moore
From: Christopher J. PeBenito @ 2009-02-03 16:33 UTC
To: refpolicy
On Mon, 2009-02-02 at 17:28 -0500, Paul Moore wrote:
> plain text document attachment (network-in_out_basic)
> We added the network_peer_controls capability back in Linux Kernel 2.6.25 but
> didn't activate the capability because more work was needed to ensure a smooth
> transition to the new controls. This patch enables the network_peer_controls
> capability and fixes a few remaining issues with its use. With this patch
> applied to the Fedora Rawhide SELinux policy (selinux-policy-3.6.3-12.fc11) I
> am able to interact with the machine over the network without any new AVC
> denials.
Merged, with some rearrangement. I also plan on adding similar
interfaces for all netifs and all nodes, for completeness.
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
> policy/modules/kernel/corenetwork.if.in | 108 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/kernel.te | 4 -
> policy/policy_capabilities | 2
> 3 files changed, 112 insertions(+), 2 deletions(-)
>
> Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
> +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> @@ -140,6 +140,60 @@ interface(`corenet_server_packet',`
>
> ########################################
> ## <summary>
> +## Allow outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the outgoing network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_if',`
> + gen_require(`
> + type netif_t;
> + ')
> +
> + allow $1 netif_t:netif { egress };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the incoming network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_if',`
> + gen_require(`
> + type netif_t;
> + ')
> +
> + allow $1 netif_t:netif { ingress };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming and outgoing network traffic on the generic interfaces.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_if',`
> + corenet_in_generic_if($1)
> + corenet_out_generic_if($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive TCP network traffic on the generic interfaces.
> ## </summary>
> ## <param name="domain">
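Review bot: the `<infoflow type="both" weight="10"/>` annotation on `corenet_out_generic_if` and `corenet_in_generic_if` does not match what those interfaces grant: each allows a single direction (`allow $1 netif_t:netif { egress };` and `allow $1 netif_t:netif { ingress };`), so the egress-only interface should be documented as `type="write"` and the ingress-only one as `type="read"`, with `type="both"` kept for `corenet_inout_generic_if`; otherwise information-flow analysis of the policy overstates what the one-way interfaces permit. A smaller documentation point: all three interfaces name the parameter `domain` while their summaries describe it only as "The peer label of the ... network traffic"; the two should agree, either by describing the argument as the domain or peer label being granted access, or by renaming the parameter to match the summary.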
> @@ -435,6 +489,60 @@ interface(`corenet_raw_sendrecv_all_if',
>
> ########################################
> ## <summary>
> +## Allow outgoing network traffic to generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the outgoing network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_out_generic_node',`
> + gen_require(`
> + type node_t;
> + ')
> +
> + allow $1 node_t:node { sendto };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming network traffic from generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the incoming network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_in_generic_node',`
> + gen_require(`
> + type node_t;
> + ')
> +
> + allow $1 node_t:node { recvfrom };
> +')
> +
> +########################################
> +## <summary>
> +## Allow incoming and outgoing network traffic with generic nodes.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The peer label of the network traffic.
> +## </summary>
> +## </param>
> +## <infoflow type="both" weight="10"/>
> +#
> +interface(`corenet_inout_generic_node',`
> + corenet_in_generic_node($1)
> + corenet_out_generic_node($1)
> +')
> +
> +########################################
> +## <summary>
> ## Send and receive TCP network traffic on generic nodes.
> ## </summary>
> ## <param name="domain">
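Review bot: the node interfaces carry the same infoflow mismatch as the netif ones: `corenet_out_generic_node` grants only `node_t:node { sendto }` and `corenet_in_generic_node` only `node_t:node { recvfrom }`, yet both are annotated `<infoflow type="both" weight="10"/>`; mark them `write` and `read` respectively and reserve `both` for `corenet_inout_generic_node`. The parameter documentation also repeats the peer-label-only wording ("The peer label of the outgoing network traffic") under a parameter named `domain`, so the same summary/parameter-name fix applied to the netif hunk should be applied here, so that the two blocks stay parallel.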
> Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te
> +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te
> @@ -221,8 +221,10 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> -# Forwarded network traffic
> +# Allow unlabeled network traffic
> allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> +corenet_in_generic_if(unlabeled_t)
> +corenet_in_generic_node(unlabeled_t)
>
> corenet_all_recvfrom_unlabeled(kernel_t)
> corenet_all_recvfrom_netlabel(kernel_t)
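Review bot: the unlabeled_t additions only cover the inbound side: `corenet_in_generic_if(unlabeled_t)` and `corenet_in_generic_node(unlabeled_t)` grant ingress/recvfrom, but the line kept directly above them, `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };`, shows this block is also meant to handle forwarded traffic, which leaves the machine in the outbound direction too. Either add the matching `corenet_out_generic_if(unlabeled_t)` and `corenet_out_generic_node(unlabeled_t)` (or the inout variants this patch introduces), or add a comment stating why unlabeled traffic needs only the ingress permissions; the cover letter's test ("interact with the machine over the network") would not exercise forwarding, so a missing egress rule would not have shown up as an AVC denial. The renamed comment `# Allow unlabeled network traffic` also drops the word "forwarded", which still describes the forward_in/forward_out line under it; `# Allow forwarded and unlabeled network traffic` would keep both rules accurately described.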
> Index: refpolicy_svn_repo/policy/policy_capabilities
> ===================================================================
> --- refpolicy_svn_repo.orig/policy/policy_capabilities
> +++ refpolicy_svn_repo/policy/policy_capabilities
> @@ -17,7 +17,7 @@
> # netif: ingress egress
> # peer: recv
> #
> -#policycap network_peer_controls;
> +policycap network_peer_controls;
>
> # Enable additional access controls for opening
> # a file (and similar objects).
>
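Review bot: turning on `policycap network_peer_controls;` changes the permission checks the kernel applies to network traffic (the classes listed in the comment block above it, e.g. `# netif: ingress egress` and `# peer: recv`), and that comment should also record the minimum kernel version the capability requires, which the cover letter gives as 2.6.25, so that anyone building this policy for an older kernel can see why the line is there and what it depends on. It would also help to note in the same comment that the new `corenet_in_generic_*`/`corenet_out_generic_*` interfaces in corenetwork.if.in are the intended way to grant the netif and node permissions this capability starts enforcing, since nothing else in the patch ties the two changes together.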
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150