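#################################
#
# base_can_network(domain, protocol, port_type)
#
# Core network permissions for a single socket protocol.
#   $1 = the domain being granted access
#   $2 = socket protocol, e.g. udp or tcp (used as $2_socket, $2_send, $2_recv)
#   $3 = port type the domain may exchange messages with
#        (port_type is the attribute covering every port type)
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`base_can_network',`
#
# Allow the domain to create and use $2 sockets.
# Other kinds of sockets must be separately authorized for use.
allow $1 self:$2_socket create_socket_perms;
#
# Allow the domain to send or receive using any network interface.
# netif_type is a type attribute for all network interface types.
# Note: rawip_send/rawip_recv are granted alongside the $2 permissions.
#
allow $1 netif_type:netif { $2_send rawip_send };
allow $1 netif_type:netif { $2_recv rawip_recv };
#
# Allow the domain to send to or receive from any node.
# node_type is a type attribute for all node types.
#
allow $1 node_type:node { $2_send rawip_send };
allow $1 node_type:node { $2_recv rawip_recv };
#
# Allow the domain to send to or receive from the $3 port type.
# Passing port_type (a type attribute for all port types) grants
# every port; pass a specific port type to restrict this.
#
allow $1 $3:{ $2_socket } { send_msg recv_msg };
# XXX Allow binding to any node type. Remove once
# individual rules have been added to all domains that
# bind sockets.
allow $1 node_type: { $2_socket } node_bind;
')dnl end base_can_network definition

#################################
#
# can_network(domain, [protocol], [port_type])
#
# Permissions for accessing the network.
#   can_network(d)            - udp and tcp to every port, plus tcp listen/accept
#   can_network(d, proto)     - proto only, to every port (port_type)
#   can_network(d, proto, pt) - proto only, restricted to port type pt
# tcp listen/accept is granted whenever tcp is included.
# See types/network.te for the network types.
# See net_contexts for security contexts for network entities.
#
define(`can_network',`
ifelse($2, `', `
base_can_network($1, udp, port_type)
base_can_network($1, tcp, port_type)
allow $1 self:tcp_socket { listen accept };
', `
dnl With no explicit port type, fall back to the port_type attribute;
dnl with one, honor it (previously these two branches were swapped,
dnl which passed an empty port type and ignored a supplied one).
ifelse($3, `', `
base_can_network($1, $2, port_type)
', `
base_can_network($1, $2, $3)
') dnl ifelse $3
ifelse($2, `tcp', `
allow $1 self:tcp_socket { listen accept };
')
')
#
# Allow the domain to send NFS client requests via the socket
# created by mount.
#
allow $1 mount_t:udp_socket rw_socket_perms;
#
# Allow access to network files including /etc/resolv.conf
#
allow $1 net_conf_t:file r_file_perms;
')dnl end can_network definition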