* [PATCH 0/4] NetLabel and MLS fixes for Reference Policy
@ 2006-12-14 19:24 paul.moore
2006-12-14 19:24 ` [PATCH 1/4] Policy patches to add NetLabel support to various domains paul.moore
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: paul.moore @ 2006-12-14 19:24 UTC (permalink / raw)
To: selinux; +Cc: cpebenito
This patchset addresses a few problems with the reference policy in SVN. The first is that when I sent the original NetLabel policy patches I forgot to actually assign NetLabel receive access to any of the application domains - oops. The other issues involve MLS socket overrides and their use in the inetd_t domain.
Most of the changes should have little impact on the policy and I've done some quick testing and everything looks okay to me. One note: telnet seems to be broken when used in strict-mls under the current policy (broken without this patchset) and I'm currently looking into that; I'll push another patch when I have that fixed.
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
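The cover letter's first problem (domains that use the network but were never granted NetLabel receive access) is the kind of gap a small consistency check over the policy sources can catch before review. The script below is an added example, not code from the patch or from the Reference Policy project: it scans a fragment of .te/.if text for corenet_tcp_*/corenet_udp_* interface calls and reports, per domain, protocols used without a matching corenet_{tcp,udp}_recv_netlabel rule, recv_netlabel rules for a protocol the domain never otherwise uses, and recv_netlabel calls that sit outside an ifdef(`enable_mls') block. The m4 block tracking is a deliberate simplification (one-line openers of the form name(`arg',` and the bare closer ') as used throughout refpolicy), and the sample policy text is constructed to mirror the shapes in the patch, not copied from any real module.

```python
"""Lint NetLabel receive rules in Reference Policy .te/.if fragments.

Added example, not code from the patch or from refpolicy itself.  Assumptions:
interface calls are one per line, m4 blocks open with a one-line `name(`arg',`'
and close with a bare `')', and no else-branches (`',`') are used.
"""
import re
from typing import Dict, List, Set

# corenet_udp_bind_all_nodes(amavis_t) -> ("udp", "bind_all_nodes", "amavis_t")
CALL_RE = re.compile(r"corenet_(tcp|udp)_([a-z_]+)\(\s*([^)\s]+)\s*\)")
# ifdef(`enable_mls',`  /  tunable_policy(`httpd_can_network_connect',`
OPEN_RE = re.compile(r"^\s*(\w+)\(`([^']*)',`\s*$")
# the bare closer ') on its own line
CLOSE_RE = re.compile(r"^\s*'\)\s*$")


def scan_policy(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per domain: protocols used, protocols with recv_netlabel, and
    recv_netlabel protocols granted outside an ifdef(`enable_mls') block."""
    info: Dict[str, Dict[str, Set[str]]] = {}
    stack: List[str] = []  # enclosing m4 blocks as "name:arg", innermost last
    for line in text.splitlines():
        opener = OPEN_RE.match(line)
        if opener:
            name, arg = opener.groups()
            stack.append(f"{name}:{arg}")
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        for proto, iface, domain in CALL_RE.findall(line):
            entry = info.setdefault(
                domain, {"uses": set(), "netlabel": set(), "unguarded": set()})
            if iface == "recv_netlabel":
                entry["netlabel"].add(proto)
                if "ifdef:enable_mls" not in stack:
                    entry["unguarded"].add(proto)
            else:
                entry["uses"].add(proto)
    return info


def find_gaps(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return only the domains that have something to report."""
    gaps: Dict[str, Dict[str, Set[str]]] = {}
    for domain, entry in scan_policy(text).items():
        report = {
            "missing": entry["uses"] - entry["netlabel"],      # uses proto, no recv_netlabel
            "unneeded": entry["netlabel"] - entry["uses"],     # recv_netlabel, proto unused
            "unguarded": entry["unguarded"],                   # not under enable_mls
        }
        if any(report.values()):
            gaps[domain] = report
    return gaps


# Constructed sample modelled on the patch's shapes; not a real policy file.
SAMPLE = """\
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
corenet_udp_bind_all_nodes(amavis_t)
ifdef(`enable_mls',`
\tcorenet_tcp_recv_netlabel(amavis_t)
')
corenet_tcp_sendrecv_all_ports(webalizer_t)
ifdef(`enable_mls',`
\tcorenet_tcp_recv_netlabel(webalizer_t)
')
corenet_udp_sendrecv_all_ports(ciped_t)
corenet_tcp_recv_netlabel(ciped_t)
corenet_udp_recv_netlabel(ciped_t)
tunable_policy(`httpd_can_network_connect',`
\tcorenet_tcp_connect_all_ports(httpd_suexec_t)
\tifdef(`enable_mls',`
\t\tcorenet_tcp_recv_netlabel(httpd_suexec_t)
\t')
')
"""

if __name__ == "__main__":
    for domain, report in sorted(find_gaps(SAMPLE).items()):
        print(domain, {k: sorted(v) for k, v in report.items() if v})
```

Run against a module directory with `cat policy/modules/services/*.te | python3 lint_netlabel.py` style piping (the script name is hypothetical); in the sample, amavis_t is reported for a missing UDP rule, ciped_t for an unused TCP grant and two unguarded calls, while webalizer_t and httpd_suexec_t are consistent and stay silent.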
* [PATCH 1/4] Policy patches to add NetLabel support to various domains
2006-12-14 19:24 [PATCH 0/4] NetLabel and MLS fixes for Reference Policy paul.moore
@ 2006-12-14 19:24 ` paul.moore
2006-12-14 19:24 ` [PATCH 2/4] Policy patches to add NetLabel support for Raw IP sockets paul.moore
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: paul.moore @ 2006-12-14 19:24 UTC (permalink / raw)
To: selinux; +Cc: cpebenito, Paul Moore
From: Paul Moore <paul.moore@hp.com>
The original NetLabel policy patch added the ability to receive NetLabel
packets to normal user domains but it forgot to give that ability to all of the
various other application domains. This patch adds that support, mostly
through the use of some variation on the following code snippet:
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(<domain>)
corenet_udp_recv_netlabel(<domain>)
')
Which was chosen as it seemed to be in line with the current policy.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
policy/modules/admin/amanda.te | 8 ++++++++
policy/modules/admin/apt.te | 4 ++++
policy/modules/admin/backup.te | 4 ++++
policy/modules/admin/dpkg.te | 4 ++++
policy/modules/admin/mrtg.te | 4 ++++
policy/modules/admin/netutils.te | 4 ++++
policy/modules/admin/portage.if | 4 ++++
policy/modules/admin/rpm.te | 4 ++++
policy/modules/admin/sxid.te | 4 ++++
policy/modules/apps/calamaris.te | 4 ++++
policy/modules/apps/evolution.if | 10 ++++++++++
policy/modules/apps/games.if | 4 ++++
policy/modules/apps/gift.if | 8 ++++++++
policy/modules/apps/gpg.if | 8 ++++++++
policy/modules/apps/irc.if | 4 ++++
policy/modules/apps/java.if | 4 ++++
policy/modules/apps/mozilla.if | 3 +++
policy/modules/apps/screen.if | 4 ++++
policy/modules/apps/thunderbird.if | 3 +++
policy/modules/apps/uml.if | 4 ++++
policy/modules/apps/vmware.te | 4 ++++
policy/modules/apps/webalizer.te | 3 +++
policy/modules/apps/yam.te | 3 +++
policy/modules/services/afs.te | 20 ++++++++++++++++++++
policy/modules/services/amavis.te | 3 +++
policy/modules/services/apache.if | 8 ++++++++
policy/modules/services/apache.te | 8 ++++++++
policy/modules/services/arpwatch.te | 4 ++++
policy/modules/services/asterisk.te | 4 ++++
policy/modules/services/automount.te | 4 ++++
policy/modules/services/avahi.te | 4 ++++
policy/modules/services/bind.te | 7 +++++++
policy/modules/services/bluetooth.te | 4 ++++
policy/modules/services/canna.te | 3 +++
policy/modules/services/ccs.te | 4 ++++
policy/modules/services/cipe.te | 3 +++
policy/modules/services/clamav.te | 6 ++++++
policy/modules/services/clockspeed.te | 6 ++++++
policy/modules/services/comsat.te | 4 ++++
policy/modules/services/courier.if | 4 ++++
policy/modules/services/courier.te | 3 +++
policy/modules/services/cron.if | 4 ++++
policy/modules/services/cron.te | 4 ++++
policy/modules/services/cups.te | 19 +++++++++++++++++++
policy/modules/services/cvs.te | 4 ++++
policy/modules/services/cyrus.te | 4 ++++
policy/modules/services/dante.te | 4 ++++
policy/modules/services/dbskk.te | 4 ++++
policy/modules/services/dbus.if | 3 +++
policy/modules/services/dcc.te | 18 ++++++++++++++++++
policy/modules/services/ddclient.te | 4 ++++
policy/modules/services/dictd.te | 4 ++++
policy/modules/services/distcc.te | 4 ++++
policy/modules/services/djbdns.if | 4 ++++
policy/modules/services/dnsmasq.te | 4 ++++
policy/modules/services/dovecot.te | 3 +++
policy/modules/services/fetchmail.te | 4 ++++
policy/modules/services/finger.te | 4 ++++
policy/modules/services/ftp.te | 4 ++++
policy/modules/services/gatekeeper.te | 4 ++++
policy/modules/services/hal.te | 4 ++++
policy/modules/services/howl.te | 4 ++++
policy/modules/services/i18n_input.te | 4 ++++
policy/modules/services/imaze.te | 4 ++++
policy/modules/services/inetd.te | 4 ++++
policy/modules/services/inn.te | 4 ++++
policy/modules/services/ircd.te | 4 ++++
policy/modules/services/jabber.te | 4 ++++
policy/modules/services/kerberos.if | 4 ++++
policy/modules/services/kerberos.te | 8 ++++++++
policy/modules/services/ktalk.te | 4 ++++
policy/modules/services/ldap.te | 4 ++++
policy/modules/services/lpd.if | 4 ++++
policy/modules/services/lpd.te | 8 ++++++++
policy/modules/services/mailman.if | 4 ++++
policy/modules/services/monop.te | 4 ++++
policy/modules/services/mta.if | 3 +++
policy/modules/services/munin.te | 4 ++++
policy/modules/services/mysql.te | 4 ++++
policy/modules/services/nagios.te | 4 ++++
policy/modules/services/nessus.te | 4 ++++
policy/modules/services/networkmanager.te | 4 ++++
policy/modules/services/nis.if | 4 ++++
policy/modules/services/nis.te | 16 ++++++++++++++++
policy/modules/services/nscd.te | 4 ++++
policy/modules/services/nsd.te | 8 ++++++++
policy/modules/services/ntop.te | 4 ++++
policy/modules/services/ntp.te | 4 ++++
policy/modules/services/nx.te | 4 ++++
policy/modules/services/oav.te | 8 ++++++++
policy/modules/services/pegasus.te | 3 +++
policy/modules/services/perdition.te | 4 ++++
policy/modules/services/portmap.te | 8 ++++++++
policy/modules/services/portslave.te | 4 ++++
policy/modules/services/postfix.if | 4 ++++
policy/modules/services/postfix.te | 11 +++++++++++
policy/modules/services/postgresql.te | 4 ++++
policy/modules/services/postgrey.te | 3 +++
policy/modules/services/ppp.te | 7 +++++++
policy/modules/services/privoxy.te | 3 +++
policy/modules/services/procmail.te | 4 ++++
policy/modules/services/pyzor.te | 6 ++++++
policy/modules/services/qmail.te | 4 ++++
policy/modules/services/radius.te | 4 ++++
policy/modules/services/radvd.te | 4 ++++
policy/modules/services/razor.if | 3 +++
policy/modules/services/razor.te | 3 +++
policy/modules/services/rdisc.te | 3 +++
policy/modules/services/rhgb.te | 4 ++++
policy/modules/services/ricci.te | 7 +++++++
policy/modules/services/rlogin.te | 4 ++++
policy/modules/services/roundup.te | 4 ++++
policy/modules/services/rpc.if | 4 ++++
policy/modules/services/rshd.te | 4 ++++
policy/modules/services/rsync.te | 4 ++++
policy/modules/services/samba.te | 24 ++++++++++++++++++++++++
policy/modules/services/sasl.te | 3 +++
policy/modules/services/sendmail.te | 3 +++
policy/modules/services/setroubleshoot.te | 3 +++
policy/modules/services/smartmon.te | 3 +++
policy/modules/services/snmp.te | 4 ++++
policy/modules/services/snort.te | 4 ++++
policy/modules/services/soundserver.te | 4 ++++
policy/modules/services/spamassassin.if | 4 ++++
policy/modules/services/spamassassin.te | 4 ++++
policy/modules/services/squid.te | 4 ++++
policy/modules/services/ssh.if | 7 +++++++
policy/modules/services/stunnel.te | 4 ++++
policy/modules/services/tcpd.te | 3 +++
policy/modules/services/telnet.te | 4 ++++
policy/modules/services/tftp.te | 4 ++++
policy/modules/services/timidity.te | 4 ++++
policy/modules/services/tor.te | 3 +++
policy/modules/services/transproxy.te | 3 +++
policy/modules/services/ucspitcp.te | 8 ++++++++
policy/modules/services/uucp.te | 4 ++++
policy/modules/services/uwimap.te | 3 +++
policy/modules/services/watchdog.te | 4 ++++
policy/modules/services/xprint.te | 4 ++++
policy/modules/services/xserver.if | 4 ++++
policy/modules/services/xserver.te | 4 ++++
policy/modules/services/zebra.te | 4 ++++
policy/modules/system/hotplug.te | 4 ++++
policy/modules/system/iscsi.te | 3 +++
policy/modules/system/lvm.te | 5 +++++
policy/modules/system/mount.te | 4 ++++
policy/modules/system/sysnetwork.if | 12 ++++++++++++
147 files changed, 723 insertions(+)
Index: refpolicy/policy/modules/admin/amanda.te
===================================================================
--- refpolicy.orig/policy/modules/admin/amanda.te
+++ refpolicy/policy/modules/admin/amanda.te
@@ -125,6 +125,10 @@ corenet_udp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_all_nodes(amanda_t)
corenet_udp_bind_all_nodes(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(amanda_t)
+ corenet_udp_recv_netlabel(amanda_t)
+')
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
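Review bot: the ifdef(`enable_mls') guard around corenet_tcp_recv_netlabel(amanda_t) and corenet_udp_recv_netlabel(amanda_t) is justified in the description only as being "in line with the current policy"; the effect is that a policy built without enable_mls gets no NetLabel receive permission for amanda_t at all, and the same guard is used in every other hunk of this patch. Either add a short comment (here or in the commit message) saying why NetLabel receive is meant to be MLS-only, or drop the guard so the grant follows the domain's other corenet rules unconditionally.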
@@ -213,6 +217,10 @@ corenet_udp_bind_all_nodes(amanda_recove
corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t)
corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(amanda_recover_t)
+ corenet_udp_recv_netlabel(amanda_recover_t)
+')
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
Index: refpolicy/policy/modules/admin/apt.te
===================================================================
--- refpolicy.orig/policy/modules/admin/apt.te
+++ refpolicy/policy/modules/admin/apt.te
@@ -80,6 +80,10 @@ corenet_tcp_sendrecv_all_nodes(apt_t)
corenet_udp_sendrecv_all_nodes(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(apt_t)
+ corenet_udp_recv_netlabel(apt_t)
+')
# TODO: reall allow all these?
corenet_tcp_bind_all_nodes(apt_t)
corenet_udp_bind_all_nodes(apt_t)
Index: refpolicy/policy/modules/admin/backup.te
===================================================================
--- refpolicy.orig/policy/modules/admin/backup.te
+++ refpolicy/policy/modules/admin/backup.te
@@ -47,6 +47,10 @@ corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_connect_all_ports(backup_t)
corenet_sendrecv_all_client_packets(backup_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(backup_t)
+ corenet_udp_recv_netlabel(backup_t)
+')
dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)
Index: refpolicy/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/admin/dpkg.te
+++ refpolicy/policy/modules/admin/dpkg.te
@@ -101,6 +101,10 @@ corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dpkg_t)
+ corenet_udp_recv_netlabel(dpkg_t)
+')
dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
Index: refpolicy/policy/modules/admin/mrtg.te
===================================================================
--- refpolicy.orig/policy/modules/admin/mrtg.te
+++ refpolicy/policy/modules/admin/mrtg.te
@@ -73,6 +73,10 @@ corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(mrtg_t)
+ corenet_udp_recv_netlabel(mrtg_t)
+')
dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)
Index: refpolicy/policy/modules/admin/netutils.te
===================================================================
--- refpolicy.orig/policy/modules/admin/netutils.te
+++ refpolicy/policy/modules/admin/netutils.te
@@ -55,6 +55,10 @@ corenet_udp_sendrecv_all_ports(netutils_
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(netutils_t)
+ corenet_udp_recv_netlabel(netutils_t)
+')
fs_getattr_xattr_fs(netutils_t)
Index: refpolicy/policy/modules/admin/portage.if
===================================================================
--- refpolicy.orig/policy/modules/admin/portage.if
+++ refpolicy/policy/modules/admin/portage.if
@@ -163,6 +163,10 @@ interface(`portage_compile_domain',`
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
dev_read_sysfs($1)
dev_read_rand($1)
Index: refpolicy/policy/modules/admin/rpm.te
===================================================================
--- refpolicy.orig/policy/modules/admin/rpm.te
+++ refpolicy/policy/modules/admin/rpm.te
@@ -102,6 +102,10 @@ corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
corenet_sendrecv_all_client_packets(rpm_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rpm_t)
+ corenet_udp_recv_netlabel(rpm_t)
+')
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
Index: refpolicy/policy/modules/admin/sxid.te
===================================================================
--- refpolicy.orig/policy/modules/admin/sxid.te
+++ refpolicy/policy/modules/admin/sxid.te
@@ -50,6 +50,10 @@ corenet_tcp_sendrecv_all_nodes(sxid_t)
corenet_udp_sendrecv_all_nodes(sxid_t)
corenet_tcp_sendrecv_all_ports(sxid_t)
corenet_udp_sendrecv_all_ports(sxid_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(sxid_t)
+ corenet_udp_recv_netlabel(sxid_t)
+')
dev_read_sysfs(sxid_t)
dev_getattr_all_blk_files(sxid_t)
Index: refpolicy/policy/modules/apps/calamaris.te
===================================================================
--- refpolicy.orig/policy/modules/apps/calamaris.te
+++ refpolicy/policy/modules/apps/calamaris.te
@@ -47,6 +47,10 @@ corenet_tcp_sendrecv_all_nodes(calamaris
corenet_udp_sendrecv_all_nodes(calamaris_t)
corenet_tcp_sendrecv_all_ports(calamaris_t)
corenet_udp_sendrecv_all_ports(calamaris_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(calamaris_t)
+ corenet_udp_recv_netlabel(calamaris_t)
+')
dev_read_urand(calamaris_t)
Index: refpolicy/policy/modules/apps/evolution.if
===================================================================
--- refpolicy.orig/policy/modules/apps/evolution.if
+++ refpolicy/policy/modules/apps/evolution.if
@@ -209,6 +209,10 @@ template(`evolution_per_role_template',`
corenet_sendrecv_innd_client_packets($1_evolution_t)
corenet_sendrecv_ldap_client_packets($1_evolution_t)
corenet_sendrecv_ipp_client_packets($1_evolution_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_evolution_t)
+ corenet_udp_recv_netlabel($1_evolution_t)
+ ')
# not sure about this bind
corenet_udp_bind_all_nodes($1_evolution_t)
corenet_udp_bind_generic_port($1_evolution_t)
@@ -642,6 +646,9 @@ template(`evolution_per_role_template',`
corenet_tcp_connect_http_port($1_evolution_server_t)
corenet_sendrecv_http_client_packets($1_evolution_server_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_server_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_evolution_server_t)
+ ')
files_read_etc_files($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
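Review bot: the commit message should state when a hunk deliberately omits corenet_udp_recv_netlabel; here $1_evolution_server_t gets only corenet_tcp_recv_netlabel, and the visible context (corenet_tcp_connect_http_port, corenet_sendrecv_http_client_packets) suggests the rule is "UDP omitted where the domain has no UDP socket rules", but the description only says "some variation on the following code snippet". Spelling that rule out lets the other TCP-only hunks (evolution_webcal, mozilla, thunderbird, webalizer, yam, amavis, ndc, canna, clamd) be checked against it.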
@@ -719,6 +726,9 @@ template(`evolution_per_role_template',`
corenet_tcp_connect_http_port($1_evolution_webcal_t)
corenet_sendrecv_http_client_packets($1_evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_evolution_webcal_t)
+ ')
# Networking capability - connect to website and handle ics link
sysnet_read_config($1_evolution_webcal_t)
Index: refpolicy/policy/modules/apps/games.if
===================================================================
--- refpolicy.orig/policy/modules/apps/games.if
+++ refpolicy/policy/modules/apps/games.if
@@ -100,6 +100,10 @@ template(`games_per_role_template',`
corenet_tcp_connect_generic_port($1_games_t)
corenet_sendrecv_generic_client_packets($1_games_t)
corenet_sendrecv_generic_server_packets($1_games_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_games_t)
+ corenet_udp_recv_netlabel($1_games_t)
+ ')
dev_read_sound($1_games_t)
dev_write_sound($1_games_t)
Index: refpolicy/policy/modules/apps/gift.if
===================================================================
--- refpolicy.orig/policy/modules/apps/gift.if
+++ refpolicy/policy/modules/apps/gift.if
@@ -102,6 +102,10 @@ template(`gift_per_role_template',`
corenet_tcp_sendrecv_giftd_port($1_gift_t)
corenet_tcp_connect_giftd_port($1_gift_t)
corenet_sendrecv_giftd_client_packets($1_gift_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_gift_t)
+ corenet_udp_recv_netlabel($1_gift_t)
+ ')
fs_search_auto_mountpoints($1_gift_t)
@@ -168,6 +172,10 @@ template(`gift_per_role_template',`
corenet_udp_bind_all_ports($1_giftd_t)
corenet_tcp_connect_all_ports($1_giftd_t)
corenet_sendrecv_all_client_packets($1_giftd_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_giftd_t)
+ corenet_udp_recv_netlabel($1_giftd_t)
+ ')
files_read_usr_files($1_giftd_t)
# Read /etc/mtab
Index: refpolicy/policy/modules/apps/gpg.if
===================================================================
--- refpolicy.orig/policy/modules/apps/gpg.if
+++ refpolicy/policy/modules/apps/gpg.if
@@ -105,6 +105,10 @@ template(`gpg_per_role_template',`
corenet_udp_sendrecv_all_ports($1_gpg_t)
corenet_tcp_connect_all_ports($1_gpg_t)
corenet_sendrecv_all_client_packets($1_gpg_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_gpg_t)
+ corenet_udp_recv_netlabel($1_gpg_t)
+ ')
dev_read_rand($1_gpg_t)
dev_read_urand($1_gpg_t)
@@ -171,6 +175,10 @@ template(`gpg_per_role_template',`
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
corenet_tcp_connect_all_ports($1_gpg_helper_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_gpg_helper_t)
+ corenet_udp_recv_netlabel($1_gpg_helper_t)
+ ')
dev_read_urand($1_gpg_helper_t)
Index: refpolicy/policy/modules/apps/irc.if
===================================================================
--- refpolicy.orig/policy/modules/apps/irc.if
+++ refpolicy/policy/modules/apps/irc.if
@@ -98,6 +98,10 @@ template(`irc_per_role_template',`
corenet_tcp_sendrecv_all_ports($1_irc_t)
corenet_udp_sendrecv_all_ports($1_irc_t)
corenet_sendrecv_ircd_client_packets($1_irc_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_irc_t)
+ corenet_udp_recv_netlabel($1_irc_t)
+ ')
# cjp: this seems excessive:
corenet_tcp_connect_all_ports($1_irc_t)
corenet_sendrecv_all_client_packets($1_irc_t)
Index: refpolicy/policy/modules/apps/java.if
===================================================================
--- refpolicy.orig/policy/modules/apps/java.if
+++ refpolicy/policy/modules/apps/java.if
@@ -106,6 +106,10 @@ template(`java_per_role_template',`
corenet_udp_sendrecv_all_ports($1_javaplugin_t)
corenet_tcp_connect_all_ports($1_javaplugin_t)
corenet_sendrecv_all_client_packets($1_javaplugin_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_javaplugin_t)
+ corenet_udp_recv_netlabel($1_javaplugin_t)
+ ')
dev_read_sound($1_javaplugin_t)
dev_write_sound($1_javaplugin_t)
Index: refpolicy/policy/modules/apps/mozilla.if
===================================================================
--- refpolicy.orig/policy/modules/apps/mozilla.if
+++ refpolicy/policy/modules/apps/mozilla.if
@@ -142,6 +142,9 @@ template(`mozilla_per_role_template',`
corenet_sendrecv_ftp_client_packets($1_mozilla_t)
corenet_sendrecv_ipp_client_packets($1_mozilla_t)
corenet_sendrecv_generic_client_packets($1_mozilla_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_mozilla_t)
+ ')
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
corenet_dontaudit_tcp_bind_generic_port($1_mozilla_t)
Index: refpolicy/policy/modules/apps/screen.if
===================================================================
--- refpolicy.orig/policy/modules/apps/screen.if
+++ refpolicy/policy/modules/apps/screen.if
@@ -124,6 +124,10 @@ template(`screen_per_role_template',`
corenet_tcp_sendrecv_all_ports($1_screen_t)
corenet_udp_sendrecv_all_ports($1_screen_t)
corenet_tcp_connect_all_ports($1_screen_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_screen_t)
+ corenet_udp_recv_netlabel($1_screen_t)
+ ')
dev_dontaudit_getattr_all_chr_files($1_screen_t)
dev_dontaudit_getattr_all_blk_files($1_screen_t)
Index: refpolicy/policy/modules/apps/thunderbird.if
===================================================================
--- refpolicy.orig/policy/modules/apps/thunderbird.if
+++ refpolicy/policy/modules/apps/thunderbird.if
@@ -121,6 +121,9 @@ template(`thunderbird_per_role_template'
corenet_sendrecv_smtp_client_packets($1_thunderbird_t)
corenet_sendrecv_pop_client_packets($1_thunderbird_t)
corenet_sendrecv_http_client_packets($1_thunderbird_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_thunderbird_t)
+ ')
files_list_tmp($1_thunderbird_t)
files_read_usr_files($1_thunderbird_t)
Index: refpolicy/policy/modules/apps/uml.if
===================================================================
--- refpolicy.orig/policy/modules/apps/uml.if
+++ refpolicy/policy/modules/apps/uml.if
@@ -159,6 +159,10 @@ template(`uml_per_role_template',`
corenet_tcp_connect_all_ports($1_uml_t)
corenet_sendrecv_all_client_packets($1_uml_t)
corenet_rw_tun_tap_dev($1_uml_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_uml_t)
+ corenet_udp_recv_netlabel($1_uml_t)
+ ')
domain_use_interactive_fds($1_uml_t)
Index: refpolicy/policy/modules/apps/vmware.te
===================================================================
--- refpolicy.orig/policy/modules/apps/vmware.te
+++ refpolicy/policy/modules/apps/vmware.te
@@ -58,6 +58,10 @@ corenet_raw_bind_all_nodes(vmware_host_t
corenet_tcp_connect_all_ports(vmware_host_t)
corenet_sendrecv_all_client_packets(vmware_host_t)
corenet_sendrecv_all_server_packets(vmware_host_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(vmware_host_t)
+ corenet_udp_recv_netlabel(vmware_host_t)
+')
dev_read_sysfs(vmware_host_t)
dev_rw_vmware(vmware_host_t)
Index: refpolicy/policy/modules/apps/webalizer.te
===================================================================
--- refpolicy.orig/policy/modules/apps/webalizer.te
+++ refpolicy/policy/modules/apps/webalizer.te
@@ -65,6 +65,9 @@ corenet_non_ipsec_sendrecv(webalizer_t)
corenet_tcp_sendrecv_all_if(webalizer_t)
corenet_tcp_sendrecv_all_nodes(webalizer_t)
corenet_tcp_sendrecv_all_ports(webalizer_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(webalizer_t)
+')
fs_search_auto_mountpoints(webalizer_t)
Index: refpolicy/policy/modules/apps/yam.te
===================================================================
--- refpolicy.orig/policy/modules/apps/yam.te
+++ refpolicy/policy/modules/apps/yam.te
@@ -68,6 +68,9 @@ corenet_tcp_connect_http_port(yam_t)
corenet_tcp_connect_rsync_port(yam_t)
corenet_sendrecv_http_client_packets(yam_t)
corenet_sendrecv_rsync_client_packets(yam_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(yam_t)
+')
# mktemp
dev_read_urand(yam_t)
Index: refpolicy/policy/modules/services/afs.te
===================================================================
--- refpolicy.orig/policy/modules/services/afs.te
+++ refpolicy/policy/modules/services/afs.te
@@ -99,6 +99,10 @@ corenet_udp_sendrecv_all_ports(afs_bosse
corenet_udp_bind_all_nodes(afs_bosserver_t)
corenet_udp_bind_afs_bos_port(afs_bosserver_t)
corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(afs_bosserver_t)
+ corenet_udp_recv_netlabel(afs_bosserver_t)
+')
files_read_etc_files(afs_bosserver_t)
files_list_home(afs_bosserver_t)
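Review bot: corenet_tcp_recv_netlabel(afs_bosserver_t) may be a grant the domain cannot use; the context lines show only UDP rules for this domain (corenet_udp_sendrecv_all_ports, corenet_udp_bind_all_nodes, corenet_udp_bind_afs_bos_port), unlike afs_fsserver_t below, which also has corenet_tcp_bind_afs_fs_port. The afs_kaserver_t, afs_ptserver_t and afs_vlserver_t hunks have the same shape. If those domains have no TCP socket rules elsewhere in afs.te, keep only the corenet_udp_recv_netlabel line in each so the grant stays minimal.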
@@ -159,6 +163,10 @@ corenet_udp_bind_all_nodes(afs_fsserver_
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
corenet_udp_bind_afs_fs_port(afs_fsserver_t)
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(afs_fsserver_t)
+ corenet_udp_recv_netlabel(afs_fsserver_t)
+')
files_read_etc_files(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
@@ -218,6 +226,10 @@ corenet_udp_bind_afs_ka_port(afs_kaserve
corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_sendrecv_afs_ka_server_packets(afs_kaserver_t)
corenet_sendrecv_kerberos_server_packets(afs_kaserver_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(afs_kaserver_t)
+ corenet_udp_recv_netlabel(afs_kaserver_t)
+')
files_read_etc_files(afs_kaserver_t)
files_list_home(afs_kaserver_t)
@@ -263,6 +275,10 @@ corenet_udp_sendrecv_all_ports(afs_ptser
corenet_udp_bind_all_nodes(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(afs_ptserver_t)
+ corenet_udp_recv_netlabel(afs_ptserver_t)
+')
files_read_etc_files(afs_ptserver_t)
@@ -304,6 +320,10 @@ corenet_udp_sendrecv_all_ports(afs_vlser
corenet_udp_bind_all_nodes(afs_vlserver_t)
corenet_udp_bind_afs_vl_port(afs_vlserver_t)
corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(afs_vlserver_t)
+ corenet_udp_recv_netlabel(afs_vlserver_t)
+')
files_read_etc_files(afs_vlserver_t)
Index: refpolicy/policy/modules/services/amavis.te
===================================================================
--- refpolicy.orig/policy/modules/services/amavis.te
+++ refpolicy/policy/modules/services/amavis.te
@@ -104,6 +104,9 @@ corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
corenet_udp_bind_all_nodes(amavis_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(amavis_t)
+')
# amavis uses well-defined ports
corenet_tcp_sendrecv_amavisd_recv_port(amavis_t)
corenet_tcp_sendrecv_amavisd_send_port(amavis_t)
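Review bot: amavis_t keeps corenet_udp_bind_all_nodes(amavis_t) in the context lines but this hunk adds only corenet_tcp_recv_netlabel(amavis_t). If amavis_t really receives on UDP sockets it also needs corenet_udp_recv_netlabel(amavis_t) inside the same ifdef block; if it does not, the UDP bind rule is the stale one. Either way the two should agree, and the choice is worth a comment.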
Index: refpolicy/policy/modules/services/apache.if
===================================================================
--- refpolicy.orig/policy/modules/services/apache.if
+++ refpolicy/policy/modules/services/apache.if
@@ -192,6 +192,10 @@ template(`apache_content_template',`
corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(httpd_$1_script_t)
+ corenet_udp_recv_netlabel(httpd_$1_script_t)
+ ')
sysnet_read_config(httpd_$1_script_t)
')
@@ -209,6 +213,10 @@ template(`apache_content_template',`
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
corenet_tcp_connect_all_ports(httpd_$1_script_t)
corenet_sendrecv_all_client_packets(httpd_$1_script_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(httpd_$1_script_t)
+ corenet_udp_recv_netlabel(httpd_$1_script_t)
+ ')
sysnet_read_config(httpd_$1_script_t)
')
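Review bot: the identical ifdef(`enable_mls') block is now inserted into two consecutive tunable_policy bodies of apache_content_template (this hunk and the one at the @@ -192 hunk above). Because both copies are conditional on a connect tunable, a script domain with neither tunable enabled gets no recv_netlabel rule at all, and one with both enabled gets the rule emitted twice (harmless, but noisy). If receiving labelled packets is meant to follow the domain's ability to use the network at all, hoist the block out of the tunable_policy bodies into the unconditional part of the template so there is a single copy.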
Index: refpolicy/policy/modules/services/apache.te
===================================================================
--- refpolicy.orig/policy/modules/services/apache.te
+++ refpolicy/policy/modules/services/apache.te
@@ -223,6 +223,10 @@ corenet_tcp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(httpd_t)
+ corenet_udp_recv_netlabel(httpd_t)
+')
# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)
@@ -570,6 +574,10 @@ tunable_policy(`httpd_can_network_connec
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(httpd_suexec_t)
+ corenet_udp_recv_netlabel(httpd_suexec_t)
+ ')
sysnet_read_config(httpd_suexec_t)
')
Index: refpolicy/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy.orig/policy/modules/services/arpwatch.te
+++ refpolicy/policy/modules/services/arpwatch.te
@@ -57,6 +57,10 @@ corenet_udp_sendrecv_all_nodes(arpwatch_
corenet_raw_sendrecv_all_nodes(arpwatch_t)
corenet_tcp_sendrecv_all_ports(arpwatch_t)
corenet_udp_sendrecv_all_ports(arpwatch_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(arpwatch_t)
+ corenet_udp_recv_netlabel(arpwatch_t)
+')
dev_read_sysfs(arpwatch_t)
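Review bot: arpwatch_t has corenet_raw_sendrecv_all_nodes(arpwatch_t) in the context but only the TCP and UDP recv_netlabel rules are added here. The series subject for PATCH 2/4 ("NetLabel support for Raw IP sockets") presumably covers the raw socket case, so say in this description which domains are intentionally deferred to that patch (arpwatch_t here, and bluetooth_t and vmware_host_t elsewhere in this patch also carry raw-socket rules) so the two patches can be checked for coverage together.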
Index: refpolicy/policy/modules/services/asterisk.te
===================================================================
--- refpolicy.orig/policy/modules/services/asterisk.te
+++ refpolicy/policy/modules/services/asterisk.te
@@ -94,6 +94,10 @@ corenet_udp_bind_all_nodes(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(asterisk_t)
+ corenet_udp_recv_netlabel(asterisk_t)
+')
# for VOIP voice channels.
corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
Index: refpolicy/policy/modules/services/automount.te
===================================================================
--- refpolicy.orig/policy/modules/services/automount.te
+++ refpolicy/policy/modules/services/automount.te
@@ -96,6 +96,10 @@ corenet_tcp_connect_portmap_port(automou
corenet_tcp_connect_all_ports(automount_t)
corenet_dontaudit_tcp_connect_all_reserved_ports(automount_t)
corenet_sendrecv_all_client_packets(automount_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(automount_t)
+ corenet_udp_recv_netlabel(automount_t)
+')
# Automount execs showmount when you browse /net. This is required until
# Someone writes a showmount policy
corenet_tcp_bind_reserved_port(automount_t)
Index: refpolicy/policy/modules/services/avahi.te
===================================================================
--- refpolicy.orig/policy/modules/services/avahi.te
+++ refpolicy/policy/modules/services/avahi.te
@@ -51,6 +51,10 @@ corenet_tcp_bind_howl_port(avahi_t)
corenet_udp_bind_howl_port(avahi_t)
corenet_send_howl_client_packets(avahi_t)
corenet_receive_howl_server_packets(avahi_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(avahi_t)
+ corenet_udp_recv_netlabel(avahi_t)
+')
dev_read_sysfs(avahi_t)
dev_read_urand(avahi_t)
Index: refpolicy/policy/modules/services/bind.te
===================================================================
--- refpolicy.orig/policy/modules/services/bind.te
+++ refpolicy/policy/modules/services/bind.te
@@ -110,6 +110,10 @@ corenet_sendrecv_dns_server_packets(name
corenet_sendrecv_dns_client_packets(named_t)
corenet_sendrecv_rndc_server_packets(named_t)
corenet_sendrecv_rndc_client_packets(named_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(named_t)
+ corenet_udp_recv_netlabel(named_t)
+')
dev_read_sysfs(named_t)
dev_read_rand(named_t)
@@ -234,6 +238,9 @@ corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
corenet_tcp_connect_rndc_port(ndc_t)
corenet_sendrecv_rndc_client_packets(ndc_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ndc_t)
+')
fs_getattr_xattr_fs(ndc_t)
Index: refpolicy/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy.orig/policy/modules/services/bluetooth.te
+++ refpolicy/policy/modules/services/bluetooth.te
@@ -90,6 +90,10 @@ corenet_udp_sendrecv_all_nodes(bluetooth
corenet_raw_sendrecv_all_nodes(bluetooth_t)
corenet_tcp_sendrecv_all_ports(bluetooth_t)
corenet_udp_sendrecv_all_ports(bluetooth_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(bluetooth_t)
+ corenet_udp_recv_netlabel(bluetooth_t)
+')
dev_read_sysfs(bluetooth_t)
dev_rw_usbfs(bluetooth_t)
Index: refpolicy/policy/modules/services/canna.te
===================================================================
--- refpolicy.orig/policy/modules/services/canna.te
+++ refpolicy/policy/modules/services/canna.te
@@ -53,6 +53,9 @@ corenet_tcp_sendrecv_all_nodes(canna_t)
corenet_tcp_sendrecv_all_ports(canna_t)
corenet_tcp_connect_all_ports(canna_t)
corenet_sendrecv_all_client_packets(canna_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(canna_t)
+')
dev_read_sysfs(canna_t)
Index: refpolicy/policy/modules/services/ccs.te
===================================================================
--- refpolicy.orig/policy/modules/services/ccs.te
+++ refpolicy/policy/modules/services/ccs.te
@@ -69,6 +69,10 @@ corenet_udp_bind_all_nodes(ccs_t)
corenet_tcp_bind_cluster_port(ccs_t)
corenet_udp_bind_cluster_port(ccs_t)
corenet_udp_bind_netsupport_port(ccs_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ccs_t)
+ corenet_udp_recv_netlabel(ccs_t)
+')
dev_read_urand(ccs_t)
Index: refpolicy/policy/modules/services/cipe.te
===================================================================
--- refpolicy.orig/policy/modules/services/cipe.te
+++ refpolicy/policy/modules/services/cipe.te
@@ -35,6 +35,9 @@ corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_all_nodes(ciped_t)
corenet_udp_sendrecv_all_ports(ciped_t)
corenet_udp_bind_all_nodes(ciped_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(ciped_t)
+')
# cipe uses the afs3-bos port (udp 7007)
corenet_udp_bind_afs_bos_port(ciped_t)
corenet_sendrecv_afs_bos_server_packets(ciped_t)
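Review bot: placement: the new block is wedged between `corenet_udp_bind_all_nodes(ciped_t)` and the `# cipe uses the afs3-bos port (udp 7007)` comment, splitting the port-specific bind and packet rules from the comment that explains them. Move it after `corenet_sendrecv_afs_bos_server_packets(ciped_t)` so the afs-bos rules stay together. UDP-only is correct for ciped_t, which has no TCP rules in context.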
Index: refpolicy/policy/modules/services/clamav.te
===================================================================
--- refpolicy.orig/policy/modules/services/clamav.te
+++ refpolicy/policy/modules/services/clamav.te
@@ -94,6 +94,9 @@ corenet_tcp_sendrecv_clamd_port(clamd_t)
corenet_tcp_bind_all_nodes(clamd_t)
corenet_tcp_bind_clamd_port(clamd_t)
corenet_sendrecv_clamd_server_packets(clamd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(clamd_t)
+')
dev_read_rand(clamd_t)
dev_read_urand(clamd_t)
@@ -169,6 +172,9 @@ corenet_tcp_sendrecv_all_ports(freshclam
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
corenet_sendrecv_http_client_packets(freshclam_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(freshclam_t)
+')
dev_read_rand(freshclam_t)
dev_read_urand(freshclam_t)
Index: refpolicy/policy/modules/services/clockspeed.te
===================================================================
--- refpolicy.orig/policy/modules/services/clockspeed.te
+++ refpolicy/policy/modules/services/clockspeed.te
@@ -33,6 +33,9 @@ corenet_udp_sendrecv_generic_if(clockspe
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(clockspeed_cli_t)
+')
files_list_var_lib(clockspeed_cli_t)
files_read_etc_files(clockspeed_cli_t)
@@ -62,6 +65,9 @@ corenet_udp_sendrecv_ntp_port(clockspeed
corenet_udp_bind_all_nodes(clockspeed_srv_t)
corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
corenet_sendrecv_clockspeed_server_packets(clockspeed_srv_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(clockspeed_srv_t)
+')
files_read_etc_files(clockspeed_srv_t)
files_list_var_lib(clockspeed_srv_t)
Index: refpolicy/policy/modules/services/comsat.te
===================================================================
--- refpolicy.orig/policy/modules/services/comsat.te
+++ refpolicy/policy/modules/services/comsat.te
@@ -46,6 +46,10 @@ corenet_udp_sendrecv_all_if(comsat_t)
corenet_tcp_sendrecv_all_nodes(comsat_t)
corenet_udp_sendrecv_all_nodes(comsat_t)
corenet_udp_sendrecv_all_ports(comsat_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(comsat_t)
+ corenet_udp_recv_netlabel(comsat_t)
+')
dev_read_urand(comsat_t)
Index: refpolicy/policy/modules/services/courier.if
===================================================================
--- refpolicy.orig/policy/modules/services/courier.if
+++ refpolicy/policy/modules/services/courier.if
@@ -55,6 +55,10 @@ template(`courier_domain_template',`
corenet_udp_sendrecv_all_nodes(courier_$1_t)
corenet_tcp_sendrecv_all_ports(courier_$1_t)
corenet_udp_sendrecv_all_ports(courier_$1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(courier_$1_t)
+ corenet_udp_recv_netlabel(courier_$1_t)
+ ')
dev_read_sysfs(courier_$1_t)
Index: refpolicy/policy/modules/services/courier.te
===================================================================
--- refpolicy.orig/policy/modules/services/courier.te
+++ refpolicy/policy/modules/services/courier.te
@@ -121,6 +121,9 @@ corecmd_search_sbin(courier_tcpd_t)
corenet_tcp_bind_all_nodes(courier_tcpd_t)
corenet_tcp_bind_pop_port(courier_tcpd_t)
corenet_sendrecv_pop_server_packets(courier_tcpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(courier_tcpd_t)
+')
# for TLS
dev_read_rand(courier_tcpd_t)
Index: refpolicy/policy/modules/services/cron.if
===================================================================
--- refpolicy.orig/policy/modules/services/cron.if
+++ refpolicy/policy/modules/services/cron.if
@@ -103,6 +103,10 @@ template(`cron_per_role_template',`
corenet_udp_sendrecv_all_ports($1_crond_t)
corenet_tcp_connect_all_ports($1_crond_t)
corenet_sendrecv_all_client_packets($1_crond_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_crond_t)
+ corenet_udp_recv_netlabel($1_crond_t)
+ ')
dev_read_urand($1_crond_t)
Index: refpolicy/policy/modules/services/cron.te
===================================================================
--- refpolicy.orig/policy/modules/services/cron.te
+++ refpolicy/policy/modules/services/cron.te
@@ -321,6 +321,10 @@ ifdef(`targeted_policy',`
corenet_udp_sendrecv_all_nodes(system_crond_t)
corenet_tcp_sendrecv_all_ports(system_crond_t)
corenet_udp_sendrecv_all_ports(system_crond_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(system_crond_t)
+ corenet_udp_recv_netlabel(system_crond_t)
+ ')
dev_getattr_all_blk_files(system_crond_t)
dev_getattr_all_chr_files(system_crond_t)
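Review bot: the hunk header shows this insertion sits inside the `ifdef(`targeted_policy',`` block (note the extra indentation of the inserted lines), so system_crond_t only receives NetLabel receive access in targeted builds. MLS is normally built on top of the strict policy; if system_crond_t's network rules for the non-targeted case live in another block of cron.te, that block needs the same two lines or a strict-mls crond will still be denied.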
Index: refpolicy/policy/modules/services/cups.te
===================================================================
--- refpolicy.orig/policy/modules/services/cups.te
+++ refpolicy/policy/modules/services/cups.te
@@ -156,6 +156,10 @@ corenet_tcp_connect_all_ports(cupsd_t)
corenet_sendrecv_hplip_client_packets(cupsd_t)
corenet_sendrecv_ipp_client_packets(cupsd_t)
corenet_sendrecv_ipp_server_packets(cupsd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(cupsd_t)
+ corenet_udp_recv_netlabel(cupsd_t)
+')
dev_rw_printer(cupsd_t)
dev_read_urand(cupsd_t)
@@ -349,6 +353,10 @@ corenet_tcp_sendrecv_all_nodes(cupsd_con
corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(cupsd_config_t)
+ corenet_udp_recv_netlabel(cupsd_config_t)
+')
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
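Review bot: cupsd_config_t's context shows TCP rules only (`corenet_tcp_sendrecv_all_nodes`, `corenet_tcp_sendrecv_all_ports`, `corenet_tcp_connect_all_ports`), yet `corenet_udp_recv_netlabel(cupsd_config_t)` is added alongside the TCP rule. If the domain has no udp_socket rules elsewhere in cups.te the UDP line is dead; either drop it or add it together with the UDP socket rules it depends on.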
@@ -509,6 +517,10 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd
corenet_tcp_bind_all_nodes(cupsd_lpd_t)
corenet_udp_bind_all_nodes(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(cupsd_lpd_t)
+ corenet_udp_recv_netlabel(cupsd_lpd_t)
+')
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
@@ -588,6 +600,10 @@ corenet_tcp_connect_hplip_port(hplip_t)
corenet_tcp_connect_ipp_port(hplip_t)
corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(hplip_t)
+ corenet_udp_recv_netlabel(hplip_t)
+')
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
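Review bot: hplip_t's visible rules are TCP connects to the hplip and ipp ports plus the hplip client/server packet rules; `corenet_udp_recv_netlabel(hplip_t)` is added with no UDP rule in sight. Please confirm hplip_t actually opens UDP sockets (device discovery would be the likely reason) before granting the UDP receive rule, otherwise keep this to TCP as the ptal_t hunk further down does.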
@@ -681,6 +697,9 @@ corenet_tcp_sendrecv_all_nodes(ptal_t)
corenet_tcp_sendrecv_all_ports(ptal_t)
corenet_tcp_bind_all_nodes(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ptal_t)
+')
dev_read_sysfs(ptal_t)
dev_read_usbfs(ptal_t)
Index: refpolicy/policy/modules/services/cvs.te
===================================================================
--- refpolicy.orig/policy/modules/services/cvs.te
+++ refpolicy/policy/modules/services/cvs.te
@@ -54,6 +54,10 @@ corenet_tcp_sendrecv_all_nodes(cvs_t)
corenet_udp_sendrecv_all_nodes(cvs_t)
corenet_tcp_sendrecv_all_ports(cvs_t)
corenet_udp_sendrecv_all_ports(cvs_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(cvs_t)
+ corenet_udp_recv_netlabel(cvs_t)
+')
dev_read_urand(cvs_t)
Index: refpolicy/policy/modules/services/cyrus.te
===================================================================
--- refpolicy.orig/policy/modules/services/cyrus.te
+++ refpolicy/policy/modules/services/cyrus.te
@@ -77,6 +77,10 @@ corenet_sendrecv_mail_server_packets(cyr
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_sendrecv_all_client_packets(cyrus_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(cyrus_t)
+ corenet_udp_recv_netlabel(cyrus_t)
+')
dev_read_rand(cyrus_t)
dev_read_urand(cyrus_t)
Index: refpolicy/policy/modules/services/dante.te
===================================================================
--- refpolicy.orig/policy/modules/services/dante.te
+++ refpolicy/policy/modules/services/dante.te
@@ -46,6 +46,10 @@ corenet_udp_sendrecv_all_nodes(dante_t)
corenet_tcp_sendrecv_all_ports(dante_t)
corenet_udp_sendrecv_all_ports(dante_t)
corenet_tcp_bind_all_nodes(dante_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dante_t)
+ corenet_udp_recv_netlabel(dante_t)
+')
#TODO: no portcons for this type
#allow dante_t socks_port_t:tcp_socket name_bind;
Index: refpolicy/policy/modules/services/dbskk.te
===================================================================
--- refpolicy.orig/policy/modules/services/dbskk.te
+++ refpolicy/policy/modules/services/dbskk.te
@@ -55,6 +55,10 @@ corenet_tcp_sendrecv_all_nodes(dbskkd_t)
corenet_udp_sendrecv_all_nodes(dbskkd_t)
corenet_tcp_sendrecv_all_ports(dbskkd_t)
corenet_udp_sendrecv_all_ports(dbskkd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dbskkd_t)
+ corenet_udp_recv_netlabel(dbskkd_t)
+')
dev_read_urand(dbskkd_t)
Index: refpolicy/policy/modules/services/dbus.if
===================================================================
--- refpolicy.orig/policy/modules/services/dbus.if
+++ refpolicy/policy/modules/services/dbus.if
@@ -108,6 +108,9 @@ template(`dbus_per_role_template',`
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
corenet_tcp_bind_all_nodes($1_dbusd_t)
corenet_tcp_bind_reserved_port($1_dbusd_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_dbusd_t)
+ ')
dev_read_urand($1_dbusd_t)
Index: refpolicy/policy/modules/services/dcc.te
===================================================================
--- refpolicy.orig/policy/modules/services/dcc.te
+++ refpolicy/policy/modules/services/dcc.te
@@ -103,6 +103,9 @@ corenet_non_ipsec_sendrecv(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
corenet_udp_sendrecv_all_ports(cdcc_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(cdcc_t)
+')
files_read_etc_files(cdcc_t)
files_read_etc_runtime_files(cdcc_t)
@@ -145,6 +148,9 @@ corenet_non_ipsec_sendrecv(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(dcc_client_t)
+')
files_read_etc_files(dcc_client_t)
files_read_etc_runtime_files(dcc_client_t)
@@ -187,6 +193,9 @@ corenet_non_ipsec_sendrecv(dcc_dbclean_t
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(dcc_dbclean_t)
+')
files_read_etc_files(dcc_dbclean_t)
files_read_etc_runtime_files(dcc_dbclean_t)
@@ -250,6 +259,9 @@ corenet_udp_sendrecv_all_ports(dccd_t)
corenet_udp_bind_all_nodes(dccd_t)
corenet_udp_bind_dcc_port(dccd_t)
corenet_sendrecv_dcc_server_packets(dccd_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(dccd_t)
+')
dev_read_sysfs(dccd_t)
@@ -333,6 +345,9 @@ corenet_non_ipsec_sendrecv(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
corenet_udp_sendrecv_all_ports(dccifd_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(dccifd_t)
+')
dev_read_sysfs(dccifd_t)
@@ -415,6 +430,9 @@ corenet_non_ipsec_sendrecv(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
corenet_udp_sendrecv_all_ports(dccm_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(dccm_t)
+')
dev_read_sysfs(dccm_t)
Index: refpolicy/policy/modules/services/ddclient.te
===================================================================
--- refpolicy.orig/policy/modules/services/ddclient.te
+++ refpolicy/policy/modules/services/ddclient.te
@@ -73,6 +73,10 @@ corenet_tcp_sendrecv_all_ports(ddclient_
corenet_udp_sendrecv_all_ports(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ddclient_t)
+ corenet_udp_recv_netlabel(ddclient_t)
+')
dev_read_sysfs(ddclient_t)
dev_read_urand(ddclient_t)
Index: refpolicy/policy/modules/services/dictd.te
===================================================================
--- refpolicy.orig/policy/modules/services/dictd.te
+++ refpolicy/policy/modules/services/dictd.te
@@ -49,6 +49,10 @@ corenet_udp_sendrecv_all_ports(dictd_t)
corenet_tcp_bind_all_nodes(dictd_t)
corenet_tcp_bind_dict_port(dictd_t)
corenet_sendrecv_dict_server_packets(dictd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dictd_t)
+ corenet_udp_recv_netlabel(dictd_t)
+')
dev_read_sysfs(dictd_t)
Index: refpolicy/policy/modules/services/distcc.te
===================================================================
--- refpolicy.orig/policy/modules/services/distcc.te
+++ refpolicy/policy/modules/services/distcc.te
@@ -54,6 +54,10 @@ corenet_udp_sendrecv_all_ports(distccd_t
corenet_tcp_bind_all_nodes(distccd_t)
corenet_tcp_bind_distccd_port(distccd_t)
corenet_sendrecv_distccd_server_packets(distccd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(distccd_t)
+ corenet_udp_recv_netlabel(distccd_t)
+')
dev_read_sysfs(distccd_t)
Index: refpolicy/policy/modules/services/djbdns.if
===================================================================
--- refpolicy.orig/policy/modules/services/djbdns.if
+++ refpolicy/policy/modules/services/djbdns.if
@@ -46,6 +46,10 @@ template(`djbdns_daemontools_domain_temp
corenet_udp_bind_generic_port(djbdns_$1_t)
corenet_sendrecv_dns_server_packets(djbdns_$1_t)
corenet_sendrecv_generic_server_packets(djbdns_$1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(djbdns_$1_t)
+ corenet_udp_recv_netlabel(djbdns_$1_t)
+ ')
files_search_var(djbdns_$1_t)
Index: refpolicy/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy.orig/policy/modules/services/dnsmasq.te
+++ refpolicy/policy/modules/services/dnsmasq.te
@@ -58,6 +58,10 @@ corenet_udp_bind_dns_port(dnsmasq_t)
corenet_udp_bind_dhcpd_port(dnsmasq_t)
corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dnsmasq_t)
+ corenet_udp_recv_netlabel(dnsmasq_t)
+')
dev_read_sysfs(dnsmasq_t)
dev_read_urand(dnsmasq_t)
Index: refpolicy/policy/modules/services/dovecot.te
===================================================================
--- refpolicy.orig/policy/modules/services/dovecot.te
+++ refpolicy/policy/modules/services/dovecot.te
@@ -79,6 +79,9 @@ corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
corenet_sendrecv_all_client_packets(dovecot_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(dovecot_t)
+')
dev_read_sysfs(dovecot_t)
dev_read_urand(dovecot_t)
Index: refpolicy/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/fetchmail.te
+++ refpolicy/policy/modules/services/fetchmail.te
@@ -57,6 +57,10 @@ corenet_tcp_sendrecv_pop_port(fetchmail_
corenet_tcp_sendrecv_smtp_port(fetchmail_t)
corenet_tcp_connect_all_ports(fetchmail_t)
corenet_sendrecv_all_client_packets(fetchmail_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(fetchmail_t)
+ corenet_udp_recv_netlabel(fetchmail_t)
+')
dev_read_sysfs(fetchmail_t)
dev_read_rand(fetchmail_t)
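Review bot: fetchmail_t's context is TCP only (pop and smtp ports, `corenet_tcp_connect_all_ports`), but both TCP and UDP receive rules are added. A mail retrieval client has no obvious need for UDP NetLabel receive; drop `corenet_udp_recv_netlabel(fetchmail_t)` unless fetchmail_t has udp_socket rules above this hunk.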
Index: refpolicy/policy/modules/services/finger.te
===================================================================
--- refpolicy.orig/policy/modules/services/finger.te
+++ refpolicy/policy/modules/services/finger.te
@@ -56,6 +56,10 @@ corenet_tcp_sendrecv_all_ports(fingerd_t
corenet_udp_sendrecv_all_ports(fingerd_t)
corenet_tcp_bind_all_nodes(fingerd_t)
corenet_tcp_bind_fingerd_port(fingerd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(fingerd_t)
+ corenet_udp_recv_netlabel(fingerd_t)
+')
dev_read_sysfs(fingerd_t)
Index: refpolicy/policy/modules/services/ftp.te
===================================================================
--- refpolicy.orig/policy/modules/services/ftp.te
+++ refpolicy/policy/modules/services/ftp.te
@@ -104,6 +104,10 @@ corenet_tcp_bind_ftp_data_port(ftpd_t)
corenet_tcp_bind_generic_port(ftpd_t)
corenet_tcp_connect_all_ports(ftpd_t)
corenet_sendrecv_ftp_server_packets(ftpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ftpd_t)
+ corenet_udp_recv_netlabel(ftpd_t)
+')
domain_use_interactive_fds(ftpd_t)
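Review bot: ftpd_t's surrounding rules are all TCP (ftp data and generic port binds, `corenet_tcp_connect_all_ports`), while the inserted block also grants UDP NetLabel receive. Unless ftpd_t has UDP socket rules earlier in ftp.te, `corenet_udp_recv_netlabel(ftpd_t)` is a no-op; restrict the change to the TCP rule, as this patch already does for clamd_t and dovecot_t.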
Index: refpolicy/policy/modules/services/gatekeeper.te
===================================================================
--- refpolicy.orig/policy/modules/services/gatekeeper.te
+++ refpolicy/policy/modules/services/gatekeeper.te
@@ -65,6 +65,10 @@ corenet_udp_bind_all_nodes(gatekeeper_t)
corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
corenet_udp_bind_gatekeeper_port(gatekeeper_t)
corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(gatekeeper_t)
+ corenet_udp_recv_netlabel(gatekeeper_t)
+')
dev_read_sysfs(gatekeeper_t)
# for SSP
Index: refpolicy/policy/modules/services/hal.te
===================================================================
--- refpolicy.orig/policy/modules/services/hal.te
+++ refpolicy/policy/modules/services/hal.te
@@ -70,6 +70,10 @@ corenet_tcp_sendrecv_all_nodes(hald_t)
corenet_udp_sendrecv_all_nodes(hald_t)
corenet_tcp_sendrecv_all_ports(hald_t)
corenet_udp_sendrecv_all_ports(hald_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(hald_t)
+ corenet_udp_recv_netlabel(hald_t)
+')
dev_rw_usbfs(hald_t)
dev_read_urand(hald_t)
Index: refpolicy/policy/modules/services/howl.te
===================================================================
--- refpolicy.orig/policy/modules/services/howl.te
+++ refpolicy/policy/modules/services/howl.te
@@ -46,6 +46,10 @@ corenet_udp_bind_all_nodes(howl_t)
corenet_tcp_bind_howl_port(howl_t)
corenet_udp_bind_howl_port(howl_t)
corenet_sendrecv_howl_server_packets(howl_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(howl_t)
+ corenet_udp_recv_netlabel(howl_t)
+')
dev_read_sysfs(howl_t)
Index: refpolicy/policy/modules/services/i18n_input.te
===================================================================
--- refpolicy.orig/policy/modules/services/i18n_input.te
+++ refpolicy/policy/modules/services/i18n_input.te
@@ -49,6 +49,10 @@ corenet_tcp_bind_i18n_input_port(i18n_in
corenet_tcp_connect_all_ports(i18n_input_t)
corenet_sendrecv_i18n_input_server_packets(i18n_input_t)
corenet_sendrecv_all_client_packets(i18n_input_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(i18n_input_t)
+ corenet_udp_recv_netlabel(i18n_input_t)
+')
dev_read_sysfs(i18n_input_t)
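Review bot: i18n_input_t binds and connects TCP ports only in context (`corenet_tcp_bind_i18n_input_port`, `corenet_tcp_connect_all_ports`), so `corenet_udp_recv_netlabel(i18n_input_t)` should be justified by an existing UDP socket rule or dropped.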
Index: refpolicy/policy/modules/services/imaze.te
===================================================================
--- refpolicy.orig/policy/modules/services/imaze.te
+++ refpolicy/policy/modules/services/imaze.te
@@ -67,6 +67,10 @@ corenet_udp_bind_all_nodes(imazesrv_t)
corenet_tcp_bind_imaze_port(imazesrv_t)
corenet_udp_bind_imaze_port(imazesrv_t)
corenet_sendrecv_imaze_server_packets(imazesrv_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(imazesrv_t)
+ corenet_udp_recv_netlabel(imazesrv_t)
+')
dev_read_sysfs(imazesrv_t)
Index: refpolicy/policy/modules/services/inetd.te
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.te
+++ refpolicy/policy/modules/services/inetd.te
@@ -68,6 +68,10 @@ corenet_tcp_bind_all_nodes(inetd_t)
corenet_udp_bind_all_nodes(inetd_t)
corenet_tcp_connect_all_ports(inetd_t)
corenet_sendrecv_all_client_packets(inetd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(inetd_t)
+ corenet_udp_recv_netlabel(inetd_t)
+')
# listen on service ports:
corenet_tcp_bind_amanda_port(inetd_t)
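Review bot: placement: the block lands just before the `# listen on service ports:` comment, so an MLS-only conditional now separates the port bind list from the rest of the corenet rules for inetd_t; put it after the bind list instead. Both TCP and UDP are right for inetd_t. Since inetd hands accepted sockets to the service domains it spawns, those domains need the same receive permission on the inherited socket; this patch covers fingerd_t, ktalkd_t and comsat_t, but it is worth checking that every inetd-launched domain in the policy is on the list.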
Index: refpolicy/policy/modules/services/inn.te
===================================================================
--- refpolicy.orig/policy/modules/services/inn.te
+++ refpolicy/policy/modules/services/inn.te
@@ -75,6 +75,10 @@ corenet_tcp_bind_innd_port(innd_t)
corenet_tcp_connect_all_ports(innd_t)
corenet_sendrecv_innd_server_packets(innd_t)
corenet_sendrecv_all_client_packets(innd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(innd_t)
+ corenet_udp_recv_netlabel(innd_t)
+')
dev_read_sysfs(innd_t)
dev_read_urand(innd_t)
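Review bot: innd_t has only TCP rules in context (innd port bind, `corenet_tcp_connect_all_ports`, innd server and all-client packet rules); `corenet_udp_recv_netlabel(innd_t)` needs a matching UDP socket rule to mean anything. Drop it or point at the UDP rule it pairs with.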
Index: refpolicy/policy/modules/services/ircd.te
===================================================================
--- refpolicy.orig/policy/modules/services/ircd.te
+++ refpolicy/policy/modules/services/ircd.te
@@ -60,6 +60,10 @@ corenet_udp_sendrecv_all_ports(ircd_t)
corenet_tcp_bind_all_nodes(ircd_t)
corenet_tcp_bind_ircd_port(ircd_t)
corenet_sendrecv_ircd_server_packets(ircd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ircd_t)
+ corenet_udp_recv_netlabel(ircd_t)
+')
dev_read_sysfs(ircd_t)
Index: refpolicy/policy/modules/services/jabber.te
===================================================================
--- refpolicy.orig/policy/modules/services/jabber.te
+++ refpolicy/policy/modules/services/jabber.te
@@ -56,6 +56,10 @@ corenet_tcp_bind_jabber_client_port(jabb
corenet_tcp_bind_jabber_interserver_port(jabberd_t)
corenet_sendrecv_jabber_client_server_packets(jabberd_t)
corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(jabberd_t)
+ corenet_udp_recv_netlabel(jabberd_t)
+')
dev_read_sysfs(jabberd_t)
# For SSL
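Review bot: jabberd_t binds the jabber client and interserver ports over TCP only in context; the added `corenet_udp_recv_netlabel(jabberd_t)` has no UDP rule to pair with. Trim this to the TCP rule unless jabberd_t opens UDP sockets elsewhere in jabber.te.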
Index: refpolicy/policy/modules/services/kerberos.if
===================================================================
--- refpolicy.orig/policy/modules/services/kerberos.if
+++ refpolicy/policy/modules/services/kerberos.if
@@ -59,6 +59,10 @@ interface(`kerberos_use',`
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
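Review bot: this grants NetLabel receive to `$1`, i.e. to every domain that calls kerberos_use(), which widens what the interface hands out. That is reasonable (KDC and OCSP replies arrive over both UDP and TCP, matching the client packet rules above), but the interface's documentation block should say so, since callers will otherwise not expect an MLS-only permission to come with kerberos_use().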
Index: refpolicy/policy/modules/services/kerberos.te
===================================================================
--- refpolicy.orig/policy/modules/services/kerberos.te
+++ refpolicy/policy/modules/services/kerberos.te
@@ -99,6 +99,10 @@ corenet_udp_bind_kerberos_admin_port(kad
corenet_tcp_bind_reserved_port(kadmind_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(kadmind_t)
+ corenet_udp_recv_netlabel(kadmind_t)
+')
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
@@ -203,6 +207,10 @@ corenet_udp_bind_kerberos_port(krb5kdc_t
corenet_tcp_connect_ocsp_port(krb5kdc_t)
corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(krb5kdc_t)
+ corenet_udp_recv_netlabel(krb5kdc_t)
+')
dev_read_sysfs(krb5kdc_t)
dev_read_urand(krb5kdc_t)
Index: refpolicy/policy/modules/services/ktalk.te
===================================================================
--- refpolicy.orig/policy/modules/services/ktalk.te
+++ refpolicy/policy/modules/services/ktalk.te
@@ -60,6 +60,10 @@ corenet_tcp_sendrecv_all_nodes(ktalkd_t)
corenet_udp_sendrecv_all_nodes(ktalkd_t)
corenet_tcp_sendrecv_all_ports(ktalkd_t)
corenet_udp_sendrecv_all_ports(ktalkd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ktalkd_t)
+ corenet_udp_recv_netlabel(ktalkd_t)
+')
dev_read_urand(ktalkd_t)
Index: refpolicy/policy/modules/services/ldap.te
===================================================================
--- refpolicy.orig/policy/modules/services/ldap.te
+++ refpolicy/policy/modules/services/ldap.te
@@ -89,6 +89,10 @@ corenet_tcp_bind_ldap_port(slapd_t)
corenet_tcp_connect_all_ports(slapd_t)
corenet_sendrecv_ldap_server_packets(slapd_t)
corenet_sendrecv_all_client_packets(slapd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(slapd_t)
+ corenet_udp_recv_netlabel(slapd_t)
+')
dev_read_urand(slapd_t)
dev_read_sysfs(slapd_t)
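Review bot: slapd_t binds the ldap port and connects over TCP in context; `corenet_udp_recv_netlabel(slapd_t)` is added without a UDP counterpart. Confirm slapd_t has udp_socket rules (CLDAP would be the reason) or restrict this to `corenet_tcp_recv_netlabel(slapd_t)`.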
Index: refpolicy/policy/modules/services/lpd.if
===================================================================
--- refpolicy.orig/policy/modules/services/lpd.if
+++ refpolicy/policy/modules/services/lpd.if
@@ -111,6 +111,10 @@ template(`lpd_per_role_template',`
corenet_udp_sendrecv_all_ports($1_lpr_t)
corenet_tcp_connect_all_ports($1_lpr_t)
corenet_sendrecv_all_client_packets($1_lpr_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_lpr_t)
+ corenet_udp_recv_netlabel($1_lpr_t)
+ ')
dev_read_rand($1_lpr_t)
dev_read_urand($1_lpr_t)
Index: refpolicy/policy/modules/services/lpd.te
===================================================================
--- refpolicy.orig/policy/modules/services/lpd.te
+++ refpolicy/policy/modules/services/lpd.te
@@ -74,6 +74,10 @@ corenet_tcp_sendrecv_all_ports(checkpc_t
corenet_udp_sendrecv_all_ports(checkpc_t)
corenet_tcp_connect_all_ports(checkpc_t)
corenet_sendrecv_all_client_packets(checkpc_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(checkpc_t)
+ corenet_udp_recv_netlabel(checkpc_t)
+')
dev_append_printer(checkpc_t)
@@ -161,6 +165,10 @@ corenet_udp_sendrecv_all_ports(lpd_t)
corenet_tcp_bind_all_nodes(lpd_t)
corenet_tcp_bind_printer_port(lpd_t)
corenet_sendrecv_printer_server_packets(lpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(lpd_t)
+ corenet_udp_recv_netlabel(lpd_t)
+')
dev_read_sysfs(lpd_t)
dev_rw_printer(lpd_t)
Index: refpolicy/policy/modules/services/mailman.if
===================================================================
--- refpolicy.orig/policy/modules/services/mailman.if
+++ refpolicy/policy/modules/services/mailman.if
@@ -61,6 +61,10 @@ template(`mailman_domain_template', `
corenet_udp_bind_all_nodes(mailman_$1_t)
corenet_tcp_connect_smtp_port(mailman_$1_t)
corenet_sendrecv_smtp_client_packets(mailman_$1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(mailman_$1_t)
+ corenet_udp_recv_netlabel(mailman_$1_t)
+ ')
fs_getattr_xattr_fs(mailman_$1_t)
Index: refpolicy/policy/modules/services/monop.te
===================================================================
--- refpolicy.orig/policy/modules/services/monop.te
+++ refpolicy/policy/modules/services/monop.te
@@ -53,6 +53,10 @@ corenet_udp_sendrecv_all_ports(monopd_t)
corenet_tcp_bind_all_nodes(monopd_t)
corenet_tcp_bind_monopd_port(monopd_t)
corenet_sendrecv_monopd_server_packets(monopd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(monopd_t)
+ corenet_udp_recv_netlabel(monopd_t)
+')
dev_read_sysfs(monopd_t)
Index: refpolicy/policy/modules/services/mta.if
===================================================================
--- refpolicy.orig/policy/modules/services/mta.if
+++ refpolicy/policy/modules/services/mta.if
@@ -74,6 +74,9 @@ template(`mta_base_mail_template',`
corenet_tcp_connect_all_ports($1_mail_t)
corenet_tcp_connect_smtp_port($1_mail_t)
corenet_sendrecv_smtp_client_packets($1_mail_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_mail_t)
+ ')
corecmd_exec_bin($1_mail_t)
corecmd_search_sbin($1_mail_t)
Index: refpolicy/policy/modules/services/munin.te
===================================================================
--- refpolicy.orig/policy/modules/services/munin.te
+++ refpolicy/policy/modules/services/munin.te
@@ -72,6 +72,10 @@ corenet_tcp_sendrecv_all_nodes(munin_t)
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(munin_t)
+ corenet_udp_recv_netlabel(munin_t)
+')
dev_read_sysfs(munin_t)
dev_read_urand(munin_t)
Index: refpolicy/policy/modules/services/mysql.te
===================================================================
--- refpolicy.orig/policy/modules/services/mysql.te
+++ refpolicy/policy/modules/services/mysql.te
@@ -73,6 +73,10 @@ corenet_tcp_bind_mysqld_port(mysqld_t)
corenet_tcp_connect_mysqld_port(mysqld_t)
corenet_sendrecv_mysqld_client_packets(mysqld_t)
corenet_sendrecv_mysqld_server_packets(mysqld_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(mysqld_t)
+ corenet_udp_recv_netlabel(mysqld_t)
+')
dev_read_sysfs(mysqld_t)
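Review bot: mysqld_t's context is TCP only (mysqld port bind and connect plus the mysqld client/server packet rules), so `corenet_udp_recv_netlabel(mysqld_t)` is unmotivated here; keep `corenet_tcp_recv_netlabel(mysqld_t)` and drop the UDP line unless a UDP socket rule exists above this hunk.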
Index: refpolicy/policy/modules/services/nagios.te
===================================================================
--- refpolicy.orig/policy/modules/services/nagios.te
+++ refpolicy/policy/modules/services/nagios.te
@@ -73,6 +73,10 @@ corenet_tcp_sendrecv_all_nodes(nagios_t)
corenet_udp_sendrecv_all_nodes(nagios_t)
corenet_tcp_sendrecv_all_ports(nagios_t)
corenet_udp_sendrecv_all_ports(nagios_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nagios_t)
+ corenet_udp_recv_netlabel(nagios_t)
+')
dev_read_sysfs(nagios_t)
Index: refpolicy/policy/modules/services/nessus.te
===================================================================
--- refpolicy.orig/policy/modules/services/nessus.te
+++ refpolicy/policy/modules/services/nessus.te
@@ -71,6 +71,10 @@ corenet_tcp_bind_nessus_port(nessusd_t)
corenet_tcp_connect_all_ports(nessusd_t)
corenet_sendrecv_all_client_packets(nessusd_t)
corenet_sendrecv_nessus_server_packets(nessusd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nessusd_t)
+ corenet_udp_recv_netlabel(nessusd_t)
+')
dev_read_sysfs(nessusd_t)
dev_read_urand(nessusd_t)
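Review bot: nessusd_t binds the nessus port and uses `corenet_tcp_connect_all_ports`, with no UDP rule in context. A scanner plausibly does use UDP sockets, but then the UDP receive rule belongs next to those socket rules; as the hunk stands the justification for `corenet_udp_recv_netlabel(nessusd_t)` is not visible, so either cite it in a comment or drop the line.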
Index: refpolicy/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy.orig/policy/modules/services/networkmanager.te
+++ refpolicy/policy/modules/services/networkmanager.te
@@ -57,6 +57,10 @@ corenet_tcp_connect_all_ports(NetworkMan
corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
corenet_sendrecv_all_client_packets(NetworkManager_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(NetworkManager_t)
+ corenet_udp_recv_netlabel(NetworkManager_t)
+')
dev_read_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
Index: refpolicy/policy/modules/services/nis.if
===================================================================
--- refpolicy.orig/policy/modules/services/nis.if
+++ refpolicy/policy/modules/services/nis.if
@@ -59,6 +59,10 @@ interface(`nis_use_ypbind_uncond',`
corenet_sendrecv_portmap_client_packets($1)
corenet_sendrecv_generic_client_packets($1)
corenet_sendrecv_generic_server_packets($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
sysnet_read_config($1)
')
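Review bot: nis_use_ypbind_uncond() is called for a large number of domains (anything that resolves accounts through NIS), so adding the receive rules to `$1` here effectively grants NetLabel receive to most of the policy under MLS. That is probably intended (ypbind and portmap traffic uses both UDP and TCP, matching the client and server packet rules above), but it should be stated in the interface's doc comment so the broad effect is deliberate rather than incidental.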
Index: refpolicy/policy/modules/services/nis.te
===================================================================
--- refpolicy.orig/policy/modules/services/nis.te
+++ refpolicy/policy/modules/services/nis.te
@@ -89,6 +89,10 @@ corenet_dontaudit_tcp_bind_all_reserved_
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
corenet_sendrecv_all_client_packets(ypbind_t)
corenet_sendrecv_generic_server_packets(ypbind_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ypbind_t)
+ corenet_udp_recv_netlabel(ypbind_t)
+')
dev_read_sysfs(ypbind_t)
@@ -171,6 +175,10 @@ corenet_udp_bind_reserved_port(yppasswdd
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
corenet_sendrecv_generic_server_packets(yppasswdd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(yppasswdd_t)
+ corenet_udp_recv_netlabel(yppasswdd_t)
+')
dev_read_sysfs(yppasswdd_t)
@@ -272,6 +280,10 @@ corenet_udp_bind_reserved_port(ypserv_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
corenet_sendrecv_generic_server_packets(ypserv_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ypserv_t)
+ corenet_udp_recv_netlabel(ypserv_t)
+')
dev_read_sysfs(ypserv_t)
@@ -346,6 +358,10 @@ corenet_dontaudit_udp_bind_all_reserved_
corenet_tcp_connect_all_ports(ypxfr_t)
corenet_sendrecv_generic_server_packets(ypxfr_t)
corenet_sendrecv_all_client_packets(ypxfr_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ypxfr_t)
+ corenet_udp_recv_netlabel(ypxfr_t)
+')
files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)
Index: refpolicy/policy/modules/services/nscd.te
===================================================================
--- refpolicy.orig/policy/modules/services/nscd.te
+++ refpolicy/policy/modules/services/nscd.te
@@ -77,6 +77,10 @@ corenet_udp_sendrecv_all_ports(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nscd_t)
+ corenet_udp_recv_netlabel(nscd_t)
+')
selinux_get_fs_mount(nscd_t)
selinux_validate_context(nscd_t)
Index: refpolicy/policy/modules/services/nsd.te
===================================================================
--- refpolicy.orig/policy/modules/services/nsd.te
+++ refpolicy/policy/modules/services/nsd.te
@@ -74,6 +74,10 @@ corenet_udp_bind_all_nodes(nsd_t)
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
corenet_sendrecv_dns_server_packets(nsd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nsd_t)
+ corenet_udp_recv_netlabel(nsd_t)
+')
dev_read_sysfs(nsd_t)
@@ -163,6 +167,10 @@ corenet_tcp_sendrecv_all_ports(nsd_crond
corenet_udp_sendrecv_all_ports(nsd_crond_t)
corenet_tcp_connect_all_ports(nsd_crond_t)
corenet_sendrecv_all_client_packets(nsd_crond_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nsd_crond_t)
+ corenet_udp_recv_netlabel(nsd_crond_t)
+')
# for SSP
dev_read_urand(nsd_crond_t)
Index: refpolicy/policy/modules/services/ntop.te
===================================================================
--- refpolicy.orig/policy/modules/services/ntop.te
+++ refpolicy/policy/modules/services/ntop.te
@@ -70,6 +70,10 @@ corenet_udp_sendrecv_all_nodes(ntop_t)
corenet_raw_sendrecv_all_nodes(ntop_t)
corenet_tcp_sendrecv_all_ports(ntop_t)
corenet_udp_sendrecv_all_ports(ntop_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ntop_t)
+ corenet_udp_recv_netlabel(ntop_t)
+')
dev_read_sysfs(ntop_t)
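Review bot: ntop_t has corenet_raw_sendrecv_all_nodes() in the context of this hunk, but only the TCP and UDP NetLabel receive interfaces are added, so labeled traffic arriving on its raw sockets is still not covered; the same gap is visible in the pppd_t, radvd_t, razor ($1_t and razor_t), rdisc_t and snort_t hunks below. If raw-socket NetLabel receive is deliberately left to a separate patch, a sentence saying so in the commit message would save reviewers checking each of these domains.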
Index: refpolicy/policy/modules/services/ntp.te
===================================================================
--- refpolicy.orig/policy/modules/services/ntp.te
+++ refpolicy/policy/modules/services/ntp.te
@@ -74,6 +74,10 @@ corenet_udp_bind_ntp_port(ntpd_t)
corenet_tcp_connect_ntp_port(ntpd_t)
corenet_sendrecv_ntp_server_packets(ntpd_t)
corenet_sendrecv_ntp_client_packets(ntpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ntpd_t)
+ corenet_udp_recv_netlabel(ntpd_t)
+')
dev_read_sysfs(ntpd_t)
# for SSP
Index: refpolicy/policy/modules/services/nx.te
===================================================================
--- refpolicy.orig/policy/modules/services/nx.te
+++ refpolicy/policy/modules/services/nx.te
@@ -60,6 +60,10 @@ corenet_tcp_sendrecv_all_ports(nx_server
corenet_udp_sendrecv_all_ports(nx_server_t)
corenet_tcp_connect_all_ports(nx_server_t)
corenet_sendrecv_all_client_packets(nx_server_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nx_server_t)
+ corenet_udp_recv_netlabel(nx_server_t)
+')
dev_read_urand(nx_server_t)
Index: refpolicy/policy/modules/services/oav.te
===================================================================
--- refpolicy.orig/policy/modules/services/oav.te
+++ refpolicy/policy/modules/services/oav.te
@@ -57,6 +57,10 @@ corenet_tcp_sendrecv_all_nodes(oav_updat
corenet_udp_sendrecv_all_nodes(oav_update_t)
corenet_tcp_sendrecv_all_ports(oav_update_t)
corenet_udp_sendrecv_all_ports(oav_update_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(oav_update_t)
+ corenet_udp_recv_netlabel(oav_update_t)
+')
files_exec_etc_files(oav_update_t)
@@ -111,6 +115,10 @@ corenet_tcp_sendrecv_all_nodes(scannerda
corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
corenet_udp_sendrecv_all_ports(scannerdaemon_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(scannerdaemon_t)
+ corenet_udp_recv_netlabel(scannerdaemon_t)
+')
dev_read_sysfs(scannerdaemon_t)
Index: refpolicy/policy/modules/services/pegasus.te
===================================================================
--- refpolicy.orig/policy/modules/services/pegasus.te
+++ refpolicy/policy/modules/services/pegasus.te
@@ -83,6 +83,9 @@ corenet_sendrecv_pegasus_http_client_pac
corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(pegasus_t)
+')
corecmd_exec_sbin(pegasus_t)
corecmd_exec_bin(pegasus_t)
Index: refpolicy/policy/modules/services/perdition.te
===================================================================
--- refpolicy.orig/policy/modules/services/perdition.te
+++ refpolicy/policy/modules/services/perdition.te
@@ -47,6 +47,10 @@ corenet_udp_sendrecv_all_ports(perdition
corenet_tcp_bind_all_nodes(perdition_t)
corenet_tcp_bind_pop_port(perdition_t)
corenet_sendrecv_pop_server_packets(perdition_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(perdition_t)
+ corenet_udp_recv_netlabel(perdition_t)
+')
dev_read_sysfs(perdition_t)
Index: refpolicy/policy/modules/services/portmap.te
===================================================================
--- refpolicy.orig/policy/modules/services/portmap.te
+++ refpolicy/policy/modules/services/portmap.te
@@ -59,6 +59,10 @@ corenet_udp_bind_portmap_port(portmap_t)
corenet_tcp_connect_all_ports(portmap_t)
corenet_sendrecv_portmap_client_packets(portmap_t)
corenet_sendrecv_portmap_server_packets(portmap_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(portmap_t)
+ corenet_udp_recv_netlabel(portmap_t)
+')
# portmap binds to arbitary ports
corenet_tcp_bind_generic_port(portmap_t)
corenet_udp_bind_generic_port(portmap_t)
@@ -144,6 +148,10 @@ corenet_udp_bind_reserved_port(portmap_h
corenet_dontaudit_tcp_bind_all_reserved_ports(portmap_helper_t)
corenet_dontaudit_udp_bind_all_reserved_ports(portmap_helper_t)
corenet_tcp_connect_all_ports(portmap_helper_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(portmap_helper_t)
+ corenet_udp_recv_netlabel(portmap_helper_t)
+')
domain_dontaudit_use_interactive_fds(portmap_helper_t)
Index: refpolicy/policy/modules/services/portslave.te
===================================================================
--- refpolicy.orig/policy/modules/services/portslave.te
+++ refpolicy/policy/modules/services/portslave.te
@@ -63,6 +63,10 @@ corenet_udp_sendrecv_all_nodes(portslave
corenet_tcp_sendrecv_all_ports(portslave_t)
corenet_udp_sendrecv_all_ports(portslave_t)
corenet_rw_ppp_dev(portslave_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(portslave_t)
+ corenet_udp_recv_netlabel(portslave_t)
+')
dev_read_sysfs(portslave_t)
# for ssh
Index: refpolicy/policy/modules/services/postfix.if
===================================================================
--- refpolicy.orig/policy/modules/services/postfix.if
+++ refpolicy/policy/modules/services/postfix.if
@@ -140,6 +140,10 @@ template(`postfix_server_domain_template
corenet_udp_bind_all_nodes(postfix_$1_t)
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(postfix_$1_t)
+ corenet_udp_recv_netlabel(postfix_$1_t)
+ ')
sysnet_read_config(postfix_$1_t)
Index: refpolicy/policy/modules/services/postfix.te
===================================================================
--- refpolicy.orig/policy/modules/services/postfix.te
+++ refpolicy/policy/modules/services/postfix.te
@@ -147,6 +147,10 @@ corenet_tcp_connect_all_ports(postfix_ma
corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
corenet_sendrecv_smtp_server_packets(postfix_master_t)
corenet_sendrecv_all_client_packets(postfix_master_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(postfix_master_t)
+ corenet_udp_recv_netlabel(postfix_master_t)
+')
# for a find command
selinux_dontaudit_search_fs(postfix_master_t)
@@ -322,6 +326,10 @@ corenet_tcp_sendrecv_all_ports(postfix_m
corenet_udp_sendrecv_all_ports(postfix_map_t)
corenet_tcp_connect_all_ports(postfix_map_t)
corenet_sendrecv_all_client_packets(postfix_map_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(postfix_map_t)
+ corenet_udp_recv_netlabel(postfix_map_t)
+')
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
@@ -431,6 +439,9 @@ manage_files_pattern(postfix_postdrop_t,
corenet_udp_sendrecv_all_if(postfix_postdrop_t)
corenet_udp_sendrecv_all_nodes(postfix_postdrop_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(postfix_postdrop_t)
+')
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
Index: refpolicy/policy/modules/services/postgresql.te
===================================================================
--- refpolicy.orig/policy/modules/services/postgresql.te
+++ refpolicy/policy/modules/services/postgresql.te
@@ -94,6 +94,10 @@ corenet_tcp_bind_postgresql_port(postgre
corenet_tcp_connect_auth_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(postgresql_t)
+ corenet_udp_recv_netlabel(postgresql_t)
+')
dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)
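Review bot: corenet_udp_recv_netlabel(postgresql_t) is added here although every network rule in the visible context (corenet_tcp_bind_postgresql_port, corenet_tcp_connect_auth_port and the TCP packet rules) is TCP; unless postgresql_t has UDP socket rules earlier in the file, drop the UDP line so the grant stays minimal.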
Index: refpolicy/policy/modules/services/postgrey.te
===================================================================
--- refpolicy.orig/policy/modules/services/postgrey.te
+++ refpolicy/policy/modules/services/postgrey.te
@@ -54,6 +54,9 @@ corenet_tcp_sendrecv_all_ports(postgrey_
corenet_tcp_bind_all_nodes(postgrey_t)
corenet_tcp_bind_postgrey_port(postgrey_t)
corenet_sendrecv_postgrey_server_packets(postgrey_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(postgrey_t)
+')
dev_read_urand(postgrey_t)
dev_read_sysfs(postgrey_t)
Index: refpolicy/policy/modules/services/ppp.te
===================================================================
--- refpolicy.orig/policy/modules/services/ppp.te
+++ refpolicy/policy/modules/services/ppp.te
@@ -119,6 +119,10 @@ corenet_raw_sendrecv_all_nodes(pppd_t)
corenet_udp_sendrecv_all_nodes(pppd_t)
corenet_tcp_sendrecv_all_ports(pppd_t)
corenet_udp_sendrecv_all_ports(pppd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(pppd_t)
+ corenet_udp_recv_netlabel(pppd_t)
+')
# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
@@ -270,6 +274,9 @@ corenet_tcp_bind_all_nodes(pptp_t)
corenet_tcp_connect_generic_port(pptp_t)
corenet_tcp_connect_all_reserved_ports(pptp_t)
corenet_sendrecv_generic_client_packets(pptp_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(pptp_t)
+')
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
Index: refpolicy/policy/modules/services/privoxy.te
===================================================================
--- refpolicy.orig/policy/modules/services/privoxy.te
+++ refpolicy/policy/modules/services/privoxy.te
@@ -55,6 +55,9 @@ corenet_sendrecv_http_cache_server_packe
corenet_sendrecv_http_client_packets(privoxy_t)
corenet_sendrecv_ftp_client_packets(privoxy_t)
corenet_sendrecv_tor_client_packets(privoxy_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(privoxy_t)
+')
dev_read_sysfs(privoxy_t)
Index: refpolicy/policy/modules/services/procmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/procmail.te
+++ refpolicy/policy/modules/services/procmail.te
@@ -39,6 +39,10 @@ corenet_udp_bind_all_nodes(procmail_t)
corenet_tcp_connect_spamd_port(procmail_t)
corenet_sendrecv_spamd_client_packets(procmail_t)
corenet_sendrecv_comsat_client_packets(procmail_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(procmail_t)
+ corenet_udp_recv_netlabel(procmail_t)
+')
dev_read_urand(procmail_t)
Index: refpolicy/policy/modules/services/pyzor.te
===================================================================
--- refpolicy.orig/policy/modules/services/pyzor.te
+++ refpolicy/policy/modules/services/pyzor.te
@@ -46,6 +46,9 @@ corecmd_getattr_bin_files(pyzor_t)
corenet_udp_sendrecv_all_if(pyzor_t)
corenet_udp_sendrecv_all_nodes(pyzor_t)
corenet_udp_sendrecv_all_ports(pyzor_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(pyzor_t)
+')
dev_read_urand(pyzor_t)
@@ -103,6 +106,9 @@ corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_all_nodes(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
corenet_sendrecv_pyzor_server_packets(pyzord_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(pyzord_t)
+')
files_read_etc_files(pyzord_t)
Index: refpolicy/policy/modules/services/qmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/qmail.te
+++ refpolicy/policy/modules/services/qmail.te
@@ -182,6 +182,10 @@ corenet_tcp_sendrecv_smtp_port(qmail_rem
corenet_udp_sendrecv_dns_port(qmail_remote_t)
corenet_tcp_connect_smtp_port(qmail_remote_t)
corenet_sendrecv_smtp_client_packets(qmail_remote_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(qmail_remote_t)
+ corenet_udp_recv_netlabel(qmail_remote_t)
+')
dev_read_rand(qmail_remote_t)
dev_read_urand(qmail_remote_t)
Index: refpolicy/policy/modules/services/radius.te
===================================================================
--- refpolicy.orig/policy/modules/services/radius.te
+++ refpolicy/policy/modules/services/radius.te
@@ -69,6 +69,10 @@ corenet_udp_bind_radacct_port(radiusd_t)
corenet_udp_bind_radius_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
corenet_sendrecv_radacct_server_packets(radiusd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(radiusd_t)
+ corenet_udp_recv_netlabel(radiusd_t)
+')
# for RADIUS proxy port
corenet_udp_bind_generic_port(radiusd_t)
corenet_sendrecv_generic_server_packets(radiusd_t)
Index: refpolicy/policy/modules/services/radvd.te
===================================================================
--- refpolicy.orig/policy/modules/services/radvd.te
+++ refpolicy/policy/modules/services/radvd.te
@@ -47,6 +47,10 @@ corenet_udp_sendrecv_all_nodes(radvd_t)
corenet_raw_sendrecv_all_nodes(radvd_t)
corenet_tcp_sendrecv_all_ports(radvd_t)
corenet_udp_sendrecv_all_ports(radvd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(radvd_t)
+ corenet_udp_recv_netlabel(radvd_t)
+')
dev_read_sysfs(radvd_t)
Index: refpolicy/policy/modules/services/razor.if
===================================================================
--- refpolicy.orig/policy/modules/services/razor.if
+++ refpolicy/policy/modules/services/razor.if
@@ -70,6 +70,9 @@ template(`razor_common_domain_template',
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_t)
+ ')
# mktemp and other randoms
dev_read_rand($1_t)
Index: refpolicy/policy/modules/services/razor.te
===================================================================
--- refpolicy.orig/policy/modules/services/razor.te
+++ refpolicy/policy/modules/services/razor.te
@@ -48,6 +48,9 @@ corenet_raw_sendrecv_all_nodes(razor_t)
corenet_tcp_sendrecv_razor_port(razor_t)
corenet_tcp_connect_razor_port(razor_t)
corenet_sendrecv_razor_client_packets(razor_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(razor_t)
+')
sysnet_read_config(razor_t)
Index: refpolicy/policy/modules/services/rdisc.te
===================================================================
--- refpolicy.orig/policy/modules/services/rdisc.te
+++ refpolicy/policy/modules/services/rdisc.te
@@ -32,6 +32,9 @@ corenet_raw_sendrecv_generic_if(rdisc_t)
corenet_udp_sendrecv_all_nodes(rdisc_t)
corenet_raw_sendrecv_all_nodes(rdisc_t)
corenet_udp_sendrecv_all_ports(rdisc_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(rdisc_t)
+')
dev_read_sysfs(rdisc_t)
Index: refpolicy/policy/modules/services/rhgb.te
===================================================================
--- refpolicy.orig/policy/modules/services/rhgb.te
+++ refpolicy/policy/modules/services/rhgb.te
@@ -54,6 +54,10 @@ corenet_tcp_sendrecv_all_ports(rhgb_t)
corenet_udp_sendrecv_all_ports(rhgb_t)
corenet_tcp_connect_all_ports(rhgb_t)
corenet_sendrecv_all_client_packets(rhgb_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rhgb_t)
+ corenet_udp_recv_netlabel(rhgb_t)
+')
dev_read_sysfs(rhgb_t)
Index: refpolicy/policy/modules/services/ricci.te
===================================================================
--- refpolicy.orig/policy/modules/services/ricci.te
+++ refpolicy/policy/modules/services/ricci.te
@@ -127,6 +127,10 @@ corenet_udp_bind_all_nodes(ricci_t)
corenet_tcp_bind_ricci_port(ricci_t)
corenet_udp_bind_ricci_port(ricci_t)
corenet_tcp_connect_http_port(ricci_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ricci_t)
+ corenet_udp_recv_netlabel(ricci_t)
+')
dev_read_urand(ricci_t)
@@ -296,6 +300,9 @@ corenet_tcp_sendrecv_all_ports(ricci_mod
corenet_tcp_bind_all_nodes(ricci_modclusterd_t)
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ricci_modclusterd_t)
+')
domain_dontaudit_read_all_domains_state(ricci_modclusterd_t)
Index: refpolicy/policy/modules/services/rlogin.te
===================================================================
--- refpolicy.orig/policy/modules/services/rlogin.te
+++ refpolicy/policy/modules/services/rlogin.te
@@ -57,6 +57,10 @@ corenet_tcp_sendrecv_all_nodes(rlogind_t
corenet_udp_sendrecv_all_nodes(rlogind_t)
corenet_tcp_sendrecv_all_ports(rlogind_t)
corenet_udp_sendrecv_all_ports(rlogind_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rlogind_t)
+ corenet_udp_recv_netlabel(rlogind_t)
+')
dev_read_urand(rlogind_t)
Index: refpolicy/policy/modules/services/roundup.te
===================================================================
--- refpolicy.orig/policy/modules/services/roundup.te
+++ refpolicy/policy/modules/services/roundup.te
@@ -57,6 +57,10 @@ corenet_tcp_bind_http_cache_port(roundup
corenet_tcp_connect_smtp_port(roundup_t)
corenet_sendrecv_http_cache_server_packets(roundup_t)
corenet_sendrecv_smtp_client_packets(roundup_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(roundup_t)
+ corenet_udp_recv_netlabel(roundup_t)
+')
# /usr/share/mysql/charsets/Index.xml
dev_read_urand(roundup_t)
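Review bot: the UDP NetLabel receive line for roundup_t is added while the context shows only TCP rules (corenet_tcp_bind_http_cache_port, corenet_tcp_connect_smtp_port and the HTTP-cache and SMTP packet rules); keep corenet_udp_recv_netlabel(roundup_t) only if the domain actually has UDP socket rules elsewhere in roundup.te, otherwise it is an unneeded grant.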
Index: refpolicy/policy/modules/services/rpc.if
===================================================================
--- refpolicy.orig/policy/modules/services/rpc.if
+++ refpolicy/policy/modules/services/rpc.if
@@ -83,6 +83,10 @@ template(`rpc_domain_template', `
corenet_tcp_bind_reserved_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_portmap_client_packets($1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
+ ')
# do not log when it tries to bind to a port belonging to another domain
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
corenet_dontaudit_udp_bind_all_reserved_ports($1_t)
Index: refpolicy/policy/modules/services/rshd.te
===================================================================
--- refpolicy.orig/policy/modules/services/rshd.te
+++ refpolicy/policy/modules/services/rshd.te
@@ -33,6 +33,10 @@ corenet_udp_sendrecv_all_ports(rshd_t)
corenet_tcp_bind_all_nodes(rshd_t)
corenet_tcp_bind_rsh_port(rshd_t)
corenet_sendrecv_rsh_server_packets(rshd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rshd_t)
+ corenet_udp_recv_netlabel(rshd_t)
+')
dev_read_urand(rshd_t)
Index: refpolicy/policy/modules/services/rsync.te
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.te
+++ refpolicy/policy/modules/services/rsync.te
@@ -63,6 +63,10 @@ corenet_udp_sendrecv_all_ports(rsync_t)
corenet_tcp_bind_all_nodes(rsync_t)
corenet_tcp_bind_rsync_port(rsync_t)
corenet_sendrecv_rsync_server_packets(rsync_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rsync_t)
+ corenet_udp_recv_netlabel(rsync_t)
+')
dev_read_urand(rsync_t)
Index: refpolicy/policy/modules/services/samba.te
===================================================================
--- refpolicy.orig/policy/modules/services/samba.te
+++ refpolicy/policy/modules/services/samba.te
@@ -123,6 +123,10 @@ corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
corenet_udp_bind_all_nodes(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(samba_net_t)
+ corenet_udp_recv_netlabel(samba_net_t)
+')
dev_read_urand(samba_net_t)
@@ -233,6 +237,10 @@ corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
corenet_tcp_connect_ipp_port(smbd_t)
corenet_tcp_connect_smbd_port(smbd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(smbd_t)
+ corenet_udp_recv_netlabel(smbd_t)
+')
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
@@ -373,6 +381,10 @@ corenet_udp_bind_all_nodes(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(nmbd_t)
+ corenet_udp_recv_netlabel(nmbd_t)
+')
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
@@ -462,6 +474,10 @@ corenet_non_ipsec_sendrecv(smbmount_t)
corenet_tcp_bind_all_nodes(smbmount_t)
corenet_udp_bind_all_nodes(smbmount_t)
corenet_tcp_connect_all_ports(smbmount_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(smbmount_t)
+ corenet_udp_recv_netlabel(smbmount_t)
+')
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
@@ -566,6 +582,10 @@ corenet_tcp_connect_smbd_port(swat_t)
corenet_tcp_connect_ipp_port(swat_t)
corenet_sendrecv_smbd_client_packets(swat_t)
corenet_sendrecv_ipp_client_packets(swat_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(swat_t)
+ corenet_udp_recv_netlabel(swat_t)
+')
dev_read_urand(swat_t)
@@ -662,6 +682,10 @@ corenet_non_ipsec_sendrecv(winbind_t)
corenet_tcp_bind_all_nodes(winbind_t)
corenet_udp_bind_all_nodes(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(winbind_t)
+ corenet_udp_recv_netlabel(winbind_t)
+')
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
Index: refpolicy/policy/modules/services/sasl.te
===================================================================
--- refpolicy.orig/policy/modules/services/sasl.te
+++ refpolicy/policy/modules/services/sasl.te
@@ -39,6 +39,9 @@ corenet_tcp_sendrecv_all_nodes(saslauthd
corenet_tcp_sendrecv_all_ports(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
corenet_sendrecv_pop_client_packets(saslauthd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(saslauthd_t)
+')
dev_read_sysfs(saslauthd_t)
dev_read_urand(saslauthd_t)
Index: refpolicy/policy/modules/services/sendmail.te
===================================================================
--- refpolicy.orig/policy/modules/services/sendmail.te
+++ refpolicy/policy/modules/services/sendmail.te
@@ -58,6 +58,9 @@ corenet_tcp_bind_smtp_port(sendmail_t)
corenet_tcp_connect_all_ports(sendmail_t)
corenet_sendrecv_smtp_server_packets(sendmail_t)
corenet_sendrecv_smtp_client_packets(sendmail_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(sendmail_t)
+')
dev_read_urand(sendmail_t)
dev_read_sysfs(sendmail_t)
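Review bot: only corenet_tcp_recv_netlabel(sendmail_t) is added; that matches the visible context (corenet_tcp_bind_smtp_port, corenet_tcp_connect_all_ports and the SMTP server and client packet rules), but if sendmail_t has UDP socket rules earlier in the file (resolver traffic, for example) the UDP receive interface is missing here and labeled replies on those sockets would still be refused under MLS. Worth a check against the full sendmail.te before merging.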
Index: refpolicy/policy/modules/services/setroubleshoot.te
===================================================================
--- refpolicy.orig/policy/modules/services/setroubleshoot.te
+++ refpolicy/policy/modules/services/setroubleshoot.te
@@ -65,6 +65,9 @@ corenet_tcp_sendrecv_all_ports(setrouble
corenet_tcp_bind_all_nodes(setroubleshootd_t)
corenet_tcp_connect_smtp_port(setroubleshootd_t)
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(setroubleshootd_t)
+')
dev_read_urand(setroubleshootd_t)
Index: refpolicy/policy/modules/services/smartmon.te
===================================================================
--- refpolicy.orig/policy/modules/services/smartmon.te
+++ refpolicy/policy/modules/services/smartmon.te
@@ -46,6 +46,9 @@ corenet_non_ipsec_sendrecv(fsdaemon_t)
corenet_udp_sendrecv_generic_if(fsdaemon_t)
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t)
+ifdef(`enable_mls',`
+ corenet_udp_recv_netlabel(fsdaemon_t)
+')
dev_read_sysfs(fsdaemon_t)
Index: refpolicy/policy/modules/services/snmp.te
===================================================================
--- refpolicy.orig/policy/modules/services/snmp.te
+++ refpolicy/policy/modules/services/snmp.te
@@ -71,6 +71,10 @@ corenet_udp_bind_all_nodes(snmpd_t)
corenet_tcp_bind_snmp_port(snmpd_t)
corenet_udp_bind_snmp_port(snmpd_t)
corenet_sendrecv_snmp_server_packets(snmpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(snmpd_t)
+ corenet_udp_recv_netlabel(snmpd_t)
+')
dev_list_sysfs(snmpd_t)
dev_read_sysfs(snmpd_t)
Index: refpolicy/policy/modules/services/snort.te
===================================================================
--- refpolicy.orig/policy/modules/services/snort.te
+++ refpolicy/policy/modules/services/snort.te
@@ -64,6 +64,10 @@ corenet_udp_sendrecv_all_nodes(snort_t)
corenet_raw_sendrecv_all_nodes(snort_t)
corenet_tcp_sendrecv_all_ports(snort_t)
corenet_udp_sendrecv_all_ports(snort_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(snort_t)
+ corenet_udp_recv_netlabel(snort_t)
+')
dev_read_sysfs(snort_t)
Index: refpolicy/policy/modules/services/soundserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/soundserver.te
+++ refpolicy/policy/modules/services/soundserver.te
@@ -72,6 +72,10 @@ corenet_udp_sendrecv_all_ports(soundd_t)
corenet_tcp_bind_all_nodes(soundd_t)
corenet_tcp_bind_soundd_port(soundd_t)
corenet_sendrecv_soundd_server_packets(soundd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(soundd_t)
+ corenet_udp_recv_netlabel(soundd_t)
+')
dev_read_sysfs(soundd_t)
dev_read_sound(soundd_t)
Index: refpolicy/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy.orig/policy/modules/services/spamassassin.if
+++ refpolicy/policy/modules/services/spamassassin.if
@@ -101,6 +101,10 @@ template(`spamassassin_per_role_template
corenet_udp_sendrecv_all_ports($1_spamc_t)
corenet_tcp_connect_all_ports($1_spamc_t)
corenet_sendrecv_all_client_packets($1_spamc_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_spamc_t)
+ corenet_udp_recv_netlabel($1_spamc_t)
+ ')
fs_search_auto_mountpoints($1_spamc_t)
Index: refpolicy/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy.orig/policy/modules/services/spamassassin.te
+++ refpolicy/policy/modules/services/spamassassin.te
@@ -79,6 +79,10 @@ corenet_tcp_bind_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
corenet_sendrecv_razor_client_packets(spamd_t)
corenet_sendrecv_spamd_server_packets(spamd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(spamd_t)
+ corenet_udp_recv_netlabel(spamd_t)
+')
# spamassassin 3.1 needs this for its
# DnsResolver.pm module which binds to
# random ports >= 1024.
Index: refpolicy/policy/modules/services/squid.te
===================================================================
--- refpolicy.orig/policy/modules/services/squid.te
+++ refpolicy/policy/modules/services/squid.te
@@ -90,6 +90,10 @@ corenet_sendrecv_ftp_client_packets(squi
corenet_sendrecv_gopher_client_packets(squid_t)
corenet_sendrecv_http_cache_server_packets(squid_t)
corenet_sendrecv_http_cache_client_packets(squid_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(squid_t)
+ corenet_udp_recv_netlabel(squid_t)
+')
dev_read_sysfs(squid_t)
dev_read_urand(squid_t)
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.if
+++ refpolicy/policy/modules/services/ssh.if
@@ -114,6 +114,9 @@ template(`ssh_basic_client_template',`
corenet_tcp_sendrecv_all_ports($1_ssh_t)
corenet_tcp_connect_ssh_port($1_ssh_t)
corenet_sendrecv_ssh_client_packets($1_ssh_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_ssh_t)
+ ')
dev_read_urand($1_ssh_t)
@@ -483,6 +486,10 @@ template(`ssh_server_template', `
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_ssh_server_packets($1_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
+ ')
fs_dontaudit_getattr_all_fs($1_t)
Index: refpolicy/policy/modules/services/stunnel.te
===================================================================
--- refpolicy.orig/policy/modules/services/stunnel.te
+++ refpolicy/policy/modules/services/stunnel.te
@@ -64,6 +64,10 @@ corenet_tcp_sendrecv_all_ports(stunnel_t
corenet_udp_sendrecv_all_ports(stunnel_t)
corenet_tcp_bind_all_nodes(stunnel_t)
corenet_tcp_connect_all_ports(stunnel_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(stunnel_t)
+ corenet_udp_recv_netlabel(stunnel_t)
+')
fs_getattr_all_fs(stunnel_t)
Index: refpolicy/policy/modules/services/tcpd.te
===================================================================
--- refpolicy.orig/policy/modules/services/tcpd.te
+++ refpolicy/policy/modules/services/tcpd.te
@@ -27,6 +27,9 @@ corenet_non_ipsec_sendrecv(tcpd_t)
corenet_tcp_sendrecv_all_if(tcpd_t)
corenet_tcp_sendrecv_all_nodes(tcpd_t)
corenet_tcp_sendrecv_all_ports(tcpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(tcpd_t)
+')
fs_getattr_xattr_fs(tcpd_t)
Index: refpolicy/policy/modules/services/telnet.te
===================================================================
--- refpolicy.orig/policy/modules/services/telnet.te
+++ refpolicy/policy/modules/services/telnet.te
@@ -56,6 +56,10 @@ corenet_tcp_sendrecv_all_nodes(telnetd_t
corenet_udp_sendrecv_all_nodes(telnetd_t)
corenet_tcp_sendrecv_all_ports(telnetd_t)
corenet_udp_sendrecv_all_ports(telnetd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(telnetd_t)
+ corenet_udp_recv_netlabel(telnetd_t)
+')
dev_read_urand(telnetd_t)
Index: refpolicy/policy/modules/services/tftp.te
===================================================================
--- refpolicy.orig/policy/modules/services/tftp.te
+++ refpolicy/policy/modules/services/tftp.te
@@ -50,6 +50,10 @@ corenet_tcp_bind_all_nodes(tftpd_t)
corenet_udp_bind_all_nodes(tftpd_t)
corenet_udp_bind_tftp_port(tftpd_t)
corenet_sendrecv_tftp_server_packets(tftpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(tftpd_t)
+ corenet_udp_recv_netlabel(tftpd_t)
+')
dev_read_sysfs(tftpd_t)
Index: refpolicy/policy/modules/services/timidity.te
===================================================================
--- refpolicy.orig/policy/modules/services/timidity.te
+++ refpolicy/policy/modules/services/timidity.te
@@ -46,6 +46,10 @@ corenet_tcp_sendrecv_all_nodes(timidity_
corenet_udp_sendrecv_all_nodes(timidity_t)
corenet_tcp_sendrecv_all_ports(timidity_t)
corenet_udp_sendrecv_all_ports(timidity_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(timidity_t)
+ corenet_udp_recv_netlabel(timidity_t)
+')
dev_read_sysfs(timidity_t)
dev_read_sound(timidity_t)
Index: refpolicy/policy/modules/services/tor.te
===================================================================
--- refpolicy.orig/policy/modules/services/tor.te
+++ refpolicy/policy/modules/services/tor.te
@@ -71,6 +71,9 @@ corenet_tcp_sendrecv_all_reserved_ports(
corenet_tcp_bind_all_nodes(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(tor_t)
+')
# TOR will need to connect to various ports
corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
Index: refpolicy/policy/modules/services/transproxy.te
===================================================================
--- refpolicy.orig/policy/modules/services/transproxy.te
+++ refpolicy/policy/modules/services/transproxy.te
@@ -37,6 +37,9 @@ corenet_tcp_sendrecv_all_ports(transprox
corenet_tcp_bind_all_nodes(transproxy_t)
corenet_tcp_bind_transproxy_port(transproxy_t)
corenet_sendrecv_transproxy_server_packets(transproxy_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(transproxy_t)
+')
dev_read_sysfs(transproxy_t)
Index: refpolicy/policy/modules/services/ucspitcp.te
===================================================================
--- refpolicy.orig/policy/modules/services/ucspitcp.te
+++ refpolicy/policy/modules/services/ucspitcp.te
@@ -34,6 +34,10 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_
corenet_non_ipsec_sendrecv(rblsmtpd_t)
corenet_tcp_bind_all_nodes(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(rblsmtpd_t)
+ corenet_udp_recv_netlabel(rblsmtpd_t)
+')
files_read_etc_files(rblsmtpd_t)
files_search_var(rblsmtpd_t)
@@ -68,6 +72,10 @@ corenet_tcp_sendrecv_all_ports(ucspitcp_
corenet_udp_sendrecv_all_ports(ucspitcp_t)
corenet_tcp_bind_all_nodes(ucspitcp_t)
corenet_udp_bind_all_nodes(ucspitcp_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(ucspitcp_t)
+ corenet_udp_recv_netlabel(ucspitcp_t)
+')
# server ports:
corenet_tcp_bind_ftp_port(ucspitcp_t)
Index: refpolicy/policy/modules/services/uucp.te
===================================================================
--- refpolicy.orig/policy/modules/services/uucp.te
+++ refpolicy/policy/modules/services/uucp.te
@@ -77,6 +77,10 @@ corenet_tcp_sendrecv_all_nodes(uucpd_t)
corenet_udp_sendrecv_all_nodes(uucpd_t)
corenet_tcp_sendrecv_all_ports(uucpd_t)
corenet_udp_sendrecv_all_ports(uucpd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(uucpd_t)
+ corenet_udp_recv_netlabel(uucpd_t)
+')
dev_read_urand(uucpd_t)
Index: refpolicy/policy/modules/services/uwimap.te
===================================================================
--- refpolicy.orig/policy/modules/services/uwimap.te
+++ refpolicy/policy/modules/services/uwimap.te
@@ -48,6 +48,9 @@ corenet_tcp_bind_pop_port(imapd_t)
corenet_tcp_connect_all_ports(imapd_t)
corenet_sendrecv_pop_server_packets(imapd_t)
corenet_sendrecv_all_client_packets(imapd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(imapd_t)
+')
dev_read_sysfs(imapd_t)
#urandom, for ssl
Index: refpolicy/policy/modules/services/watchdog.te
===================================================================
--- refpolicy.orig/policy/modules/services/watchdog.te
+++ refpolicy/policy/modules/services/watchdog.te
@@ -53,6 +53,10 @@ corenet_tcp_sendrecv_all_ports(watchdog_
corenet_udp_sendrecv_all_ports(watchdog_t)
corenet_tcp_connect_all_ports(watchdog_t)
corenet_sendrecv_all_client_packets(watchdog_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(watchdog_t)
+ corenet_udp_recv_netlabel(watchdog_t)
+')
dev_read_sysfs(watchdog_t)
dev_write_watchdog(watchdog_t)
Index: refpolicy/policy/modules/services/xprint.te
===================================================================
--- refpolicy.orig/policy/modules/services/xprint.te
+++ refpolicy/policy/modules/services/xprint.te
@@ -42,6 +42,10 @@ corenet_tcp_sendrecv_all_nodes(xprint_t)
corenet_udp_sendrecv_all_nodes(xprint_t)
corenet_tcp_sendrecv_all_ports(xprint_t)
corenet_udp_sendrecv_all_ports(xprint_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(xprint_t)
+ corenet_udp_recv_netlabel(xprint_t)
+')
dev_read_sysfs(xprint_t)
dev_read_urand(xprint_t)
Index: refpolicy/policy/modules/services/xserver.if
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.if
+++ refpolicy/policy/modules/services/xserver.if
@@ -107,6 +107,10 @@ template(`xserver_common_domain_template
corenet_tcp_connect_all_ports($1_xserver_t)
corenet_sendrecv_xserver_server_packets($1_xserver_t)
corenet_sendrecv_all_client_packets($1_xserver_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1_xserver_t)
+ corenet_udp_recv_netlabel($1_xserver_t)
+ ')
dev_rw_sysfs($1_xserver_t)
dev_rw_mouse($1_xserver_t)
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te
+++ refpolicy/policy/modules/services/xserver.te
@@ -132,6 +132,10 @@ corenet_tcp_bind_all_nodes(xdm_t)
corenet_udp_bind_all_nodes(xdm_t)
corenet_tcp_connect_all_ports(xdm_t)
corenet_sendrecv_all_client_packets(xdm_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(xdm_t)
+ corenet_udp_recv_netlabel(xdm_t)
+')
# xdm tries to bind to biff_port_t
corenet_dontaudit_tcp_bind_all_ports(xdm_t)
Index: refpolicy/policy/modules/services/zebra.te
===================================================================
--- refpolicy.orig/policy/modules/services/zebra.te
+++ refpolicy/policy/modules/services/zebra.te
@@ -76,6 +76,10 @@ corenet_udp_bind_router_port(zebra_t)
corenet_tcp_connect_bgp_port(zebra_t)
corenet_sendrecv_zebra_server_packets(zebra_t)
corenet_sendrecv_router_server_packets(zebra_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(zebra_t)
+ corenet_udp_recv_netlabel(zebra_t)
+')
dev_associate_usbfs(zebra_var_run_t)
dev_list_all_dev_nodes(zebra_t)
Index: refpolicy/policy/modules/system/hotplug.te
===================================================================
--- refpolicy.orig/policy/modules/system/hotplug.te
+++ refpolicy/policy/modules/system/hotplug.te
@@ -58,6 +58,10 @@ corenet_tcp_sendrecv_all_nodes(hotplug_t
corenet_udp_sendrecv_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_udp_sendrecv_all_ports(hotplug_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(hotplug_t)
+ corenet_udp_recv_netlabel(hotplug_t)
+')
dev_rw_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t)
Index: refpolicy/policy/modules/system/iscsi.te
===================================================================
--- refpolicy.orig/policy/modules/system/iscsi.te
+++ refpolicy/policy/modules/system/iscsi.te
@@ -60,6 +60,9 @@ corenet_tcp_sendrecv_all_nodes(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(iscsid_t)
+')
dev_rw_sysfs(iscsid_t)
Index: refpolicy/policy/modules/system/lvm.te
===================================================================
--- refpolicy.orig/policy/modules/system/lvm.te
+++ refpolicy/policy/modules/system/lvm.te
@@ -80,6 +80,11 @@ corenet_tcp_bind_all_nodes(clvmd_t)
corenet_tcp_bind_reserved_port(clvmd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
corenet_sendrecv_generic_server_packets(clvmd_t)
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(clvmd_t)
+ corenet_udp_recv_netlabel(clvmd_t)
+')
+
dev_read_sysfs(clvmd_t)
dev_manage_generic_chr_files(clvmd_t)
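Review bot: the extra blank line added after the closing `')` in this hunk is not present in any other hunk of the series, where the `ifdef` block is followed directly by the next rule; drop it so lvm.te matches the rest. Separately, the visible context for clvmd_t shows only TCP rules (corenet_tcp_bind_all_nodes, corenet_tcp_bind_reserved_port) but the hunk also grants corenet_udp_recv_netlabel(clvmd_t); if clvmd has no UDP sockets that line is dead policy and should go.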
Index: refpolicy/policy/modules/system/mount.te
===================================================================
--- refpolicy.orig/policy/modules/system/mount.te
+++ refpolicy/policy/modules/system/mount.te
@@ -151,6 +151,10 @@ optional_policy(`
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
corenet_tcp_connect_all_ports(mount_t)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(mount_t)
+ corenet_udp_recv_netlabel(mount_t)
+ ')
fs_search_rpc(mount_t)
Index: refpolicy/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.if
+++ refpolicy/policy/modules/system/sysnetwork.if
@@ -489,6 +489,10 @@ interface(`sysnet_dns_name_resolve',`
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
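Review bot: putting corenet_tcp_recv_netlabel/corenet_udp_recv_netlabel into sysnet_dns_name_resolve() widens what every caller of this interface receives, because the underlying recvfrom rule (see the `allow $1 unlabeled_t:rawip_socket recvfrom;` pattern in the kernel.if hunk of patch 2) is per socket class, not per port, so any DNS-resolving domain can now receive NetLabel traffic on any TCP or UDP socket, not just on the DNS port. That is probably the intended trade-off for a "use" interface, but it deserves a sentence in the interface's <desc> so policy authors know the grant is broader than the interface name suggests.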
@@ -517,6 +521,10 @@ interface(`sysnet_use_ldap',`
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
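Review bot: sysnet_use_ldap() grants corenet_udp_recv_netlabel($1) although the visible context is TCP only (corenet_tcp_sendrecv_ldap_port, corenet_tcp_connect_ldap_port); unless the interface also carries UDP rules above this hunk, drop the UDP line here and keep only corenet_tcp_recv_netlabel($1), matching the TCP-only treatment given to tcpd_t, tor_t, transproxy_t, imapd_t and iscsid_t elsewhere in this patch.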
@@ -549,6 +557,10 @@ interface(`sysnet_use_portmap',`
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
+ ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
+ ')
files_search_etc($1)
allow $1 net_conf_t:file read_file_perms;
--
paul moore
linux security @ hp
* [PATCH 2/4] Policy patches to add NetLabel support for Raw IP sockets
2006-12-14 19:24 [PATCH 0/4] NetLabel and MLS fixes for Reference Policy paul.moore
2006-12-14 19:24 ` [PATCH 1/4] Policy patches to add NetLabel to support to various domains paul.moore
@ 2006-12-14 19:24 ` paul.moore
2006-12-14 19:24 ` [PATCH 3/4] Policy patches to add a MLS socket write-to-clearance interface paul.moore
From: paul.moore @ 2006-12-14 19:24 UTC (permalink / raw)
To: selinux; +Cc: cpebenito, Paul Moore
From: Paul Moore <paul.moore@hp.com>
Add interfaces for NetLabel Raw IP support and give access to domains that
require Raw IP support.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
policy/modules/admin/amanda.te | 1
policy/modules/admin/backup.te | 1
policy/modules/admin/dpkg.te | 2
policy/modules/admin/netutils.te | 1
policy/modules/admin/portage.if | 1
policy/modules/admin/rpm.te | 1
policy/modules/apps/evolution.if | 2
policy/modules/apps/gpg.if | 1
policy/modules/apps/mozilla.if | 1
policy/modules/apps/vmware.te | 1
policy/modules/kernel/corenetwork.if.in | 29 ++++++++++++++
policy/modules/kernel/kernel.if | 61 ++++++++++++++++++++++++++++++
policy/modules/services/arpwatch.te | 1
policy/modules/services/bluetooth.te | 1
policy/modules/services/cups.te | 2
policy/modules/services/dictd.te | 1
policy/modules/services/dnsmasq.te | 1
policy/modules/services/mailman.if | 1
policy/modules/services/nessus.te | 1
policy/modules/services/networkmanager.te | 1
policy/modules/services/ntop.te | 1
policy/modules/services/portmap.te | 1
policy/modules/services/ppp.te | 2
policy/modules/services/radvd.te | 1
policy/modules/services/razor.if | 1
policy/modules/services/razor.te | 1
policy/modules/services/rdisc.te | 1
policy/modules/services/roundup.te | 1
policy/modules/services/samba.te | 5 ++
policy/modules/services/snort.te | 1
policy/modules/services/ssh.if | 1
policy/modules/services/zebra.te | 1
policy/modules/system/lvm.te | 1
policy/modules/system/mount.te | 1
34 files changed, 130 insertions(+)
Index: refpolicy/policy/modules/admin/amanda.te
===================================================================
--- refpolicy.orig/policy/modules/admin/amanda.te
+++ refpolicy/policy/modules/admin/amanda.te
@@ -128,6 +128,7 @@ corenet_tcp_bind_all_rpc_ports(amanda_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(amanda_t)
corenet_udp_recv_netlabel(amanda_t)
+ corenet_raw_recv_netlabel(amanda_t)
')
dev_getattr_all_blk_files(amanda_t)
Index: refpolicy/policy/modules/admin/backup.te
===================================================================
--- refpolicy.orig/policy/modules/admin/backup.te
+++ refpolicy/policy/modules/admin/backup.te
@@ -50,6 +50,7 @@ corenet_sendrecv_all_client_packets(back
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(backup_t)
corenet_udp_recv_netlabel(backup_t)
+ corenet_raw_recv_netlabel(backup_t)
')
dev_getattr_all_blk_files(backup_t)
Index: refpolicy/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy.orig/policy/modules/admin/dpkg.te
+++ refpolicy/policy/modules/admin/dpkg.te
@@ -104,6 +104,8 @@ corenet_sendrecv_all_client_packets(dpkg
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(dpkg_t)
corenet_udp_recv_netlabel(dpkg_t)
+ corenet_raw_recv_netlabel(dpkg_t)
+ corenet_raw_recv_netlabel(dpkg_t)
')
dev_list_sysfs(dpkg_t)
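Review bot: `corenet_raw_recv_netlabel(dpkg_t)` is added twice in this hunk (two consecutive `+` lines); the second one is a duplicate and should be removed. The diffstat line "policy/modules/admin/dpkg.te | 2" is the same copy-paste slip, so it becomes 1 once the duplicate is gone.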
Index: refpolicy/policy/modules/admin/netutils.te
===================================================================
--- refpolicy.orig/policy/modules/admin/netutils.te
+++ refpolicy/policy/modules/admin/netutils.te
@@ -58,6 +58,7 @@ corenet_udp_bind_generic_node(netutils_t
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(netutils_t)
corenet_udp_recv_netlabel(netutils_t)
+ corenet_raw_recv_netlabel(netutils_t)
')
fs_getattr_xattr_fs(netutils_t)
Index: refpolicy/policy/modules/admin/portage.if
===================================================================
--- refpolicy.orig/policy/modules/admin/portage.if
+++ refpolicy/policy/modules/admin/portage.if
@@ -166,6 +166,7 @@ interface(`portage_compile_domain',`
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1)
corenet_udp_recv_netlabel($1)
+ corenet_raw_recv_netlabel($1)
')
dev_read_sysfs($1)
Index: refpolicy/policy/modules/admin/rpm.te
===================================================================
--- refpolicy.orig/policy/modules/admin/rpm.te
+++ refpolicy/policy/modules/admin/rpm.te
@@ -105,6 +105,7 @@ corenet_sendrecv_all_client_packets(rpm_
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(rpm_t)
corenet_udp_recv_netlabel(rpm_t)
+ corenet_raw_recv_netlabel(rpm_t)
')
dev_list_sysfs(rpm_t)
Index: refpolicy/policy/modules/apps/evolution.if
===================================================================
--- refpolicy.orig/policy/modules/apps/evolution.if
+++ refpolicy/policy/modules/apps/evolution.if
@@ -212,6 +212,7 @@ template(`evolution_per_role_template',`
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_evolution_t)
corenet_udp_recv_netlabel($1_evolution_t)
+ corenet_raw_recv_netlabel($1_evolution_t)
')
# not sure about this bind
corenet_udp_bind_all_nodes($1_evolution_t)
@@ -728,6 +729,7 @@ template(`evolution_per_role_template',`
corenet_sendrecv_http_cache_client_packets($1_evolution_webcal_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_evolution_webcal_t)
+ corenet_raw_recv_netlabel($1_evolution_webcal_t)
')
# Networking capability - connect to website and handle ics link
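Review bot: $1_evolution_webcal_t gets corenet_raw_recv_netlabel() although the surrounding rules describe an HTTP client ("connect to website and handle ics link", http cache client packets, TCP-only NetLabel receive); nothing in this context shows the domain being allowed a rawip_socket at all, so unless there is a create rule for it elsewhere the recvfrom permission can never be exercised. Please either point at the raw socket use that motivates it or drop this line, since the commit message says raw access is only given to "domains that require Raw IP support".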
Index: refpolicy/policy/modules/apps/gpg.if
===================================================================
--- refpolicy.orig/policy/modules/apps/gpg.if
+++ refpolicy/policy/modules/apps/gpg.if
@@ -178,6 +178,7 @@ template(`gpg_per_role_template',`
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_gpg_helper_t)
corenet_udp_recv_netlabel($1_gpg_helper_t)
+ corenet_raw_recv_netlabel($1_gpg_helper_t)
')
dev_read_urand($1_gpg_helper_t)
Index: refpolicy/policy/modules/apps/mozilla.if
===================================================================
--- refpolicy.orig/policy/modules/apps/mozilla.if
+++ refpolicy/policy/modules/apps/mozilla.if
@@ -144,6 +144,7 @@ template(`mozilla_per_role_template',`
corenet_sendrecv_generic_client_packets($1_mozilla_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_mozilla_t)
+ corenet_raw_recv_netlabel($1_mozilla_t)
')
# Should not need other ports
corenet_dontaudit_tcp_sendrecv_generic_port($1_mozilla_t)
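Review bot: same question as for the webcal domain: $1_mozilla_t has only corenet_tcp_recv_netlabel() in this block and the following comment says "Should not need other ports", so a raw IP receive permission looks out of place for a browser domain; if mozilla really opens a rawip_socket (ICMP for something?), name it in the commit message, otherwise leave this hunk out.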
Index: refpolicy/policy/modules/apps/vmware.te
===================================================================
--- refpolicy.orig/policy/modules/apps/vmware.te
+++ refpolicy/policy/modules/apps/vmware.te
@@ -61,6 +61,7 @@ corenet_sendrecv_all_server_packets(vmwa
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(vmware_host_t)
corenet_udp_recv_netlabel(vmware_host_t)
+ corenet_raw_recv_netlabel(vmware_host_t)
')
dev_read_sysfs(vmware_host_t)
Index: refpolicy/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1512,6 +1512,35 @@ interface(`corenet_dontaudit_udp_recv_ne
########################################
## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recv_netlabel',`
+ kernel_raw_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recv_netlabel',`
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+')
+
+########################################
+## <summary>
## Send generic client packets.
## </summary>
## <param name="domain">
Index: refpolicy/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/kernel.if
+++ refpolicy/policy/modules/kernel/kernel.if
@@ -2302,6 +2302,67 @@ interface(`kernel_dontaudit_udp_recvfrom
########################################
## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <desc>
+## <p>
+## Receive Raw IP packets from a NetLabel connection, NetLabel is an
+## explicit packet labeling framework which implements CIPSO and
+## similar protocols.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_raw_recv_netlabel() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_raw_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection. NetLabel is an explicit packet labeling framework
+## which implements CIPSO and similar protocols.
+## </p>
+## <p>
+## The corenetwork interface
+## corenet_dontaudit_raw_recv_netlabel() should
+## be used instead of this one.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
## Send and receive unlabeled packets.
## </summary>
## <desc>
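Review bot: the first <desc> paragraph of kernel_raw_recvfrom_unlabeled() runs two sentences together with a comma ("...from a NetLabel connection, NetLabel is an explicit packet labeling framework..."); the dontaudit variant just below uses a full stop there, so make the two match. It would also help readers to add one sentence to the <desc> explaining why an interface described as receiving NetLabel packets ends up as `allow $1 unlabeled_t:rawip_socket recvfrom;`, since the summary says "NetLabel" and the rule says "unlabeled_t" with nothing in between to connect them.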
Index: refpolicy/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy.orig/policy/modules/services/arpwatch.te
+++ refpolicy/policy/modules/services/arpwatch.te
@@ -60,6 +60,7 @@ corenet_udp_sendrecv_all_ports(arpwatch_
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(arpwatch_t)
corenet_udp_recv_netlabel(arpwatch_t)
+ corenet_raw_recv_netlabel(arpwatch_t)
')
dev_read_sysfs(arpwatch_t)
Index: refpolicy/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy.orig/policy/modules/services/bluetooth.te
+++ refpolicy/policy/modules/services/bluetooth.te
@@ -93,6 +93,7 @@ corenet_udp_sendrecv_all_ports(bluetooth
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(bluetooth_t)
corenet_udp_recv_netlabel(bluetooth_t)
+ corenet_raw_recv_netlabel(bluetooth_t)
')
dev_read_sysfs(bluetooth_t)
Index: refpolicy/policy/modules/services/cups.te
===================================================================
--- refpolicy.orig/policy/modules/services/cups.te
+++ refpolicy/policy/modules/services/cups.te
@@ -159,6 +159,7 @@ corenet_sendrecv_ipp_server_packets(cups
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(cupsd_t)
corenet_udp_recv_netlabel(cupsd_t)
+ corenet_raw_recv_netlabel(cupsd_t)
')
dev_rw_printer(cupsd_t)
@@ -603,6 +604,7 @@ corenet_receive_hplip_server_packets(hpl
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(hplip_t)
corenet_udp_recv_netlabel(hplip_t)
+ corenet_raw_recv_netlabel(hplip_t)
')
dev_read_sysfs(hplip_t)
Index: refpolicy/policy/modules/services/dictd.te
===================================================================
--- refpolicy.orig/policy/modules/services/dictd.te
+++ refpolicy/policy/modules/services/dictd.te
@@ -52,6 +52,7 @@ corenet_sendrecv_dict_server_packets(dic
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(dictd_t)
corenet_udp_recv_netlabel(dictd_t)
+ corenet_raw_recv_netlabel(dictd_t)
')
dev_read_sysfs(dictd_t)
Index: refpolicy/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy.orig/policy/modules/services/dnsmasq.te
+++ refpolicy/policy/modules/services/dnsmasq.te
@@ -61,6 +61,7 @@ corenet_sendrecv_dhcpd_server_packets(dn
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(dnsmasq_t)
corenet_udp_recv_netlabel(dnsmasq_t)
+ corenet_raw_recv_netlabel(dnsmasq_t)
')
dev_read_sysfs(dnsmasq_t)
Index: refpolicy/policy/modules/services/mailman.if
===================================================================
--- refpolicy.orig/policy/modules/services/mailman.if
+++ refpolicy/policy/modules/services/mailman.if
@@ -64,6 +64,7 @@ template(`mailman_domain_template', `
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(mailman_$1_t)
corenet_udp_recv_netlabel(mailman_$1_t)
+ corenet_raw_recv_netlabel(mailman_$1_t)
')
fs_getattr_xattr_fs(mailman_$1_t)
Index: refpolicy/policy/modules/services/nessus.te
===================================================================
--- refpolicy.orig/policy/modules/services/nessus.te
+++ refpolicy/policy/modules/services/nessus.te
@@ -74,6 +74,7 @@ corenet_sendrecv_nessus_server_packets(n
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(nessusd_t)
corenet_udp_recv_netlabel(nessusd_t)
+ corenet_raw_recv_netlabel(nessusd_t)
')
dev_read_sysfs(nessusd_t)
Index: refpolicy/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy.orig/policy/modules/services/networkmanager.te
+++ refpolicy/policy/modules/services/networkmanager.te
@@ -60,6 +60,7 @@ corenet_sendrecv_all_client_packets(Netw
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(NetworkManager_t)
corenet_udp_recv_netlabel(NetworkManager_t)
+ corenet_raw_recv_netlabel(NetworkManager_t)
')
dev_read_sysfs(NetworkManager_t)
Index: refpolicy/policy/modules/services/ntop.te
===================================================================
--- refpolicy.orig/policy/modules/services/ntop.te
+++ refpolicy/policy/modules/services/ntop.te
@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(ntop_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(ntop_t)
corenet_udp_recv_netlabel(ntop_t)
+ corenet_raw_recv_netlabel(ntop_t)
')
dev_read_sysfs(ntop_t)
Index: refpolicy/policy/modules/services/portmap.te
===================================================================
--- refpolicy.orig/policy/modules/services/portmap.te
+++ refpolicy/policy/modules/services/portmap.te
@@ -151,6 +151,7 @@ corenet_tcp_connect_all_ports(portmap_he
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(portmap_helper_t)
corenet_udp_recv_netlabel(portmap_helper_t)
+ corenet_raw_recv_netlabel(portmap_helper_t)
')
domain_dontaudit_use_interactive_fds(portmap_helper_t)
Index: refpolicy/policy/modules/services/ppp.te
===================================================================
--- refpolicy.orig/policy/modules/services/ppp.te
+++ refpolicy/policy/modules/services/ppp.te
@@ -122,6 +122,7 @@ corenet_udp_sendrecv_all_ports(pppd_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(pppd_t)
corenet_udp_recv_netlabel(pppd_t)
+ corenet_raw_recv_netlabel(pppd_t)
')
# Access /dev/ppp.
corenet_rw_ppp_dev(pppd_t)
@@ -276,6 +277,7 @@ corenet_tcp_connect_all_reserved_ports(p
corenet_sendrecv_generic_client_packets(pptp_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(pptp_t)
+ corenet_raw_recv_netlabel(pptp_t)
')
fs_getattr_all_fs(pptp_t)
Index: refpolicy/policy/modules/services/radvd.te
===================================================================
--- refpolicy.orig/policy/modules/services/radvd.te
+++ refpolicy/policy/modules/services/radvd.te
@@ -50,6 +50,7 @@ corenet_udp_sendrecv_all_ports(radvd_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(radvd_t)
corenet_udp_recv_netlabel(radvd_t)
+ corenet_raw_recv_netlabel(radvd_t)
')
dev_read_sysfs(radvd_t)
Index: refpolicy/policy/modules/services/razor.if
===================================================================
--- refpolicy.orig/policy/modules/services/razor.if
+++ refpolicy/policy/modules/services/razor.if
@@ -72,6 +72,7 @@ template(`razor_common_domain_template',
corenet_tcp_sendrecv_razor_port($1_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_t)
+ corenet_raw_recv_netlabel($1_t)
')
# mktemp and other randoms
Index: refpolicy/policy/modules/services/razor.te
===================================================================
--- refpolicy.orig/policy/modules/services/razor.te
+++ refpolicy/policy/modules/services/razor.te
@@ -50,6 +50,7 @@ corenet_tcp_connect_razor_port(razor_t)
corenet_sendrecv_razor_client_packets(razor_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(razor_t)
+ corenet_raw_recv_netlabel(razor_t)
')
sysnet_read_config(razor_t)
Index: refpolicy/policy/modules/services/rdisc.te
===================================================================
--- refpolicy.orig/policy/modules/services/rdisc.te
+++ refpolicy/policy/modules/services/rdisc.te
@@ -34,6 +34,7 @@ corenet_raw_sendrecv_all_nodes(rdisc_t)
corenet_udp_sendrecv_all_ports(rdisc_t)
ifdef(`enable_mls',`
corenet_udp_recv_netlabel(rdisc_t)
+ corenet_raw_recv_netlabel(rdisc_t)
')
dev_read_sysfs(rdisc_t)
Index: refpolicy/policy/modules/services/roundup.te
===================================================================
--- refpolicy.orig/policy/modules/services/roundup.te
+++ refpolicy/policy/modules/services/roundup.te
@@ -60,6 +60,7 @@ corenet_sendrecv_smtp_client_packets(rou
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(roundup_t)
corenet_udp_recv_netlabel(roundup_t)
+ corenet_raw_recv_netlabel(roundup_t)
')
# /usr/share/mysql/charsets/Index.xml
Index: refpolicy/policy/modules/services/samba.te
===================================================================
--- refpolicy.orig/policy/modules/services/samba.te
+++ refpolicy/policy/modules/services/samba.te
@@ -126,6 +126,7 @@ corenet_tcp_connect_smbd_port(samba_net_
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(samba_net_t)
corenet_udp_recv_netlabel(samba_net_t)
+ corenet_raw_recv_netlabel(samba_net_t)
')
dev_read_urand(samba_net_t)
@@ -240,6 +241,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(smbd_t)
corenet_udp_recv_netlabel(smbd_t)
+ corenet_raw_recv_netlabel(smbd_t)
')
dev_read_sysfs(smbd_t)
@@ -477,6 +479,7 @@ corenet_tcp_connect_all_ports(smbmount_t
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(smbmount_t)
corenet_udp_recv_netlabel(smbmount_t)
+ corenet_raw_recv_netlabel(smbmount_t)
')
fs_getattr_cifs(smbmount_t)
@@ -585,6 +588,7 @@ corenet_sendrecv_ipp_client_packets(swat
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(swat_t)
corenet_udp_recv_netlabel(swat_t)
+ corenet_raw_recv_netlabel(swat_t)
')
dev_read_urand(swat_t)
@@ -685,6 +689,7 @@ corenet_tcp_connect_smbd_port(winbind_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(winbind_t)
corenet_udp_recv_netlabel(winbind_t)
+ corenet_raw_recv_netlabel(winbind_t)
')
dev_read_sysfs(winbind_t)
Index: refpolicy/policy/modules/services/snort.te
===================================================================
--- refpolicy.orig/policy/modules/services/snort.te
+++ refpolicy/policy/modules/services/snort.te
@@ -67,6 +67,7 @@ corenet_udp_sendrecv_all_ports(snort_t)
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(snort_t)
corenet_udp_recv_netlabel(snort_t)
+ corenet_raw_recv_netlabel(snort_t)
')
dev_read_sysfs(snort_t)
Index: refpolicy/policy/modules/services/ssh.if
===================================================================
--- refpolicy.orig/policy/modules/services/ssh.if
+++ refpolicy/policy/modules/services/ssh.if
@@ -489,6 +489,7 @@ template(`ssh_server_template', `
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel($1_t)
corenet_udp_recv_netlabel($1_t)
+ corenet_raw_recv_netlabel($1_t)
')
fs_dontaudit_getattr_all_fs($1_t)
Index: refpolicy/policy/modules/services/zebra.te
===================================================================
--- refpolicy.orig/policy/modules/services/zebra.te
+++ refpolicy/policy/modules/services/zebra.te
@@ -79,6 +79,7 @@ corenet_sendrecv_router_server_packets(z
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(zebra_t)
corenet_udp_recv_netlabel(zebra_t)
+ corenet_raw_recv_netlabel(zebra_t)
')
dev_associate_usbfs(zebra_var_run_t)
Index: refpolicy/policy/modules/system/lvm.te
===================================================================
--- refpolicy.orig/policy/modules/system/lvm.te
+++ refpolicy/policy/modules/system/lvm.te
@@ -83,6 +83,7 @@ corenet_sendrecv_generic_server_packets(
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(clvmd_t)
corenet_udp_recv_netlabel(clvmd_t)
+ corenet_raw_recv_netlabel(clvmd_t)
')
Index: refpolicy/policy/modules/system/mount.te
===================================================================
--- refpolicy.orig/policy/modules/system/mount.te
+++ refpolicy/policy/modules/system/mount.te
@@ -154,6 +154,7 @@ optional_policy(`
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(mount_t)
corenet_udp_recv_netlabel(mount_t)
+ corenet_raw_recv_netlabel(mount_t)
')
fs_search_rpc(mount_t)
--
paul moore
linux security @ hp
* [PATCH 3/4] Policy patches to add a MLS socket write-to-clearance interface
2006-12-14 19:24 [PATCH 0/4] NetLabel and MLS fixes for Reference Policy paul.moore
2006-12-14 19:24 ` [PATCH 1/4] Policy patches to add NetLabel to support to various domains paul.moore
2006-12-14 19:24 ` [PATCH 2/4] Policy patches to add NetLabel support for Raw IP sockets paul.moore
@ 2006-12-14 19:24 ` paul.moore
2006-12-14 19:24 ` [PATCH 4/4] Policy patches to add MLS read/write-to-clearance access to inetd_t paul.moore
2006-12-20 16:13 ` [PATCH 0/4] NetLabel and MLS fixes for Reference Policy Paul Moore
From: paul.moore @ 2006-12-14 19:24 UTC (permalink / raw)
To: selinux; +Cc: cpebenito, Paul Moore
From: Paul Moore <paul.moore@hp.com>
This adds a mls_socket_write_to_clearance() interface which is similar in
fashion to the mls_socket_read_to_clearance() interface.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+)
Index: refpolicy/policy/modules/kernel/mls.if
===================================================================
--- refpolicy.orig/policy/modules/kernel/mls.if
+++ refpolicy/policy/modules/kernel/mls.if
@@ -154,6 +154,26 @@ interface(`mls_socket_read_to_clearance'
########################################
## <summary>
## Make specified domain MLS trusted
+## for writing to sockets at any level
+## that is dominated by the process clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_socket_write_to_clearance',`
+ gen_require(`
+ attribute mlsnetwritetoclr;
+ ')
+
+ typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
## for writing to sockets at any level.
## </summary>
## <param name="domain">
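Review bot: the gen_require on `attribute mlsnetwritetoclr;` needs that attribute to be declared in mls.te and used by the MLS socket write constraints, but the diffstat shows only policy/modules/kernel/mls.if changing; if the attribute is not already declared, any module calling mls_socket_write_to_clearance() fails to build on the gen_require, and if it is declared but not referenced by a constraint the typeattribute grants nothing. Suggest stating in the commit message where mlsnetwritetoclr is declared and constrained, mirroring what exists for mlsnetreadtoclr, so the interface can be reviewed against the constraint it relies on.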
--
paul moore
linux security @ hp
* [PATCH 4/4] Policy patches to add MLS read/write-to-clearance access to inetd_t
From: paul.moore @ 2006-12-14 19:24 UTC (permalink / raw)
To: selinux; +Cc: cpebenito
From: Paul Moore <paul.moore@hp.com>
There is a strong desire in the MLS/LSPP space to use xinetd and labeled
networking to start child daemons with the MLS label of the incoming
connection. This patch gives the inetd_t domain the ability to read and write
to sockets with MLS labels up to and including its clearance MLS label.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
policy/modules/services/inetd.te | 3 +++
1 files changed, 3 insertions(+)
Index: refpolicy/policy/modules/services/inetd.te
===================================================================
--- refpolicy.orig/policy/modules/services/inetd.te
+++ refpolicy/policy/modules/services/inetd.te
@@ -71,6 +71,9 @@ corenet_sendrecv_all_client_packets(inet
ifdef(`enable_mls',`
corenet_tcp_recv_netlabel(inetd_t)
corenet_udp_recv_netlabel(inetd_t)
+
+ mls_socket_read_to_clearance(inetd_t)
+ mls_socket_write_to_clearance(inetd_t)
')
# listen on service ports:
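Review bot: mls_socket_write_to_clearance() is only introduced by patch 3/4 of this series, so this hunk must be applied after it or inetd.te fails to build with an undefined interface; worth calling out the ordering in the commit message. Also, the stated goal is to start child daemons at the incoming connection's level, which needs inetd_t to accept and read the connection socket; granting write at every level dominated by inetd_t's clearance is broader than that, so suggest either justifying the write side in the commit message (for example inetd_t itself answering the client) or holding it back until a concrete need is shown.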
--
paul moore
linux security @ hp
* Re: [PATCH 0/4] NetLabel and MLS fixes for Reference Policy
From: Paul Moore @ 2006-12-20 16:13 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
paul.moore@hp.com wrote:
> This patchset addresses a few problems with the reference policy in SVN.
Go ahead and ignore this patchset for now. I've been working on some related
issues with policy and I will push out a new patchset when I have those issues
fixed.
--
paul moore
linux security @ hp