author | Jason Zaman <jason@perfinion.com> | 2019-03-25 18:03:18 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2019-03-25 18:05:25 +0800 |
commit | 0d797afccb4ad5dd993c25bf217303343127901d (patch) | |
tree | e4c00769ae0ead9e33ebbb4eb0fe14ba4a922c96 /policy | |
parent | Merge upstream (diff) | |
corenetwork: regenerate for query scripts
Signed-off-by: Jason Zaman <jason@perfinion.com>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/corenetwork.if | 646 | ||||
-rw-r--r-- | policy/modules/kernel/corenetwork.te | 26 |
2 files changed, 556 insertions, 116 deletions
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if index d7473484..e6fbf90f 100644 --- a/policy/modules/kernel/corenetwork.if +++ b/policy/modules/kernel/corenetwork.if @@ -217,6 +217,60 @@ interface(`corenet_spd_type',` ######################################## ## <summary> +## Define type to be an infiniband pkey type +## </summary> +## <desc> +## <p> +## Define type to be an infiniband pkey type +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for infiniband pkeys. +## </summary> +## </param> +# +interface(`corenet_ib_pkey',` + gen_require(` + attribute ibpkey_type; + ') + + typeattribute $1 ibpkey_type; +') + +######################################## +## <summary> +## Define type to be an infiniband endport +## </summary> +## <desc> +## <p> +## Define type to be an infiniband endport +## </p> +## <p> +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## </p> +## </desc> +## <param name="domain"> +## <summary> +## Type to be used for infiniband endports. +## </summary> +## </param> +# +interface(`corenet_ib_endport',` + gen_require(` + attribute ibendport_type; + ') + + typeattribute $1 ibendport_type; +') + +######################################## +## <summary> ## Send and receive TCP network traffic on generic interfaces. ## </summary> ## <desc> 
@@ -586,6 +640,24 @@ interface(`corenet_raw_send_all_if',` ######################################## ## <summary> +## Send and receive SCTP network traffic on generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_sendrecv_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { sendto recvfrom }; +') + +######################################## +## <summary> ## Receive raw IP packets on all interfaces. ## </summary> ## <param name="domain"> @@ -793,6 +865,24 @@ interface(`corenet_raw_sendrecv_generic_node',` ######################################## ## <summary> +## Bind SCTP sockets to generic nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:sctp_socket node_bind; +') + +######################################## +## <summary> ## Bind TCP sockets to generic nodes. ## </summary> ## <desc> @@ -987,6 +1077,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` ######################################## ## <summary> +## Send and receive SCTP network traffic on all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_sendrecv_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { sendto recvfrom }; +') + +######################################## +## <summary> ## Receive UDP network traffic on all nodes. ## </summary> ## <param name="domain"> 
@@ -1179,6 +1287,25 @@ interface(`corenet_tcp_sendrecv_generic_port',` ######################################## ## <summary> +## Bind SCTP sockets to all nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:sctp_socket node_bind; +') + + +######################################## +## <summary> ## Do not audit send and receive TCP network traffic on generic ports. ## </summary> ## <param name="domain"> @@ -1386,6 +1513,26 @@ interface(`corenet_udp_send_all_ports',` ######################################## ## <summary> +## Bind SCTP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 defined_port_type:sctp_socket name_bind; +') + +######################################## +## <summary> ## Receive UDP network traffic on all ports. ## </summary> ## <param name="domain"> @@ -1443,6 +1590,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## ## <summary> +## Do not audit attempts to bind SCTP +## sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_sctp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + ') + + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; +') + +######################################## +## <summary> ## Bind TCP sockets to all ports. ## </summary> ## <param name="domain"> 
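Review bot: `corenet_sctp_bind_all_nodes` is followed by two added blank lines before the `########` separator, while every other interface added in this diff (for example `corenet_sctp_sendrecv_all_nodes` in the previous hunk) is followed by one. Drop the extra blank line; since this file is generated, the fix belongs in the template it is produced from, otherwise the next regeneration will reintroduce it.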
@@ -1499,6 +1665,24 @@ interface(`corenet_udp_bind_all_ports',` ######################################## ## <summary> +## Connect SCTP sockets to generic ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_connect_generic_port',` + gen_require(` + type port_t, unreserved_port_t,ephemeral_port_t; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; +') + +######################################## +## <summary> ## Do not audit attepts to bind UDP sockets to any ports. ## </summary> ## <param name="domain"> @@ -1670,6 +1854,25 @@ interface(`corenet_tcp_bind_reserved_port',` ######################################## ## <summary> +## Bind SCTP sockets to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:sctp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> ## Bind UDP sockets to generic reserved ports. ## </summary> ## <param name="domain"> @@ -1707,6 +1910,24 @@ interface(`corenet_tcp_connect_reserved_port',` ######################################## ## <summary> +## Do not audit attempts to bind SCTP sockets to any ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_sctp_bind_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:sctp_socket name_bind; +') + +######################################## +## <summary> ## Send and receive TCP network traffic on all reserved ports. ## </summary> ## <param name="domain"> 
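Review bot: The `gen_require` block of `corenet_sctp_connect_generic_port` reads `type port_t, unreserved_port_t,ephemeral_port_t;`, missing the space after the second comma that `corenet_sctp_bind_generic_port` and `corenet_dontaudit_sctp_bind_generic_port` in the earlier hunks use; write `type port_t, unreserved_port_t, ephemeral_port_t;`. It is harmless to the policy compiler but makes the three sibling interfaces diverge for no reason, and as the file is generated the correction should go into its template.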
@@ -1776,6 +1997,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ######################################## ## <summary> +## Connect SCTP sockets to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + allow $1 port_type:sctp_socket name_connect; +') + +######################################## +## <summary> ## Bind TCP sockets to all reserved ports. ## </summary> ## <param name="domain"> @@ -1850,6 +2089,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` ######################################## ## <summary> +## Do not audit attempts to connect SCTP sockets +## to all ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_sctp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + + dontaudit $1 port_type:sctp_socket name_connect; +') + +######################################## +## <summary> ## Bind TCP sockets to all ports > 1024. ## </summary> ## <param name="domain"> @@ -1904,6 +2162,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` ######################################## ## <summary> +## Connect SCTP sockets to all ports > 1024. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_connect_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:sctp_socket name_connect; +') + +######################################## +## <summary> ## Do not audit connect attempts to TCP sockets on ## ports greater than 1024. ## </summary> 
@@ -1997,6 +2273,63 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ######################################## ## <summary> +## Bind SCTP sockets to generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_bind_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:sctp_socket name_bind; + allow $1 self:capability net_bind_service; +') + +######################################## +## <summary> +## Read the TUN/TAP virtual network device. +## </summary> +## <param name="domain"> +## <summary> +## The domain read allowed access. +## </summary> +## </param> +# +interface(`corenet_read_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file read_chr_file_perms; +') + +######################################## +## <summary> +## Write the TUN/TAP virtual network device. +## </summary> +## <param name="domain"> +## <summary> +## The domain allowed write access. +## </summary> +## </param> +# +interface(`corenet_write_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file write_chr_file_perms; +') + +######################################## +## <summary> ## Read and write the TUN/TAP virtual network device. ## </summary> ## <param name="domain"> 
@@ -2016,6 +2349,24 @@ interface(`corenet_rw_tun_tap_dev',` ######################################## ## <summary> +## Connect SCTP sockets to generic reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_connect_reserved_port',` + gen_require(` + type reserved_port_t; + ') + + allow $1 reserved_port_t:sctp_socket name_connect; +') + +######################################## +## <summary> ## Do not audit attempts to read or write the TUN/TAP ## virtual network device. ## </summary> 
@@ -2146,73 +2497,21 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',` ######################################## ## <summary> -## Send and receive messages on a -## non-encrypted (no IPSEC) network -## session. +## Bind SCTP sockets to all reserved ports. ## </summary> -## <desc> -## <p> -## Send and receive messages on a -## non-encrypted (no IPSEC) network -## session. (Deprecated) -## </p> -## <p> -## The corenet_all_recvfrom_unlabeled() interface should be used instead -## of this one. -## </p> -## </desc> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # -interface(`corenet_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.') - corenet_all_recvfrom_unlabeled($1) -') - -######################################## -## <summary> -## Do not audit attempts to send and receive -## messages on a non-encrypted (no IPSEC) network -## session. -## </summary> -## <desc> -## <p> -## Do not audit attempts to send and receive -## messages on a non-encrypted (no IPSEC) network -## session. -## </p> -## <p> -## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be -## used instead of this one. -## </p> -## </desc> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_non_ipsec_sendrecv',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.') - corenet_dontaudit_all_recvfrom_unlabeled($1) -') +interface(`corenet_sctp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') -######################################## -## <summary> -## Receive TCP packets from a NetLabel connection. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. 
-## </summary> -## </param> -# -interface(`corenet_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.') - corenet_tcp_recvfrom_netlabel($1) + allow $1 reserved_port_type:sctp_socket name_bind; + allow $1 self:capability net_bind_service; ') ######################################## @@ -2256,8 +2555,7 @@ interface(`corenet_tcp_recvfrom_unlabeled',` ######################################## ## <summary> -## Do not audit attempts to receive TCP packets from a NetLabel -## connection. +## Do not audit attempts to bind SCTP sockets to all reserved ports. ## </summary> ## <param name="domain"> ## <summary> @@ -2265,9 +2563,12 @@ interface(`corenet_tcp_recvfrom_unlabeled',` ## </summary> ## </param> # -interface(`corenet_dontaudit_tcp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.') - corenet_dontaudit_tcp_recvfrom_netlabel($1) +interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:sctp_socket name_bind; ') ######################################## @@ -2321,21 +2622,6 @@ interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',` ## </summary> ## </param> # -interface(`corenet_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.') - corenet_udp_recvfrom_netlabel($1) -') - -######################################## -## <summary> -## Receive UDP packets from a NetLabel connection. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# interface(`corenet_udp_recvfrom_netlabel',` gen_require(` type netlabel_peer_t; 
@@ -2367,18 +2653,20 @@ interface(`corenet_udp_recvfrom_unlabeled',` ######################################## ## <summary> -## Do not audit attempts to receive UDP packets from a NetLabel -## connection. +## Bind SCTP sockets to all ports > 1024. ## </summary> ## <param name="domain"> ## <summary> -## Domain to not audit. +## Domain allowed access. ## </summary> ## </param> # -interface(`corenet_dontaudit_udp_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.') - corenet_dontaudit_udp_recvfrom_netlabel($1) +interface(`corenet_sctp_bind_all_unreserved_ports',` + gen_require(` + attribute unreserved_port_type; + ') + + allow $1 unreserved_port_type:sctp_socket name_bind; ') ######################################## @@ -2432,21 +2720,6 @@ interface(`corenet_dontaudit_udp_recvfrom_unlabeled',` ## </summary> ## </param> # -interface(`corenet_raw_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.') - corenet_raw_recvfrom_netlabel($1) -') - -######################################## -## <summary> -## Receive Raw IP packets from a NetLabel connection. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# interface(`corenet_raw_recvfrom_netlabel',` gen_require(` type netlabel_peer_t; 
@@ -2487,29 +2760,31 @@ interface(`corenet_raw_recvfrom_unlabeled',` ## </summary> ## </param> # -interface(`corenet_dontaudit_raw_recv_netlabel',` - refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.') - corenet_dontaudit_raw_recvfrom_netlabel($1) +interface(`corenet_dontaudit_raw_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + dontaudit $1 netlabel_peer_t:peer recv; + dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; ') ######################################## ## <summary> -## Do not audit attempts to receive Raw IP packets from a NetLabel -## connection. +## Connect SCTP sockets to reserved ports. ## </summary> ## <param name="domain"> ## <summary> -## Domain to not audit. +## Domain allowed access. ## </summary> ## </param> # -interface(`corenet_dontaudit_raw_recvfrom_netlabel',` +interface(`corenet_sctp_connect_all_reserved_ports',` gen_require(` - type netlabel_peer_t; + attribute reserved_port_type; ') - dontaudit $1 netlabel_peer_t:peer recv; - dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; + allow $1 reserved_port_type:sctp_socket name_connect; ') ######################################## @@ -2621,6 +2896,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',` ######################################## ## <summary> +## Do not audit attempts to connect SCTP sockets +## all reserved ports. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + + dontaudit $1 reserved_port_type:sctp_socket name_connect; +') + +######################################## +## <summary> ## Do not audit attempts to receive packets from a NetLabel ## connection. ## </summary> 
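Review bot: The summary of `corenet_dontaudit_sctp_connect_all_reserved_ports` reads `Do not audit attempts to connect SCTP sockets all reserved ports.`, dropping the preposition; it should read `## Do not audit attempts to connect SCTP sockets to all reserved ports.`. The `corenet_sctp_connect_all_reserved_ports` interface in the same hunk also has a summary (`Connect SCTP sockets to reserved ports.`) that omits the "all" every other `*_all_reserved_ports` interface states, which matters because the generated documentation is what policy writers read when choosing between the generic and the all-ports variants. Both wordings come from the template this file is regenerated from, so fix them there.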
@@ -2750,6 +3044,7 @@ interface(`corenet_raw_recvfrom_labeled',` ## </param> # interface(`corenet_all_recvfrom_labeled',` + corenet_sctp_recvfrom_labeled($1, $2) corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) @@ -3022,6 +3317,24 @@ interface(`corenet_send_all_server_packets',` ######################################## ## <summary> +## Receive SCTP packets from a NetLabel connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_recvfrom_netlabel',` + gen_require(` + type netlabel_peer_t; + ') + + allow $1 netlabel_peer_t:peer recv; +') + +######################################## +## <summary> ## Receive all server packets. ## </summary> ## <param name="domain"> @@ -3073,6 +3386,27 @@ interface(`corenet_relabelto_all_server_packets',` ######################################## ## <summary> +## Receive SCTP packets from an unlabled connection. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_sctp_recvfrom_unlabeled',` + gen_require(` + attribute corenet_unlabeled_type; + ') + + kernel_recvfrom_unlabeled_peer($1) + + typeattribute $1 corenet_unlabeled_type; + kernel_sendrecv_unlabeled_association($1) +') + +######################################## +## <summary> ## Send all packets. ## </summary> ## <param name="domain"> 
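Review bot: `corenet_all_recvfrom_labeled` now calls `corenet_sctp_recvfrom_labeled($1, $2)`, but no hunk in this diff touches `corenet_all_recvfrom_unlabeled` or `corenet_dontaudit_all_recvfrom_unlabeled` (the latter only appears as hunk context in the `@@ -2621` hunk), so a domain using the `all_*` wrappers receives labeled SCTP access without the matching unlabeled grant that `corenet_sctp_recvfrom_unlabeled` later in this file provides. If the wrappers are meant to cover every transport, add `corenet_sctp_recvfrom_unlabeled($1)` to `corenet_all_recvfrom_unlabeled`; if the asymmetry is intended, a comment in that wrapper saying so would stop the next reader from "fixing" it. No dontaudit counterparts of the new SCTP netlabel/unlabeled interfaces appear in the diff either, unlike the raw/udp families whose dontaudit variants are visible in the surrounding hunks. The body of `corenet_all_recvfrom_labeled` continues outside the hunk.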
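Review bot: The summary of `corenet_sctp_recvfrom_unlabeled` in the `@@ -3073` hunk misspells "unlabeled" as `unlabled`; it should read `## Receive SCTP packets from an unlabled connection.` corrected to `## Receive SCTP packets from an unlabeled connection.`. The body also calls `kernel_sendrecv_unlabeled_association($1)` inside what is documented as a receive-only interface, with nothing in the hunk saying why a send-side association grant is required; a one-line comment above that call, hedged if the reason is historical (for example `# association sendto/recvfrom is still checked for unlabeled peers -- confirm against the kernel module before removing`), would keep a later cleanup from silently breaking unlabeled SCTP traffic.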
@@ -3142,6 +3476,98 @@ interface(`corenet_relabelto_all_packets',` ######################################## ## <summary> +## Access unlabeled infiniband pkeys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_ib_access_unlabeled_pkeys',` + kernel_ib_access_unlabeled_pkeys($1) +') + +######################################## +## <summary> +## Access all labeled infiniband pkeys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_ib_access_all_pkeys',` + gen_require(` + attribute ibpkey_type; + ') + + allow $1 ibpkey_type:infiniband_pkey access; +') + +######################################## +## <summary> +## Manage subnets on all labeled Infiniband endports +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_ib_manage_subnet_all_endports',` + gen_require(` + attribute ibendport_type; + ') + + allow $1 ibendport_type:infiniband_endport manage_subnet; +') + +######################################## +## <summary> +## Manage subnet on all unlabeled Infiniband endports +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`corenet_ib_manage_subnet_unlabeled_endports',` + kernel_ib_manage_subnet_unlabeled_endports($1) +') + +######################################## +## <summary> +## Rules for receiving labeled SCTP packets. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="peer_domain"> +## <summary> +## Peer domain. 
+## </summary> +## </param> +# +interface(`corenet_sctp_recvfrom_labeled',` + allow { $1 $2 } self:association sendto; + allow $1 $2:association recvfrom; + allow $2 $1:association recvfrom; + + allow $1 $2:peer recv; + allow $2 $1:peer recv; + + # allow receiving packets from MLS-only peers using NetLabel + corenet_sctp_recvfrom_netlabel($1) + corenet_sctp_recvfrom_netlabel($2) +') + +######################################## +## <summary> ## Unconfined access to network objects. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te index a7eb9045..707933c9 100644 --- a/policy/modules/kernel/corenetwork.te +++ b/policy/modules/kernel/corenetwork.te @@ -2,7 +2,7 @@ # This is a generated file! Instead of modifying this file, the # corenetwork.te.in or corenetwork.te.m4 file should be modified. # -policy_module(corenetwork, 1.23.3) +policy_module(corenetwork, 1.25.1) ######################################## # @@ -20,6 +20,8 @@ attribute port_type; attribute reserved_port_type; attribute rpc_port_type; attribute server_packet_type; +attribute ibpkey_type; +attribute ibendport_type; # This is an optimization for { port_type -reserved_port_type } attribute unreserved_port_type; @@ -471,8 +473,10 @@ type dns_port_t, port_type, defined_port_type; type dns_client_packet_t, packet_type, client_packet_type; type dns_server_packet_t, packet_type, server_packet_type; typeattribute dns_port_t reserved_port_type; +typeattribute dns_port_t rpc_port_type; portcon tcp 53 gen_context(system_u:object_r:dns_port_t,s0) portcon udp 53 gen_context(system_u:object_r:dns_port_t,s0) +portcon tcp 853 gen_context(system_u:object_r:dns_port_t,s0) type dropbox_port_t, port_type, defined_port_type; 
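Review bot: In the corenetwork.te `@@ -471,8 +473,10 @@` hunk, `typeattribute dns_port_t rpc_port_type;` is added alongside `portcon tcp 853 gen_context(system_u:object_r:dns_port_t,s0)`, which, this being a regenerated file, looks like the generator tagging the whole type because 853 falls in the 512-1023 range this file maps to `hi_reserved_port_t` and presumably treats as the RPC range. The consequence is that every domain granted `corenet_*_all_rpc_ports` access can now bind to or connect to port 53 as well as 853, a wider grant than adding DNS-over-TLS needs, and one that auditing the `rpc_port_type` attribute will not obviously reveal. If that is unintended, the template should keep 853 out of the RPC-range classification or give it its own port type; if it is accepted, a comment such as `# 853 (DNS over TLS) pulls dns_port_t into rpc_port_type; port 53 is reachable via the *_all_rpc_ports interfaces as a result` next to the typeattribute line would record the decision.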
@@ -1969,9 +1973,12 @@ portcon tcp 8021 gen_context(system_u:object_r:zope_port_t,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
@@ -2023,12 +2030,19 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 # Unconfined access to this module
 #
 
-allow corenet_unconfined_type node_type:node *;
-allow corenet_unconfined_type netif_type:netif *;
-allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto };
+allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
+allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
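Review bot: The three `allow corenet_unconfined_type ...` lines for `node`, `netif` and `packet` replace `*` with enumerated permission sets, but the hunk carries no comment saying why, so a later maintainer is likely to collapse them back to the wildcard in the name of simplicity. Presumably the point is that permissions added to these classes in future access-vector definitions should not be granted to unconfined domains implicitly; if so, a comment such as `# Enumerated deliberately rather than *: new node/netif/packet permissions must be granted here explicitly.` above the first line would preserve that intent. Note also that the `node` set mirrors the new SCTP interfaces by relying on `recvfrom sendto` rather than protocol-specific permissions, which is worth a word in the same comment so the two do not drift apart.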