On Tuesday 12 February 2008 9:39:59 am Christopher J. PeBenito wrote:
> On Fri, 2008-02-08 at 16:25 -0500, paul.moore@xxxxxx wrote:
> > plain text document attachment (refpol-peer_perms)
> > The 2.6.25 kernel will introduce a new set of labeled networking controls
> > to SELinux and this patch makes the necessary changes to the Reference
> > Policy to support unlabeled network traffic with the new controls.
>
> The corenetwork part is missing changes in the corenetwork.if.m4 file.
> That's where the interfaces generated by a network_(node|interface)() are
> generated.

Okay, I'll look into fixing that part up.

> I'm not so sure about the kernel interface changes. The docs probably
> should be revised, it's more about using sockets whose types have been
> invalidated. It doesn't have anything to do with unlabeled networking.

Hmmm, okay. Do you have a suggestion for how to add these new allow rules? A new interface? I would need to go check again, but these seemed to be the most logical of the existing interfaces when I made the change (and I suspect not much has changed in this area).

> > A description of the new/improved labeled networking controls was posted
> > to the SELinux list back in early January 2008.
> >
> > * http://marc.info/?l=selinux&m=119991234501200&w=2
> >
> > --- > > policy/modules/kernel/corenetwork.if.in | 24 ++++++++++++------------ > > policy/modules/kernel/kernel.if | 6 ++++++ > > policy/modules/kernel/kernel.te | 3 +++ > > 3 files changed, 21 insertions(+), 12 deletions(-) > > > > Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in > > +++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
> > @@ -154,7 +154,7 @@ interface(`corenet_tcp_sendrecv_generic_ > > type netif_t; > > ') > > > > - allow $1 netif_t:netif { tcp_send tcp_recv }; > > + allow $1 netif_t:netif { tcp_send tcp_recv egress ingress }; > > ') > > > > ######################################## > > @@ -172,7 +172,7 @@ interface(`corenet_udp_send_generic_if', > > type netif_t; > > ') > > > > - allow $1 netif_t:netif udp_send; > > + allow $1 netif_t:netif { udp_send egress }; > > ') > > > > ######################################## > > @@ -191,7 +191,7 @@ interface(`corenet_dontaudit_udp_send_ge > > type netif_t; > > ') > > > > - dontaudit $1 netif_t:netif udp_send; > > + dontaudit $1 netif_t:netif { udp_send egress }; > > ') > > > > ######################################## > > @@ -209,7 +209,7 @@ interface(`corenet_udp_receive_generic_i > > type netif_t; > > ') > > > > - allow $1 netif_t:netif udp_recv; > > + allow $1 netif_t:netif { udp_recv ingress }; > > ') > > > > ######################################## > > @@ -228,7 +228,7 @@ interface(`corenet_dontaudit_udp_receive > > type netif_t; > > ') > > > > - dontaudit $1 netif_t:netif udp_recv; > > + dontaudit $1 netif_t:netif { udp_recv ingress }; > > ') > > > > ######################################## > > @@ -277,7 +277,7 @@ interface(`corenet_raw_send_generic_if', > > type netif_t; > > ') > > > > - allow $1 netif_t:netif rawip_send; > > + allow $1 netif_t:netif { rawip_send egress }; > > ') > > > > ######################################## > > @@ -295,7 +295,7 @@ interface(`corenet_raw_receive_generic_i > > type netif_t; > > ') > > > > - allow $1 netif_t:netif rawip_recv; > > + allow $1 netif_t:netif { rawip_recv ingress }; > > ') > > > > ######################################## > > @@ -448,7 +448,7 @@ interface(`corenet_tcp_sendrecv_generic_ > > type node_t; > > ') > > > > - allow $1 node_t:node { tcp_send tcp_recv }; > > + allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom }; > > ') > > > > ######################################## 
> > @@ -466,7 +466,7 @@ interface(`corenet_udp_send_generic_node > > type node_t; > > ') > > > > - allow $1 node_t:node udp_send; > > + allow $1 node_t:node { udp_send sendto }; > > ') > > > > ######################################## > > @@ -484,7 +484,7 @@ interface(`corenet_udp_receive_generic_n > > type node_t; > > ') > > > > - allow $1 node_t:node udp_recv; > > + allow $1 node_t:node { udp_recv recvfrom }; > > ') > > > > ######################################## > > @@ -517,7 +517,7 @@ interface(`corenet_raw_send_generic_node > > type node_t; > > ') > > > > - allow $1 node_t:node rawip_send; > > + allow $1 node_t:node { rawip_send sendto }; > > ') > > > > ######################################## > > @@ -535,7 +535,7 @@ interface(`corenet_raw_receive_generic_n > > type node_t; > > ') > > > > - allow $1 node_t:node rawip_recv; > > + allow $1 node_t:node { rawip_recv recvfrom }; > > ') > > > > ######################################## > > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if > > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.if > > @@ -2314,6 +2314,7 @@ interface(`kernel_tcp_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:tcp_socket recvfrom; > > ') > > > > @@ -2343,6 +2344,7 @@ interface(`kernel_dontaudit_tcp_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:tcp_socket recvfrom; > > ') > > > > @@ -2370,6 +2372,7 @@ interface(`kernel_udp_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:udp_socket recvfrom; > > ') > > > > @@ -2399,6 +2402,7 @@ interface(`kernel_dontaudit_udp_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:udp_socket recvfrom; > > ') 
> > > > @@ -2426,6 +2430,7 @@ interface(`kernel_raw_recvfrom_unlabeled > > type unlabeled_t; > > ') > > > > + allow $1 unlabeled_t:peer recv; > > allow $1 unlabeled_t:rawip_socket recvfrom; > > ') > > > > @@ -2455,6 +2460,7 @@ interface(`kernel_dontaudit_raw_recvfrom > > type unlabeled_t; > > ') > > > > + dontaudit $1 unlabeled_t:peer recv; > > dontaudit $1 unlabeled_t:rawip_socket recvfrom; > > ') > > > > Index: refpolicy_svn_repo/policy/modules/kernel/kernel.te > > =================================================================== > > --- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.te > > +++ refpolicy_svn_repo/policy/modules/kernel/kernel.te > > @@ -212,6 +212,9 @@ allow kernel_t unlabeled_t:dir mounton; > > # connections with invalidated labels: > > allow kernel_t unlabeled_t:packet send; > > > > +# Forwarded traffic > > +allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; > > + > > corenet_all_recvfrom_unlabeled(kernel_t) > > corenet_all_recvfrom_netlabel(kernel_t) > > # Kernel-generated traffic e.g., ICMP replies: -- paul moore linux security @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
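Review bot: the seven netif hunks in corenetwork.if.in only touch the hand-written generic interfaces, and, as Chris notes, the per-interface versions generated from corenetwork.if.m4 by network_interface() are absent from the diffstat, so a domain granted one of those would not receive the new egress/ingress permissions while a domain using the generic interface would. Carry the same `{ ..._send egress }` / `{ ..._recv ingress }` additions into the m4 templates so the two paths stay consistent. The dontaudit hunks (corenet_dontaudit_udp_send_generic_if, corenet_dontaudit_udp_receive_generic_if) correctly mirror their allow counterparts; no dontaudit variant of the raw send/receive interfaces appears in the diff, so check whether one exists and needs the same change.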
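Review bot: the five node hunks pair send-side interfaces with sendto, receive-side with recvfrom, and tcp_sendrecv with both, which matches the netif egress/ingress mapping, but unlike the netif section there is no dontaudit hunk for node; if corenet_dontaudit_udp_send_generic_node / corenet_dontaudit_udp_receive_generic_node exist in the file they need the same additions, and the network_node()-generated interfaces in corenetwork.if.m4 need them as well for the same reason as the netif case.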
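Review bot: adding `allow $1 unlabeled_t:peer recv;` to kernel_tcp_recvfrom_unlabeled, kernel_udp_recvfrom_unlabeled and kernel_raw_recvfrom_unlabeled (with matching dontaudit rules) grants the new peer-class check alongside the existing socket recvfrom check, but the interface header comments, which Chris says describe access to sockets whose types have been invalidated rather than unlabeled network traffic, are not touched in these hunks. Either revise the doc comments so callers know these interfaces now also admit traffic from unlabeled peers, or take up Paul's question and move the peer recv rule into a separately named interface so the two meanings are not conflated.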
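Review bot: the subject of the new kernel.te rule `allow unlabeled_t unlabeled_t:packet { forward_in forward_out };` is unlabeled_t, whereas the `allow kernel_t unlabeled_t:packet send;` rule just above uses kernel_t, and the one-line comment "# Forwarded traffic" does not explain the difference, so a later reader could reasonably "correct" it to kernel_t. Expand the comment to state which label the forward_in/forward_out check uses as its source, and spell out that the rule permits forwarding of unlabeled traffic in both directions unconditionally, since that is the baseline this patch establishes.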
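As an added example (not code from the thread or from the Reference Policy), a small Python check that applies the pairing this patch establishes (netif send/recv get egress/ingress, node send/recv get sendto/recvfrom) to refpolicy interface definitions and reports rules that still lack the companion permission; the sample policy text is constructed, and the regexes assume the interface layout visible in the hunks.

```python
import re

# Constructed sample in refpolicy interface syntax, modelled on the quoted
# hunks: the first interface already carries the new pairing, the second is
# an old-style rule that a reviewer would want flagged.
SAMPLE_IF = """
interface(`corenet_udp_send_generic_if',`
    gen_require(`
        type netif_t;
    ')

    allow $1 netif_t:netif { udp_send egress };
')

interface(`corenet_udp_receive_generic_node',`
    gen_require(`
        type node_t;
    ')

    allow $1 node_t:node udp_recv;
')
"""

# Per object class: legacy permission suffix -> companion permission the
# patch adds next to it (netif: egress/ingress, node: sendto/recvfrom).
PAIRING = {
    "netif": {"_send": "egress", "_recv": "ingress"},
    "node": {"_send": "sendto", "_recv": "recvfrom"},
}

# interface(`name',` ... ') with the closing ') at column 0.
IFACE_RE = re.compile(r"interface\(`([^']+)',`(.*?)\n'\)", re.S)
# allow/dontaudit $1 <type>:<netif|node> <perm | { perms }>;
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit)\s+\$1\s+\w+:(netif|node)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def perms(field):
    """Turn 'udp_send' or '{ udp_send egress }' into a set of permission names."""
    return set(field.strip("{} ").split())

def missing_peer_perms(policy_text):
    """Map interface name -> sorted companion permissions that its netif/node
    rules should carry but do not."""
    findings = {}
    for name, body in IFACE_RE.findall(policy_text):
        for _kind, cls, field in RULE_RE.findall(body):
            have = perms(field)
            for suffix, companion in PAIRING[cls].items():
                if any(p.endswith(suffix) for p in have) and companion not in have:
                    findings.setdefault(name, set()).add(companion)
    return {k: sorted(v) for k, v in findings.items()}
```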