This patch adds the corenet_recvfrom_unlabeled_peer() interface call to all of the system modules which need to receive data over the network.
Signed-off-by: Paul Moore <paul.moore@xxxxxx>
---
 policy/modules/system/hotplug.te | 1 +
 policy/modules/system/init.te | 1 +
 policy/modules/system/ipsec.te | 2 ++
 policy/modules/system/iscsi.te | 1 +
 policy/modules/system/logging.te | 1 +
 policy/modules/system/lvm.te | 1 +
 policy/modules/system/mount.te | 1 +
 policy/modules/system/sysnetwork.if | 3 +++
 policy/modules/system/sysnetwork.te | 1 +
 policy/modules/system/userdomain.if | 1 +
 policy/modules/system/xen.te | 1 +
 11 files changed, 14 insertions(+)
Index: refpolicy_svn_repo/policy/modules/system/hotplug.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/hotplug.te
+++ refpolicy_svn_repo/policy/modules/system/hotplug.te
@@ -52,6 +52,7 @@ kernel_read_net_sysctls(hotplug_t)
 files_read_kernel_modules(hotplug_t)
 
 corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_recvfrom_unlabeled_peer(hotplug_t)
 corenet_all_recvfrom_netlabel(hotplug_t)
 corenet_tcp_sendrecv_all_if(hotplug_t)
 corenet_udp_sendrecv_all_if(hotplug_t)
Index: refpolicy_svn_repo/policy/modules/system/init.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/init.te
+++ refpolicy_svn_repo/policy/modules/system/init.te
@@ -236,6 +236,7 @@ kernel_dontaudit_getattr_message_if(init
 files_read_kernel_symbol_table(initrc_t)
 
 corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_recvfrom_unlabeled_peer(initrc_t)
 corenet_all_recvfrom_netlabel(initrc_t)
 corenet_tcp_sendrecv_all_if(initrc_t)
 corenet_udp_sendrecv_all_if(initrc_t)
Index: refpolicy_svn_repo/policy/modules/system/ipsec.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/ipsec.te
+++ refpolicy_svn_repo/policy/modules/system/ipsec.te
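Review bot: Every hunk in this patch adds `corenet_recvfrom_unlabeled_peer()` on the line directly after an existing `corenet_all_recvfrom_unlabeled()` call, so a domain that ends up with only the first of the two would presumably start seeing peer-class denials on unlabeled traffic once that check is enforced. Unless corenetwork.if deliberately keeps the two separable, it would be safer to have `corenet_all_recvfrom_unlabeled()` grant the unlabeled peer access itself rather than relying on fourteen call sites staying in step; corenetwork.if is not in this patch, so that is a suggestion to confirm against its definition. If the two must stay separate, a one-line comment on the new line would tell the next maintainer why the pair travels together, e.g. `# peer object class: keep paired with corenet_all_recvfrom_unlabeled`.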
@@ -96,6 +96,7 @@ kernel_getattr_message_if(ipsec_t)
 
 # Pluto needs network access
 corenet_all_recvfrom_unlabeled(ipsec_t)
+corenet_recvfrom_unlabeled_peer(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
 corenet_raw_sendrecv_all_if(ipsec_t)
 corenet_tcp_sendrecv_all_nodes(ipsec_t)
@@ -301,6 +302,7 @@ kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
+corenet_recvfrom_unlabeled_peer(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
 corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
Index: refpolicy_svn_repo/policy/modules/system/iscsi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/iscsi.te
+++ refpolicy_svn_repo/policy/modules/system/iscsi.te
@@ -57,6 +57,7 @@ files_pid_filetrans(iscsid_t,iscsi_var_r
 kernel_read_system_state(iscsid_t)
 
 corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_recvfrom_unlabeled_peer(iscsid_t)
 corenet_all_recvfrom_netlabel(iscsid_t)
 corenet_tcp_sendrecv_all_if(iscsid_t)
 corenet_tcp_sendrecv_all_nodes(iscsid_t)
Index: refpolicy_svn_repo/policy/modules/system/logging.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/logging.te
+++ refpolicy_svn_repo/policy/modules/system/logging.te
@@ -311,6 +311,7 @@ init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_recvfrom_unlabeled_peer(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
Index: refpolicy_svn_repo/policy/modules/system/lvm.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/lvm.te
+++ refpolicy_svn_repo/policy/modules/system/lvm.te
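Review bot: The `# Pluto needs network access` comment above the new `corenet_recvfrom_unlabeled_peer(ipsec_t)` line does not say why the daemon that negotiates labeled IPsec associations is itself allowed to talk to unlabeled peers; since IKE exchanges presumably happen before any association, and therefore any peer label, exists, that is worth stating: `# Pluto needs network access; IKE runs before any SA exists, so its peers are unlabeled`. Both ipsec.te hunks also differ from the rest of the patch in that no `corenet_all_recvfrom_netlabel()` counterpart is visible next to the unlabeled rules for ipsec_t or racoon_t, so it is not clear from the hunks whether these daemons are expected to work on NetLabel-labeled networks; please confirm that is intended rather than a gap. The racoon_t hunk at -301 carries no comment at all and would benefit from the same one-liner.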
@@ -70,6 +70,7 @@ corecmd_exec_shell(clvmd_t)
 corecmd_getattr_bin_files(clvmd_t)
 
 corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_recvfrom_unlabeled_peer(clvmd_t)
 corenet_all_recvfrom_netlabel(clvmd_t)
 corenet_tcp_sendrecv_all_if(clvmd_t)
 corenet_udp_sendrecv_all_if(clvmd_t)
Index: refpolicy_svn_repo/policy/modules/system/mount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/mount.te
+++ refpolicy_svn_repo/policy/modules/system/mount.te
@@ -143,6 +143,7 @@ tunable_policy(`allow_mount_anyfile',`
 optional_policy(`
 	# for nfs
 	corenet_all_recvfrom_unlabeled(mount_t)
+	corenet_recvfrom_unlabeled_peer(mount_t)
 	corenet_all_recvfrom_netlabel(mount_t)
 	corenet_tcp_sendrecv_all_if(mount_t)
 	corenet_raw_sendrecv_all_if(mount_t)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.if
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.if
@@ -481,6 +481,7 @@ interface(`sysnet_dns_name_resolve',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
@@ -513,6 +514,7 @@ interface(`sysnet_use_ldap',`
 	allow $1 self:tcp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
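Review bot: `sysnet_dns_name_resolve` now grants every caller receipt from unlabeled peers on top of the unlabeled packet, interface and node access it already passed through, but the interface's `## <summary>`/`## <desc>` block sits above the hunk and is not touched by this patch; since the generated interface documentation is what module authors read before calling it, the description should say that callers are also permitted to receive from unlabeled peers, if it enumerates the network accesses granted at all. The same documentation point applies to `sysnet_use_ldap` in the second sysnetwork.if hunk and to `sysnet_use_portmap` in the hunk that follows. Each interface body starts before its hunk and ends after it.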
@@ -543,6 +545,7 @@ interface(`sysnet_use_portmap',`
 	allow $1 self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1)
+	corenet_recvfrom_unlabeled_peer($1)
 	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_all_if($1)
 	corenet_udp_sendrecv_all_if($1)
Index: refpolicy_svn_repo/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/sysnetwork.te
+++ refpolicy_svn_repo/policy/modules/system/sysnetwork.te
@@ -85,6 +85,7 @@ kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
 corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_recvfrom_unlabeled_peer(dhcpc_t)
 corenet_all_recvfrom_netlabel(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
Index: refpolicy_svn_repo/policy/modules/system/userdomain.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/userdomain.if
+++ refpolicy_svn_repo/policy/modules/system/userdomain.if
@@ -539,6 +539,7 @@ template(`userdom_basic_networking_templ
 	allow $1_t self:udp_socket create_socket_perms;
 
 	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_recvfrom_unlabeled_peer($1_t)
 	corenet_all_recvfrom_netlabel($1_t)
 	corenet_tcp_sendrecv_all_if($1_t)
 	corenet_udp_sendrecv_all_if($1_t)
Index: refpolicy_svn_repo/policy/modules/system/xen.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/system/xen.te
+++ refpolicy_svn_repo/policy/modules/system/xen.te
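Review bot: `userdom_basic_networking_template` is instantiated for every user domain that gets basic networking, so the new `corenet_recvfrom_unlabeled_peer($1_t)` line means that, on a labeled-network deployment, each of those user domains accepts traffic from hosts that supply no label at all. That is consistent with the `corenet_all_recvfrom_unlabeled($1_t)` it sits beside, but a widening that reaches every user domain deserves a comment in the template so it reads as a conscious choice rather than a by-product of the mass edit, e.g. `# user domains may receive from hosts that do not label their traffic`. If the unlabeled access is ever made conditional (for example behind a tunable), this line has to move with it. The template body starts before the hunk and ends after it.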
@@ -143,6 +143,7 @@ corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
 
 corenet_all_recvfrom_unlabeled(xend_t)
+corenet_recvfrom_unlabeled_peer(xend_t)
 corenet_all_recvfrom_netlabel(xend_t)
 corenet_tcp_sendrecv_all_if(xend_t)
 corenet_tcp_sendrecv_all_nodes(xend_t)
-- 
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.