Red Hat Bugzilla – Attachment 258341 Details for
Bug 382721
Add labeled networking controls at the interface level
SELinux Policy Patch for Kernel Patch
tcs-se-net.patch (text/plain), 12.09 KB, created by
Chad Hanson
on 2007-11-14 16:30:14 UTC
Description:
SELinux Policy Patch for Kernel Patch
Filename:
MIME Type:
Creator:
Chad Hanson
Created:
2007-11-14 16:30:14 UTC
Size:
12.09 KB
patch
obsolete
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/flask/access_vectors serefpolicy-2.4.6/policy/flask/access_vectors
--- serefpolicy-2.4.6.orig/policy/flask/access_vectors 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/flask/access_vectors 2007-07-02 15:07:31.000000000 -0500
@@ -195,6 +195,8 @@ class netif
 udp_send
 rawip_recv
 rawip_send
+ flow_in
+ flow_out
 }
 
 class netlink_socket
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/mls serefpolicy-2.4.6/policy/mls
--- serefpolicy-2.4.6.orig/policy/mls 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/mls 2007-07-02 15:10:08.000000000 -0500
@@ -198,7 +198,8 @@ mlsconstrain { socket tcp_socket udp_soc
 ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket } recvfrom
+# Also used by TCS SE_NET in regard to the new packet label.
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 (( l1 eq l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
@@ -292,6 +293,10 @@ mlsconstrain { netif node } { tcp_send u
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
 
+mlsconstrain netif { flow_in flow_out }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetflow ));
+
 # these access vectors have no MLS restrictions
 # node enforce_dest
 
@@ -591,7 +596,7 @@ mlsconstrain xinput { setattr relabelinp
 #
 
 mlsconstrain association { recvfrom }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ((l1 eq l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ) or
 ( t2 == unlabeled_t ));
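Review bot: The last hunk of policy/mls narrows `mlsconstrain association { recvfrom }` from the ranged test `((( l1 dom l2 ) and ( l1 domby h2 )) or` to `((l1 eq l2 ) or`, which changes what existing ranged receivers may do and is not explained by the rest of the patch, which only adds the flow_in/flow_out vectors. If the tightening is intended, a comment above the constraint such as `# receiver must be at the packet's level; ranged receivers need mlsnetreadtoclr or mlsnetread` would record the rationale; otherwise it should be split out into its own change. Note also that the new `mlsconstrain netif { flow_in flow_out }` has a single `mlsnetflow` override for both directions, whereas the neighbouring tcp/udp constraints keep separate read and write attributes, so one attribute grants trust in both directions; that asymmetry is worth a comment next to the constraint.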
@@ -606,6 +611,19 @@ mlsconstrain association { polmatch }
 
 
 
+
+#
+# MLS policy for the packet class (TCS)
+#
+
+mlsconstrain packet { flow_in flow_out }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mlsnetflow ));
+
+# these access vectors have no MLS restrictions
+# packet { recv send relabelto }
+
+
 #
 # MLS policy for the context class
 #
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- serefpolicy-2.4.6.orig/policy/modules/kernel/corenetwork.if.in 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2007-07-02 15:07:31.000000000 -0500
@@ -20,6 +20,7 @@ interface(`corenet_tcp_sendrecv_generic_
 ')
 
 allow $1 netif_t:netif { tcp_send tcp_recv };
+ allow $1 netif_t:netif { flow_in flow_out };
 ')
 
 ########################################
@@ -38,6 +39,7 @@ interface(`corenet_udp_send_generic_if',
 ')
 
 allow $1 netif_t:netif udp_send;
+ allow $1 netif_t:netif flow_out;
 ')
 
 ########################################
@@ -75,6 +77,7 @@ interface(`corenet_udp_receive_generic_i
 ')
 
 allow $1 netif_t:netif udp_recv;
+ allow $1 netif_t:netif flow_in;
 ')
 
 ########################################
@@ -143,6 +146,7 @@ interface(`corenet_raw_send_generic_if',
 ')
 
 allow $1 netif_t:netif rawip_send;
+ allow $1 netif_t:netif flow_out;
 ')
 
 ########################################
@@ -161,6 +165,7 @@ interface(`corenet_raw_receive_generic_i
 ')
 
 allow $1 netif_t:netif rawip_recv;
+ allow $1 netif_t:netif flow_in;
 ')
 
 ########################################
@@ -194,6 +199,7 @@ interface(`corenet_tcp_sendrecv_all_if',
 ')
 
 allow $1 netif_type:netif { tcp_send tcp_recv };
+ allow $1 netif_type:netif { flow_in flow_out };
 ')
 
 ########################################
@@ -212,6 +218,7 @@ interface(`corenet_udp_send_all_if',`
 ')
 
 allow $1 netif_type:netif udp_send;
+ allow $1 netif_type:netif flow_out;
 ')
 
 ########################################
@@ -230,6 +237,7 @@ interface(`corenet_udp_receive_all_if',`
 ')
 
 allow $1 netif_type:netif udp_recv;
+ allow $1 netif_type:netif flow_in;
 ')
 
 ########################################
@@ -263,6 +271,7 @@ interface(`corenet_raw_send_all_if',`
 ')
 
 allow $1 netif_type:netif rawip_send;
+ allow $1 netif_type:netif flow_out;
 ')
 
 ########################################
@@ -281,6 +290,7 @@ interface(`corenet_raw_receive_all_if',`
 ')
 
 allow $1 netif_type:netif rawip_recv;
+ allow $1 netif_type:netif flow_in;
 ')
 
 ########################################
@@ -1556,6 +1566,7 @@ interface(`corenet_send_generic_client_p
 ')
 
 allow $1 client_packet_t:packet send;
+ allow $1 client_packet_t:packet flow_out;
 ')
 
 ########################################
@@ -1574,6 +1585,7 @@ interface(`corenet_receive_generic_clien
 ')
 
 allow $1 client_packet_t:packet recv;
+ allow $1 client_packet_t:packet flow_in;
 ')
 
 ########################################
@@ -1625,6 +1637,7 @@ interface(`corenet_send_generic_server_p
 ')
 
 allow $1 server_packet_t:packet send;
+ allow $1 server_packet_t:packet flow_out;
 ')
 
 ########################################
@@ -1643,6 +1656,7 @@ interface(`corenet_receive_generic_serve
 ')
 
 allow $1 server_packet_t:packet recv;
+ allow $1 server_packet_t:packet flow_in;
 ')
 
 ########################################
@@ -1715,6 +1729,7 @@ interface(`corenet_send_all_client_packe
 ')
 
 allow $1 client_packet_type:packet send;
+ allow $1 client_packet_type:packet flow_out;
 ')
 
 ########################################
@@ -1733,6 +1748,7 @@ interface(`corenet_receive_all_client_pa
 ')
 
 allow $1 client_packet_type:packet recv;
+ allow $1 client_packet_type:packet flow_in;
 ')
 
 ########################################
@@ -1784,6 +1800,7 @@ interface(`corenet_send_all_server_packe
 ')
 
 allow $1 server_packet_type:packet send;
+ allow $1 server_packet_type:packet flow_out;
 ')
 
 ########################################
@@ -1802,6 +1819,7 @@ interface(`corenet_receive_all_server_pa
 ')
 
 allow $1 server_packet_type:packet recv;
+ allow $1 server_packet_type:packet flow_in;
 ')
 
 ########################################
@@ -1853,6 +1871,7 @@ interface(`corenet_send_all_packets',`
 ')
 
 allow $1 packet_type:packet send;
+ allow $1 packet_type:packet flow_out;
 ')
 
 ########################################
@@ -1871,6 +1890,7 @@ interface(`corenet_receive_all_packets',
 ')
 
 allow $1 packet_type:packet recv;
+ allow $1 packet_type:packet flow_in;
 ')
 
 ########################################
@@ -1908,6 +1928,24 @@ interface(`corenet_relabelto_all_packets
 
 ########################################
 ## <summary>
+## Relabel packets to the unlabeled type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_unlabeled_packets',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:packet relabelto;
+')
+
+########################################
+## <summary>
 ## Unconfined access to network objects.
 ## </summary>
 ## <param name="domain">
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te serefpolicy-2.4.6/policy/modules/kernel/domain.te
--- serefpolicy-2.4.6.orig/policy/modules/kernel/domain.te 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/domain.te 2007-07-02 15:07:31.000000000 -0500
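Review bot: The summary of the new corenet_relabelto_unlabeled_packets interface does not say why it exists separately from corenet_relabelto_all_packets, which sits immediately above it; the reason appears to be that unlabeled_t is not a packet_type and so is not reached by the all_packets interface, but that is an inference and should be stated. A summary such as `## Relabel packets to the unlabeled type. unlabeled_t is not a packet_type, so corenet_relabelto_all_packets does not cover it.` would make the distinction clear to the iptables.te caller added later in this patch. Since the policy/mls hunk documents packet relabelto as having no MLS restrictions, the only control over relabelling into unlabeled_t is this TE grant, which is worth a sentence in the description as well.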
@@ -165,4 +165,5 @@ ifdef(`enable_mls',`
 tunable_policy(`allow_ipsec_label',`
 ipsec_labeled(domain)
 ')
+ kernel_recvfrom_labeled_packets(domain)
 ')
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/kernel.if serefpolicy-2.4.6/policy/modules/kernel/kernel.if
--- serefpolicy-2.4.6.orig/policy/modules/kernel/kernel.if 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.if 2007-07-02 15:07:31.000000000 -0500
@@ -2428,9 +2428,40 @@ interface(`kernel_dontaudit_raw_recvfrom
 interface(`kernel_sendrecv_unlabeled_packets',`
 gen_require(`
 type unlabeled_t;
+ attribute netif_type;
 ')
 
 allow $1 unlabeled_t:packet { send recv };
+ allow $1 unlabeled_t:packet { flow_in flow_out };
+ allow unlabeled_t netif_type:netif { flow_in flow_out };
+')
+
+########################################
+## <summary>
+## Receive all labeled packets.
+## </summary>
+## <desc>
+## <p>
+## Receive all labeled packets.
+## These packets maybe local (loopback) or
+## IPSEC. This is needed to allow receipt
+## of labeled packets to the process.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_recvfrom_labeled_packets',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:tcp_socket recvfrom;
+ allow $1 domain:udp_socket recvfrom;
+ allow $1 domain:rawip_socket recvfrom;
 ')
 
 ########################################
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/kernel.te serefpolicy-2.4.6/policy/modules/kernel/kernel.te
--- serefpolicy-2.4.6.orig/policy/modules/kernel/kernel.te 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te 2007-07-02 15:07:31.000000000 -0500
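Review bot: In the kernel.if hunk, `allow unlabeled_t netif_type:netif { flow_in flow_out };` inside kernel_sendrecv_unlabeled_packets is not parameterised on $1, so the grant to unlabeled_t takes effect as soon as any module calls the interface and is invisible to a reader of that caller; it belongs once in kernel.te next to the existing corenet_non_ipsec_sendrecv(unlabeled_t), with a comment saying why unlabeled_t itself needs netif flow access. The new kernel_recvfrom_labeled_packets grants `allow $1 domain:tcp_socket recvfrom;` (and udp/rawip) against the whole domain attribute, and the domain.te hunk calls it with domain as $1, so peer recvfrom becomes unrestricted at the TE layer and only the `mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom` rule still limits it; the desc should say this explicitly, since the call sits inside ifdef(enable_mls) and the interface is unsafe to call from a non-MLS policy. A typo in the same desc: `## These packets maybe local (loopback) or` should read `## These packets may be local (loopback) or`.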
@@ -151,11 +151,13 @@ sid unlabeled gen_context(system_u:objec
 
 corenet_non_ipsec_sendrecv(unlabeled_t)
 
+type igmp_t;
+sid igmp_packet gen_context(system_u:object_r:igmp_t,mls_systemhigh)
+
 # These initial sids are no longer used, and can be removed:
 sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
 sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init gen_context(system_u:object_r:unlabeled_t,s0)
 sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -210,6 +212,8 @@ allow kernel_t unlabeled_t:dir mounton;
 # Kernel-generated traffic e.g., TCP resets on
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
+# TCS
+allow kernel_t unlabeled_t:packet flow_out;
 
 corenet_non_ipsec_sendrecv(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
@@ -259,6 +263,7 @@ ifdef(`targeted_policy',`
 
 tunable_policy(`allow_unlabeled_packets',`
 allow use_unlabeled_packets unlabeled_t:packet { send recv };
+ allow use_unlabeled_packets unlabeled_t:packet { flow_in flow_out };
 ')
 
 tunable_policy(`read_default_t',`
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/mls.if serefpolicy-2.4.6/policy/modules/kernel/mls.if
--- serefpolicy-2.4.6.orig/policy/modules/kernel/mls.if 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2007-07-02 15:07:31.000000000 -0500
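Review bot: The first kernel.te hunk introduces `type igmp_t;` and moves the igmp_packet initial SID onto it, but no rule in the patch grants any domain, including kernel_t, access to igmp_t, whereas the old label unlabeled_t is covered by the existing kernel_t packet rules and by corenet_non_ipsec_sendrecv. If the companion kernel patch now assigns this SID to real traffic, every check against it will be denied; if the SID is still unused the new type needs a comment saying so, for example `# igmp_packet SID is reserved by the TCS SE_NET kernel patch; no access rules yet`. The `# TCS` comment above `allow kernel_t unlabeled_t:packet flow_out;` in the second hunk says nothing about intent and should follow the style of the surrounding comments, e.g. `# Kernel-generated unlabeled traffic must also pass the new flow_out check`.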
@@ -236,6 +236,26 @@ interface(`mls_net_receive_all_levels',`
 ########################################
 ## <summary>
 ## Make specified domain MLS trusted
+## for receiving or sending network data
+## at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_net_flow_all_levels',`
+ gen_require(`
+ attribute mlsnetflow;
+ ')
+
+ typeattribute $1 mlsnetflow;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
 ## for reading from System V IPC objects
 ## at any level.
 ## </summary>
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/kernel/mls.te serefpolicy-2.4.6/policy/modules/kernel/mls.te
--- serefpolicy-2.4.6.orig/policy/modules/kernel/mls.te 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/mls.te 2007-07-02 15:07:31.000000000 -0500
@@ -23,6 +23,7 @@ attribute mlsnetwriteranged;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;
+attribute mlsnetflow;
 
 attribute mlsipcread;
 attribute mlsipcreadtoclr;
diff -Nurp --exclude='*.orig' serefpolicy-2.4.6.orig/policy/modules/system/iptables.te serefpolicy-2.4.6/policy/modules/system/iptables.te
--- serefpolicy-2.4.6.orig/policy/modules/system/iptables.te 2007-07-02 15:06:38.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/system/iptables.te 2007-07-02 15:07:31.000000000 -0500
@@ -44,6 +44,7 @@ kernel_read_modprobe_sysctls(iptables_t)
 kernel_use_fds(iptables_t)
 
 corenet_relabelto_all_packets(iptables_t)
+corenet_relabelto_unlabeled_packets(iptables_t)
 
 dev_read_sysfs(iptables_t)
 
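Review bot: The summary of the new mls_net_flow_all_levels interface, `## for receiving or sending network data` / `## at any level.`, overstates what the attribute does: per the policy/mls hunks, mlsnetflow only overrides the flow_in/flow_out constraints on netif and packet, and a domain carrying it is still subject to the existing mlsnetread/mlsnetwrite constraints on tcp_send, udp_send and recvfrom. Rewording to `## for flow_in and flow_out on network interfaces and packets at any level` would stop callers from assuming it replaces mls_net_receive_all_levels or mls_net_write_all_levels. The iptables.te hunk adds corenet_relabelto_unlabeled_packets(iptables_t) without a comment; a short one such as `# unlabeled_t is not a packet_type and needs its own relabelto grant` would explain why the line above it is not sufficient.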