selinux-refpolicy/policy/modules/kernel/corenetwork.te.m4

#
# shiftn(num,list...)
#
# shift the list num times
#
define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')

#
# range_start(num)
#
# return the low port in a range.
#
# range_start(600) returns "600"
# range_start(1200-1600) returns "1200"
#
define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')

#
# build_option(option_name,true,[false])
#
# makes an ifdef.  hacky quoting changes because with
# regular quoting, the macros in $2 and $3 will not be expanded
#
define(`build_option',`dnl
changequote([,])dnl
[ifdef(`$1',`]
changequote(`,')dnl
$2
changequote([,])dnl
[',`]
changequote(`,')dnl
$3
changequote([,])dnl
[')]
changequote(`,')dnl
')

define(`declare_netifs',`dnl
netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3)
ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
')

#
# network_interface(if_name,linux_interface,mls_sensitivity)
#
define(`network_interface',`
gen_require(``type unlabeled_t;'')  #selint-disable:S-001
type $1_netif_t, netif_type;
declare_netifs($1_netif_t,shift($*))
')

define(`network_interface_controlled',`
ifdef(`__network_enabled_declared__',`',`
## <desc>
## <p>
## Enable network traffic on all controlled interfaces.
## </p>
## </desc>
gen_bool(network_enabled, true)
define(`__network_enabled_declared__')
')
gen_require(``type unlabeled_t;'')  #selint-disable:S-001
type $1_netif_t, netif_type;
declare_netifs($1_netif_t,shift($*))
')

define(`declare_nodes',`dnl
nodecon $3 $4 gen_context(system_u:object_r:$1,$2)
ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
')

#
# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])
#
define(`network_node',`
type $1_node_t, node_type;
declare_nodes($1_node_t,shift($*))
')

define(`declare_portcons',`dnl
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl
')

define(`add_port_attribute',`dnl
ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
')

# bindresvport in glibc starts searching for reserved ports at 512
define(`add_rpc_attribute',`dnl
ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl
')

#
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
#
define(`network_port',`
type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
')

#
# network_packet(packet_name)
#
define(`network_packet',`
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
')

#
# network_packet_simple(packet_name)
#
define(`network_packet_simple',`
type $1_packet_t, packet_type;
')

define(`declare_ibpkeycons',`dnl
ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
')

#
# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
#
define(`ib_pkey',`
type $1_ibpkey_t, ibpkey_type;
ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
')

define(`declare_ibendportcons',`dnl
ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
')

#
# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])
#
define(`ib_endport',`
type $1_ibendport_t, ibendport_type;
ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
')
fix corenetwork generation and add distcc 2005-10-21 13:11:17 +00:00			`#`
			`# shiftn(num,list...)`
			`#`
			`# shift the list num times`
			`#`
			define(`shiftn',`ifelse($1,0,`shift($)',`shiftn(decr($1),shift(shift($)))')')

Fix network_port() in corenetwork to correctly handle port ranges. 2010-04-13 15:06:02 +00:00			`#`
			`# range_start(num)`
			`#`
			`# return the low port in a range.`
			`#`
			`# range_start(600) returns "600"`
			`# range_start(1200-1600) returns "1200"`
			`#`
			define(`range_start',`ifelse(-1,index(`$1', `-'),$1,substr($1,0,index(`$1', `-')))')

fix corenetwork so the ifdef enable_mls survives to regular processing. 2006-09-29 17:37:57 +00:00			`#`
			`# build_option(option_name,true,[false])`
			`#`
			`# makes an ifdef. hacky quoting changes because with`
			`# regular quoting, the macros in $2 and $3 will not be expanded`
			`#`
			define(`build_option',`dnl
			`changequote([,])dnl`
			[ifdef(`$1',`]
			changequote(`,')dnl
			`$2`
			`changequote([,])dnl`
			[',`]
			changequote(`,')dnl
			`$3`
			`changequote([,])dnl`
			`[')]`
			changequote(`,')dnl
			`')`

make network_interface able to support multiple interfaces having the same type 2005-07-22 14:00:38 +00:00			define(`declare_netifs',`dnl
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`netifcon $2 gen_context(system_u:object_r:$1,$3) gen_context(system_u:object_r:unlabeled_t,$3)`
make network_interface able to support multiple interfaces having the same type 2005-07-22 14:00:38 +00:00			ifelse(`$4',`',`',`declare_netifs($1,shiftn(3,$*))')dnl
			`')`

make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`#`
make network_interface able to support multiple interfaces having the same type 2005-07-22 14:00:38 +00:00			`# network_interface(if_name,linux_interface,mls_sensitivity)`
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`#`
			define(`network_interface',`
work on SELint issues - selinuxutil.te: ignore gen_require usage for bool secure_mode - corenetwork.te: ignore gen_require usage for type unlabeled_t - files.if: drop unneeded required types in interface - rpm.if: drop unneeded required type in interface - xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template - domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2020-08-11 13:48:27 +00:00			gen_require(``type unlabeled_t;'') #selint-disable:S-001
Remove old aliases. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-11 00:52:54 +00:00			`type $1_netif_t, netif_type;`
make network_interface able to support multiple interfaces having the same type 2005-07-22 14:00:38 +00:00			`declare_netifs($1_netif_t,shift($*))`
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`')`

trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project. 2009-01-15 20:31:06 +00:00			define(`network_interface_controlled',`
			ifdef(`__network_enabled_declared__',`',`
			`## <desc>`
			`## <p>`
			`## Enable network traffic on all controlled interfaces.`
			`## </p>`
			`## </desc>`
			`gen_bool(network_enabled, true)`
			define(`__network_enabled_declared__')
			`')`
work on SELint issues - selinuxutil.te: ignore gen_require usage for bool secure_mode - corenetwork.te: ignore gen_require usage for type unlabeled_t - files.if: drop unneeded required types in interface - rpm.if: drop unneeded required type in interface - xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template - domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2020-08-11 13:48:27 +00:00			gen_require(``type unlabeled_t;'') #selint-disable:S-001
Remove old aliases. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-11 00:52:54 +00:00			`type $1_netif_t, netif_type;`
trunk: Add support for network interfaces with access controlled by a Boolean from the CLIP project. 2009-01-15 20:31:06 +00:00			`declare_netifs($1_netif_t,shift($*))`
			`')`

add corenet patch from spencer 2006-01-16 18:48:57 +00:00			define(`declare_nodes',`dnl
			`nodecon $3 $4 gen_context(system_u:object_r:$1,$2)`
			ifelse(`$5',`',`',`declare_nodes($1,shiftn(4,$*))')dnl
			`')`

make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`#`
add corenet patch from spencer 2006-01-16 18:48:57 +00:00			`# network_node(node_name,mls_sensitivity,address,netmask[, mls_sensitivity,address,netmask, [...]])`
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`#`
			define(`network_node',`
Remove old aliases. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2019-09-11 00:52:54 +00:00			`type $1_node_t, node_type;`
add corenet patch from spencer 2006-01-16 18:48:57 +00:00			`declare_nodes($1_node_t,shift($*))`
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`')`

Fix corenetwork port declaration to choose either reserved or unreserved. This changes the port declarations for cases where a type is used for ports above and below 1024. The old code would give both the reserved and unreserved port attribute. This new code only gives the reserved port attribute. 2011-10-04 19:31:08 +00:00			define(`declare_portcons',`dnl
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`portcon $2 $3 gen_context(system_u:object_r:$1,$4)`
Fix corenetwork port declaration to choose either reserved or unreserved. This changes the port declarations for cases where a type is used for ports above and below 1024. The old code would give both the reserved and unreserved port attribute. This new code only gives the reserved port attribute. 2011-10-04 19:31:08 +00:00			ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl
			`')`

			define(`add_port_attribute',`dnl
			ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
			`')`

			`# bindresvport in glibc starts searching for reserved ports at 512`
			define(`add_rpc_attribute',`dnl
			ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
			',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`')`

			`#`
			`# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])`
			`#`
			define(`network_port',`
Corenetwork policy size optimization from Dan Walsh. 2011-08-26 13:03:25 +00:00			`type $1_port_t, port_type, defined_port_type;`
add client and server packet attributes 2006-05-26 13:49:13 +00:00			`type $1_client_packet_t, packet_type, client_packet_type;`
			`type $1_server_packet_t, packet_type, server_packet_type;`
Fix corenetwork port declaration to choose either reserved or unreserved. This changes the port declarations for cases where a type is used for ports above and below 1024. The old code would give both the reserved and unreserved port attribute. This new code only gives the reserved port attribute. 2011-10-04 19:31:08 +00:00			ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
			ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
			ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
make corenetwork generation explicit, rather then on-the-fly 2005-06-08 21:46:39 +00:00			`')`
initial support for packets 2006-05-23 18:31:02 +00:00
			`#`
			`# network_packet(packet_name)`
			`#`
			define(`network_packet',`
add client and server packet attributes 2006-05-26 13:49:13 +00:00			`type $1_client_packet_t, packet_type, client_packet_type;`
			`type $1_server_packet_t, packet_type, server_packet_type;`
initial support for packets 2006-05-23 18:31:02 +00:00			`')`
refpolicy: Infiniband pkeys and endports Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams. Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA. This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> 2017-05-24 14:14:59 +00:00
Allow systemd-networkd to handle ICMP and DHCP packets Allow systemd-networkd to send and receive ICMPv6 Router Solicitation and Router Advertisement packets (in reality all ICMP/ICMPv6 packets) and DHCP client packets. Signed-off-by: Topi Miettinen <toiwoton@gmail.com> 2020-04-19 12:22:26 +00:00			`#`
			`# network_packet_simple(packet_name)`
			`#`
			define(`network_packet_simple',`
			`type $1_packet_t, packet_type;`
			`')`

refpolicy: Infiniband pkeys and endports Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams. Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA. This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism. Signed-off-by: Daniel Jurgens <danielj@mellanox.com> 2017-05-24 14:14:59 +00:00			define(`declare_ibpkeycons',`dnl
			`ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)`
			ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
			`')`

			`#`
			`# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])`
			`#`
			define(`ib_pkey',`
			`type $1_ibpkey_t, ibpkey_type;`
			ifelse(`$2',`',`',`declare_ibpkeycons($1_ibpkey_t,shift($*))')dnl
			`')`

			define(`declare_ibendportcons',`dnl
			`ibendportcon $2 $3 gen_context(system_u:object_r:$1,$4)`
			ifelse(`$5',`',`',`declare_ibendportcons($1,shiftn(4,$*))')dnl
			`')`

			`#`
			`# ib_endport (name, dev_name, port_num, mls_sensitivity [, dev_name, port_num mls_sensitivity[,...]])`
			`#`
			define(`ib_endport',`
			`type $1_ibendport_t, ibendport_type;`
			ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl
			`')`