trunk: rearrange the bottom of domain.if and fix domain_ipsec_labels().
This commit is contained in:
Chris PeBenito
parent
847937da7d
commit
a56055e362
|
|
@ -1229,6 +1229,54 @@ interface(`domain_entry_file_spec_domtrans',`
|
|||
domain_transition_pattern($1,entry_type,$2)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Ability to mmap a low area of the address space,
|
||||
## as configured by /proc/sys/kernel/mmap_min_addr.
|
||||
## Preventing such mappings helps protect against
|
||||
## exploiting null deref bugs in the kernel.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to mmap low memory.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_mmap_low',`
|
||||
gen_require(`
|
||||
attribute mmap_low_domain_type;
|
||||
')
|
||||
|
||||
allow $1 self:memprotect mmap_zero;
|
||||
|
||||
typeattribute $1 mmap_low_domain_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified type to receive labeled
|
||||
## networking packets from all domains, over
|
||||
## all protocols (TCP, UDP, etc)
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_all_recvfrom_all_domains',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
# IPSEC-based labeled networking
|
||||
allow $1 domain:association recvfrom;
|
||||
|
||||
# Netlabel (CIPSO)-based labeled networking
|
||||
# currently only supports MLS portion of label
|
||||
corenet_all_recvfrom_netlabel($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to domains.
|
||||
|
|
@ -1255,43 +1303,3 @@ interface(`domain_unconfined',`
|
|||
typeattribute $1 process_uncond_exempt;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Ability to mmap a low area of the address space,
|
||||
## as configured by /proc/sys/kernel/mmap_min_addr.
|
||||
## Preventing such mappings helps protect against
|
||||
## exploiting null deref bugs in the kernel.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to mmap low memory.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_mmap_low',`
|
||||
gen_require(`
|
||||
attribute mmap_low_domain_type;
|
||||
')
|
||||
|
||||
allow $1 self:memprotect mmap_zero;
|
||||
|
||||
typeattribute $1 mmap_low_domain_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow specified type to associate ipsec packets from any domain
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type of subject to be allowed this.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_ipsec_labels',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
allow $1 domain:association { sendto recvfrom };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(domain,1.4.2)
|
||||
policy_module(domain,1.4.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
Loading…
Reference in New Issue