From f2e4ab3a9931cf67e9e01319feeb181f6f9c0250 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 8 Jun 2005 21:46:39 +0000
Subject: [PATCH] make corenetwork generation explicit, rather then on-the-fly

---
 refpolicy/Makefile | 16 +-
 .../{corenetwork.if => corenetwork.if.in} | 569 ------------------
 .../policy/modules/kernel/corenetwork.if.m4 | 541 +++++++++++++++++
 .../{corenetwork.te => corenetwork.te.in} | 0
 .../policy/modules/kernel/corenetwork.te.m4 | 43 ++
 5 files changed, 597 insertions(+), 572 deletions(-)
 rename refpolicy/policy/modules/kernel/{corenetwork.if => corenetwork.if.in} (55%)
 create mode 100644 refpolicy/policy/modules/kernel/corenetwork.if.m4
 rename refpolicy/policy/modules/kernel/{corenetwork.te => corenetwork.te.in} (100%)
 create mode 100644 refpolicy/policy/modules/kernel/corenetwork.te.m4

diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 645175373..b4cb6817a 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -129,6 +129,8 @@ DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$
 DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
 ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))
 DETECTED_MODS := $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te))
+GENERATED_MOD := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te.in)))
+DETECTED_MODS += $(GENERATED_MOD)
 ALL_MODULES := $(filter-out $(DISABLEMOD),$(DETECTED_MODS))
 PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
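Review bot: `DETECTED_MODS += $(GENERATED_MOD)` will list the generated module twice on every build after the first, because the `$(wildcard ./$(dir)/*.te)` on the line above already picks up the `corenetwork.te` that the new rule wrote on the previous run, and then the same path is appended again from `*.te.in`. Every consumer of `ALL_MODULES` then sees the duplicate — visibly the `for i in $(notdir $(ALL_MODULES))` loop in the next hunk, and presumably any list of `.te` files concatenated into the policy, where a doubled corenetwork would mean doubled type and port declarations. De-duplicate at the point of merge, `DETECTED_MODS := $(sort $(DETECTED_MODS) $(GENERATED_MOD))`, or filter the generated names out of the wildcard result before appending. `GENERATED_MOD` also reads as a single name while it holds a list; `GENERATED_MODS` would match `DETECTED_MODS`.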
@@ -226,9 +228,6 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
 $(QUIET) for i in $(notdir $(ALL_MODULES)); do \
 echo "define(\`$$i')" >> $@ ;\
 done
- $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
- | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
- | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 $(QUIET) $(SETTUN) $(TUNABLES) >> $@
 
 tmp/all_interfaces.conf: $(ALL_INTERFACES)
@@ -257,6 +256,17 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
 -e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
 < tmp/all_te_files.conf > tmp/only_te_rules.conf
 
+$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
+ $(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in > $@
+ $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
+ | m4 $(M4PARAM) -D monolithic_policy $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
+ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+ $(QUIET) echo "## " >> $@
+
+$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
+ $(QUIET) m4 $(M4PARAM) -D monolithic_policy $(M4SUPPORT) $^ \
+ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
 ########################################
 #
 # Remove the dontaudit rules from the policy.conf
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if.in
similarity index 55%
rename from refpolicy/policy/modules/kernel/corenetwork.if
rename to refpolicy/policy/modules/kernel/corenetwork.if.in
index 885d0a360..7b00bd38b 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
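Review bot: The new `$(MODDIR)/kernel/corenetwork.te` rule appends with `>> $@` but never truncates the target, so every regeneration after the first (any edit to `corenetwork.te.m4` or `corenetwork.te.in`) appends a second full copy of the `type`, `netifcon`, `nodecon` and `portcon` declarations to the existing file; the `.if` rule is only safe because its first line is `cat … > $@`. Change the last line of that recipe to `| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' > $@` (or write to `$@.tmp` and `mv -f` it into place). The `corenetwork.if` rule reads `$(@:.if=.te).in` in its recipe but lists only `corenetwork.if.m4` and `corenetwork.if.in` as prerequisites, so a port or node added to `corenetwork.te.in` leaves a stale `corenetwork.if` whose generated interfaces no longer match the declared objects; add `$(MODDIR)/kernel/corenetwork.te.in` to that rule's prerequisite list. Both recipes are three-stage pipelines under the default shell, so an m4 failure is masked by sed's exit status and a partial `$@` is left newer than its inputs — a `.DELETE_ON_ERROR:` declaration would at least discard the partial file; whether the Makefile already sets it is outside this hunk.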
@@ -1,7 +1,6 @@ ## ## Policy controlling access to network objects -ifdef(`interface_pass',`',` ######################################## ## ## 
@@ -868,571 +867,3 @@ define(`corenet_dontaudit_udp_bind_all_reserved_ports_depend',` class udp_socket name_bind; ') - -') dnl end if not interface_pass -######################################## -# -# This section is processed through m4 to create real interfaces -# -######################################## - -######################################## -# -# Network Interface generated macros -# -######################################## - -define(`create_netif_interfaces',`` -######################################## -## -## -## Send and receive TCP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_tcp_sendrecv_$1',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_netif_t:netif { tcp_send tcp_recv }; -') - -define(`corenet_tcp_sendrecv_$1_depend',` - type $1_netif_t; - - class netif { tcp_send tcp_recv }; -') - -######################################## -## -## -## Send UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_send_$1',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_netif_t:netif udp_send; -') - -define(`corenet_udp_send_$1_depend',` - type $1_netif_t; - - class netif udp_send; -') - -######################################## -## -## -## Receive UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_receive_$1',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_netif_t:netif udp_recv; -') - -define(`corenet_udp_receive_$1_depend',` - type $1_netif_t; - - class netif udp_recv; -') - -######################################## -## -## -## Send and receive UDP network traffic on the $1 interface. -## -## -## The type of the process performing this action. 
-## -## -## -# -define(`corenet_udp_sendrecv_$1',` - corenet_udp_send_$1(dollarsone) - corenet_udp_receive_$1(dollarsone) -') - -######################################## -## -## -## Send raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_raw_send_$1',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_netif_t:netif rawip_send; - allow dollarsone self:capability net_raw; -') - -define(`corenet_raw_send_$1_depend',` - type $1_netif_t; - - class netif rawip_send; - class capability net_raw; -') - -######################################## -## -## -## Receive raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_raw_receive_$1',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_netif_t:netif rawip_recv; -') - -define(`corenet_raw_receive_$1_depend',` - type $1_netif_t; - - class netif rawip_recv; -') - -######################################## -## -## -## Send and receive raw IP packets on the $1 interface. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_raw_sendrecv_$1',` - corenet_raw_send_$1(dollarsone) - corenet_raw_receive_$1(dollarsone) -') -'') dnl end create_netif_interfaces - -######################################## -# -# Network node generated macros -# -######################################## - -define(`create_node_interfaces',`` -######################################## -## -## -## Send and receive TCP traffic on the $1 node. -## -## -## The type of the process performing this action. 
-## -## -## -# -define(`corenet_tcp_sendrecv_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:node { tcp_send tcp_recv }; -') - -define(`corenet_tcp_sendrecv_$1_node_depend',` - type $1_node_t; - - class node { tcp_send tcp_recv }; -') - -######################################## -## -## -## Send UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_send_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:node udp_send; -') - -define(`corenet_udp_send_$1_node_depend',` - type $1_node_t; - - class node udp_send; -') - -######################################## -## -## -## Receive UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_receive_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:node udp_recv; -') - -define(`corenet_udp_receive_$1_node_depend',` - type $1_node_t; - - class node udp_recv; -') - -######################################## -## -## -## Send and receive UDP traffic on the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_sendrecv_$1_node',` - corenet_udp_send_$1_node(dollarsone) - corenet_udp_receive_$1_node(dollarsone) -') - -######################################## -## -## -## Send raw IP packets on the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_raw_send_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:node rawip_send; - allow dollarsone self:capability net_raw; -') - -define(`corenet_raw_send_$1_node_depend',` - type $1_node_t; - - class node rawip_send; - class capability net_raw; -') - -######################################## -## -## -## Receive raw IP packets on the $1 node. -## -## -## The type of the process performing this action. 
-## -## -## -# -define(`corenet_raw_receive_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:node rawip_recv; -') - -define(`corenet_raw_receive_$1_node_depend',` - type $1_node_t; - - class node rawip_recv; -') - -######################################## -## -## -## Send and receive raw IP packets on the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_raw_sendrecv_$1_node',` - corenet_raw_send_$1_node(dollarsone) - corenet_raw_receive_$1_node(dollarsone) -') - -######################################## -## -## -## Bind TCP sockets to node $1. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_tcp_bind_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:tcp_socket node_bind; -') - -define(`corenet_tcp_bind_$1_node_depend',` - type $1_node_t; - - class tcp_socket node_bind; -') - -######################################## -## -## -## Bind UDP sockets to the $1 node. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_bind_$1_node',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_node_t:udp_socket node_bind; -') - -define(`corenet_udp_bind_$1_node_depend',` - type $1_node_t; - - class udp_socket node_bind; -') -'') dnl end create_node_interfaces - -######################################## -# -# Network port generated macros -# -######################################## - -define(`create_port_interfaces',`` -######################################## -## -## -## Send and receive TCP traffic on the $1 port. -## -## -## The type of the process performing this action. 
-## -## -## -# -define(`corenet_tcp_sendrecv_$1_port',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg }; -') - -define(`corenet_tcp_sendrecv_$1_port_depend',` - type $1_port_t; - - class tcp_socket { send_msg recv_msg }; -') - -######################################## -## -## -## Send UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_send_$1_port',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_port_t:udp_socket send_msg; -') - -define(`corenet_udp_send_$1_port_depend',` - type $1_port_t; - - class udp_socket send_msg; -') - -######################################## -## -## -## Receive UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_receive_$1_port',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_port_t:udp_socket recv_msg; -') - -define(`corenet_udp_receive_$1_port_depend',` - type $1_port_t; - - class udp_socket recv_msg; -') - -######################################## -## -## -## Send and receive UDP traffic on the $1 port. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_udp_sendrecv_$1_port',` - corenet_udp_send_$1_port(dollarsone) - corenet_udp_receive_$1_port(dollarsone) -') - -######################################## -## -## -## Bind TCP sockets to the $1 port. -## -## -## The type of the process performing this action. -## -## -## -# -define(`corenet_tcp_bind_$1_port',` - requires_block_template(`dollarszero'_depend) - allow dollarsone $1_port_t:tcp_socket name_bind; - $2 -') - -define(`corenet_tcp_bind_$1_port_depend',` - type $1_port_t; - - class tcp_socket name_bind; - $3 -') - -######################################## -## -## -## Bind UDP sockets to the $1 port. -## -## -## The type of the process performing this action. 
-## -## -## -# -define(`corenet_udp_bind_$1_port',` - requires_block_template(`dollarszero'_depend) - - allow dollarsone $1_port_t:udp_socket name_bind; - $2 -') - -define(`corenet_udp_bind_$1_port_depend',` - type $1_port_t; - - class udp_socket name_bind; - $3 -') -'') dnl end create_port_interfaces - -# -# network_interface(linux_interfacename,mls_sensitivity) -# -define(`network_interface',` -ifdef(`interface_pass',` -create_netif_interfaces($1) -',` -type $1_netif_t alias netif_$1_t, netif_type; -requires_block_template(`type unlabeled_t') -netifcon $1 context_template(system_u:object_r:$1_netif_t,$2) context_template(system_u:object_r:unlabeled_t,$2) -') -') - -# -# network_node(node_name,mls_sensitivity,address,netmask) -# -define(`network_node',` -ifdef(`interface_pass',` -create_node_interfaces($1) -',` -type $1_node_t alias node_$1_t, node_type; -nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2) -') -') - -define(`determine_reserved_capability',`dnl -ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl -ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse -')dnl end outer ifelse -') dnl end determine reserved capability - -define(`determine_reserved_capability_depend',`dnl -ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl -ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse -')dnl end outer ifelse -') dnl end determine reserved capability depend - -define(`declare_ports',`dnl -ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl') -portcon $2 $3 context_template(system_u:object_r:$1,$4) -ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl -') - -# -# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) -# -define(`network_port',` -ifdef(`interface_pass',` 
-create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*)))
-',`
-type $1_port_t, port_type;
-declare_ports($1_port_t,shift($*))
-')
-')
-
-ifdef(`interface_pass',`',`
-##
-')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
new file mode 100644
index 000000000..192e6a9a5
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@@ -0,0 +1,541 @@ +######################################## +# +# Network Interface generated macros +# +######################################## + +define(`create_netif_interfaces',`` +######################################## +## +## +## Send and receive TCP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_tcp_sendrecv_$1',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_netif_t:netif { tcp_send tcp_recv }; +') + +define(`corenet_tcp_sendrecv_$1_depend',` + type $1_netif_t; + + class netif { tcp_send tcp_recv }; +') + +######################################## +## +## +## Send UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_send_$1',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_netif_t:netif udp_send; +') + +define(`corenet_udp_send_$1_depend',` + type $1_netif_t; + + class netif udp_send; +') + +######################################## +## +## +## Receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_receive_$1',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_netif_t:netif udp_recv; +') + +define(`corenet_udp_receive_$1_depend',` + type $1_netif_t; + + class netif udp_recv; +') + +######################################## +## +## +## Send and receive UDP network traffic on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_sendrecv_$1',` + corenet_udp_send_$1(dollarsone) + corenet_udp_receive_$1(dollarsone) +') + +######################################## +## +## +## Send raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. 
+## +## +## +# +define(`corenet_raw_send_$1',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_netif_t:netif rawip_send; + allow dollarsone self:capability net_raw; +') + +define(`corenet_raw_send_$1_depend',` + type $1_netif_t; + + class netif rawip_send; + class capability net_raw; +') + +######################################## +## +## +## Receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_raw_receive_$1',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_netif_t:netif rawip_recv; +') + +define(`corenet_raw_receive_$1_depend',` + type $1_netif_t; + + class netif rawip_recv; +') + +######################################## +## +## +## Send and receive raw IP packets on the $1 interface. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_raw_sendrecv_$1',` + corenet_raw_send_$1(dollarsone) + corenet_raw_receive_$1(dollarsone) +') +'') dnl end create_netif_interfaces + +######################################## +# +# Network node generated macros +# +######################################## + +define(`create_node_interfaces',`` +######################################## +## +## +## Send and receive TCP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_tcp_sendrecv_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:node { tcp_send tcp_recv }; +') + +define(`corenet_tcp_sendrecv_$1_node_depend',` + type $1_node_t; + + class node { tcp_send tcp_recv }; +') + +######################################## +## +## +## Send UDP traffic on the $1 node. +## +## +## The type of the process performing this action. 
+## +## +## +# +define(`corenet_udp_send_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:node udp_send; +') + +define(`corenet_udp_send_$1_node_depend',` + type $1_node_t; + + class node udp_send; +') + +######################################## +## +## +## Receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_receive_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:node udp_recv; +') + +define(`corenet_udp_receive_$1_node_depend',` + type $1_node_t; + + class node udp_recv; +') + +######################################## +## +## +## Send and receive UDP traffic on the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_sendrecv_$1_node',` + corenet_udp_send_$1_node(dollarsone) + corenet_udp_receive_$1_node(dollarsone) +') + +######################################## +## +## +## Send raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_raw_send_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:node rawip_send; + allow dollarsone self:capability net_raw; +') + +define(`corenet_raw_send_$1_node_depend',` + type $1_node_t; + + class node rawip_send; + class capability net_raw; +') + +######################################## +## +## +## Receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_raw_receive_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:node rawip_recv; +') + +define(`corenet_raw_receive_$1_node_depend',` + type $1_node_t; + + class node rawip_recv; +') + +######################################## +## +## +## Send and receive raw IP packets on the $1 node. +## +## +## The type of the process performing this action. 
+## +## +## +# +define(`corenet_raw_sendrecv_$1_node',` + corenet_raw_send_$1_node(dollarsone) + corenet_raw_receive_$1_node(dollarsone) +') + +######################################## +## +## +## Bind TCP sockets to node $1. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_tcp_bind_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:tcp_socket node_bind; +') + +define(`corenet_tcp_bind_$1_node_depend',` + type $1_node_t; + + class tcp_socket node_bind; +') + +######################################## +## +## +## Bind UDP sockets to the $1 node. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_bind_$1_node',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_node_t:udp_socket node_bind; +') + +define(`corenet_udp_bind_$1_node_depend',` + type $1_node_t; + + class udp_socket node_bind; +') +'') dnl end create_node_interfaces + +######################################## +# +# Network port generated macros +# +######################################## + +define(`create_port_interfaces',`` +######################################## +## +## +## Send and receive TCP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_tcp_sendrecv_$1_port',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg }; +') + +define(`corenet_tcp_sendrecv_$1_port_depend',` + type $1_port_t; + + class tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## +## Send UDP traffic on the $1 port. +## +## +## The type of the process performing this action. 
+## +## +## +# +define(`corenet_udp_send_$1_port',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_port_t:udp_socket send_msg; +') + +define(`corenet_udp_send_$1_port_depend',` + type $1_port_t; + + class udp_socket send_msg; +') + +######################################## +## +## +## Receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_receive_$1_port',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_port_t:udp_socket recv_msg; +') + +define(`corenet_udp_receive_$1_port_depend',` + type $1_port_t; + + class udp_socket recv_msg; +') + +######################################## +## +## +## Send and receive UDP traffic on the $1 port. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_udp_sendrecv_$1_port',` + corenet_udp_send_$1_port(dollarsone) + corenet_udp_receive_$1_port(dollarsone) +') + +######################################## +## +## +## Bind TCP sockets to the $1 port. +## +## +## The type of the process performing this action. +## +## +## +# +define(`corenet_tcp_bind_$1_port',` + requires_block_template(`dollarszero'_depend) + allow dollarsone $1_port_t:tcp_socket name_bind; + $2 +') + +define(`corenet_tcp_bind_$1_port_depend',` + type $1_port_t; + + class tcp_socket name_bind; + $3 +') + +######################################## +## +## +## Bind UDP sockets to the $1 port. +## +## +## The type of the process performing this action. 
+## +## +## +# +define(`corenet_udp_bind_$1_port',` + requires_block_template(`dollarszero'_depend) + + allow dollarsone $1_port_t:udp_socket name_bind; + $2 +') + +define(`corenet_udp_bind_$1_port_depend',` + type $1_port_t; + + class udp_socket name_bind; + $3 +') +'') dnl end create_port_interfaces + +# +# network_interface(linux_interfacename,mls_sensitivity) +# +define(`network_interface',` +create_netif_interfaces($1) +') + +# +# network_node(node_name,mls_sensitivity,address,netmask) +# +define(`network_node',` +create_node_interfaces($1) +') + +# These next three macros have formatting, and should not me indented +define(`determine_reserved_capability',`dnl +ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl +ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse +')dnl end outer ifelse +') dnl end determine reserved capability + +define(`determine_reserved_capability_depend',`dnl +ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl +ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse +')dnl end outer ifelse +') dnl end determine reserved capability depend + +define(`declare_ports',`dnl +ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl') +portcon $2 $3 context_template(system_u:object_r:$1,$4) +ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl +') + +# +# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) +# +define(`network_port',` +create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*))) +') diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te.in similarity index 100% rename from refpolicy/policy/modules/kernel/corenetwork.te rename to refpolicy/policy/modules/kernel/corenetwork.te.in 
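Review bot: `declare_ports` near the end of this file is defined but never used here — this file's `network_port` only calls `create_port_interfaces` with the two `determine_reserved_capability*` helpers — while the new `corenetwork.te.m4` carries the mirror-image dead copies of `determine_reserved_capability` and `determine_reserved_capability_depend`, whose `network_port` only calls `declare_ports`. Each file therefore repeats the reserved-port threshold `1024` three times, and the two copies can drift so that an interface grants `net_bind_service` for a port the `.te` side no longer marks `reserved_port_type` (or the reverse); drop the unused definition from each file, or keep the three shared helpers in one file that both Makefile rules pass to m4. The comment `# These next three macros have formatting, and should not me indented` has a typo and would read better as `# The next three macros emit formatted policy text; leave them unindented so whitespace does not leak into the generated output.`. The same duplicated-helper point applies to the corenetwork.te.m4 hunk below.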
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4
new file mode 100644
index 000000000..f591654ee
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4
@@ -0,0 +1,43 @@
+#
+# network_interface(linux_interfacename,mls_sensitivity)
+#
+define(`network_interface',`
+requires_block_template(`type unlabeled_t')
+type $1_netif_t alias netif_$1_t, netif_type;
+netifcon $1 context_template(system_u:object_r:$1_netif_t,$2) context_template(system_u:object_r:unlabeled_t,$2)
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask)
+#
+define(`network_node',`
+type $1_node_t alias node_$1_t, node_type;
+nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2)
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+define(`determine_reserved_capability_depend',`dnl
+ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability depend
+
+define(`declare_ports',`dnl
+ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+portcon $2 $3 context_template(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+#
+define(`network_port',`
+type $1_port_t, port_type;
+declare_ports($1_port_t,shift($*))
+')
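Review bot: The new file has no header comment saying what it is or who consumes it; from the Makefile change it is the declaration half of corenetwork, expanded by m4 together with `corenetwork.te.in` to produce `corenetwork.te`, while `corenetwork.if.m4` generates the matching interfaces from the same `network_*()` calls. Add at the top `# Type, netifcon, nodecon and portcon declarations for corenetwork; expanded by the corenetwork.te Makefile rule together with corenetwork.te.in. The per-object interfaces are generated from the same network_*() calls by corenetwork.if.m4, so the two files must stay in step.`. The `network_port` comment should also state the argument contract it relies on — each (protocol, portnum, mls_sensitivity) triple must be complete, since `declare_ports` stops recursing as soon as `$5` expands to empty, so a truncated trailing triple is silently dropped rather than reported.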