refpolicy: Update for kernel sctp support

Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

policy/constraints

@@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
 
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)

policy/flask/access_vectors

@@ -985,6 +985,8 @@ class sctp_socket
 inherits socket
 {
 	node_bind
+	name_connect
+	association
 }
 
 class icmp_socket

policy/mcs

@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
 mlsconstrain process { signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain key { create link read search setattr view write }

policy/mls

@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 	( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
 	(( l1 eq l2 ) or
 	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	   ( t1 == mlsnetread )) and
@@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
 	 ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
-# { tcp_socket udp_socket rawip_socket } node_bind
+# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
 #
-# tcp_socket name_connect
+# { tcp_socket sctp_socket } name_connect
 #
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #

policy/modules/kernel/corenetwork.if.in

@@ -634,6 +634,24 @@ interface(`corenet_raw_send_all_if',`
 	allow $1 netif_type:netif { rawip_send egress };
 ')
 
+########################################
+## <summary>
+##	Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Receive raw IP packets on all interfaces.
@@ -841,6 +859,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
 	corenet_raw_receive_generic_node($1)
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:sctp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to generic nodes.
@@ -1035,6 +1071,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
 	dontaudit $1 node_type:node { udp_send sendto };
 ')
 
+########################################
+## <summary>
+##	Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on all nodes.
@@ -1227,6 +1281,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
 	allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:sctp_socket node_bind;
+')
+
+
 ########################################
 ## <summary>
 ##	Do not audit send and receive TCP network traffic on generic ports.
@@ -1434,6 +1507,26 @@ interface(`corenet_udp_send_all_ports',`
 	allow $1 port_type:udp_socket send_msg;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+		attribute defined_port_type;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+	dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on all ports.
@@ -1491,6 +1584,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
 	corenet_udp_receive_all_ports($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind SCTP
+##	sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all ports.
@@ -1547,6 +1659,24 @@ interface(`corenet_udp_bind_all_ports',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t,ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attepts to bind UDP sockets to any ports.
@@ -1718,6 +1848,25 @@ interface(`corenet_tcp_bind_reserved_port',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Bind UDP sockets to generic reserved ports.
@@ -1755,6 +1904,24 @@ interface(`corenet_tcp_connect_reserved_port',`
 	allow $1 reserved_port_t:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Do not audit attepts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
@@ -1824,6 +1991,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 	corenet_udp_receive_all_reserved_ports($1)
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all reserved ports.
@@ -1898,6 +2083,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 	dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all ports > 1024.
@@ -1952,6 +2156,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 	allow $1 reserved_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to all ports > 1024.
@@ -2026,6 +2248,25 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Read the TUN/TAP virtual network device.
@@ -2083,6 +2324,24 @@ interface(`corenet_rw_tun_tap_dev',`
 	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write the TUN/TAP
@@ -2213,6 +2472,25 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Receive TCP packets from a NetLabel connection.
@@ -2252,6 +2530,24 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive TCP packets from a NetLabel
@@ -2332,6 +2628,24 @@ interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive UDP packets from a NetLabel
@@ -2432,6 +2746,24 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive Raw IP packets from an unlabeled
@@ -2539,6 +2871,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
 	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive packets from a NetLabel
@@ -2670,6 +3021,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+	corenet_sctp_recvfrom_labeled($1, $2)
 	corenet_tcp_recvfrom_labeled($1, $2)
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
@@ -2940,6 +3292,24 @@ interface(`corenet_send_all_server_packets',`
 	allow $1 server_packet_type:packet send;
 ')
 
+########################################
+## <summary>
+##	Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Receive all server packets.
@@ -2991,6 +3361,27 @@ interface(`corenet_relabelto_all_server_packets',`
 	allow $1 server_packet_type:packet relabelto;
 ')
 
+########################################
+## <summary>
+##	Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+	gen_require(`
+		attribute corenet_unlabeled_type;
+	')
+
+	kernel_recvfrom_unlabeled_peer($1)
+
+	typeattribute $1 corenet_unlabeled_type;
+	kernel_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ##	Send all packets.
@@ -3124,6 +3515,34 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',`
 	kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
 
+########################################
+## <summary>
+##	Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+	allow { $1 $2 } self:association sendto;
+	allow $1 $2:association recvfrom;
+	allow $2 $1:association recvfrom;
+
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
+	corenet_sctp_recvfrom_netlabel($1)
+	corenet_sctp_recvfrom_netlabel($2)
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to network objects.

policy/modules/kernel/corenetwork.te.in

@@ -307,9 +307,12 @@ network_port(zope, tcp,8021,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
@@ -355,11 +358,12 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se
 allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
 allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)

policy/support/obj_perm_sets.spt

@@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 # Stream socket classes.
 #
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 
 #
 # Unprivileged socket classes (exclude rawip, netlink, packet).
 #
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
 
 
 ########################################