Merge pull request #234 from topimiettinen/systemd-networkd-allow-icmp-dhcpc

policy/modules/kernel/corenetwork.if.m4

@@ -872,6 +872,13 @@ create_packet_interfaces($1_client)
 create_packet_interfaces($1_server)
 ')
 
+#
+# network_packet_simple(packet_name)
+#
+define(`network_packet_simple',`
+create_packet_interfaces($1)
+')
+
 # create_ibpkey_*_interfaces(name, subnet_prefix, pkeynum,mls_sensitivity)
 # (these wrap create_port_interfaces to handle attributes and types)
 define(`create_ibpkey_type_interfaces',`create_ibpkey_interfaces($1,ibpkey_t,type,determine_reserved_capability(shift($*)))')

policy/modules/kernel/corenetwork.te.in

@@ -42,6 +42,11 @@ dev_node(tun_tap_device_t)
 #
 type client_packet_t, packet_type, client_packet_type;
 
+#
+# ICMP and ICMPv6
+#
+network_packet_simple(icmp)
+
 #
 # The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
 # connections using NetLabel which do not carry full SELinux contexts.

policy/modules/kernel/corenetwork.te.m4

@@ -112,6 +112,13 @@ type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 ')
 
+#
+# network_packet_simple(packet_name)
+#
+define(`network_packet_simple',`
+type $1_packet_t, packet_type;
+')
+
 define(`declare_ibpkeycons',`dnl
 ibpkeycon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl

policy/modules/system/systemd.te

@@ -797,6 +797,8 @@ kernel_rw_net_sysctls(systemd_networkd_t)
 corecmd_bin_entry_type(systemd_networkd_t)
 corecmd_exec_bin(systemd_networkd_t)
 
+corenet_sendrecv_icmp_packets(systemd_networkd_t)
+corenet_sendrecv_dhcpd_client_packets(systemd_networkd_t)
 corenet_rw_tun_tap_dev(systemd_networkd_t)
 corenet_udp_bind_dhcpc_port(systemd_networkd_t)
 corenet_udp_bind_generic_node(systemd_networkd_t)