From ec70a331ffae24549d69a674ac89536795023e35 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 26 Aug 2011 09:03:25 -0400
Subject: [PATCH] Corenetwork policy size optimization from Dan Walsh.
---
Changelog | 1 +
policy/modules/kernel/corenetwork.if.in | 20 ++++++++++----------
policy/modules/kernel/corenetwork.te.in | 13 ++++++++++++-
policy/modules/kernel/corenetwork.te.m4 | 4 ++--
4 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/Changelog b/Changelog
index 50c6f3f3b..53b1fbbae 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Corenetwork policy size optimization from Dan Walsh.
 - Silence spurious udp_socket listen denials.
 - Fix unexpanded MLS/MCS fields in monolithic seusers file.
 - Type transition fix in Postgresql database objects from KaiGai Kohei.
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4f3b542c0..07126bdcc 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1255,11 +1255,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
 interface(`corenet_tcp_bind_generic_port',`
 gen_require(`
 type port_t;
- attribute port_type;
+ attribute defined_port_type;
 ')
 allow $1 port_t:tcp_socket name_bind;
- dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
+ dontaudit $1 defined_port_type:tcp_socket name_bind;
 ')
 ########################################
@@ -1293,11 +1293,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
 interface(`corenet_udp_bind_generic_port',`
 gen_require(`
 type port_t;
- attribute port_type;
+ attribute defined_port_type;
 ')
 allow $1 port_t:udp_socket name_bind;
- dontaudit $1 { port_type -port_t }:udp_socket name_bind;
+ dontaudit $1 defined_port_type:udp_socket name_bind;
 ')
 ########################################
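Review bot: The narrowed dontaudit in `corenet_tcp_bind_generic_port` (same in `corenet_udp_bind_generic_port`, @@ -1293) changes what the interface effectively grants, not only how many rules it expands to. `defined_port_type` is attached by the te.m4 change only to types created through `network_port()`, so `unreserved_port_t` — declared in the te.in @@ -49 hunk with `port_type, unreserved_port_type` alone — is outside it; and because the new default portcon entries label every tcp/udp port from 1024 to 65535 as `unreserved_port_t`, a domain given only this interface can no longer bind any of those ports through `allow $1 port_t`, and that denial is now audited where `{ port_type -port_t }` silenced it (reserved_port_t and hi_reserved_port_t presumably leave the set the same way if they are declared directly rather than via network_port()). None of the interface's callers appear in the diffstat. Either the interface description (above this hunk) should state that callers needing ephemeral ports must use `corenet_tcp_bind_all_unreserved_ports`, or, if the old silencing is still wanted, the rule should read `dontaudit $1 { defined_port_type unreserved_port_type }:tcp_socket name_bind;`.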
@@ -1856,10 +1856,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 #
 interface(`corenet_tcp_bind_all_unreserved_ports',`
 gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
 ')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
+ allow $1 unreserved_port_type:tcp_socket name_bind;
 ')
 ########################################
@@ -1874,10 +1874,10 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
 #
 interface(`corenet_udp_bind_all_unreserved_ports',`
 gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
 ')
- allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
+ allow $1 unreserved_port_type:udp_socket name_bind;
 ')
 ########################################
@@ -1910,10 +1910,10 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 #
 interface(`corenet_tcp_connect_all_unreserved_ports',`
 gen_require(`
- attribute port_type, reserved_port_type;
+ attribute unreserved_port_type;
 ')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
+ allow $1 unreserved_port_type:tcp_socket name_connect;
 ')
 ########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 624b26384..d36527dad 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.16.0)
+policy_module(corenetwork, 1.16.1)
 ########################################
 #
@@ -6,6 +6,8 @@ policy_module(corenetwork, 1.16.0)
 #
 attribute client_packet_type;
+# This is an optimization for { port_type -port_t }
+attribute defined_port_type;
 attribute ipsec_spd_type;
 attribute netif_type;
 attribute node_type;
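Review bot: `allow $1 unreserved_port_type:tcp_socket name_bind;` is wider than the `{ port_type -reserved_port_type }` it replaces for any port type whose `network_port()` call mixes a range below 1024 with one at or above it: the te.m4 @@ -81 change runs once per range and gives such a type both `reserved_port_type` and `unreserved_port_type`, so the old set excluded it while the new attribute includes it, and a domain granted "all unreserved ports" can now bind that type's reserved port numbers as well. The same applies to `corenet_udp_bind_all_unreserved_ports` (@@ -1874) and `corenet_tcp_connect_all_unreserved_ports` (@@ -1910). Dropping `port_t` from the set is harmless only because the new default portcon entries leave no tcp/udp port in 1-65535 labelled `port_t`. If the widening is unintended, `allow $1 { unreserved_port_type -reserved_port_type }:tcp_socket name_bind;` restores the old exclusion at the cost of re-expanding this one rule; if it is intended, the interface description should say so and the mixed-range port types should be reviewed.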
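Review bot: `# This is an optimization for { port_type -port_t }` overstates `defined_port_type`: the te.m4 @@ -90 change attaches it only to types created by `network_port()`, so `unreserved_port_t` (declared in @@ -49 without it) and, presumably, any other port type declared directly in this file belong to `{ port_type -port_t }` but not to the attribute, which matters wherever a dontaudit is switched over to it. The sibling comment on `unreserved_port_type` in @@ -14 is inexact the other way, since that attribute also lands on a type that carries `reserved_port_type` for one of its ranges. Suggest `# Port types declared via network_port(); stands in for { port_type -port_t } but omits port types declared directly in this file (e.g. unreserved_port_t)` and `# Port types with at least one range at or above 1024, plus unreserved_port_t; stands in for { port_type -reserved_port_type } but can include types that also hold a reserved range`.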
@@ -14,6 +16,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+# This is an optimization for { port_type -reserved_port_type }
+attribute unreserved_port_type;
 attribute corenet_unconfined_type;
@@ -49,6 +53,11 @@ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
 type port_t, port_type;
 sid port gen_context(system_u:object_r:port_t,s0)
+#
+# unreserved_port_t is the default type of INET port numbers above 1023
+#
+type unreserved_port_t, port_type, unreserved_port_type;
+
 #
 # reserved_port_t is the type of INET port numbers below 1024.
 #
@@ -234,6 +243,8 @@ network_port(zope, tcp,8021,s0)
 # Defaults for reserved ports. Earlier portcon entries take precedence;
 # these entries just cover any remaining reserved ports not otherwise declared.
+portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
index 35fed4f80..49f27caf5 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
@@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
 define(`declare_ports',`dnl
 ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
 ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
-',`dnl')
+',`typeattribute $1 unreserved_port_type;')
 portcon $2 $3 gen_context(system_u:object_r:$1,$4)
 ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 ')
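Review bot: The comment kept above the new portcon lines in @@ -234, `# Defaults for reserved ports. ... these entries just cover any remaining reserved ports not otherwise declared.`, is stale once the `1024-65535` entries make this block the default for every tcp/udp port number rather than only the reserved ones. Suggest `# Default port types. Earlier portcon entries take precedence; these entries cover any remaining port not otherwise declared.` The three ranges in the block (1024-65535, 512-1023, 1-511) are disjoint, so listing the unreserved entries first does not change which label wins.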
@@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
 # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
 #
 define(`network_port',`
-type $1_port_t, port_type;
+type $1_port_t, port_type, defined_port_type;
 type $1_client_packet_t, packet_type, client_packet_type;
 type $1_server_packet_t, packet_type, server_packet_type;
 declare_ports($1_port_t,shift($*))dnl