Corenetwork policy size optimization from Dan Walsh.

This commit is contained in:
Chris PeBenito 2011-08-26 09:03:25 -04:00
parent 697d0bbf4d
commit ec70a331ff
4 changed files with 25 additions and 13 deletions


@ -1,3 +1,4 @@
- Corenetwork policy size optimization from Dan Walsh.
- Silence spurious udp_socket listen denials. - Silence spurious udp_socket listen denials.
- Fix unexpanded MLS/MCS fields in monolithic seusers file. - Fix unexpanded MLS/MCS fields in monolithic seusers file.
- Type transition fix in Postgresql database objects from KaiGai Kohei. - Type transition fix in Postgresql database objects from KaiGai Kohei.


@ -1255,11 +1255,11 @@ interface(`corenet_udp_sendrecv_generic_port',`
interface(`corenet_tcp_bind_generic_port',` interface(`corenet_tcp_bind_generic_port',`
gen_require(` gen_require(`
type port_t; type port_t;
attribute port_type; attribute defined_port_type;
') ')
allow $1 port_t:tcp_socket name_bind; allow $1 port_t:tcp_socket name_bind;
dontaudit $1 { port_type -port_t }:tcp_socket name_bind; dontaudit $1 defined_port_type:tcp_socket name_bind;
') ')
######################################## ########################################
@ -1293,11 +1293,11 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
interface(`corenet_udp_bind_generic_port',` interface(`corenet_udp_bind_generic_port',`
gen_require(` gen_require(`
type port_t; type port_t;
attribute port_type; attribute defined_port_type;
') ')
allow $1 port_t:udp_socket name_bind; allow $1 port_t:udp_socket name_bind;
dontaudit $1 { port_type -port_t }:udp_socket name_bind; dontaudit $1 defined_port_type:udp_socket name_bind;
') ')
######################################## ########################################
@ -1856,10 +1856,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
# #
interface(`corenet_tcp_bind_all_unreserved_ports',` interface(`corenet_tcp_bind_all_unreserved_ports',`
gen_require(` gen_require(`
attribute port_type, reserved_port_type; attribute unreserved_port_type;
') ')
allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; allow $1 unreserved_port_type:tcp_socket name_bind;
') ')
######################################## ########################################
@ -1874,10 +1874,10 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
# #
interface(`corenet_udp_bind_all_unreserved_ports',` interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(` gen_require(`
attribute port_type, reserved_port_type; attribute unreserved_port_type;
') ')
allow $1 { port_type -reserved_port_type }:udp_socket name_bind; allow $1 unreserved_port_type:udp_socket name_bind;
') ')
######################################## ########################################
@ -1910,10 +1910,10 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
# #
interface(`corenet_tcp_connect_all_unreserved_ports',` interface(`corenet_tcp_connect_all_unreserved_ports',`
gen_require(` gen_require(`
attribute port_type, reserved_port_type; attribute unreserved_port_type;
') ')
allow $1 { port_type -reserved_port_type }:tcp_socket name_connect; allow $1 unreserved_port_type:tcp_socket name_connect;
') ')
######################################## ########################################
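Review bot: Replacing `{ port_type -reserved_port_type }` with `unreserved_port_type` in corenet_tcp_bind_all_unreserved_ports, corenet_udp_bind_all_unreserved_ports and corenet_tcp_connect_all_unreserved_ports is not an exact substitution, because port_t is declared as `type port_t, port_type;` with neither attribute and so was in the old set but is not in the new one; callers of these interfaces lose name_bind/name_connect on port_t unless that is the intended narrowing. The same applies to the two dontaudit lines in corenet_tcp_bind_generic_port and corenet_udp_bind_generic_port: `defined_port_type` is only added by network_port() in the m4 section, so port types declared directly in the .te section (the new unreserved_port_t, and presumably reserved_port_t and hi_reserved_port_t, whose declarations fall outside the hunks) were covered by `{ port_type -port_t }` but are not covered by `defined_port_type`, so their name_bind denials will now be audited. If the equivalence stated in the .te comments is the goal, the direct declarations should carry the attribute too, e.g. `type unreserved_port_t, port_type, defined_port_type, unreserved_port_type;`, and the interface comments for these five interfaces should state whether port_t is in scope.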


@ -1,4 +1,4 @@
policy_module(corenetwork, 1.16.0) policy_module(corenetwork, 1.16.1)
######################################## ########################################
# #
@ -6,6 +6,8 @@ policy_module(corenetwork, 1.16.0)
# #
attribute client_packet_type; attribute client_packet_type;
# This is an optimization for { port_type -port_t }
attribute defined_port_type;
attribute ipsec_spd_type; attribute ipsec_spd_type;
attribute netif_type; attribute netif_type;
attribute node_type; attribute node_type;
@ -14,6 +16,8 @@ attribute port_type;
attribute reserved_port_type; attribute reserved_port_type;
attribute rpc_port_type; attribute rpc_port_type;
attribute server_packet_type; attribute server_packet_type;
# This is an optimization for { port_type -reserved_port_type }
attribute unreserved_port_type;
attribute corenet_unconfined_type; attribute corenet_unconfined_type;
@ -49,6 +53,11 @@ sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
type port_t, port_type; type port_t, port_type;
sid port gen_context(system_u:object_r:port_t,s0) sid port gen_context(system_u:object_r:port_t,s0)
#
# unreserved_port_t is the default type of INET port numbers above 1023
#
type unreserved_port_t, port_type, unreserved_port_type;
# #
# reserved_port_t is the type of INET port numbers below 1024. # reserved_port_t is the type of INET port numbers below 1024.
# #
@ -234,6 +243,8 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence; # Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared. # these entries just cover any remaining reserved ports not otherwise declared.
portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
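Review bot: The two new `portcon ... 1024-65535 ... unreserved_port_t` entries are placed directly under the comment "Defaults for reserved ports ... cover any remaining reserved ports not otherwise declared", which no longer describes the block; the comment should read something like `# Defaults for ports not declared above. Earlier portcon entries take precedence;` `# these entries cover any remaining port numbers, reserved or unreserved.`. With 1-511, 512-1023 and 1024-65535 all given explicit fallbacks, port_t appears to remain only as the initial SID and for anything outside those ranges, which is worth a one-line comment next to `sid port` so readers do not expect port_t on unlabeled high ports. The top of this hunk's portcon list and the reserved_port_t/hi_reserved_port_t declarations lie outside the visible hunks.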


@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
define(`declare_ports',`dnl define(`declare_ports',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
',`dnl') ',`typeattribute $1 unreserved_port_type;')
portcon $2 $3 gen_context(system_u:object_r:$1,$4) portcon $2 $3 gen_context(system_u:object_r:$1,$4)
ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
') ')
@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]]) # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
# #
define(`network_port',` define(`network_port',`
type $1_port_t, port_type; type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type; type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type; type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl declare_ports($1_port_t,shift($*))dnl
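Review bot: declare_ports recurses once per protocol/range triple and the new else branch adds `typeattribute $1 unreserved_port_type;` per range, so a port type declared with one range starting below 1024 and another at or above 1024 ends up with both reserved_port_type and unreserved_port_type; the old `{ port_type -reserved_port_type }` set excluded such a type entirely, while the new attribute-based interfaces would now grant name_bind/name_connect on it. Whether any network_port() call declares mixed ranges is not visible here, but the macro should either document the rule or skip unreserved_port_type when the type already has a reserved range. A comment above `define(\`declare_ports',\`dnl` such as `# Per range: <1024 adds reserved_port_type (512-1023 also rpc_port_type), otherwise unreserved_port_type; a type with mixed ranges gets both.` would make the contract explicit, and the network_port comment at the start of this hunk could mention that `defined_port_type` is added to every port type it declares. The comment block preceding define(`declare_ports') starts outside the hunk.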