## <summary>Policy controlling access to network objects</summary>
## <required val="true">
##	Contains the initial SIDs for network objects.
## </required>

########################################
## <summary>
##	Define type to be a network port type
## </summary>
## <desc>
##	<p>
##	Define type to be a network port type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_port',`
	gen_require(`
		attribute port_type;
	')

	# Carrying port_type is what makes the type match every
	# corenet_*_all_ports interface below, so a type added here
	# is reachable by any domain granted "all ports" access.
	typeattribute $1 port_type;
')

########################################
## <summary>
##	Define network type to be a reserved port (lt 1024)
## </summary>
## <desc>
##	<p>
##	Define network type to be a reserved port (lt 1024)
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_reserved_port',`
	gen_require(`
		attribute reserved_port_type;
	')

	# Only reserved_port_type is added here, which is what the
	# corenet_*_all_reserved_ports interfaces match on.
	# NOTE(review): port_type is not added by this interface, so a type
	# that should also be covered by the *_all_ports interfaces presumably
	# needs corenet_port() as well -- confirm against callers.
	typeattribute $1 reserved_port_type;
')

########################################
## <summary>
##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
## </summary>
## <desc>
##	<p>
##	Define network type to be a rpc port ( 512 lt PORT lt 1024)
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for network ports.
##	</summary>
## </param>
#
interface(`corenet_rpc_port',`
	gen_require(`
		attribute rpc_port_type;
	')

	# rpc_port_type is a separate attribute; nothing in this file
	# adds port_type or reserved_port_type on the caller's behalf.
	typeattribute $1 rpc_port_type;
')

########################################
## <summary>
##	Define type to be a network node type
## </summary>
## <desc>
##	<p>
##	Define type to be a network node type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for network nodes.
##	</summary>
## </param>
#
interface(`corenet_node',`
	gen_require(`
		attribute node_type;
	')

	# node_type is what the corenet_*_all_nodes interfaces match on.
	typeattribute $1 node_type;
')

########################################
## <summary>
##	Define type to be a network packet type
## </summary>
## <desc>
##	<p>
##	Define type to be a network packet type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for a network packet.
##	</summary>
## </param>
#
interface(`corenet_packet',`
	gen_require(`
		attribute packet_type;
	')

	typeattribute $1 packet_type;
')

########################################
## <summary>
##	Define type to be a network client packet type
## </summary>
## <desc>
##	<p>
##	Define type to be a network client packet type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for a network client packet.
##	</summary>
## </param>
#
interface(`corenet_client_packet',`
	gen_require(`
		attribute packet_type, client_packet_type;
	')

	# A client packet type is also a generic packet type, so it is
	# matched by rules written against either attribute.
	typeattribute $1 client_packet_type, packet_type;
')

########################################
## <summary>
##	Define type to be a network server packet type
## </summary>
## <desc>
##	<p>
##	Define type to be a network server packet type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for a network server packet.
##	</summary>
## </param>
#
interface(`corenet_server_packet',`
	gen_require(`
		attribute packet_type, server_packet_type;
	')

	# A server packet type is also a generic packet type, so it is
	# matched by rules written against either attribute.
	typeattribute $1 server_packet_type, packet_type;
')

########################################
## <summary>
##	Make the specified type usable
##	for labeled ipsec.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for labeled ipsec.
##	</summary>
## </param>
#
interface(`corenet_spd_type',`
	gen_require(`
		attribute ipsec_spd_type;
	')

	typeattribute $1 ipsec_spd_type;
')

########################################
## <summary>
##	Define type to be an infiniband pkey type
## </summary>
## <desc>
##	<p>
##	Define type to be an infiniband pkey type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for infiniband pkeys.
##	</summary>
## </param>
#
interface(`corenet_ib_pkey',`
	gen_require(`
		attribute ibpkey_type;
	')

	typeattribute $1 ibpkey_type;
')

########################################
## <summary>
##	Define type to be an infiniband endport
## </summary>
## <desc>
##	<p>
##	Define type to be an infiniband endport
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for infiniband endports.
##	</summary>
## </param>
#
interface(`corenet_ib_endport',`
	gen_require(`
		attribute ibendport_type;
	')

	typeattribute $1 ibendport_type;
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to send and receive TCP network
##	traffic on generic network interfaces.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<p>
##	Example client being able to connect to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:tcp_socket create_stream_socket_perms;
##	corenet_tcp_sendrecv_generic_if(myclient_t)
##	corenet_tcp_sendrecv_generic_node(myclient_t)
##	corenet_tcp_sendrecv_all_ports(myclient_t)
##	corenet_tcp_connect_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_if',`
	gen_require(`
		type netif_t;
	')

	# netif_t is the generic interface label; the netif_type
	# attribute (corenet_*_all_if) covers every interface type.
	allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
')

########################################
## <summary>
##	Send UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { udp_send egress };
')

########################################
## <summary>
##	Dontaudit attempts to send UDP network traffic
##	on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	# Silences the denial only; access is still refused.
	dontaudit $1 netif_t:netif { udp_send egress };
')

########################################
## <summary>
##	Receive UDP network traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { udp_recv ingress };
')

########################################
## <summary>
##	Do not audit attempts to receive UDP network
##	traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	dontaudit $1 netif_t:netif { udp_recv ingress };
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic interfaces.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to send and receive UDP network
##	traffic on generic network interfaces.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<p>
##	Example client being able to send to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:udp_socket create_socket_perms;
##	corenet_udp_sendrecv_generic_if(myclient_t)
##	corenet_udp_sendrecv_generic_node(myclient_t)
##	corenet_udp_sendrecv_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_if',`
	# Composed from the one-direction interfaces so the rule text
	# lives in exactly one place.
	corenet_udp_send_generic_if($1)
	corenet_udp_receive_generic_if($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive UDP network
##	traffic on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_sendrecv_generic_if',`
	corenet_dontaudit_udp_send_generic_if($1)
	corenet_dontaudit_udp_receive_generic_if($1)
')

########################################
## <summary>
##	Send raw IP packets on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_send_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { rawip_send egress };
')

########################################
## <summary>
##	Receive raw IP packets on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_receive_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { rawip_recv ingress };
')

########################################
## <summary>
##	Send and receive raw IP packets on generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_sendrecv_generic_if',`
	corenet_raw_send_generic_if($1)
	corenet_raw_receive_generic_if($1)
')

########################################
## <summary>
##	Allow outgoing network traffic on the generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the outgoing network traffic.
##	</summary>
## </param>
#
interface(`corenet_out_generic_if',`
	gen_require(`
		type netif_t;
	')

	# Only the interface-level egress check; the per-protocol
	# *_send permissions are granted by the interfaces above.
	allow $1 netif_t:netif egress;
')

########################################
## <summary>
##	Allow incoming traffic on the generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the incoming network traffic.
##	</summary>
## </param>
#
interface(`corenet_in_generic_if',`
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif ingress;
')

########################################
## <summary>
##	Allow incoming and outgoing network traffic on the generic interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the network traffic.
##	</summary>
## </param>
#
interface(`corenet_inout_generic_if',`
	corenet_in_generic_if($1)
	corenet_out_generic_if($1)
')

########################################
## <summary>
##	Send and receive TCP network traffic on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_all_if',`
	gen_require(`
		attribute netif_type;
	')

	# netif_type matches every labeled interface, not just netif_t.
	allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
')

########################################
## <summary>
##	Send UDP network traffic on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { udp_send egress };
')

########################################
## <summary>
##	Receive UDP network traffic on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { udp_recv ingress };
')

########################################
## <summary>
##	Send and receive UDP network traffic on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_sendrecv_all_if',`
	corenet_udp_send_all_if($1)
	corenet_udp_receive_all_if($1)
')

########################################
## <summary>
##	Send raw IP packets on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_send_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { rawip_send egress };
')

########################################
## <summary>
##	Send and receive SCTP network traffic on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_sendrecv_generic_node',`
	gen_require(`
		type node_t;
	')

	# Unlike the TCP/UDP node interfaces there is no protocol-specific
	# node permission here; sendto/recvfrom are the generic node checks.
	allow $1 node_t:node { sendto recvfrom };
')

########################################
## <summary>
##	Receive raw IP packets on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_receive_all_if',`
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { rawip_recv ingress };
')

########################################
## <summary>
##	Send and receive raw IP packets on all interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_sendrecv_all_if',`
	corenet_raw_send_all_if($1)
	corenet_raw_receive_all_if($1)
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic nodes.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to send and receive TCP network
##	traffic to/from generic network nodes (hostnames/networks).
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_tcp_sendrecv_generic_if()</li>
##		<li>corenet_tcp_sendrecv_all_ports()</li>
##		<li>corenet_tcp_connect_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to connect to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:tcp_socket create_stream_socket_perms;
##	corenet_tcp_sendrecv_generic_if(myclient_t)
##	corenet_tcp_sendrecv_generic_node(myclient_t)
##	corenet_tcp_sendrecv_all_ports(myclient_t)
##	corenet_tcp_connect_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_node',`
	gen_require(`
		type node_t;
	')

	# node_t is the generic node label; node_type (corenet_*_all_nodes)
	# covers every node type.
	allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
')

########################################
## <summary>
##	Send UDP network traffic on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { udp_send sendto };
')

########################################
## <summary>
##	Receive UDP network traffic on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { udp_recv recvfrom };
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic nodes.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to send and receive UDP network
##	traffic to/from generic network nodes (hostnames/networks).
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_udp_sendrecv_generic_if()</li>
##		<li>corenet_udp_sendrecv_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to send to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:udp_socket create_socket_perms;
##	corenet_udp_sendrecv_generic_if(myclient_t)
##	corenet_udp_sendrecv_generic_node(myclient_t)
##	corenet_udp_sendrecv_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_generic_node',`
	corenet_udp_send_generic_node($1)
	corenet_udp_receive_generic_node($1)
')

########################################
## <summary>
##	Send raw IP packets on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_send_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { rawip_send sendto };
')

########################################
## <summary>
##	Receive raw IP packets on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_receive_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { rawip_recv recvfrom };
')

########################################
## <summary>
##	Send and receive raw IP packets on generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_sendrecv_generic_node',`
	corenet_raw_send_generic_node($1)
	corenet_raw_receive_generic_node($1)
')

########################################
## <summary>
##	Bind SCTP sockets to generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	# node_bind covers the local address; the port side is a separate
	# name_bind check (see the corenet_sctp_bind_*_port* interfaces).
	allow $1 node_t:sctp_socket node_bind;
')

########################################
## <summary>
##	Bind TCP sockets to generic nodes.
## </summary>
## <desc>
##	<p>
##	Bind TCP sockets to generic nodes. This is
##	necessary for binding a socket so it
##	can be used for servers to listen
##	for incoming connections.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>corenet_udp_bind_generic_node()</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	# node_bind covers the local address only; which port may be bound
	# is decided by a separate name_bind rule on a port type.
	allow $1 node_t:tcp_socket node_bind;
')

########################################
## <summary>
##	Bind UDP sockets to generic nodes.
## </summary>
## <desc>
##	<p>
##	Bind UDP sockets to generic nodes. This is
##	necessary for binding a socket so it
##	can be used for servers to listen
##	for incoming connections.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>corenet_tcp_bind_generic_node()</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:udp_socket node_bind;
')

########################################
## <summary>
##	Bind raw sockets to generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
interface(`corenet_raw_bind_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:rawip_socket node_bind;
')

########################################
## <summary>
##	Allow outgoing network traffic to generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the outgoing network traffic.
##	</summary>
## </param>
#
interface(`corenet_out_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node sendto;
')

########################################
## <summary>
##	Allow incoming network traffic from generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the incoming network traffic.
##	</summary>
## </param>
#
interface(`corenet_in_generic_node',`
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node recvfrom;
')

########################################
## <summary>
##	Allow incoming and outgoing network traffic with generic nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The peer label of the network traffic.
##	</summary>
## </param>
#
interface(`corenet_inout_generic_node',`
	corenet_in_generic_node($1)
	corenet_out_generic_node($1)
')

########################################
## <summary>
##	Send and receive TCP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	# node_type matches every node type, not only node_t.
	allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom };
')

########################################
## <summary>
##	Send UDP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { udp_send sendto };
')

########################################
## <summary>
##	Do not audit attempts to send UDP network
##	traffic on any nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node { udp_send sendto };
')

########################################
## <summary>
##	Send and receive SCTP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_sendrecv_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	# No SCTP-specific node permission; sendto/recvfrom are the generic checks.
	allow $1 node_type:node { sendto recvfrom };
')

########################################
## <summary>
##	Receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { udp_recv recvfrom };
')

########################################
## <summary>
##	Do not audit attempts to receive UDP
##	network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node { udp_recv recvfrom };
')

########################################
## <summary>
##	Send and receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_sendrecv_all_nodes',`
	corenet_udp_send_all_nodes($1)
	corenet_udp_receive_all_nodes($1)
')

########################################
## <summary>
##	Do not audit attempts to send and receive UDP
##	network traffic on any nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_sendrecv_all_nodes',`
	corenet_dontaudit_udp_send_all_nodes($1)
	corenet_dontaudit_udp_receive_all_nodes($1)
')

########################################
## <summary>
##	Send raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_send_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { rawip_send sendto };
')

########################################
## <summary>
##	Receive raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_receive_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { rawip_recv recvfrom };
')

########################################
## <summary>
##	Send and receive raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_sendrecv_all_nodes',`
	corenet_raw_send_all_nodes($1)
	corenet_raw_receive_all_nodes($1)
')

########################################
## <summary>
##	Bind TCP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:tcp_socket node_bind;
')

########################################
## <summary>
##	Bind UDP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:udp_socket node_bind;
')

########################################
## <summary>
##	Bind raw sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
interface(`corenet_raw_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:rawip_socket node_bind;
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_generic_port',`
	gen_require(`
		type port_t;
	')

	# port_t is the generic port label; port_type (corenet_*_all_ports)
	# covers every port type.
	allow $1 port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Bind SCTP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_all_nodes',`
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:sctp_socket node_bind;
')

########################################
## <summary>
##	Do not audit send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_sendrecv_generic_port',`
	gen_require(`
		type port_t;
	')

	dontaudit $1 port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Receive UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_sendrecv_generic_port',`
	corenet_udp_send_generic_port($1)
	corenet_udp_receive_generic_port($1)
')

########################################
## <summary>
##	Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_generic_port',`
	gen_require(`
		type port_t;
		attribute defined_port_type;
	')

	allow $1 port_t:tcp_socket name_bind;
	# Binding to a port that carries defined_port_type stays denied;
	# the dontaudit only keeps those denials out of the audit log.
	# NOTE(review): that also hides a misconfigured service trying to
	# bind a port it has no rule for -- confirm this is the intended trade-off.
	dontaudit $1 defined_port_type:tcp_socket name_bind;
')

########################################
## <summary>
##	Do not audit bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_generic_port',`
	gen_require(`
		type port_t;
	')

	dontaudit $1 port_t:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind UDP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_generic_port',`
	gen_require(`
		type port_t;
		attribute defined_port_type;
	')

	allow $1 port_t:udp_socket name_bind;
	# Same pattern as the TCP variant: defined ports remain denied, silently.
	dontaudit $1 defined_port_type:udp_socket name_bind;
')

########################################
## <summary>
##	Connect TCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_generic_port',`
	gen_require(`
		type port_t;
	')

	allow $1 port_t:tcp_socket name_connect;
')

########################################
## <summary>
##	Send and receive TCP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Send and receive TCP network traffic on all ports.
##	Related interfaces:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_tcp_sendrecv_generic_if()</li>
##		<li>corenet_tcp_sendrecv_generic_node()</li>
##		<li>corenet_tcp_connect_all_ports()</li>
##		<li>corenet_tcp_bind_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to connect to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:tcp_socket create_stream_socket_perms;
##	corenet_tcp_sendrecv_generic_if(myclient_t)
##	corenet_tcp_sendrecv_generic_node(myclient_t)
##	corenet_tcp_sendrecv_all_ports(myclient_t)
##	corenet_tcp_connect_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_all_ports',`
	gen_require(`
		attribute port_type;
	')

	# port_type matches every port type (see corenet_port).
	allow $1 port_type:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP network traffic on all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket send_msg;
')

########################################
## <summary>
##	Bind SCTP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_generic_port',`
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
		attribute defined_port_type;
	')

	# Broader than corenet_tcp_bind_generic_port / corenet_udp_bind_generic_port:
	# besides port_t this also allows unreserved_port_t and ephemeral_port_t.
	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
	# Defined ports stay denied; only the audit noise is suppressed.
	dontaudit $1 defined_port_type:sctp_socket name_bind;
')

########################################
## <summary>
##	Receive UDP network traffic on all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Send and receive UDP network traffic on all ports.
##	Related interfaces:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_udp_sendrecv_generic_if()</li>
##		<li>corenet_udp_sendrecv_generic_node()</li>
##		<li>corenet_udp_bind_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to send to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:udp_socket create_socket_perms;
##	corenet_udp_sendrecv_generic_if(myclient_t)
##	corenet_udp_sendrecv_generic_node(myclient_t)
##	corenet_udp_sendrecv_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_all_ports',`
	corenet_udp_send_all_ports($1)
	corenet_udp_receive_all_ports($1)
')

########################################
## <summary>
##	Do not audit attempts to bind SCTP
##	sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_bind_generic_port',`
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	# Mirrors the type set of corenet_sctp_bind_generic_port.
	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
')

########################################
## <summary>
##	Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket name_bind;
	# Binding a port below 1024 also needs this capability, so it is
	# granted here; it is a process-wide capability, not a per-port one.
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind UDP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket name_bind;
	# See corenet_tcp_bind_all_ports: the capability comes bundled.
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Connect SCTP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_connect_generic_port',`
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	# Same widened type set as corenet_sctp_bind_generic_port.
	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:udp_socket name_bind;
')

########################################
## <summary>
##	Connect TCP sockets to all ports.
## </summary>
## <desc>
##	<p>
##	Connect TCP sockets to all ports
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_tcp_sendrecv_generic_if()</li>
##		<li>corenet_tcp_sendrecv_generic_node()</li>
##		<li>corenet_tcp_sendrecv_all_ports()</li>
##		<li>corenet_tcp_bind_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to connect to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:tcp_socket create_stream_socket_perms;
##	corenet_tcp_sendrecv_generic_if(myclient_t)
##	corenet_tcp_sendrecv_generic_node(myclient_t)
##	corenet_tcp_sendrecv_all_ports(myclient_t)
##	corenet_tcp_connect_all_ports(myclient_t)
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	# name_connect to every type carrying port_type: no per-service
	# restriction remains once a domain is given this.
	allow $1 port_type:tcp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to connect TCP sockets
##	to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_connect;
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	# reserved_port_t is the single generic reserved-port label;
	# reserved_port_type (corenet_*_all_reserved_ports) covers all of them.
	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket send_msg;
')

########################################
## <summary>
##	Receive UDP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_sendrecv_reserved_port',`
	corenet_udp_send_reserved_port($1)
	corenet_udp_receive_reserved_port($1)
')

########################################
## <summary>
##	Bind TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_bind;
	# Reserved ports are below 1024 (see corenet_reserved_port), which
	# requires this capability in addition to the name_bind rule.
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Bind SCTP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:sctp_socket name_bind;
	# Bundled capability, as in corenet_tcp_bind_all_ports.
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Bind UDP sockets to generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Connect TCP sockets to generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to bind SCTP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_bind_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:sctp_socket name_bind;
')

########################################
## <summary>
##	Send and receive TCP network traffic on all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_sendrecv_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
')

########################################
## <summary>
##	Send UDP network traffic on all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_send_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket send_msg;
')

########################################
## <summary>
##	Receive UDP network traffic on all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_receive_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket recv_msg;
')

########################################
## <summary>
##	Send and receive UDP network traffic on all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_sendrecv_all_reserved_ports',`
	corenet_udp_send_all_reserved_ports($1)
	corenet_udp_receive_all_reserved_ports($1)
')

########################################
## <summary>
##	Connect SCTP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:sctp_socket name_connect;
')

########################################
## <summary>
##	Bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket name_bind;
	# Ports below 1024 need the capability as well as the name_bind rule.
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind UDP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:udp_socket name_bind;
')

########################################
## <summary>
##	Do not audit attempts to connect SCTP sockets
##	to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_connect_all_ports',`
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:sctp_socket name_connect;
')

########################################
## <summary>
##	Bind TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
	gen_require(`
		attribute unreserved_port_type;
	')

	# No net_bind_service here: these ports are above 1024 and do not need it.
	allow $1 unreserved_port_type:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind UDP sockets to all ports > 1024.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_unreserved_ports',`
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:udp_socket name_bind;
')

########################################
## <summary>
##	Connect TCP sockets to reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket name_connect;
')

########################################
## <summary>
##	Connect SCTP sockets to all ports > 1024.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_connect_all_unreserved_ports',`
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:sctp_socket name_connect;
')

########################################
## <summary>
##	Connect TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # interface(`corenet_tcp_connect_all_unreserved_ports',` gen_require(` attribute unreserved_port_type; ') allow $1 unreserved_port_type:tcp_socket name_connect; ') ######################################## ## ## Do not audit attempts to connect TCP sockets ## all reserved ports. ## ## ## ## Domain to not audit. ## ## # interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` gen_require(` attribute reserved_port_type; ') dontaudit $1 reserved_port_type:tcp_socket name_connect; ') ######################################## ## ## Connect TCP sockets to rpc ports. ## ## ## ## Domain allowed access. ## ## # interface(`corenet_tcp_connect_all_rpc_ports',` gen_require(` attribute rpc_port_type; ') allow $1 rpc_port_type:tcp_socket name_connect; ') ######################################## ## ## Do not audit attempts to connect TCP sockets ## all rpc ports. ## ## ## ## Domain to not audit. ## ## # interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` gen_require(` attribute rpc_port_type; ') dontaudit $1 rpc_port_type:tcp_socket name_connect; ') ######################################## ## ## Bind SCTP sockets to generic reserved ports. ## ## ## ## Domain allowed access. ## ## # interface(`corenet_sctp_bind_reserved_port',` gen_require(` type reserved_port_t; ') allow $1 reserved_port_t:sctp_socket name_bind; allow $1 self:capability net_bind_service; ') ######################################## ## ## Read the TUN/TAP virtual network device. ## ## ## ## The domain read allowed access. ## ## # interface(`corenet_read_tun_tap_dev',` gen_require(` type tun_tap_device_t; ') dev_list_all_dev_nodes($1) allow $1 tun_tap_device_t:chr_file read_chr_file_perms; ') ######################################## ## ## Write the TUN/TAP virtual network device. ## ## ## ## The domain allowed write access. 
##	</summary>
## </param>
#
interface(`corenet_write_tun_tap_dev',`
	gen_require(`
		type tun_tap_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
')

########################################
## <summary>
##	Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_rw_tun_tap_dev',`
	gen_require(`
		type tun_tap_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Connect SCTP sockets to generic reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_connect_reserved_port',`
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:sctp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to read or write the TUN/TAP
##	virtual network device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_rw_tun_tap_dev',`
	gen_require(`
		type tun_tap_device_t;
	')

	# only the bare read/write permissions are silenced, not the
	# full rw_chr_file_perms set granted by corenet_rw_tun_tap_dev
	dontaudit $1 tun_tap_device_t:chr_file { read write };
')

########################################
## <summary>
##	Get the attributes of the point-to-point device.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_getattr_ppp_dev',`
	gen_require(`
		type ppp_device_t;
	')

	allow $1 ppp_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read and write the point-to-point device.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_rw_ppp_dev',`
	gen_require(`
		type ppp_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 ppp_device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_bind_all_rpc_ports',`
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:tcp_socket name_bind;
	# RPC ports are below 1024, so CAP_NET_BIND_SERVICE is needed as well
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_bind_all_rpc_ports',`
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:tcp_socket name_bind;
')

########################################
## <summary>
##	Bind UDP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_bind_all_rpc_ports',`
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:udp_socket name_bind;
')

########################################
## <summary>
##	Bind SCTP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:sctp_socket name_bind;
	allow $1 self:capability net_bind_service;
')

########################################
## <summary>
##	Receive TCP packets from a NetLabel connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	# both the peer-level and the socket-level receive checks apply
	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:tcp_socket recvfrom;
')

########################################
## <summary>
##	Receive TCP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
	kernel_tcp_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Do not audit attempts to bind SCTP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:sctp_socket name_bind;
')

########################################
## <summary>
##	Do not audit attempts to receive TCP packets from a NetLabel
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
')

########################################
## <summary>
##	Do not audit attempts to receive TCP packets from an unlabeled
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Receive UDP packets from a NetLabel connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:udp_socket recvfrom;
')

########################################
## <summary>
##	Receive UDP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_udp_recvfrom_unlabeled',`
	kernel_udp_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Bind SCTP sockets to all ports > 1024.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_bind_all_unreserved_ports',`
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:sctp_socket name_bind;
')

########################################
## <summary>
##	Do not audit attempts to receive UDP packets from a NetLabel
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
')

########################################
## <summary>
##	Do not audit attempts to receive UDP packets from an unlabeled
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
	kernel_dontaudit_udp_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Receive raw IP packets from a NetLabel connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:rawip_socket recvfrom;
')

########################################
## <summary>
##	Receive raw IP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_raw_recvfrom_unlabeled',`
	kernel_raw_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Do not audit attempts to receive raw IP packets from a NetLabel
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
')

########################################
## <summary>
##	Connect SCTP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_connect_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:sctp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to receive raw IP packets from an unlabeled
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
	kernel_dontaudit_raw_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Receive packets from an unlabeled connection.
## </summary>
## <desc>

##	<p>
##	Allow the specified domain to receive packets from an
##	unlabeled connection.  On machines that do not utilize
##	labeled networking, this will be required on all
##	networking domains.  On machines that do utilize
##	labeled networking, this will be required for any
##	networking domain that is allowed to receive
##	network traffic that does not have a label.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_all_recvfrom_unlabeled',`
	kernel_tcp_recvfrom_unlabeled($1)
	kernel_udp_recvfrom_unlabeled($1)
	kernel_raw_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# NOTE(review): unlike corenet_all_recvfrom_labeled, no SCTP rules are
	# included here; confirm whether callers that use SCTP also need
	# corenet_sctp_recvfrom_unlabeled.

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Receive packets from a NetLabel connection.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to receive NetLabel
##	network traffic, which utilizes the Commercial IP
##	Security Option (CIPSO) to set the MLS level
##	of the network packets.  This is required for
##	all networking domains that receive NetLabel
##	network traffic.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_all_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	allow $1 netlabel_peer_t:peer recv;
	# SCTP is not listed: the per-protocol SCTP interface grants peer recv only
	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')

########################################
## <summary>
##	Do not audit attempts to receive packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
	kernel_dontaudit_udp_recvfrom_unlabeled($1)
	kernel_dontaudit_raw_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Do not audit attempts to connect SCTP sockets
##	to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:sctp_socket name_connect;
')

########################################
## <summary>
##	Do not audit attempts to receive packets from a NetLabel
##	connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_all_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')

########################################
## <summary>
##	Rules for receiving labeled TCP packets.
## </summary>
## <desc>

##	<p>
##	Rules for receiving labeled TCP packets.
##	</p>
##	<p>
##	Due to the nature of TCP, this is bidirectional.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
interface(`corenet_tcp_recvfrom_labeled',`
	# both ends may send on their own association
	allow { $1 $2 } self:association sendto;
	# and each end may receive from the other (TCP is bidirectional)
	allow $1 $2:{ association tcp_socket } recvfrom;
	allow $2 $1:{ association tcp_socket } recvfrom;
	allow $1 $2:peer recv;
	allow $2 $1:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_tcp_recvfrom_netlabel($1)
	corenet_tcp_recvfrom_netlabel($2)
')

########################################
## <summary>
##	Rules for receiving labeled UDP packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
interface(`corenet_udp_recvfrom_labeled',`
	# one direction only: the peer sends, $1 receives
	allow $2 self:association sendto;
	allow $1 $2:{ association udp_socket } recvfrom;
	allow $1 $2:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_udp_recvfrom_netlabel($1)
')

########################################
## <summary>
##	Rules for receiving labeled raw IP packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
interface(`corenet_raw_recvfrom_labeled',`
	# one direction only: the peer sends, $1 receives
	allow $2 self:association sendto;
	allow $1 $2:{ association rawip_socket } recvfrom;
	allow $1 $2:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_raw_recvfrom_netlabel($1)
')

########################################
## <summary>
##	Rules for receiving labeled packets via TCP, UDP and raw IP.
## </summary>
## <desc>

##	<p>
##	Rules for receiving labeled packets via TCP, UDP and raw IP.
##	</p>
##	<p>
##	Due to the nature of TCP, the rules (for TCP
##	networking only) are bidirectional.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
	# SCTP is included here (and is bidirectional, like TCP)
	corenet_sctp_recvfrom_labeled($1, $2)
	corenet_tcp_recvfrom_labeled($1, $2)
	corenet_udp_recvfrom_labeled($1, $2)
	corenet_raw_recvfrom_labeled($1, $2)
')

########################################
## <summary>
##	Allow specified type to set the context of
##	a SPD entry for labeled ipsec associations.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_setcontext_all_spds',`
	gen_require(`
		attribute ipsec_spd_type;
	')

	allow $1 ipsec_spd_type:association setcontext;
')

########################################
## <summary>
##	Send generic client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_send_generic_client_packets',`
	gen_require(`
		type client_packet_t;
	')

	allow $1 client_packet_t:packet send;
')

########################################
## <summary>
##	Receive generic client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_receive_generic_client_packets',`
	gen_require(`
		type client_packet_t;
	')

	allow $1 client_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive generic client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_generic_client_packets',`
	corenet_send_generic_client_packets($1)
	corenet_receive_generic_client_packets($1)
')

########################################
## <summary>
##	Relabel packets to the generic client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_generic_client_packets',`
	gen_require(`
		type client_packet_t;
	')

	allow $1 client_packet_t:packet relabelto;
')

########################################
## <summary>
##	Send generic server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_send_generic_server_packets',`
	gen_require(`
		type server_packet_t;
	')

	allow $1 server_packet_t:packet send;
')

########################################
## <summary>
##	Receive generic server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_receive_generic_server_packets',`
	gen_require(`
		type server_packet_t;
	')

	allow $1 server_packet_t:packet recv;
')

########################################
## <summary>
##	Send and receive generic server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_generic_server_packets',`
	corenet_send_generic_server_packets($1)
	corenet_receive_generic_server_packets($1)
')

########################################
## <summary>
##	Relabel packets to the generic server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_generic_server_packets',`
	gen_require(`
		type server_packet_t;
	')

	allow $1 server_packet_t:packet relabelto;
')

########################################
## <summary>
##	Send and receive unlabeled packets.
## </summary>
## <desc>

##	<p>
##	Send and receive unlabeled packets.
##	These packets do not match any netfilter
##	SECMARK rules.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_unlabeled_packets',`
	kernel_sendrecv_unlabeled_packets($1)
')

########################################
## <summary>
##	Send all client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_send_all_client_packets',`
	gen_require(`
		attribute client_packet_type;
	')

	allow $1 client_packet_type:packet send;
')

########################################
## <summary>
##	Receive all client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_receive_all_client_packets',`
	gen_require(`
		attribute client_packet_type;
	')

	allow $1 client_packet_type:packet recv;
')

########################################
## <summary>
##	Send and receive all client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_all_client_packets',`
	corenet_send_all_client_packets($1)
	corenet_receive_all_client_packets($1)
')

########################################
## <summary>
##	Relabel packets to any client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_all_client_packets',`
	gen_require(`
		attribute client_packet_type;
	')

	allow $1 client_packet_type:packet relabelto;
')

########################################
## <summary>
##	Send all server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_send_all_server_packets',`
	gen_require(`
		attribute server_packet_type;
	')

	allow $1 server_packet_type:packet send;
')

########################################
## <summary>
##	Receive SCTP packets from a NetLabel connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	# only the peer-level check; there is no socket-level recvfrom rule
	# here, unlike the TCP/UDP/raw variants
	allow $1 netlabel_peer_t:peer recv;
')

########################################
## <summary>
##	Receive all server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_receive_all_server_packets',`
	gen_require(`
		attribute server_packet_type;
	')

	allow $1 server_packet_type:packet recv;
')

########################################
## <summary>
##	Send and receive all server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_all_server_packets',`
	corenet_send_all_server_packets($1)
	corenet_receive_all_server_packets($1)
')

########################################
## <summary>
##	Relabel packets to any server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_all_server_packets',`
	gen_require(`
		attribute server_packet_type;
	')

	allow $1 server_packet_type:packet relabelto;
')

########################################
## <summary>
##	Receive SCTP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sctp_recvfrom_unlabeled',`
	gen_require(`
		attribute corenet_unlabeled_type;
	')

	kernel_recvfrom_unlabeled_peer($1)
	# NOTE(review): the SCTP-specific unlabeled rules are presumably attached
	# to corenet_unlabeled_type in the .te file rather than granted here;
	# confirm there.
	typeattribute $1 corenet_unlabeled_type;
	kernel_sendrecv_unlabeled_association($1)
')

########################################
## <summary>
##	Send all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_send_all_packets',`
	gen_require(`
		attribute packet_type;
	')

	allow $1 packet_type:packet send;
')

########################################
## <summary>
##	Receive all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_receive_all_packets',`
	gen_require(`
		attribute packet_type;
	')

	allow $1 packet_type:packet recv;
')

########################################
## <summary>
##	Send and receive all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_sendrecv_all_packets',`
	corenet_send_all_packets($1)
	corenet_receive_all_packets($1)
')

########################################
## <summary>
##	Relabel packets to any packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_relabelto_all_packets',`
	gen_require(`
		attribute packet_type;
	')

	allow $1 packet_type:packet relabelto;
')

########################################
## <summary>
##	Access unlabeled InfiniBand pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_access_unlabeled_pkeys',`
	kernel_ib_access_unlabeled_pkeys($1)
')

########################################
## <summary>
##	Access all labeled InfiniBand pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_access_all_pkeys',`
	gen_require(`
		attribute ibpkey_type;
	')

	allow $1 ibpkey_type:infiniband_pkey access;
')

########################################
## <summary>
##	Manage subnets on all labeled InfiniBand endports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_manage_subnet_all_endports',`
	gen_require(`
		attribute ibendport_type;
	')

	allow $1 ibendport_type:infiniband_endport manage_subnet;
')

########################################
## <summary>
##	Manage subnets on all unlabeled InfiniBand endports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_ib_manage_subnet_unlabeled_endports',`
	kernel_ib_manage_subnet_unlabeled_endports($1)
')

########################################
## <summary>
##	Rules for receiving labeled SCTP packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
interface(`corenet_sctp_recvfrom_labeled',`
	# bidirectional, like the TCP variant, but at the association level only
	allow { $1 $2 } self:association sendto;
	allow $1 $2:association recvfrom;
	allow $2 $1:association recvfrom;
	allow $1 $2:peer recv;
	allow $2 $1:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_sctp_recvfrom_netlabel($1)
	corenet_sctp_recvfrom_netlabel($2)
')

########################################
## <summary>
##	Unconfined access to network objects.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
interface(`corenet_unconfined',`
	gen_require(`
		attribute corenet_unconfined_type;
	')

	# NOTE(review): the rules attached to corenet_unconfined_type are
	# defined in the .te file; this is intended as a blanket grant, so
	# confined domains should prefer the narrower interfaces above.
	typeattribute $1 corenet_unconfined_type;
')