From: Daniel J Walsh <dwalsh@redhat.com>
To: jwcart2@epoch.ncsc.mil
Cc: Russell Coker <russell@coker.com.au>,
	Thomas Bleher <bleher@informatik.uni-muenchen.de>,
	SELinux <selinux@tycho.nsa.gov>
Subject: can_network patch.
Date: Thu, 18 Nov 2004 09:33:12 -0500	[thread overview]
Message-ID: <419CB2A8.7020504@redhat.com> (raw)
In-Reply-To: <1100722524.22035.18.camel@moss-lions.epoch.ncsc.mil>

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: policy-network.patch --]
[-- Type: text/x-patch, Size: 31941 bytes --]

diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/ssh.te policy-1.19.2.good/domains/program/ssh.te
--- policy-1.19.2/domains/program/ssh.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/ssh.te	2004-11-18 08:35:53.834772235 -0500
@@ -69,6 +69,7 @@
 allow $1_t urandom_device_t:chr_file { getattr read };
 
 can_network($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 
 allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
 allow $1_t { home_root_t home_dir_type }:dir { search getattr };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/apache.te policy-1.19.2.good/domains/program/unused/apache.te
--- policy-1.19.2/domains/program/unused/apache.te	2004-11-18 08:50:10.113157831 -0500
+++ policy-1.19.2.good/domains/program/unused/apache.te	2004-11-18 08:35:53.836772009 -0500
@@ -140,6 +140,7 @@
 
 can_network(httpd_t)
 can_ypbind(httpd_t)
+allow httpd_t self:{ tcp_socket udp_socket } connect;
 
 ###################
 # Allow httpd to search users diretories
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/canna.te policy-1.19.2.good/domains/program/unused/canna.te
--- policy-1.19.2/domains/program/unused/canna.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/canna.te	2004-11-18 08:35:53.837771897 -0500
@@ -28,8 +28,9 @@
 
 rw_dir_create_file(canna_t, canna_var_lib_t)
 
-can_network(canna_t)
+can_tcp_network(canna_t)
 can_ypbind(canna_t)
+allow canna_t self:tcp_socket connect;
 
 allow userdomain canna_var_run_t:dir search;
 allow userdomain canna_var_run_t:sock_file write;
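Review bot: The narrowing of canna_t from can_network to can_tcp_network on the `-`/`+` pair is undone by the `can_ypbind(canna_t)` call that stays on the line between them, because the ypbind macro body shown later in this patch (ypbind_macros.te) still calls unrestricted `can_network($1)` whenever its block is active. The same applies to the port-restricted `can_network(dhcpc_t, ...)` in dhcpc.te, which is followed by `can_ypbind(dhcpc_t)`, and to the `kerberos_port_t` restriction in kerberos_macros.te for any caller that also calls can_ypbind. If the ypbind grant is gated on a boolean, the narrowing only holds while that boolean is off, which nothing in the per-domain files says; either have the ypbind macro use `can_udp_network`/`can_tcp_network` limited to the port types NIS actually uses, or add a comment next to each narrowed call stating that can_ypbind widens the grant again.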
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cups.te policy-1.19.2.good/domains/program/unused/cups.te
--- policy-1.19.2/domains/program/unused/cups.te	2004-11-18 08:51:22.563983161 -0500
+++ policy-1.19.2.good/domains/program/unused/cups.te	2004-11-18 08:35:53.839771671 -0500
@@ -19,6 +19,7 @@
 typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
 
 can_network(cupsd_t)
+allow cupsd_t self:{ tcp_socket udp_socket } connect;
 
 logdir_domain(cupsd)
 
@@ -194,6 +195,7 @@
 
 can_network(cupsd_config_t)
 can_tcp_connect(cupsd_config_t, cupsd_t)
+allow cupsd_config_t self:tcp_socket connect;
 allow cupsd_config_t self:fifo_file rw_file_perms;
 
 allow cupsd_config_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/cyrus.te policy-1.19.2.good/domains/program/unused/cyrus.te
--- policy-1.19.2/domains/program/unused/cyrus.te	2004-11-18 08:51:47.260196672 -0500
+++ policy-1.19.2.good/domains/program/unused/cyrus.te	2004-11-18 08:35:53.839771671 -0500
@@ -20,6 +20,7 @@
 
 can_network(cyrus_t)
 can_ypbind(cyrus_t)
+allow cyrus_t self:{ tcp_socket udp_socket } connect;
 can_exec(cyrus_t, bin_t)
 allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
 allow cyrus_t cyrus_var_lib_t:{file sock_file } create_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpc.te policy-1.19.2.good/domains/program/unused/dhcpc.te
--- policy-1.19.2/domains/program/unused/dhcpc.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/dhcpc.te	2004-11-18 08:52:51.492949252 -0500
@@ -22,8 +22,9 @@
 # for SSP
 allow dhcpc_t urandom_device_t:chr_file read;
 
-can_network(dhcpc_t)
+can_network(dhcpc_t, `{ dhcpc_port_t dhcpd_port_t }')
 can_ypbind(dhcpc_t)
+allow dhcpc_t self:tcp_socket connect;
 allow dhcpc_t self:unix_dgram_socket create_socket_perms;
 allow dhcpc_t self:unix_stream_socket create_socket_perms;
 allow dhcpc_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dhcpd.te policy-1.19.2.good/domains/program/unused/dhcpd.te
--- policy-1.19.2/domains/program/unused/dhcpd.te	2004-11-18 08:53:24.057275000 -0500
+++ policy-1.19.2.good/domains/program/unused/dhcpd.te	2004-11-18 08:35:53.840771558 -0500
@@ -31,6 +31,7 @@
 # Use the network.
 can_network(dhcpd_t)
 can_ypbind(dhcpd_t)
+allow dhcpd_t self:tcp_socket connect;
 allow dhcpd_t self:unix_dgram_socket create_socket_perms;
 allow dhcpd_t self:unix_stream_socket create_socket_perms;
 allow dhcpd_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/dovecot.te policy-1.19.2.good/domains/program/unused/dovecot.te
--- policy-1.19.2/domains/program/unused/dovecot.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/dovecot.te	2004-11-18 08:35:53.841771445 -0500
@@ -15,6 +15,8 @@
 allow dovecot_t self:process setrlimit;
 can_network(dovecot_t)
 can_ypbind(dovecot_t)
+allow dovecot_t self:tcp_socket connect;
+
 allow dovecot_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
 can_unix_connect(dovecot_t, self)
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ftpd.te policy-1.19.2.good/domains/program/unused/ftpd.te
--- policy-1.19.2/domains/program/unused/ftpd.te	2004-11-18 08:54:09.695125653 -0500
+++ policy-1.19.2.good/domains/program/unused/ftpd.te	2004-11-18 08:35:53.842771333 -0500
@@ -16,6 +16,7 @@
 typealias ftpd_etc_t alias etc_ftpd_t;
 
 can_network(ftpd_t)
+allow ftpd_t self:udp_socket connect;
 allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
 allow ftpd_t self:unix_stream_socket create_socket_perms;
 allow ftpd_t self:process { getcap setcap setsched setrlimit };
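Review bot: ftpd_t gets only `udp_socket connect` here, while the rest of the patch removes `connect` from the sockets can_network grants; an FTP server in active mode opens the data connection itself, from the server to the port the client named in PORT, which is an outbound TCP connect() and would now be denied (passive mode, where the client connects, is unaffected). Unless active-mode transfers are meant to be unsupported, the line should read `allow ftpd_t self:{ tcp_socket udp_socket } connect;`, with a short comment saying the TCP half is for active-mode data connections.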
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/i18n_input.te policy-1.19.2.good/domains/program/unused/i18n_input.te
--- policy-1.19.2/domains/program/unused/i18n_input.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/i18n_input.te	2004-11-18 08:35:53.842771333 -0500
@@ -11,6 +11,7 @@
 can_exec(i18n_input_t, i18n_input_exec_t)
 can_network(i18n_input_t)
 can_ypbind(i18n_input_t)
+allow i18n_input_t self:udp_socket connect;
 
 can_tcp_connect(userdomain, i18n_input_t)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/inetd.te policy-1.19.2.good/domains/program/unused/inetd.te
--- policy-1.19.2/domains/program/unused/inetd.te	2004-11-18 08:14:56.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/inetd.te	2004-11-18 08:35:53.843771220 -0500
@@ -21,6 +21,8 @@
 daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
 
 can_network(inetd_t)
+allow inetd_t self:{ tcp_socket udp_socket } connect;
+
 allow inetd_t self:unix_dgram_socket create_socket_perms;
 allow inetd_t self:unix_stream_socket create_socket_perms;
 allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/innd.te policy-1.19.2.good/domains/program/unused/innd.te
--- policy-1.19.2/domains/program/unused/innd.te	2004-11-18 08:54:50.625507454 -0500
+++ policy-1.19.2.good/domains/program/unused/innd.te	2004-11-18 08:35:53.843771220 -0500
@@ -30,6 +30,7 @@
 
 can_network(innd_t)
 can_ypbind(innd_t)
+allow innd_t self:udp_socket connect;
 
 can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
 allow innd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/kerberos.te policy-1.19.2.good/domains/program/unused/kerberos.te
--- policy-1.19.2/domains/program/unused/kerberos.te	2004-11-18 08:14:50.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/kerberos.te	2004-11-18 08:35:53.844771107 -0500
@@ -16,10 +16,6 @@
 #
 # Rules for the krb5kdc_t,kadmind_t domains.
 #
-type kerberos_port_t, port_type, reserved_port_type;
-type kerberos_admin_port_t, port_type, reserved_port_type;
-type kerberos_master_port_t, port_type;
-
 daemon_domain(krb5kdc)
 daemon_domain(kadmind)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/mailman.te policy-1.19.2.good/domains/program/unused/mailman.te
--- policy-1.19.2/domains/program/unused/mailman.te	2004-11-18 08:14:49.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/mailman.te	2004-11-18 08:35:53.845770994 -0500
@@ -29,12 +29,14 @@
 allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
 allow mailman_$1_t fs_t:filesystem getattr;
 can_network(mailman_$1_t)
+allow mailman_$1_t self:udp_socket connect;
 allow mailman_$1_t self:unix_stream_socket create_socket_perms;
 allow mailman_$1_t var_t:dir r_dir_perms;
 ')
 
 mailman_domain(queue, `, auth_chkpwd, nscd_client_domain')
 can_tcp_connect(mailman_queue_t, mail_server_domain)
+allow mailman_queue_t self:tcp_socket connect;
 
 can_exec(mailman_queue_t, su_exec_t)
 allow mailman_queue_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/named.te policy-1.19.2.good/domains/program/unused/named.te
--- policy-1.19.2/domains/program/unused/named.te	2004-11-18 08:55:41.707743815 -0500
+++ policy-1.19.2.good/domains/program/unused/named.te	2004-11-18 08:35:53.847770768 -0500
@@ -51,6 +51,8 @@
 #Named can use network
 can_network(named_t)
 can_ypbind(named_t)
+allow named_t self:tcp_socket connect;
+
 # allow UDP transfer to/from any program
 can_udp_send(domain, named_t)
 can_udp_send(named_t, domain)
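Review bot: named_t is granted only `tcp_socket connect`, whereas ndc_t further down in this file also receives `udp_socket connect` through can_resolve; if the resolver code in named connects its outgoing UDP query sockets before sending (verify against the deployed BIND version and the audit log rather than assuming either way), recursive lookups to upstream servers would now be denied while TCP zone transfers still work. If that is the case the line should be `allow named_t self:{ tcp_socket udp_socket } connect;`; if not, a comment noting that named only needs TCP connect would stop the next reader from "fixing" it.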
@@ -102,6 +104,8 @@
 uses_shlib(ndc_t)
 can_network(ndc_t)
 can_ypbind(ndc_t)
+allow ndc_t self:tcp_socket connect;
+can_resolve(ndc_t)
 read_locale(ndc_t)
 can_tcp_connect(ndc_t, named_t)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/nscd.te policy-1.19.2.good/domains/program/unused/nscd.te
--- policy-1.19.2/domains/program/unused/nscd.te	2004-11-18 08:14:48.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/nscd.te	2004-11-18 08:35:53.847770768 -0500
@@ -24,6 +24,7 @@
 allow nscd_t etc_t:lnk_file read;
 can_network(nscd_t)
 can_ypbind(nscd_t)
+allow nscd_t self:{ tcp_socket udp_socket } connect;
 
 file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ntpd.te policy-1.19.2.good/domains/program/unused/ntpd.te
--- policy-1.19.2/domains/program/unused/ntpd.te	2004-11-18 09:16:48.946760475 -0500
+++ policy-1.19.2.good/domains/program/unused/ntpd.te	2004-11-18 08:35:53.848770656 -0500
@@ -39,6 +39,7 @@
 # Use the network.
 can_network(ntpd_t)
 can_ypbind(ntpd_t)
+allow ntpd_t self:{ tcp_socket udp_socket } connect;
 allow ntpd_t ntp_port_t:udp_socket name_bind;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ping.te policy-1.19.2.good/domains/program/unused/ping.te
--- policy-1.19.2/domains/program/unused/ping.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/ping.te	2004-11-18 08:35:53.848770656 -0500
@@ -35,6 +35,7 @@
 can_ypbind(ping_t)
 allow ping_t etc_t:file { getattr read };
 allow ping_t self:unix_stream_socket create_socket_perms;
+allow ping_t self:{ tcp_socket udp_socket } connect;
 
 # Let ping create raw ICMP packets.
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
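Review bot: ping_t is granted `tcp_socket connect` as well as `udp_socket connect`, yet nothing visible in the domain opens a TCP connection: ICMP goes through the rawip_socket rule on the next line and name resolution needs only UDP. Since the purpose of this series is to hand out `connect` per domain, `allow ping_t self:udp_socket connect;` is the narrower grant that still covers resolution; the same question applies to traceroute_t in traceroute.te, which gets both protocols as well.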
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postfix.te policy-1.19.2.good/domains/program/unused/postfix.te
--- policy-1.19.2/domains/program/unused/postfix.te	2004-11-18 08:14:50.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/postfix.te	2004-11-18 08:35:53.849770543 -0500
@@ -119,6 +119,8 @@
 allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
 can_network(postfix_master_t)
 can_ypbind(postfix_master_t)
+allow postfix_master_t self:{ tcp_socket udp_socket } connect;
+
 allow postfix_master_t smtp_port_t:tcp_socket name_bind;
 allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
 allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
@@ -158,6 +160,7 @@
 allow postfix_$1_t self:capability { setuid setgid dac_override };
 can_network(postfix_$1_t)
 can_ypbind(postfix_$1_t)
+allow postfix_$1_t self:{ tcp_socket udp_socket } connect;
 ')
 
 postfix_server_domain(smtp, `, mail_server_sender')
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/postgresql.te policy-1.19.2.good/domains/program/unused/postgresql.te
--- policy-1.19.2/domains/program/unused/postgresql.te	2004-11-18 08:57:40.718315780 -0500
+++ policy-1.19.2.good/domains/program/unused/postgresql.te	2004-11-18 08:35:53.850770430 -0500
@@ -14,6 +14,7 @@
 daemon_domain(postgresql)
 allow initrc_t postgresql_exec_t:lnk_file read;
 allow postgresql_t usr_t:file { getattr read };
+allow postgresql_t self:udp_socket connect;
 
 allow postgresql_t postgresql_var_run_t:sock_file create_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/privoxy.te policy-1.19.2.good/domains/program/unused/privoxy.te
--- policy-1.19.2/domains/program/unused/privoxy.te	2004-11-18 08:14:49.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/privoxy.te	2004-11-18 08:35:53.851770317 -0500
@@ -18,6 +18,7 @@
 # Use the network.
 can_network(privoxy_t)
 allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
+allow privoxy_t self:{ tcp_socket udp_socket } connect;
 allow privoxy_t etc_t:file { getattr read };
 allow privoxy_t self:capability { setgid setuid };
 allow privoxy_t self:unix_stream_socket create_socket_perms ;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/rpcd.te policy-1.19.2.good/domains/program/unused/rpcd.te
--- policy-1.19.2/domains/program/unused/rpcd.te	2004-11-18 08:58:17.120208533 -0500
+++ policy-1.19.2.good/domains/program/unused/rpcd.te	2004-11-18 08:35:53.851770317 -0500
@@ -14,6 +14,7 @@
 daemon_base_domain($1)
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ udp_socket tcp_socket } connect;
 allow $1_t etc_t:file { getattr read };
 read_locale($1_t)
 allow $1_t self:capability net_bind_service;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/sendmail.te policy-1.19.2.good/domains/program/unused/sendmail.te
--- policy-1.19.2/domains/program/unused/sendmail.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/sendmail.te	2004-11-18 08:35:53.852770204 -0500
@@ -27,6 +27,7 @@
 # Use the network.
 can_network(sendmail_t)
 can_ypbind(sendmail_t)
+allow sendmail_t self:{ tcp_socket udp_socket } connect;
 
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/slapd.te policy-1.19.2.good/domains/program/unused/slapd.te
--- policy-1.19.2/domains/program/unused/slapd.te	2004-11-18 08:14:51.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/slapd.te	2004-11-18 08:35:53.852770204 -0500
@@ -30,6 +30,7 @@
 allow slapd_t self:unix_dgram_socket create_socket_perms;
 # allow any domain to connect to the LDAP server
 can_tcp_connect(domain, slapd_t)
+allow slapd_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities  should not need kill...
 allow slapd_t self:capability { kill setgid setuid net_bind_service net_raw };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/snmpd.te policy-1.19.2.good/domains/program/unused/snmpd.te
--- policy-1.19.2/domains/program/unused/snmpd.te	2004-11-18 08:58:52.256244113 -0500
+++ policy-1.19.2.good/domains/program/unused/snmpd.te	2004-11-18 08:35:53.853770092 -0500
@@ -15,6 +15,7 @@
 
 can_network(snmpd_t)
 can_ypbind(snmpd_t)
+allow snmpd_t self:{ tcp_socket udp_socket } connect;
 
 type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/spamd.te policy-1.19.2.good/domains/program/unused/spamd.te
--- policy-1.19.2/domains/program/unused/spamd.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/spamd.te	2004-11-18 08:35:53.853770092 -0500
@@ -24,6 +24,7 @@
 dontaudit spamd_t sysadm_home_dir_t:dir getattr;
 
 can_network(spamd_t)
+allow spamd_t self:{ tcp_socket udp_socket } connect;
 allow spamd_t self:capability net_bind_service;
 
 allow spamd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/squid.te policy-1.19.2.good/domains/program/unused/squid.te
--- policy-1.19.2/domains/program/unused/squid.te	2004-11-18 08:59:29.988986705 -0500
+++ policy-1.19.2.good/domains/program/unused/squid.te	2004-11-18 08:35:53.854769979 -0500
@@ -55,6 +55,7 @@
 can_network(squid_t)
 can_ypbind(squid_t)
 can_tcp_connect(web_client_domain, squid_t)
+allow squid_t self:{ tcp_socket udp_socket } connect;
 
 # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
 allow squid_t http_cache_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/traceroute.te policy-1.19.2.good/domains/program/unused/traceroute.te
--- policy-1.19.2/domains/program/unused/traceroute.te	2004-11-18 08:14:54.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/traceroute.te	2004-11-18 08:35:53.855769866 -0500
@@ -20,6 +20,7 @@
 uses_shlib(traceroute_t)
 can_network(traceroute_t)
 can_ypbind(traceroute_t)
+allow traceroute_t self:{ tcp_socket udp_socket } connect;
 allow traceroute_t node_t:rawip_socket node_bind;
 type traceroute_exec_t, file_type, sysadmfile, exec_type;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/vpnc.te policy-1.19.2.good/domains/program/unused/vpnc.te
--- policy-1.19.2/domains/program/unused/vpnc.te	2004-11-18 09:17:37.765252256 -0500
+++ policy-1.19.2.good/domains/program/unused/vpnc.te	2004-11-18 08:35:53.855769866 -0500
@@ -17,6 +17,7 @@
 # Use the network.
 can_network(vpnc_t)
 can_ypbind(vpnc_t)
+allow vpnc_t self:udp_socket connect;
 allow vpnc_t self:socket create_socket_perms;
 
 # Use capabilities.
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/xdm.te policy-1.19.2.good/domains/program/unused/xdm.te
--- policy-1.19.2/domains/program/unused/xdm.te	2004-11-18 09:01:02.054598887 -0500
+++ policy-1.19.2.good/domains/program/unused/xdm.te	2004-11-18 08:35:53.856769753 -0500
@@ -46,6 +46,7 @@
 allow xdm_t default_context_t:file { read getattr };
 
 can_network(xdm_t)
+allow xdm_t self:udp_socket connect;
 allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow xdm_t self:unix_dgram_socket create_socket_perms;
 allow xdm_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/domains/program/unused/ypbind.te policy-1.19.2.good/domains/program/unused/ypbind.te
--- policy-1.19.2/domains/program/unused/ypbind.te	2004-11-18 08:14:53.000000000 -0500
+++ policy-1.19.2.good/domains/program/unused/ypbind.te	2004-11-18 08:35:53.857769640 -0500
@@ -20,6 +20,7 @@
 # Use the network.
 can_network(ypbind_t)
 allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
+allow ypbind_t self:{ tcp_socket udp_socket } connect;
 
 allow ypbind_t self:fifo_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/base_user_macros.te policy-1.19.2.good/macros/base_user_macros.te
--- policy-1.19.2/macros/base_user_macros.te	2004-11-18 09:01:27.432735456 -0500
+++ policy-1.19.2.good/macros/base_user_macros.te	2004-11-18 08:35:53.862769076 -0500
@@ -196,6 +196,7 @@
 # Use the network.
 can_network($1_t)
 can_ypbind($1_t)
+allow $1_t self:{ tcp_socket udp_socket } connect;
 
 ifdef(`pamconsole.te', `
 allow $1_t pam_var_console_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/global_macros.te policy-1.19.2.good/macros/global_macros.te
--- policy-1.19.2/macros/global_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/global_macros.te	2004-11-18 08:35:53.865768738 -0500
@@ -118,64 +118,6 @@
 
 #################################
 #
-# can_network(domain)
-#
-# Permissions for accessing the network.
-# See types/network.te for the network types.
-# See net_contexts for security contexts for network entities.
-#
-define(`can_network',`
-#
-# Allow the domain to create and use UDP and TCP sockets.
-# Other kinds of sockets must be separately authorized for use.
-allow $1 self:udp_socket create_socket_perms;
-allow $1 self:tcp_socket create_stream_socket_perms;
-
-#
-# Allow the domain to send or receive using any network interface.
-# netif_type is a type attribute for all network interface types.
-#
-allow $1 netif_type:netif { tcp_send udp_send rawip_send };
-allow $1 netif_type:netif { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any node.
-# node_type is a type attribute for all node types.
-#
-allow $1 node_type:node { tcp_send udp_send rawip_send };
-allow $1 node_type:node { tcp_recv udp_recv rawip_recv };
-
-#
-# Allow the domain to send to or receive from any port.
-# port_type is a type attribute for all port types.
-#
-allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
-
-#
-# Allow the domain to send NFS client requests via the socket
-# created by mount.
-#
-allow $1 mount_t:udp_socket rw_socket_perms;
-
-#
-# Bind to the default port type.
-# Other port types must be separately authorized.
-#
-#allow $1 port_t:udp_socket name_bind;
-#allow $1 port_t:tcp_socket name_bind;
-
-# XXX Allow binding to any node type.  Remove once
-# individual rules have been added to all domains that 
-# bind sockets. 
-allow $1 node_type: { tcp_socket udp_socket } node_bind;
-#
-# Allow access to network files including /etc/resolv.conf
-#
-allow $1 net_conf_t:file r_file_perms;
-')dnl end can_network definition
-
-#################################
-#
 # can_sysctl(domain)
 #
 # Permissions for modifying sysctl parameters.
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/network_macros.te policy-1.19.2.good/macros/network_macros.te
--- policy-1.19.2/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.2.good/macros/network_macros.te	2004-11-18 08:35:53.865768738 -0500
@@ -0,0 +1,103 @@
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`base_can_network',`
+#
+# Allow the domain to create and use $2 sockets.
+# Other kinds of sockets must be separately authorized for use.
+allow $1 self:$2_socket connected_socket_perms;
+
+#
+# Allow the domain to send or receive using any network interface.
+# netif_type is a type attribute for all network interface types.
+#
+allow $1 netif_type:netif { $2_send rawip_send };
+allow $1 netif_type:netif { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any node.
+# node_type is a type attribute for all node types.
+#
+allow $1 node_type:node { $2_send rawip_send };
+allow $1 node_type:node { $2_recv rawip_recv };
+
+#
+# Allow the domain to send to or receive from any port.
+# port_type is a type attribute for all port types.
+#
+ifelse($3, `', `
+allow $1 port_type:$2_socket { send_msg recv_msg };
+', `
+allow $1 $3:$2_socket { send_msg recv_msg };
+')
+
+# XXX Allow binding to any node type.  Remove once
+# individual rules have been added to all domains that 
+# bind sockets. 
+allow $1 node_type:$2_socket node_bind;
+#
+# Allow access to network files including /etc/resolv.conf
+#
+allow $1 net_conf_t:file r_file_perms;
+')dnl end can_network definition
+
+#################################
+#
+# can_tcp_network(domain)
+#
+# Permissions for accessing a tcp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_tcp_network',`
+base_can_network($1, tcp, `$2')
+allow $1 self:tcp_socket { listen accept };
+')
+
+#################################
+#
+# can_udp_network(domain)
+#
+# Permissions for accessing a udp network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_udp_network',`
+base_can_network($1, udp, `$2')
+')
+
+#################################
+#
+# can_network(domain)
+#
+# Permissions for accessing the network.
+# See types/network.te for the network types.
+# See net_contexts for security contexts for network entities.
+#
+define(`can_network',`
+
+can_tcp_network($1, `$2')
+can_udp_network($1, `$2')
+
+#
+# Allow the domain to send NFS client requests via the socket
+# created by mount.
+#
+allow $1 mount_t:udp_socket rw_socket_perms;
+
+')dnl end can_network definition
+
+define(`can_resolve',`
+can_udp_network($1, `dns_port_t')
+allow $1 self:udp_socket connect;
+')
+define(`can_ldap',`
+can_tcp_network($1, `ldap_port_t')
+allow $1 self:tcp_socket connect;
+')
+
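Review bot: The header comment above `define(`base_can_network'` still reads `# can_network(domain)` and the closing `')dnl end can_network definition` names the wrong macro, so a reader skimming the file sees can_network defined twice; the header should describe the real signature, e.g. `# base_can_network(domain, proto, port_types)` with a line noting that `proto` is `tcp` or `udp` and that an empty third argument means every port_type. The body also grants `rawip_send`/`rawip_recv` on every netif and node regardless of the protocol argument, so can_tcp_network and can_udp_network are less narrow than their names suggest; if that is intentional (it is carried over from the old macro) the comment should say so. can_resolve and can_ldap at the end have no header block at all, unlike every other macro in the file; a two-line comment on each stating that it grants UDP access to dns_port_t (or TCP access to ldap_port_t) plus `connect` on the domain's own socket would match the file's style.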
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/chkpwd_macros.te policy-1.19.2.good/macros/program/chkpwd_macros.te
--- policy-1.19.2/macros/program/chkpwd_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/chkpwd_macros.te	2004-11-18 08:35:53.904764338 -0500
@@ -22,6 +22,8 @@
 can_getcon($1_chkpwd_t)
 can_ypbind($1_chkpwd_t)
 can_kerberos($1_chkpwd_t)
+can_ldap($1_chkpwd_t)
+can_resolve($1_chkpwd_t)
 # Transition from the user domain to this domain.
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
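Review bot: `can_ldap($1_chkpwd_t)` and `can_resolve($1_chkpwd_t)` are added unconditionally, whereas the adjacent `can_kerberos` grant is wrapped in `ifdef(`kerberos.te'` and the `allow_kerberos` boolean (see kerberos_macros.te in this patch); every password-checking helper now gets outbound LDAP and DNS access even on hosts that authenticate locally, which is the kind of blanket grant the rest of this series is trimming. The same two lines are added for auth_chkpwd in the next hunk of this file. A boolean in the same shape as allow_kerberos would keep the default least-privilege; separately, if `ldap_port_t` is declared in an optional domain file rather than types/network.te, an unconditional reference here breaks builds that omit that file — the very problem this patch fixes for the kerberos port types by moving them into types/network.te.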
@@ -31,6 +33,8 @@
 dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 can_ypbind(auth_chkpwd)
 can_kerberos(auth_chkpwd)
+can_ldap(auth_chkpwd)
+can_resolve(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/crond_macros.te policy-1.19.2.good/macros/program/crond_macros.te
--- policy-1.19.2/macros/program/crond_macros.te	2004-11-18 08:14:44.000000000 -0500
+++ policy-1.19.2.good/macros/program/crond_macros.te	2004-11-18 08:35:53.905764225 -0500
@@ -68,6 +68,7 @@
 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
 can_ypbind($1_crond_t)
+allow $1_crond_t self:{ tcp_socket udp_socket } connect;
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
 allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/kerberos_macros.te policy-1.19.2.good/macros/program/kerberos_macros.te
--- policy-1.19.2/macros/program/kerberos_macros.te	2004-11-18 09:08:04.893889675 -0500
+++ policy-1.19.2.good/macros/program/kerberos_macros.te	2004-11-18 08:35:53.906764112 -0500
@@ -1,7 +1,8 @@
 define(`can_kerberos',`
 ifdef(`kerberos.te',`
 if (allow_kerberos) {
-can_network($1)
+allow $1 self:{ udp_socket tcp_socket } connect;
+can_network($1, `kerberos_port_t')
 dontaudit $1 krb5_conf_t:file write;
 allow $1 krb5_conf_t:file { getattr read };
 }
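Review bot: `can_network($1, `kerberos_port_t')` limits send_msg/recv_msg to kerberos_port_t, but this patch's net_contexts also labels port 749 as kerberos_admin_port_t and 4444 as kerberos_master_port_t; a caller that talks to kadmind on 749 would be denied on that port unless it already holds an unrestricted can_network from elsewhere, in which case the restriction here is moot. If admin traffic is in scope the argument should be `{ kerberos_port_t kerberos_admin_port_t }`, and either way a comment stating which Kerberos operations this grant is meant to cover would help the next reader. The define continues past the end of the hunk.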
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/lpr_macros.te policy-1.19.2.good/macros/program/lpr_macros.te
--- policy-1.19.2/macros/program/lpr_macros.te	2004-11-18 09:09:14.527032926 -0500
+++ policy-1.19.2.good/macros/program/lpr_macros.te	2004-11-18 08:35:53.906764112 -0500
@@ -103,6 +103,7 @@
 
 # Connect to lpd via a TCP socket.
 can_tcp_connect($1_lpr_t, lpd_t)
+allow $1_lpr_t self:tcp_socket connect;
 
 allow $1_lpr_t fs_t:filesystem getattr;
 # Send SIGHUP to lpd.
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mozilla_macros.te policy-1.19.2.good/macros/program/mozilla_macros.te
--- policy-1.19.2/macros/program/mozilla_macros.te	2004-11-18 09:10:42.462111158 -0500
+++ policy-1.19.2.good/macros/program/mozilla_macros.te	2004-11-18 09:10:17.656909944 -0500
@@ -17,6 +17,7 @@
 #
 define(`mozilla_domain',`
 x_client_domain($1, mozilla, `, web_client_domain, privlog')
+allow $1_mozilla_t self:{ tcp_socket udp_socket } connect;
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/mta_macros.te policy-1.19.2.good/macros/program/mta_macros.te
--- policy-1.19.2/macros/program/mta_macros.te	2004-11-18 09:11:15.394395389 -0500
+++ policy-1.19.2.good/macros/program/mta_macros.te	2004-11-18 08:35:53.908763887 -0500
@@ -37,6 +37,7 @@
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
 allow $1_mail_t self:unix_stream_socket create_socket_perms;
+allow $1_mail_t self:{ tcp_socket udp_socket } connect;
 
 read_locale($1_mail_t)
 read_sysctl($1_mail_t)
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ssh_macros.te policy-1.19.2.good/macros/program/ssh_macros.te
--- policy-1.19.2/macros/program/ssh_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/ssh_macros.te	2004-11-18 08:35:53.909763774 -0500
@@ -84,6 +84,7 @@
 # to access the network.
 can_network($1_ssh_t)
 can_ypbind($1_ssh_t)
+allow $1_ssh_t self:{ tcp_socket udp_socket } connect;
 
 # Use capabilities.
 allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/xserver_macros.te policy-1.19.2.good/macros/program/xserver_macros.te
--- policy-1.19.2/macros/program/xserver_macros.te	2004-11-18 09:12:18.809240254 -0500
+++ policy-1.19.2.good/macros/program/xserver_macros.te	2004-11-18 08:35:53.909763774 -0500
@@ -53,6 +52,7 @@
 uses_shlib($1_xserver_t)
 can_network($1_xserver_t)
 can_ypbind($1_xserver_t)
+allow $1_xserver_t self:udp_socket connect;
 allow $1_xserver_t xserver_port_t:tcp_socket name_bind;
 
 # for access within the domain
diff --exclude-from=exclude -N -u -r policy-1.19.2/macros/program/ypbind_macros.te policy-1.19.2.good/macros/program/ypbind_macros.te
--- policy-1.19.2/macros/program/ypbind_macros.te	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/macros/program/ypbind_macros.te	2004-11-18 08:35:53.910763661 -0500
@@ -4,6 +4,7 @@
 can_network($1)
 r_dir_file($1,var_yp_t)
 allow $1 { reserved_port_t port_t }:{ tcp_socket udp_socket } name_bind;
+allow $1 self:{ tcp_socket udp_socket } connect;
 dontaudit $1 self:capability net_bind_service;
 ')
 
diff --exclude-from=exclude -N -u -r policy-1.19.2/net_contexts policy-1.19.2.good/net_contexts
--- policy-1.19.2/net_contexts	2004-11-18 08:14:45.000000000 -0500
+++ policy-1.19.2.good/net_contexts	2004-11-18 08:35:53.911763548 -0500
@@ -113,7 +113,6 @@
 portcon tcp 631 system_u:object_r:ipp_port_t
 portcon udp 631 system_u:object_r:ipp_port_t
 ')
-ifdef(`kerberos.te', `
 portcon tcp 88 system_u:object_r:kerberos_port_t
 portcon udp 88 system_u:object_r:kerberos_port_t
 portcon tcp 749 system_u:object_r:kerberos_admin_port_t
@@ -121,7 +120,6 @@
 portcon udp 750 system_u:object_r:kerberos_port_t
 portcon tcp 4444 system_u:object_r:kerberos_master_port_t
 portcon udp 4444 system_u:object_r:kerberos_master_port_t
-')
 ifdef(`spamd.te', `portcon tcp 783 system_u:object_r:spamd_port_t')
 ifdef(`rsync.te', `
 portcon tcp 873 system_u:object_r:rsync_port_t
diff --exclude-from=exclude -N -u -r policy-1.19.2/types/network.te policy-1.19.2.good/types/network.te
--- policy-1.19.2/types/network.te	2004-11-18 08:14:44.000000000 -0500
+++ policy-1.19.2.good/types/network.te	2004-11-18 08:35:53.913763323 -0500
@@ -64,6 +64,13 @@
 type mail_port_t, port_type;
 
 #
+# Ports used to communicate with kerberos server
+#
+type kerberos_port_t, port_type, reserved_port_type;
+type kerberos_admin_port_t, port_type, reserved_port_type;
+type kerberos_master_port_t, port_type;
+
+#
 # port_t is the default type of INET port numbers.
 # The *_port_t types are used for specific port
 # numbers in net_contexts or net_contexts.mls.
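Review bot: Declaring these port types unconditionally changes labeling on hosts that do not load kerberos.te: with the `ifdef(`kerberos.te'` guard removed from net_contexts (hunks at L706 and L714), ports 88, 749, 750 and 4444 move from the default `port_t` to the new kerberos types, so any domain that reached them through generic `port_t` access will now be denied unless it is granted the corresponding permissions on those types. That is the tighter and preferable labeling, but it is a behavior change worth stating in the description, together with a check that the domains expected to talk to a KDC carry rules for the new types. The header comment could also map the types to their ports so a reader need not cross-reference net_contexts, e.g. `# 88/750 -> kerberos_port_t, 749 -> kerberos_admin_port_t, 4444 -> kerberos_master_port_t (see net_contexts)`; `kerberos_master_port_t` correctly omits `reserved_port_type` since 4444 is above the privileged range.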
