* [refpolicy] [PATCH 1/1] refpolicy: Update for kernel sctp support
@ 2018-03-19  9:59 Richard Haines
From: Richard Haines @ 2018-03-19  9:59 UTC (permalink / raw)
  To: refpolicy

Add entries to support the kernel SCTP implementation
introduced in kernel 4.16.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 policy/constraints                      |   1 +
 policy/flask/access_vectors             |   2 +
 policy/mcs                              |   2 +-
 policy/mls                              |  18 +-
 policy/modules/kernel/corenetwork.if.in | 419 ++++++++++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in |   8 +-
 policy/support/obj_perm_sets.spt        |   4 +-
 7 files changed, 440 insertions(+), 14 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 90a794b3..e9e05f06 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
 
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 9c9db71b..4f57fb40 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -985,6 +985,8 @@ class sctp_socket
 inherits socket
 {
 	node_bind
+	name_connect
+	association
 }
 
 class icmp_socket
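Review bot: The `association` permission added to `sctp_socket` on the second `+` line is not granted by any rule elsewhere in this patch, whereas the sibling `name_connect` is used by the new `corenet_sctp_connect_*` interfaces and by the unconfined rule in corenetwork.te.in. If the kernel checks this permission when further associations are set up on a socket, confined SCTP domains will need a rule for it (presumably something like `allow $1 self:sctp_socket association;` in the appropriate interface), or the commit message should state which later change covers it. I cannot tell from the diff alone whether such a rule already exists elsewhere in the policy.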
diff --git a/policy/mcs b/policy/mcs
index 94319570..c0d424a9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
 mlsconstrain process { signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain key { create link read search setattr view write }
diff --git a/policy/mls b/policy/mls
index 73ff301b..eeca15a8 100644
--- a/policy/mls
+++ b/policy/mls
@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 	( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
 	(( l1 eq l2 ) or
 	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	   ( t1 == mlsnetread )) and
@@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 	 ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));
@@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
 	 ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
-# { tcp_socket udp_socket rawip_socket } node_bind
+# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
 #
-# tcp_socket name_connect
+# { tcp_socket sctp_socket } name_connect
 #
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 58c010fc..37aeb06d 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -634,6 +634,24 @@ interface(`corenet_raw_send_all_if',`
 	allow $1 netif_type:netif { rawip_send egress };
 ')
 
+########################################
+## <summary>
+##	Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Receive raw IP packets on all interfaces.
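Review bot: The summary of `corenet_sctp_sendrecv_generic_node` presents it as SCTP-specific, but the rule `allow $1 node_t:node { sendto recvfrom };` uses the unprefixed node permissions, unlike the `rawip_send` and `udp_send` node permissions visible in the surrounding context, so the grant is presumably not limited to SCTP traffic. A short comment above the allow rule would save the next reader from searching for an `sctp_send`/`sctp_recv` pair, e.g. `# NOTE: node sendto/recvfrom carry no protocol prefix (cf. udp_send, rawip_send)`. The same applies to `corenet_sctp_sendrecv_all_nodes` in the third hunk of this file.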
@@ -841,6 +859,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
 	corenet_raw_receive_generic_node($1)
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+	gen_require(`
+		type node_t;
+	')
+
+	allow $1 node_t:sctp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to generic nodes.
@@ -1035,6 +1071,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
 	dontaudit $1 node_type:node { udp_send sendto };
 ')
 
+########################################
+## <summary>
+##	Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on all nodes.
@@ -1227,6 +1281,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
 	allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+	gen_require(`
+		attribute node_type;
+	')
+
+	allow $1 node_type:sctp_socket node_bind;
+')
+
+
 ########################################
 ## <summary>
 ##	Do not audit send and receive TCP network traffic on generic ports.
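Review bot: This hunk adds two consecutive blank `+` lines after `corenet_sctp_bind_all_nodes`, whereas every other new interface in this file is followed by a single blank line. The same kind of cosmetic slip appears in `corenet_sctp_connect_generic_port` (seventh hunk of this file), whose gen_require reads `type port_t, unreserved_port_t,ephemeral_port_t;` and should be `type port_t, unreserved_port_t, ephemeral_port_t;` to match the other gen_require lists in the patch.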
@@ -1434,6 +1507,26 @@ interface(`corenet_udp_send_all_ports',`
 	allow $1 port_type:udp_socket send_msg;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+		attribute defined_port_type;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+	dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Receive UDP network traffic on all ports.
@@ -1491,6 +1584,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
 	corenet_udp_receive_all_ports($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind SCTP
+##	sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t, ephemeral_port_t;
+	')
+
+	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all ports.
@@ -1547,6 +1659,24 @@ interface(`corenet_udp_bind_all_ports',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+	gen_require(`
+		type port_t, unreserved_port_t,ephemeral_port_t;
+	')
+
+	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attepts to bind UDP sockets to any ports.
@@ -1718,6 +1848,25 @@ interface(`corenet_tcp_bind_reserved_port',`
 	allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Bind UDP sockets to generic reserved ports.
@@ -1755,6 +1904,24 @@ interface(`corenet_tcp_connect_reserved_port',`
 	allow $1 reserved_port_t:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Do not audit attepts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on all reserved ports.
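Review bot: The summary of the new `corenet_dontaudit_sctp_bind_all_ports` reads "attepts" and should be "attempts"; this is new text, so it should not copy the spelling of the neighbouring UDP interface. Similar wording slips appear in later hunks of this file: the summary of `corenet_sctp_connect_all_reserved_ports` says "Connect SCTP sockets to reserved ports." although the rule targets the `reserved_port_type` attribute and the TCP counterpart says "all reserved ports", `corenet_dontaudit_sctp_connect_all_reserved_ports` is missing "to" before "all reserved ports", and `corenet_sctp_recvfrom_unlabeled` says "unlabled". Suggested summaries: `Connect SCTP sockets to all reserved ports.`, `Do not audit attempts to connect SCTP sockets to all reserved ports.` and `Receive SCTP packets from an unlabeled connection.`.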
@@ -1824,6 +1991,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 	corenet_udp_receive_all_reserved_ports($1)
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	allow $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all reserved ports.
@@ -1898,6 +2083,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 	dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	to all ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+	gen_require(`
+		attribute port_type;
+	')
+
+	dontaudit $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all ports > 1024.
@@ -1952,6 +2156,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 	allow $1 reserved_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Connect TCP sockets to all ports > 1024.
@@ -2026,6 +2248,25 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Read the TUN/TAP virtual network device.
@@ -2083,6 +2324,24 @@ interface(`corenet_rw_tun_tap_dev',`
 	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+	gen_require(`
+		type reserved_port_t;
+	')
+
+	allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read or write the TUN/TAP
@@ -2213,6 +2472,25 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_bind;
+	allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##	Receive TCP packets from a NetLabel connection.
@@ -2252,6 +2530,24 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive TCP packets from a NetLabel
@@ -2332,6 +2628,24 @@ interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Bind SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+	gen_require(`
+		attribute unreserved_port_type;
+	')
+
+	allow $1 unreserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive UDP packets from a NetLabel
@@ -2432,6 +2746,24 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
+########################################
+## <summary>
+##	Connect SCTP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	allow $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive Raw IP packets from an unlabeled
@@ -2539,6 +2871,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
 	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to connect SCTP sockets
+##	all reserved ports.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+	gen_require(`
+		attribute reserved_port_type;
+	')
+
+	dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to receive packets from a NetLabel
@@ -2670,6 +3021,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+	corenet_sctp_recvfrom_labeled($1, $2)
 	corenet_tcp_recvfrom_labeled($1, $2)
 	corenet_udp_recvfrom_labeled($1, $2)
 	corenet_raw_recvfrom_labeled($1, $2)
@@ -2940,6 +3292,24 @@ interface(`corenet_send_all_server_packets',`
 	allow $1 server_packet_type:packet send;
 ')
 
+########################################
+## <summary>
+##	Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Receive all server packets.
@@ -2991,6 +3361,27 @@ interface(`corenet_relabelto_all_server_packets',`
 	allow $1 server_packet_type:packet relabelto;
 ')
 
+########################################
+## <summary>
+##	Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+	gen_require(`
+		attribute corenet_unlabeled_type;
+	')
+
+	kernel_recvfrom_unlabeled_peer($1)
+
+	typeattribute $1 corenet_unlabeled_type;
+	kernel_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ##	Send all packets.
@@ -3124,6 +3515,34 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',`
 	kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
 
+########################################
+## <summary>
+##	Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="peer_domain">
+##	<summary>
+##	Peer domain.
+##	</summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+	allow { $1 $2 } self:association sendto;
+	allow $1 $2:association recvfrom;
+	allow $2 $1:association recvfrom;
+
+	allow $1 $2:peer recv;
+	allow $2 $1:peer recv;
+
+	# allow receiving packets from MLS-only peers using NetLabel
+	corenet_sctp_recvfrom_netlabel($1)
+	corenet_sctp_recvfrom_netlabel($2)
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to network objects.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index ba4feb04..d2031cc8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -307,9 +307,12 @@ network_port(zope, tcp,8021,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
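Review bot: The three new `portcon sctp` statements cover only the generic ranges; the `network_port()` declarations above this hunk (e.g. `network_port(zope, tcp,8021,s0)` in the hunk header) are not shown being extended with sctp entries, so as far as the diff shows every SCTP port is labeled `reserved_port_t`, `hi_reserved_port_t` or `unreserved_port_t`, and the `dontaudit $1 defined_port_type:sctp_socket name_bind;` rule in the new `corenet_sctp_bind_generic_port` interface may have nothing to match yet. If that is intended for now, a comment next to the new portcons stating that no SCTP named ports are defined yet would make it explicit. The new lines are also interleaved between the tcp and udp entries; grouping the three sctp lines together would read more easily.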
 ########################################
 #
@@ -355,11 +358,12 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se
 allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
 allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)
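Review bot: The new `port_type:sctp_socket { send_msg recv_msg name_connect }` rule for `corenet_unconfined_type` has no visible counterpart on the node class: the `node_type:node { tcp_recv tcp_send ... }` rule lies outside the hunk (only its prefix shows in the `@@` header), so I cannot confirm it already carries `sendto recvfrom`, which the new `corenet_sctp_sendrecv_*_node` interfaces grant to confined domains. If it does not, unconfined domains would pass the port check but still fail the node check for SCTP; please verify that line, and extend it with `sendto recvfrom` if they are absent.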
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index b15e2332..9aed9484 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 # Stream socket classes.
 #
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 
 #
 # Unprivileged socket classes (exclude rawip, netlink, packet).
 #
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
 
 
 ########################################
-- 
2.14.3


* [refpolicy] [PATCH 1/1] refpolicy: Update for kernel sctp support
  2018-03-19  9:59 [refpolicy] [PATCH 1/1] refpolicy: Update for kernel sctp support Richard Haines
@ 2018-03-21 18:13 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2018-03-21 18:13 UTC (permalink / raw)
  To: refpolicy

On 03/19/2018 05:59 AM, Richard Haines via refpolicy wrote:
> Add additional entries to support the kernel SCTP implementation
> introduced in kernel 4.16
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>   policy/constraints                      |   1 +
>   policy/flask/access_vectors             |   2 +
>   policy/mcs                              |   2 +-
>   policy/mls                              |  18 +-
>   policy/modules/kernel/corenetwork.if.in | 419 ++++++++++++++++++++++++++++++++
>   policy/modules/kernel/corenetwork.te.in |   8 +-
>   policy/support/obj_perm_sets.spt        |   4 +-
>   7 files changed, 440 insertions(+), 14 deletions(-)
> 
> diff --git a/policy/constraints b/policy/constraints
> index 90a794b3..e9e05f06 100644
> --- a/policy/constraints
> +++ b/policy/constraints
> @@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
>   
>   exempted_ubac_constraint(socket, ubacsock)
>   exempted_ubac_constraint(tcp_socket, ubacsock)
> +exempted_ubac_constraint(sctp_socket, ubacsock)
>   exempted_ubac_constraint(udp_socket, ubacsock)
>   exempted_ubac_constraint(rawip_socket, ubacsock)
>   exempted_ubac_constraint(netlink_socket, ubacsock)
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 9c9db71b..4f57fb40 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -985,6 +985,8 @@ class sctp_socket
>   inherits socket
>   {
>   	node_bind
> +	name_connect
> +	association
>   }
>   
>   class icmp_socket
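Review bot: `association` is added to the sctp_socket class but nothing in the patch grants it: the corenetwork.if.in interfaces only use `sctp_socket { node_bind name_bind name_connect }` plus the separate `association` and `peer` classes, and the unconfined rule in corenetwork.te.in grants `{ send_msg recv_msg name_connect }`. As I understand the kernel side, this permission is checked when a socket that already carries a peer label establishes a further association with a differently labelled peer, so confined domains using one-to-many SCTP sockets across labels would be denied with no interface to allow or silence it. Consider either an interface in corenetwork.if.in for it, or a sentence in the commit message stating that it is deliberately left ungranted for now.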
> diff --git a/policy/mcs b/policy/mcs
> index 94319570..c0d424a9 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
>   mlsconstrain process { signal }
>   	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>   
> -mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
>   	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>   
>   mlsconstrain key { create link read search setattr view write }
> diff --git a/policy/mls b/policy/mls
> index 73ff301b..eeca15a8 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
>   #
>   
>   # new socket labels must be dominated by the relabeling subjects clearance
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
>   	( h1 dom h2 );
>   
>   # the socket "read+write" ops
>   # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
>   # require equal levels for unprivileged subjects, or read *and* write overrides)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
>   	(( l1 eq l2 ) or
>   	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>   	   ( t1 == mlsnetread )) and
> @@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
>   
>   
>   # the socket "read" ops (note the check is dominance of the low level)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
>   	(( l1 dom l2 ) or
>   	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>   	 ( t1 == mlsnetread ));
> @@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
>   	 ( t1 == mlsnetread ));
>   
>   # the socket "write" ops
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
>   	(( l1 eq l2 ) or
>   	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
>   	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
>   	 ( t1 == mlsnetwrite ));
>   
>   # used by netlabel to restrict normal domains to same level connections
> -mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
> +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
>   	(( l1 eq l2 ) or
>   	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>   	 ( t1 == mlsnetread ));
> @@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
>   	 ( t2 == mlstrustedsocket ));
>   
>   # these access vectors have no MLS restrictions
> -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
> +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
>   #
> -# { tcp_socket udp_socket rawip_socket } node_bind
> +# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
>   #
> -# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
> +# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
>   #
> -# tcp_socket name_connect
> +# { tcp_socket sctp_socket } name_connect
>   #
>   # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
>   #
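Review bot: The updated comment line `# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }` lists permissions the sctp_socket class does not define: the access_vectors hunk in this patch gives it only node_bind, name_connect and association on top of the inherited socket permissions, so sctp_socket should not be added to that line. The other additions in this comment block (the no-restriction set, node_bind, name_connect) do match the class definition. Suggest leaving `# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }` unchanged.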
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index 58c010fc..37aeb06d 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -634,6 +634,24 @@ interface(`corenet_raw_send_all_if',`
>   	allow $1 netif_type:netif { rawip_send egress };
>   ')
>   
> +########################################
> +## <summary>
> +##	Send and receive SCTP network traffic on generic nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_sendrecv_generic_node',`
> +	gen_require(`
> +		type node_t;
> +	')
> +
> +	allow $1 node_t:node { sendto recvfrom };
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Receive raw IP packets on all interfaces.
> @@ -841,6 +859,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
>   	corenet_raw_receive_generic_node($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to generic nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_generic_node',`
> +	gen_require(`
> +		type node_t;
> +	')
> +
> +	allow $1 node_t:sctp_socket node_bind;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Bind TCP sockets to generic nodes.
> @@ -1035,6 +1071,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
>   	dontaudit $1 node_type:node { udp_send sendto };
>   ')
>   
> +########################################
> +## <summary>
> +##	Send and receive SCTP network traffic on all nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_sendrecv_all_nodes',`
> +	gen_require(`
> +		attribute node_type;
> +	')
> +
> +	allow $1 node_type:node { sendto recvfrom };
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Receive UDP network traffic on all nodes.
> @@ -1227,6 +1281,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
>   	allow $1 port_t:tcp_socket { send_msg recv_msg };
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to all nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_all_nodes',`
> +	gen_require(`
> +		attribute node_type;
> +	')
> +
> +	allow $1 node_type:sctp_socket node_bind;
> +')
> +
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit send and receive TCP network traffic on generic ports.
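Review bot: The hunk leaves two consecutive blank lines after corenet_sctp_bind_all_nodes, where the rest of the file separates interfaces with one, so one of them should go. The same kind of formatting slip appears in the later hunk adding corenet_sctp_connect_generic_port, whose gen_require reads `type port_t, unreserved_port_t,ephemeral_port_t;` with no space after the second comma, unlike its siblings; it should be `type port_t, unreserved_port_t, ephemeral_port_t;`.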
> @@ -1434,6 +1507,26 @@ interface(`corenet_udp_send_all_ports',`
>   	allow $1 port_type:udp_socket send_msg;
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to generic ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_generic_port',`
> +	gen_require(`
> +		type port_t, unreserved_port_t, ephemeral_port_t;
> +		attribute defined_port_type;
> +	')
> +
> +	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
> +	dontaudit $1 defined_port_type:sctp_socket name_bind;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Receive UDP network traffic on all ports.
> @@ -1491,6 +1584,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
>   	corenet_udp_receive_all_ports($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts to bind SCTP
> +##	sockets to generic ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_dontaudit_sctp_bind_generic_port',`
> +	gen_require(`
> +		type port_t, unreserved_port_t, ephemeral_port_t;
> +	')
> +
> +	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Bind TCP sockets to all ports.
> @@ -1547,6 +1659,24 @@ interface(`corenet_udp_bind_all_ports',`
>   	allow $1 self:capability net_bind_service;
>   ')
>   
> +########################################
> +## <summary>
> +##	Connect SCTP sockets to generic ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_connect_generic_port',`
> +	gen_require(`
> +		type port_t, unreserved_port_t,ephemeral_port_t;
> +	')
> +
> +	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attepts to bind UDP sockets to any ports.
> @@ -1718,6 +1848,25 @@ interface(`corenet_tcp_bind_reserved_port',`
>   	allow $1 self:capability net_bind_service;
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to all ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_all_ports',`
> +	gen_require(`
> +		attribute port_type;
> +	')
> +
> +	allow $1 port_type:sctp_socket name_bind;
> +	allow $1 self:capability net_bind_service;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Bind UDP sockets to generic reserved ports.
> @@ -1755,6 +1904,24 @@ interface(`corenet_tcp_connect_reserved_port',`
>   	allow $1 reserved_port_t:tcp_socket name_connect;
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attepts to bind SCTP sockets to any ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_dontaudit_sctp_bind_all_ports',`
> +	gen_require(`
> +		attribute port_type;
> +	')
> +
> +	dontaudit $1 port_type:sctp_socket name_bind;
> +')
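Review bot: The summary of corenet_dontaudit_sctp_bind_all_ports repeats the "attepts" misspelling from the UDP interface it was copied from; it should read `##	Do not audit attempts to bind SCTP sockets to any ports.`. Similar wording slips occur in later hunks: corenet_sctp_connect_all_reserved_ports is summarised as "Connect SCTP sockets to reserved ports." although it grants reserved_port_type, so it should say "all reserved ports" like the TCP interface and unlike corenet_sctp_connect_reserved_port's "generic reserved ports"; corenet_dontaudit_sctp_connect_all_reserved_ports is missing "to" ("connect SCTP sockets to all reserved ports"); and corenet_sctp_recvfrom_unlabeled says "unlabled" for "unlabeled". These summaries are what policy authors see in the generated interface documentation, so they are worth fixing before merge.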
> +
>   ########################################
>   ## <summary>
>   ##	Send and receive TCP network traffic on all reserved ports.
> @@ -1824,6 +1991,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
>   	corenet_udp_receive_all_reserved_ports($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Connect SCTP sockets to all ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_connect_all_ports',`
> +	gen_require(`
> +		attribute port_type;
> +	')
> +
> +	allow $1 port_type:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Bind TCP sockets to all reserved ports.
> @@ -1898,6 +2083,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
>   	dontaudit $1 reserved_port_type:udp_socket name_bind;
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts to connect SCTP sockets
> +##	to all ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_dontaudit_sctp_connect_all_ports',`
> +	gen_require(`
> +		attribute port_type;
> +	')
> +
> +	dontaudit $1 port_type:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Bind TCP sockets to all ports > 1024.
> @@ -1952,6 +2156,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
>   	allow $1 reserved_port_type:tcp_socket name_connect;
>   ')
>   
> +########################################
> +## <summary>
> +##	Connect SCTP sockets to all ports > 1024.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_connect_all_unreserved_ports',`
> +	gen_require(`
> +		attribute unreserved_port_type;
> +	')
> +
> +	allow $1 unreserved_port_type:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Connect TCP sockets to all ports > 1024.
> @@ -2026,6 +2248,25 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
>   	dontaudit $1 rpc_port_type:tcp_socket name_connect;
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to generic reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_reserved_port',`
> +	gen_require(`
> +		type reserved_port_t;
> +	')
> +
> +	allow $1 reserved_port_t:sctp_socket name_bind;
> +	allow $1 self:capability net_bind_service;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Read the TUN/TAP virtual network device.
> @@ -2083,6 +2324,24 @@ interface(`corenet_rw_tun_tap_dev',`
>   	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
>   ')
>   
> +########################################
> +## <summary>
> +##	Connect SCTP sockets to generic reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_connect_reserved_port',`
> +	gen_require(`
> +		type reserved_port_t;
> +	')
> +
> +	allow $1 reserved_port_t:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts to read or write the TUN/TAP
> @@ -2213,6 +2472,25 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
>   	dontaudit $1 rpc_port_type:udp_socket name_bind;
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to all reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_all_reserved_ports',`
> +	gen_require(`
> +		attribute reserved_port_type;
> +	')
> +
> +	allow $1 reserved_port_type:sctp_socket name_bind;
> +	allow $1 self:capability net_bind_service;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Receive TCP packets from a NetLabel connection.
> @@ -2252,6 +2530,24 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
>   	kernel_sendrecv_unlabeled_association($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts to bind SCTP sockets to all reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
> +	gen_require(`
> +		attribute reserved_port_type;
> +	')
> +
> +	dontaudit $1 reserved_port_type:sctp_socket name_bind;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts to receive TCP packets from a NetLabel
> @@ -2332,6 +2628,24 @@ interface(`corenet_udp_recvfrom_unlabeled',`
>   	kernel_sendrecv_unlabeled_association($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Bind SCTP sockets to all ports > 1024.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_bind_all_unreserved_ports',`
> +	gen_require(`
> +		attribute unreserved_port_type;
> +	')
> +
> +	allow $1 unreserved_port_type:sctp_socket name_bind;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts to receive UDP packets from a NetLabel
> @@ -2432,6 +2746,24 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
>   	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
>   ')
>   
> +########################################
> +## <summary>
> +##	Connect SCTP sockets to reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_connect_all_reserved_ports',`
> +	gen_require(`
> +		attribute reserved_port_type;
> +	')
> +
> +	allow $1 reserved_port_type:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts to receive Raw IP packets from an unlabeled
> @@ -2539,6 +2871,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
>   	kernel_dontaudit_sendrecv_unlabeled_association($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts to connect SCTP sockets
> +##	all reserved ports.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
> +	gen_require(`
> +		attribute reserved_port_type;
> +	')
> +
> +	dontaudit $1 reserved_port_type:sctp_socket name_connect;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts to receive packets from a NetLabel
> @@ -2670,6 +3021,7 @@ interface(`corenet_raw_recvfrom_labeled',`
>   ## </param>
>   #
>   interface(`corenet_all_recvfrom_labeled',`
> +	corenet_sctp_recvfrom_labeled($1, $2)
>   	corenet_tcp_recvfrom_labeled($1, $2)
>   	corenet_udp_recvfrom_labeled($1, $2)
>   	corenet_raw_recvfrom_labeled($1, $2)
> @@ -2940,6 +3292,24 @@ interface(`corenet_send_all_server_packets',`
>   	allow $1 server_packet_type:packet send;
>   ')
>   
> +########################################
> +## <summary>
> +##	Receive SCTP packets from a NetLabel connection.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_recvfrom_netlabel',`
> +	gen_require(`
> +		type netlabel_peer_t;
> +	')
> +
> +	allow $1 netlabel_peer_t:peer recv;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Receive all server packets.
> @@ -2991,6 +3361,27 @@ interface(`corenet_relabelto_all_server_packets',`
>   	allow $1 server_packet_type:packet relabelto;
>   ')
>   
> +########################################
> +## <summary>
> +##	Receive SCTP packets from an unlabled connection.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_recvfrom_unlabeled',`
> +	gen_require(`
> +		attribute corenet_unlabeled_type;
> +	')
> +
> +	kernel_recvfrom_unlabeled_peer($1)
> +
> +	typeattribute $1 corenet_unlabeled_type;
> +	kernel_sendrecv_unlabeled_association($1)
> +')
> +
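Review bot: corenet_sctp_recvfrom_unlabeled and corenet_sctp_recvfrom_netlabel have no dontaudit counterparts, whereas TCP, UDP and raw IP each have one (corenet_dontaudit_raw_recvfrom_netlabel and the "Do not audit attempts to receive TCP/UDP packets" interfaces are visible as context in this series). Without them a domain cannot quiet SCTP NetLabel or unlabeled-peer denials the way it can for the other protocols, and if corenet_all_recvfrom_unlabeled and corenet_all_recvfrom_netlabel exist alongside corenet_dontaudit_all_recvfrom_unlabeled (seen as context in the hunk adding corenet_dontaudit_sctp_connect_all_reserved_ports) they presumably need the SCTP call too, which the patch only adds to corenet_all_recvfrom_labeled. The NetLabel counterpart mirrors the allow interface directly; the unlabeled one would call the dontaudit variants of the kernel interfaces used above, which I cannot confirm from this page.
```m4
########################################
## <summary>
##	Do not audit attempts to receive SCTP packets
##	from a NetLabel connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`corenet_dontaudit_sctp_recvfrom_netlabel',`
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
')
```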
>   ########################################
>   ## <summary>
>   ##	Send all packets.
> @@ -3124,6 +3515,34 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',`
>   	kernel_ib_manage_subnet_unlabeled_endports($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Rules for receiving labeled SCTP packets.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="peer_domain">
> +##	<summary>
> +##	Peer domain.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_sctp_recvfrom_labeled',`
> +	allow { $1 $2 } self:association sendto;
> +	allow $1 $2:association recvfrom;
> +	allow $2 $1:association recvfrom;
> +
> +	allow $1 $2:peer recv;
> +	allow $2 $1:peer recv;
> +
> +	# allow receiving packets from MLS-only peers using NetLabel
> +	corenet_sctp_recvfrom_netlabel($1)
> +	corenet_sctp_recvfrom_netlabel($2)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Unconfined access to network objects.
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index ba4feb04..d2031cc8 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -307,9 +307,12 @@ network_port(zope, tcp,8021,s0)
>   portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
>   portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
>   portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> +portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
> +portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
>   portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
>   portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
>   portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
> +portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
>   
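Review bot: The three new sctp portcon lines are interleaved with the tcp and udp ones (two between `portcon tcp 512-1023` and `portcon udp 512-1023`, the third after `portcon udp 1-511`), which makes the catch-all block harder to scan; grouping them together after the existing udp lines in the same descending-range order would read better. This is style only, since each protocol's ranges are disjoint and cross-protocol order does not affect matching. Unless network_port entries elsewhere already declare sctp ports, every SCTP port currently resolves to one of these three generic types, which is worth a line in the commit message so later service port additions know to add sctp where needed.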
>   ########################################
>   #
> @@ -355,11 +358,12 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se
>   allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
>   allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
>   allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
> +allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
>   allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
>   
>   # Bind to any network address.
> -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
> -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
> +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
> +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
>   
>   # Infiniband
>   corenet_ib_access_all_pkeys(corenet_unconfined_type)
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index b15e2332..9aed9484 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
>   #
>   # Stream socket classes.
>   #
> -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
> +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
>   
>   #
>   # Unprivileged socket classes (exclude rawip, netlink, packet).
>   #
> -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
> +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
>   
>   
>   ########################################

Merged.

-- 
Chris PeBenito
