From mboxrd@z Thu Jan 1 00:00:00 1970
From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 21 Mar 2018 14:13:22 -0400
Subject: [refpolicy] [PATCH 1/1] refpolicy: Update for kernel sctp support
In-Reply-To: <20180319095954.3935-1-richard_c_haines@btinternet.com>
References: <20180319095954.3935-1-richard_c_haines@btinternet.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 03/19/2018 05:59 AM, Richard Haines via refpolicy wrote:
> Add additional entries to support the kernel SCTP implementation
> introduced in kernel 4.16
>
> Signed-off-by: Richard Haines
> ---
> policy/constraints | 1 +
> policy/flask/access_vectors | 2 +
> policy/mcs | 2 +-
> policy/mls | 18 +-
> policy/modules/kernel/corenetwork.if.in | 419 ++++++++++++++++++++++++++++++++
> policy/modules/kernel/corenetwork.te.in | 8 +-
> policy/support/obj_perm_sets.spt | 4 +-
> 7 files changed, 440 insertions(+), 14 deletions(-)
>
> diff --git a/policy/constraints b/policy/constraints
> index 90a794b3..e9e05f06 100644
> --- a/policy/constraints
> +++ b/policy/constraints
> @@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
>
> exempted_ubac_constraint(socket, ubacsock)
> exempted_ubac_constraint(tcp_socket, ubacsock)
> +exempted_ubac_constraint(sctp_socket, ubacsock)
> exempted_ubac_constraint(udp_socket, ubacsock)
> exempted_ubac_constraint(rawip_socket, ubacsock)
> exempted_ubac_constraint(netlink_socket, ubacsock)
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 9c9db71b..4f57fb40 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -985,6 +985,8 @@ class sctp_socket
> inherits socket
> {
> node_bind
> + name_connect
> + association
> }
>
> class icmp_socket
> diff --git a/policy/mcs b/policy/mcs
> index 94319570..c0d424a9 100644
> --- a/policy/mcs
> +++ b/policy/mcs
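Review bot: The new `association` permission added to `class sctp_socket` is never granted by any rule in this patch — the labeled, NetLabel and unlabeled receive interfaces added to corenetwork.if.in grant only `association`-class and `peer recv` accesses. If the kernel checks `sctp_socket association` against the peer label when an association is set up (which the permission name suggests, but I cannot confirm from this diff), every SCTP endpoint talking to a labeled peer will be denied until some corenet_* interface grants it; either add e.g. `allow $1 $2:sctp_socket association;` to the labeled-receive interface or say in the commit message that a follow-up covers it. The permission also needs either an mlsconstrain or a line in the "no MLS restrictions" inventory in policy/mls, which this patch does not add.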
> @@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
> mlsconstrain process { signal }
> (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>
> -mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
> (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>
> mlsconstrain key { create link read search setattr view write }
> diff --git a/policy/mls b/policy/mls
> index 73ff301b..eeca15a8 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
> #
>
> # new socket labels must be dominated by the relabeling subjects clearance
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
> ( h1 dom h2 );
>
> # the socket "read+write" ops
> # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
> # require equal levels for unprivileged subjects, or read *and* write overrides)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
> (( l1 eq l2 ) or
> (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread )) and
> @@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
>
>
> # the socket "read" ops (note the check is dominance of the low level)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
> (( l1 dom l2 ) or
> (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread ));
> @@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
> ( t1 == mlsnetread ));
>
> # the socket "write" ops
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
> (( l1 eq l2 ) or
> (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> ( t1 == mlsnetwrite ));
>
> # used by netlabel to restrict normal domains to same level connections
> -mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
> +mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
> (( l1 eq l2 ) or
> (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread ));
> @@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
> ( t2 == mlstrustedsocket ));
>
> # these access vectors have no MLS restrictions
> -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
> +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
> #
> -# { tcp_socket udp_socket rawip_socket } node_bind
> +# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
> #
> -# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
> +# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
> #
> -# tcp_socket name_connect
> +# { tcp_socket sctp_socket } name_connect
> #
> # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
> #
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index 58c010fc..37aeb06d 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
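Review bot: The "no MLS restrictions" inventory updated in this hunk does not list the new `sctp_socket association` permission that this same patch declares in policy/flask/access_vectors, and none of the mlsconstrain rules above covers it either, so the inventory no longer accounts for every access vector. Because an association ties the socket to a peer at the peer's level, it is probably closer to the `{ accept connect }` read+write group than to the unconstrained set; either add it to that mlsconstrain or append `# sctp_socket association` here with a one-line reason it is deliberately unconstrained. This comment block is also the only place a reader learns that `name_connect` is intentionally unconstrained, so keeping it complete matters.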
> @@ -634,6 +634,24 @@ interface(`corenet_raw_send_all_if',` > allow $1 netif_type:netif { rawip_send egress }; > ') > > +######################################## > +## > +## Send and receive SCTP network traffic on generic nodes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_sendrecv_generic_node',` > + gen_require(` > + type node_t; > + ') > + > + allow $1 node_t:node { sendto recvfrom }; > +') > + > ######################################## > ## > ## Receive raw IP packets on all interfaces. > @@ -841,6 +859,24 @@ interface(`corenet_raw_sendrecv_generic_node',` > corenet_raw_receive_generic_node($1) > ') > > +######################################## > +## > +## Bind SCTP sockets to generic nodes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_generic_node',` > + gen_require(` > + type node_t; > + ') > + > + allow $1 node_t:sctp_socket node_bind; > +') > + > ######################################## > ## > ## Bind TCP sockets to generic nodes. > @@ -1035,6 +1071,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` > dontaudit $1 node_type:node { udp_send sendto }; > ') > > +######################################## > +## > +## Send and receive SCTP network traffic on all nodes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_sendrecv_all_nodes',` > + gen_require(` > + attribute node_type; > + ') > + > + allow $1 node_type:node { sendto recvfrom }; > +') > + > ######################################## > ## > ## Receive UDP network traffic on all nodes. 
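Review bot: `corenet_sctp_sendrecv_generic_node` grants `node_t:node { sendto recvfrom }`, which carries no protocol qualifier: unlike the `sctp_socket` permissions used by the other interfaces in this patch, this rule also satisfies the node check for any other socket the domain can open, so a per-protocol name gives a false sense of granularity (the same applies to `corenet_sctp_sendrecv_all_nodes` later in this hunk run). A comment on the allow line such as `# node { sendto recvfrom } is not SCTP-specific; it covers all IP traffic to the node` would make that explicit to callers. The tcp/udp node interfaces are not in this diff, so confirm they grant the same pair before describing the SCTP ones as equivalent.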
> @@ -1227,6 +1281,25 @@ interface(`corenet_tcp_sendrecv_generic_port',` > allow $1 port_t:tcp_socket { send_msg recv_msg }; > ') > > +######################################## > +## > +## Bind SCTP sockets to all nodes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_all_nodes',` > + gen_require(` > + attribute node_type; > + ') > + > + allow $1 node_type:sctp_socket node_bind; > +') > + > + > ######################################## > ## > ## Do not audit send and receive TCP network traffic on generic ports. > @@ -1434,6 +1507,26 @@ interface(`corenet_udp_send_all_ports',` > allow $1 port_type:udp_socket send_msg; > ') > > +######################################## > +## > +## Bind SCTP sockets to generic ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_generic_port',` > + gen_require(` > + type port_t, unreserved_port_t, ephemeral_port_t; > + attribute defined_port_type; > + ') > + > + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; > + dontaudit $1 defined_port_type:sctp_socket name_bind; > +') > + > ######################################## > ## > ## Receive UDP network traffic on all ports. > @@ -1491,6 +1584,25 @@ interface(`corenet_udp_sendrecv_all_ports',` > corenet_udp_receive_all_ports($1) > ') > > +######################################## > +## > +## Do not audit attempts to bind SCTP > +## sockets to generic ports. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`corenet_dontaudit_sctp_bind_generic_port',` > + gen_require(` > + type port_t, unreserved_port_t, ephemeral_port_t; > + ') > + > + dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; > +') > + > ######################################## > ## > ## Bind TCP sockets to all ports. 
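Review bot: `corenet_sctp_bind_all_nodes` ends with two added blank lines before the `####` separator where every other interface in this file has one; drop one of them. The interface is also inserted between `corenet_tcp_sendrecv_generic_port` and its dontaudit variant rather than next to the other node-bind interfaces, and the same scattered placement recurs for most of the new sctp interfaces in this file, which makes the SCTP set hard to review as a group. Grouping each sctp interface beside its tcp/udp counterpart, or in one contiguous SCTP section, would help later maintenance.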
> @@ -1547,6 +1659,24 @@ interface(`corenet_udp_bind_all_ports',` > allow $1 self:capability net_bind_service; > ') > > +######################################## > +## > +## Connect SCTP sockets to generic ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_connect_generic_port',` > + gen_require(` > + type port_t, unreserved_port_t,ephemeral_port_t; > + ') > + > + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Do not audit attepts to bind UDP sockets to any ports. > @@ -1718,6 +1848,25 @@ interface(`corenet_tcp_bind_reserved_port',` > allow $1 self:capability net_bind_service; > ') > > +######################################## > +## > +## Bind SCTP sockets to all ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_all_ports',` > + gen_require(` > + attribute port_type; > + ') > + > + allow $1 port_type:sctp_socket name_bind; > + allow $1 self:capability net_bind_service; > +') > + > ######################################## > ## > ## Bind UDP sockets to generic reserved ports. > @@ -1755,6 +1904,24 @@ interface(`corenet_tcp_connect_reserved_port',` > allow $1 reserved_port_t:tcp_socket name_connect; > ') > > +######################################## > +## > +## Do not audit attepts to bind SCTP sockets to any ports. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`corenet_dontaudit_sctp_bind_all_ports',` > + gen_require(` > + attribute port_type; > + ') > + > + dontaudit $1 port_type:sctp_socket name_bind; > +') > + > ######################################## > ## > ## Send and receive TCP network traffic on all reserved ports. 
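Review bot: In `corenet_sctp_connect_generic_port` the require line `type port_t, unreserved_port_t,ephemeral_port_t;` is missing the space after the second comma; the equivalent line in `corenet_sctp_bind_generic_port` has it. The summary of `corenet_dontaudit_sctp_bind_all_ports` copies the typo "attepts" from the UDP interface shown in context; write `Do not audit attempts to bind SCTP sockets to any ports.` so the new text at least starts out correct.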
> @@ -1824,6 +1991,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` > corenet_udp_receive_all_reserved_ports($1) > ') > > +######################################## > +## > +## Connect SCTP sockets to all ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_connect_all_ports',` > + gen_require(` > + attribute port_type; > + ') > + > + allow $1 port_type:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Bind TCP sockets to all reserved ports. > @@ -1898,6 +2083,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` > dontaudit $1 reserved_port_type:udp_socket name_bind; > ') > > +######################################## > +## > +## Do not audit attempts to connect SCTP sockets > +## to all ports. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`corenet_dontaudit_sctp_connect_all_ports',` > + gen_require(` > + attribute port_type; > + ') > + > + dontaudit $1 port_type:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Bind TCP sockets to all ports > 1024. > @@ -1952,6 +2156,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` > allow $1 reserved_port_type:tcp_socket name_connect; > ') > > +######################################## > +## > +## Connect SCTP sockets to all ports > 1024. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_connect_all_unreserved_ports',` > + gen_require(` > + attribute unreserved_port_type; > + ') > + > + allow $1 unreserved_port_type:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Connect TCP sockets to all ports > 1024. 
> @@ -2026,6 +2248,25 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` > dontaudit $1 rpc_port_type:tcp_socket name_connect; > ') > > +######################################## > +## > +## Bind SCTP sockets to generic reserved ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_reserved_port',` > + gen_require(` > + type reserved_port_t; > + ') > + > + allow $1 reserved_port_t:sctp_socket name_bind; > + allow $1 self:capability net_bind_service; > +') > + > ######################################## > ## > ## Read the TUN/TAP virtual network device. > @@ -2083,6 +2324,24 @@ interface(`corenet_rw_tun_tap_dev',` > allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; > ') > > +######################################## > +## > +## Connect SCTP sockets to generic reserved ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_connect_reserved_port',` > + gen_require(` > + type reserved_port_t; > + ') > + > + allow $1 reserved_port_t:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Do not audit attempts to read or write the TUN/TAP > @@ -2213,6 +2472,25 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',` > dontaudit $1 rpc_port_type:udp_socket name_bind; > ') > > +######################################## > +## > +## Bind SCTP sockets to all reserved ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_all_reserved_ports',` > + gen_require(` > + attribute reserved_port_type; > + ') > + > + allow $1 reserved_port_type:sctp_socket name_bind; > + allow $1 self:capability net_bind_service; > +') > + > ######################################## > ## > ## Receive TCP packets from a NetLabel connection. 
> @@ -2252,6 +2530,24 @@ interface(`corenet_tcp_recvfrom_unlabeled',` > kernel_sendrecv_unlabeled_association($1) > ') > > +######################################## > +## > +## Do not audit attempts to bind SCTP sockets to all reserved ports. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',` > + gen_require(` > + attribute reserved_port_type; > + ') > + > + dontaudit $1 reserved_port_type:sctp_socket name_bind; > +') > + > ######################################## > ## > ## Do not audit attempts to receive TCP packets from a NetLabel > @@ -2332,6 +2628,24 @@ interface(`corenet_udp_recvfrom_unlabeled',` > kernel_sendrecv_unlabeled_association($1) > ') > > +######################################## > +## > +## Bind SCTP sockets to all ports > 1024. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_bind_all_unreserved_ports',` > + gen_require(` > + attribute unreserved_port_type; > + ') > + > + allow $1 unreserved_port_type:sctp_socket name_bind; > +') > + > ######################################## > ## > ## Do not audit attempts to receive UDP packets from a NetLabel > @@ -2432,6 +2746,24 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',` > dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; > ') > > +######################################## > +## > +## Connect SCTP sockets to reserved ports. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_connect_all_reserved_ports',` > + gen_require(` > + attribute reserved_port_type; > + ') > + > + allow $1 reserved_port_type:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Do not audit attempts to receive Raw IP packets from an unlabeled 
> @@ -2539,6 +2871,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',` > kernel_dontaudit_sendrecv_unlabeled_association($1) > ') > > +######################################## > +## > +## Do not audit attempts to connect SCTP sockets > +## all reserved ports. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',` > + gen_require(` > + attribute reserved_port_type; > + ') > + > + dontaudit $1 reserved_port_type:sctp_socket name_connect; > +') > + > ######################################## > ## > ## Do not audit attempts to receive packets from a NetLabel > @@ -2670,6 +3021,7 @@ interface(`corenet_raw_recvfrom_labeled',` > ## > # > interface(`corenet_all_recvfrom_labeled',` > + corenet_sctp_recvfrom_labeled($1, $2) > corenet_tcp_recvfrom_labeled($1, $2) > corenet_udp_recvfrom_labeled($1, $2) > corenet_raw_recvfrom_labeled($1, $2) > @@ -2940,6 +3292,24 @@ interface(`corenet_send_all_server_packets',` > allow $1 server_packet_type:packet send; > ') > > +######################################## > +## > +## Receive SCTP packets from a NetLabel connection. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_recvfrom_netlabel',` > + gen_require(` > + type netlabel_peer_t; > + ') > + > + allow $1 netlabel_peer_t:peer recv; > +') > + > ######################################## > ## > ## Receive all server packets. 
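Review bot: `corenet_all_recvfrom_labeled` gains a `corenet_sctp_recvfrom_labeled` call, but no matching edit appears in this diff for `corenet_all_recvfrom_unlabeled` or `corenet_all_recvfrom_netlabel` (or their dontaudit variants), even though this patch defines `corenet_sctp_recvfrom_unlabeled` and `corenet_sctp_recvfrom_netlabel`. If those aggregate interfaces fan out per protocol the way the labeled one does — their bodies are not visible here — domains that rely on them will still be denied SCTP traffic from unlabeled or NetLabel peers. Either add the sctp calls there as well or state in the commit message why only the labeled aggregate is updated.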
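Review bot: `corenet_sctp_recvfrom_netlabel` grants only `netlabel_peer_t:peer recv`, whereas the raw-IP counterpart visible in context uses `netlabel_peer_t:rawip_socket recvfrom`, and the policy/mls hunk in this same patch adds `sctp_socket` to the `recvfrom` constraint "used by netlabel" — a permission nothing in this patch grants. Either the compat-path `allow $1 netlabel_peer_t:sctp_socket recvfrom;` belongs here for parity with the other protocols, or the new mlsconstrain entry is dead and should be dropped; which is right depends on whether the kernel still checks `sctp_socket recvfrom` when the netpeer capability is enabled, so confirm before merging. A one-line comment saying which check this interface is written for would stop the next reader from asking the same question.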
> @@ -2991,6 +3361,27 @@ interface(`corenet_relabelto_all_server_packets',` > allow $1 server_packet_type:packet relabelto; > ') > > +######################################## > +## > +## Receive SCTP packets from an unlabled connection. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`corenet_sctp_recvfrom_unlabeled',` > + gen_require(` > + attribute corenet_unlabeled_type; > + ') > + > + kernel_recvfrom_unlabeled_peer($1) > + > + typeattribute $1 corenet_unlabeled_type; > + kernel_sendrecv_unlabeled_association($1) > +') > + > ######################################## > ## > ## Send all packets. > @@ -3124,6 +3515,34 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',` > kernel_ib_manage_subnet_unlabeled_endports($1) > ') > > +######################################## > +## > +## Rules for receiving labeled SCTP packets. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Peer domain. > +## > +## > +# > +interface(`corenet_sctp_recvfrom_labeled',` > + allow { $1 $2 } self:association sendto; > + allow $1 $2:association recvfrom; > + allow $2 $1:association recvfrom; > + > + allow $1 $2:peer recv; > + allow $2 $1:peer recv; > + > + # allow receiving packets from MLS-only peers using NetLabel > + corenet_sctp_recvfrom_netlabel($1) > + corenet_sctp_recvfrom_netlabel($2) > +') > + > ######################################## > ## > ## Unconfined access to network objects. > diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in > index ba4feb04..d2031cc8 100644 > --- a/policy/modules/kernel/corenetwork.te.in > +++ b/policy/modules/kernel/corenetwork.te.in 
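Review bot: The summary of `corenet_sctp_recvfrom_unlabeled` misspells "unlabeled" as "unlabled"; write `Receive SCTP packets from an unlabeled connection.` The body grants peer, unlabeled-type and association access but no `sctp_socket` permission; only the last line of the TCP counterpart is visible in this diff, so check whether it adds a socket-class grant for unlabeled peers and mirror it here if so.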
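Review bot: `corenet_sctp_recvfrom_labeled` grants the two-way `association recvfrom` and `peer recv` pairs but no `sctp_socket` permission between `$1` and `$2`; the `association` permission this patch adds to `class sctp_socket` is the obvious candidate, and if the kernel checks it against the peer label when an association is established, both directions need `allow $1 $2:sctp_socket association;` and `allow $2 $1:sctp_socket association;`. The TCP counterpart is not in this diff, so confirm what it grants before mirroring it. Because this interface is reached through `corenet_all_recvfrom_labeled`, any gap here affects every domain that uses the aggregate.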
> @@ -307,9 +307,12 @@ network_port(zope, tcp,8021,s0)
> portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
> portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
> portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> +portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
> +portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
> portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
> portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
> +portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
>
> ########################################
> #
> @@ -355,11 +358,12 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se
> allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
> allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
> allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
> +allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
> allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
>
> # Bind to any network address.
> -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
> -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
> +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
> +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
>
> # Infiniband
> corenet_ib_access_all_pkeys(corenet_unconfined_type)
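Review bot: The three `portcon sctp` lines make the base policy depend on a checkpolicy/libsepol that accepts `sctp` as a portcon protocol, a toolchain requirement separate from the kernel 4.16 requirement the commit message states; it should be recorded (README or commit message) so an older build fails for a known reason rather than on a parse error — I cannot confirm the minimum userspace version from this diff. Note also that no `network_port()` declaration in this file gains an sctp entry, so every SCTP port is labeled only by these range rules; if that is intended until per-service SCTP ports are added, a comment above the new lines such as `# SCTP: no per-service port labels yet, only the generic ranges` would say so.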
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index b15e2332..9aed9484 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
> #
> # Stream socket classes.
> #
> -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
> +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
>
> #
> # Unprivileged socket classes (exclude rawip, netlink, packet).
> #
> -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
> +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
>
>
> ########################################
Merged. -- Chris PeBenito
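Review bot: Adding `sctp_socket` to `unpriv_socket_class_set` and `stream_socket_class_set` widens every existing rule written against those macros across the policy — any domain currently allowed `unpriv_socket_class_set` create/read/write permissions now also gets SCTP socket access, which the commit message ("Add additional entries") does not call out. That may well be intended, but it is a policy-wide privilege expansion rather than an additive interface, so it deserves a sentence in the commit message and a look at which modules use the macro. SCTP also supports both one-to-one (SOCK_STREAM) and one-to-many (SOCK_SEQPACKET) sockets, so filing it only under "Stream socket classes." is a simplification; a comment such as `# sctp_socket covers both one-to-one and one-to-many style SCTP sockets` would stop a reader from assuming the seqpacket style is excluded.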