From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1418669428.24762b278b67aca295c421b75683c3bf5e27ed21.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/corenetwork.if policy/modules/kernel/corenetwork.te X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 24762b278b67aca295c421b75683c3bf5e27ed21 X-VCS-Branch: master Date: Mon, 15 Dec 2014 18:52:22 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 19ac63eb-21da-43c4-8e61-cf89404257bc X-Archives-Hash: c4c250f3d001c9123afd5dbc3ce75f23 commit: 24762b278b67aca295c421b75683c3bf5e27ed21 Author: Sven Vermeulen siphos be> AuthorDate: Mon Dec 15 18:50:28 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Dec 15 18:50:28 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=24762b27 Update corenetwork builds after adding bitcoin ports --- policy/modules/kernel/corenetwork.if | 443 +++++++++++++++++++++++++++++++++++ policy/modules/kernel/corenetwork.te | 10 +- 2 files changed, 452 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if index 3385d83..ee210d4 100644 --- a/policy/modules/kernel/corenetwork.if +++ b/policy/modules/kernel/corenetwork.if 
@@ -12021,6 +12021,449 @@ interface(`corenet_relabelto_bgp_server_packets',` ######################################## ## +## Send and receive TCP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_sendrecv_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## Send UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_send_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket send_msg; +') + +######################################## +## +## Do not audit attempts to send UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_send_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + dontaudit $1 bitcoin_port_t:udp_socket send_msg; +') + +######################################## +## +## Receive UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_receive_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket recv_msg; +') + +######################################## +## +## Do not audit attempts to receive UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_receive_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + dontaudit $1 bitcoin_port_t:udp_socket recv_msg; +') + +######################################## +## +## Send and receive UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`corenet_udp_sendrecv_bitcoin_port',` + corenet_udp_send_bitcoin_port($1) + corenet_udp_receive_bitcoin_port($1) +') + +######################################## +## +## Do not audit attempts to send and receive +## UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_bitcoin_port',` + corenet_dontaudit_udp_send_bitcoin_port($1) + corenet_dontaudit_udp_receive_bitcoin_port($1) +') + +######################################## +## +## Bind TCP sockets to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_bind_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket name_bind; + +') + +######################################## +## +## Bind UDP sockets to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_bind_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket name_bind; + +') + +######################################## +## +## Make a TCP connection to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_connect_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket name_connect; +') + + +######################################## +## +## Send bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send bitcoin_client packets. +## +## +## +## Domain to not audit. 
+## +## +## +# +interface(`corenet_dontaudit_send_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + dontaudit $1 bitcoin_client_packet_t:packet send; +') + +######################################## +## +## Receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + dontaudit $1 bitcoin_client_packet_t:packet recv; +') + +######################################## +## +## Send and receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_bitcoin_client_packets',` + corenet_send_bitcoin_client_packets($1) + corenet_receive_bitcoin_client_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive bitcoin_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_bitcoin_client_packets',` + corenet_dontaudit_send_bitcoin_client_packets($1) + corenet_dontaudit_receive_bitcoin_client_packets($1) +') + +######################################## +## +## Relabel packets to bitcoin_client the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet relabelto; +') + + +######################################## +## +## Send bitcoin_server packets. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`corenet_send_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + allow $1 bitcoin_server_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send bitcoin_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + dontaudit $1 bitcoin_server_packet_t:packet send; +') + +######################################## +## +## Receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + allow $1 bitcoin_server_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + dontaudit $1 bitcoin_server_packet_t:packet recv; +') + +######################################## +## +## Send and receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_bitcoin_server_packets',` + corenet_send_bitcoin_server_packets($1) + corenet_receive_bitcoin_server_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive bitcoin_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_bitcoin_server_packets',` + corenet_dontaudit_send_bitcoin_server_packets($1) + corenet_dontaudit_receive_bitcoin_server_packets($1) +') + +######################################## +## +## Relabel packets to bitcoin_server the packet type. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`corenet_relabelto_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + allow $1 bitcoin_server_packet_t:packet relabelto; +') + + + + +######################################## +## ## Send and receive TCP traffic on the boinc port. ## ## diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te index 1bbf3c5..af43a4e 100644 --- a/policy/modules/kernel/corenetwork.te +++ b/policy/modules/kernel/corenetwork.te @@ -2,7 +2,7 @@ # This is a generated file! Instead of modifying this file, the # corenetwork.te.in or corenetwork.te.m4 file should be modified. # -policy_module(corenetwork, 1.20.2) +policy_module(corenetwork, 1.21.0) ######################################## # @@ -236,6 +236,14 @@ portcon tcp 2605 gen_context(system_u:object_r:bgp_port_t,s0) portcon udp 2605 gen_context(system_u:object_r:bgp_port_t,s0) +type bitcoin_port_t, port_type, defined_port_type; +type bitcoin_client_packet_t, packet_type, client_packet_type; +type bitcoin_server_packet_t, packet_type, server_packet_type; +typeattribute bitcoin_port_t unreserved_port_type; +portcon tcp 8332 gen_context(system_u:object_r:bitcoin_port_t,s0) +portcon tcp 8333 gen_context(system_u:object_r:bitcoin_port_t,s0) + + type boinc_port_t, port_type, defined_port_type; type boinc_client_packet_t, packet_type, client_packet_type; type boinc_server_packet_t, packet_type, server_packet_type;
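Review bot: in the corenetwork.if hunk, two of the dontaudit interfaces document their parameter wrongly: corenet_dontaudit_receive_bitcoin_client_packets and corenet_dontaudit_receive_bitcoin_server_packets describe the argument as "Domain allowed access." while every other dontaudit interface in the hunk says "Domain to not audit."; the summaries "Relabel packets to bitcoin_client the packet type." and "Relabel packets to bitcoin_server the packet type." also read wrong (should be "to the bitcoin_client packet type"). Since the commit message describes this as a rebuild of generated output, these wordings come from the template and should be fixed there, or the next regeneration will reproduce them. Style: corenet_tcp_bind_bitcoin_port and corenet_udp_bind_bitcoin_port each carry a stray blank line before the closing `')`, and there are runs of two to four blank lines before corenet_send_bitcoin_client_packets, before corenet_send_bitcoin_server_packets and before the boinc block where the rest of the hunk uses one.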
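Review bot: the policy_module bump from 1.20.2 to 1.21.0 in the first corenetwork.te hunk is the right granularity for a change that adds new types and interfaces rather than fixing existing ones. The comment immediately above it says this is a generated file and that corenetwork.te.in or corenetwork.te.m4 should be modified instead; the commit message only mentions updating the builds, so confirm the version change is also carried in the template, otherwise the next regeneration will silently revert it to 1.20.2.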
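Review bot: the second corenetwork.te hunk adds only TCP portcon entries (8332 and 8333) for bitcoin_port_t, yet the .if hunk generates corenet_udp_bind_bitcoin_port, corenet_udp_send_bitcoin_port, corenet_udp_receive_bitcoin_port and their dontaudit variants; with no `portcon udp` line no UDP port is ever labelled bitcoin_port_t, so those interfaces grant nothing in practice. That is harmless but worth a sentence in the commit message so callers do not expect them to work. A second point is that both ports share a single type: any domain given corenet_tcp_connect_bitcoin_port or corenet_tcp_bind_bitcoin_port gets 8332 and 8333 together, so if one is the peer-to-peer port and the other a local control/RPC port (bitcoind's usual layout), one type cannot express "peers allowed, RPC denied"; consider separate types if that distinction matters to the consuming policy. Style: two added blank lines precede the boinc block where one appears to be the spacing used between the other blocks.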