From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id ABE081382C5 for ; Mon, 11 Jan 2021 01:27:15 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 61AE7E0AE1; Mon, 11 Jan 2021 01:27:12 +0000 (UTC) Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 275D8E0AE1 for ; Mon, 11 Jan 2021 01:27:12 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2754B34105B for ; Mon, 11 Jan 2021 01:27:11 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C9BF63A6 for ; Mon, 11 Jan 2021 01:27:07 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1610320556.d5515d5dcba81e818b43721fe0ac36dcd50315a6.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/corenetwork.if policy/modules/kernel/corenetwork.te X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: d5515d5dcba81e818b43721fe0ac36dcd50315a6 X-VCS-Branch: master Date: Mon, 11 Jan 2021 01:27:07 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 7ddbe719-92d2-46dd-b3a4-311c430f9da4 X-Archives-Hash: 8541f9a90c7d8619c7d4454d96e562ab commit: d5515d5dcba81e818b43721fe0ac36dcd50315a6 Author: Jason Zaman gentoo org> AuthorDate: Sun Jan 10 23:15:56 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 10 23:15:56 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5515d5d Regenerate corenetwork Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corenetwork.if | 570 ++++++++++++++++++++++++++++++++++- policy/modules/kernel/corenetwork.te | 20 +- 2 files changed, 574 insertions(+), 16 deletions(-) diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if index 9b19cea2..368ad3b7 100644 --- a/policy/modules/kernel/corenetwork.if +++ b/policy/modules/kernel/corenetwork.if 
@@ -1498,11 +1498,11 @@ interface(`corenet_udp_send_all_ports',` # interface(`corenet_sctp_bind_generic_port',` gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; + type port_t, unreserved_port_t; attribute defined_port_type; ') - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + allow $1 { port_t unreserved_port_t }:sctp_socket name_bind; dontaudit $1 defined_port_type:sctp_socket name_bind; ') @@ -1571,10 +1571,10 @@ interface(`corenet_udp_sendrecv_all_ports',` # interface(`corenet_dontaudit_sctp_bind_generic_port',` gen_require(` - type port_t, unreserved_port_t, ephemeral_port_t; + type port_t, unreserved_port_t; ') - dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind; ') ######################################## @@ -1645,10 +1645,10 @@ interface(`corenet_udp_bind_all_ports',` # interface(`corenet_sctp_connect_generic_port',` gen_require(` - type port_t, unreserved_port_t,ephemeral_port_t; + type port_t, unreserved_port_t; ') - allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; + allow $1 { port_t unreserved_port_t }:sctp_socket name_connect; ') ######################################## @@ -2761,7 +2761,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` ## Allow the specified domain to receive packets from an ## unlabeled connection. On machines that do not utilize ## labeled networking, this will be required on all -## networking domains. On machines tha do utilize +## networking domains. On machines that do utilize ## labeled networking, this will be required for any ## networking domain that is allowed to receive ## network traffic that does not have a label. 
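Review bot: corenet_sctp_bind_generic_port now grants sctp_socket name_bind on port_t and unreserved_port_t only and no longer on ephemeral_port_t, and the same narrowing appears in the corenet_dontaudit_sctp_bind_generic_port and corenet_sctp_connect_generic_port hunks on this line. For a domain that binds or connects SCTP on an ephemeral port this is a new denial that the commit message "Regenerate corenetwork" does not announce, unless ephemeral_port_t has been folded into unreserved_port_t elsewhere, which this patch does not show. Because the .if is generated, the wording fix belongs in the template, but the interface summary (which starts outside the hunk) should state what the generic set covers, e.g. `## Bind SCTP sockets to generic ports (port_t and unreserved_port_t); ephemeral ports are not included.`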
@@ -3339,13 +3339,7 @@ interface(`corenet_relabelto_all_server_packets',` ## # interface(`corenet_sctp_recvfrom_unlabeled',` - gen_require(` - attribute corenet_unlabeled_type; - ') - kernel_recvfrom_unlabeled_peer($1) - - typeattribute $1 corenet_unlabeled_type; kernel_sendrecv_unlabeled_association($1) ') 
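Review bot: corenet_sctp_recvfrom_unlabeled no longer adds $1 to corenet_unlabeled_type or calls kernel_recvfrom_unlabeled_peer, leaving only kernel_sendrecv_unlabeled_association($1). A caller that relied on this interface for peer recv from unlabeled_t on hosts with labeled networking now has to request that access separately, and whether the association permission alone is sufficient for SCTP cannot be told from this patch. The summary above the hunk (outside it) should state the reduced scope, e.g. `## Receive SCTP traffic over unlabeled associations only; unlabeled peer access is not granted by this interface.`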
@@ -3529,6 +3523,135 @@ interface(`corenet_unconfined',` ') +######################################## +## +## Send icmp packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_icmp_packets',` + gen_require(` + type icmp_packet_t; + ') + + allow $1 icmp_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send icmp packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_icmp_packets',` + gen_require(` + type icmp_packet_t; + ') + + dontaudit $1 icmp_packet_t:packet send; +') + +######################################## +## +## Receive icmp packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_icmp_packets',` + gen_require(` + type icmp_packet_t; + ') + + allow $1 icmp_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive icmp packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_icmp_packets',` + gen_require(` + type icmp_packet_t; + ') + + dontaudit $1 icmp_packet_t:packet recv; +') + +######################################## +## +## Send and receive icmp packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_icmp_packets',` + corenet_send_icmp_packets($1) + corenet_receive_icmp_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive icmp packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_icmp_packets',` + corenet_dontaudit_send_icmp_packets($1) + corenet_dontaudit_receive_icmp_packets($1) +') + +######################################## +## +## Relabel packets to icmp the packet type. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`corenet_relabelto_icmp_packets',` + gen_require(` + type icmp_packet_t; + ') + + allow $1 icmp_packet_t:packet relabelto; +') + + + + ######################################## ## ## Send and receive TCP traffic on the adb port. 
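Review bot: The parameter description for corenet_dontaudit_receive_icmp_packets reads `## Domain allowed access.` while its sibling corenet_dontaudit_send_icmp_packets correctly says `## Domain to not audit.`; the same mismatch recurs for corenet_dontaudit_receive_aptcacher_client_packets and corenet_dontaudit_receive_aptcacher_server_packets in the later hunk, so the fix belongs in the template that emits the receive dontaudit interfaces. The summary `## Relabel packets to icmp the packet type.` has its words out of order; `## Relabel packets to the icmp packet type.` reads correctly. As with other packet_type types, icmp_packet_t presumably only takes effect once SECMARK rules label traffic with it, so these interfaces change nothing on hosts without such rules; a sentence saying so in the corenet_sendrecv_icmp_packets summary would save policy authors a surprise.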
@@ -9844,6 +9967,427 @@ interface(`corenet_relabelto_apertus_ldp_server_packets',` +######################################## +## +## Send and receive TCP traffic on the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_sendrecv_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Send UDP traffic on the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_send_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Do not audit attempts to send UDP traffic on the aptcacher port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_send_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Receive UDP traffic on the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_receive_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Do not audit attempts to receive UDP traffic on the aptcacher port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_receive_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Send and receive UDP traffic on the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_sendrecv_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Do not audit attempts to send and receive +## UDP traffic on the aptcacher port. +## +## +## +## Domain to not audit. 
+## +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_aptcacher_port',` + refpolicywarn(`$0() has been deprecated, please remove.') +') + +######################################## +## +## Bind TCP sockets to the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_bind_aptcacher_port',` + gen_require(` + type aptcacher_port_t; + ') + + allow $1 aptcacher_port_t:tcp_socket name_bind; + +') + +######################################## +## +## Bind UDP sockets to the aptcacher port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_bind_aptcacher_port',` + gen_require(` + type aptcacher_port_t; + ') + + allow $1 aptcacher_port_t:udp_socket name_bind; + +') + +######################################## +## +## Make a TCP connection to the aptcacher port. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_connect_aptcacher_port',` + gen_require(` + type aptcacher_port_t; + ') + + allow $1 aptcacher_port_t:tcp_socket name_connect; +') + + +######################################## +## +## Send aptcacher_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_aptcacher_client_packets',` + gen_require(` + type aptcacher_client_packet_t; + ') + + allow $1 aptcacher_client_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send aptcacher_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_aptcacher_client_packets',` + gen_require(` + type aptcacher_client_packet_t; + ') + + dontaudit $1 aptcacher_client_packet_t:packet send; +') + +######################################## +## +## Receive aptcacher_client packets. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`corenet_receive_aptcacher_client_packets',` + gen_require(` + type aptcacher_client_packet_t; + ') + + allow $1 aptcacher_client_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive aptcacher_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_aptcacher_client_packets',` + gen_require(` + type aptcacher_client_packet_t; + ') + + dontaudit $1 aptcacher_client_packet_t:packet recv; +') + +######################################## +## +## Send and receive aptcacher_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_aptcacher_client_packets',` + corenet_send_aptcacher_client_packets($1) + corenet_receive_aptcacher_client_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive aptcacher_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_aptcacher_client_packets',` + corenet_dontaudit_send_aptcacher_client_packets($1) + corenet_dontaudit_receive_aptcacher_client_packets($1) +') + +######################################## +## +## Relabel packets to aptcacher_client the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_aptcacher_client_packets',` + gen_require(` + type aptcacher_client_packet_t; + ') + + allow $1 aptcacher_client_packet_t:packet relabelto; +') + + +######################################## +## +## Send aptcacher_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_aptcacher_server_packets',` + gen_require(` + type aptcacher_server_packet_t; + ') + + allow $1 aptcacher_server_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send aptcacher_server packets. +## +## +## +## Domain to not audit. 
+## +## +## +# +interface(`corenet_dontaudit_send_aptcacher_server_packets',` + gen_require(` + type aptcacher_server_packet_t; + ') + + dontaudit $1 aptcacher_server_packet_t:packet send; +') + +######################################## +## +## Receive aptcacher_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_aptcacher_server_packets',` + gen_require(` + type aptcacher_server_packet_t; + ') + + allow $1 aptcacher_server_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive aptcacher_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_aptcacher_server_packets',` + gen_require(` + type aptcacher_server_packet_t; + ') + + dontaudit $1 aptcacher_server_packet_t:packet recv; +') + +######################################## +## +## Send and receive aptcacher_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_aptcacher_server_packets',` + corenet_send_aptcacher_server_packets($1) + corenet_receive_aptcacher_server_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive aptcacher_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_aptcacher_server_packets',` + corenet_dontaudit_send_aptcacher_server_packets($1) + corenet_dontaudit_receive_aptcacher_server_packets($1) +') + +######################################## +## +## Relabel packets to aptcacher_server the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_aptcacher_server_packets',` + gen_require(` + type aptcacher_server_packet_t; + ') + + allow $1 aptcacher_server_packet_t:packet relabelto; +') + + + + ######################################## ## ## Send and receive TCP traffic on the armtechdaemon port. 
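Review bot: corenet_udp_bind_aptcacher_port grants udp_socket name_bind on aptcacher_port_t, but the corenetwork.te hunk in this commit only adds `portcon tcp 3142 gen_context(system_u:object_r:aptcacher_port_t,s0)` with no UDP portcon, so no UDP port ever carries that label and the UDP interfaces are inert while udp/3142 stays under the generic label. Either the port definition should list udp as well, or the interface summaries should say the port is TCP-only so callers do not assume UDP 3142 is covered. The seven refpolicywarn-only interfaces at the top of the hunk are deprecated on creation; if they exist only so the generator stays uniform, a comment such as `# deprecated stubs emitted for template consistency` before the first one would explain why a new port ships with dead interfaces. The stray blank line before `')` in corenet_tcp_bind_aptcacher_port and corenet_udp_bind_aptcacher_port looks like a template artefact as well.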
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te index d6499ceb..030df0c0 100644 --- a/policy/modules/kernel/corenetwork.te +++ b/policy/modules/kernel/corenetwork.te @@ -2,7 +2,7 @@ # This is a generated file! Instead of modifying this file, the # corenetwork.te.in or corenetwork.te.m4 file should be modified. # -policy_module(corenetwork, 1.26.2) +policy_module(corenetwork, 1.28.0) ######################################## # @@ -46,6 +46,13 @@ dev_node(tun_tap_device_t) # type client_packet_t, packet_type, client_packet_type; +# +# ICMP and ICMPv6 +# + +type icmp_packet_t, packet_type; + + # # The netlabel_peer_t is used by the kernel's NetLabel subsystem for network # connections using NetLabel which do not carry full SELinux contexts. @@ -196,6 +203,13 @@ portcon tcp 539 gen_context(system_u:object_r:apertus_ldp_port_t,s0) portcon udp 539 gen_context(system_u:object_r:apertus_ldp_port_t,s0) +type aptcacher_port_t, port_type, defined_port_type; +type aptcacher_client_packet_t, packet_type, client_packet_type; +type aptcacher_server_packet_t, packet_type, server_packet_type; +typeattribute aptcacher_port_t unreserved_port_type; +portcon tcp 3142 gen_context(system_u:object_r:aptcacher_port_t,s0) + + type armtechdaemon_port_t, port_type, defined_port_type; type armtechdaemon_client_packet_t, packet_type, client_packet_type; type armtechdaemon_server_packet_t, packet_type, server_packet_type; @@ -1850,7 +1864,7 @@ type winshadow_port_t, port_type, defined_port_type; type winshadow_client_packet_t, packet_type, client_packet_type; type winshadow_server_packet_t, packet_type, server_packet_type; typeattribute winshadow_port_t unreserved_port_type; -portcon tcp 3161 gen_context(system_u:object_r:winshadow_port_t,s0) +portcon tcp 3261 gen_context(system_u:object_r:winshadow_port_t,s0) portcon udp 3261 gen_context(system_u:object_r:winshadow_port_t,s0) 
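Review bot: The winshadow tcp portcon moves from 3161 to 3261, matching the existing udp 3261 line, which relabels two ports at once: tcp/3261 becomes winshadow_port_t and tcp/3161 falls back to the generic unreserved_port_t label. A domain granted corenet_tcp_bind_winshadow_port or corenet_tcp_connect_winshadow_port in order to reach tcp/3161 is now denied, and whatever bound tcp/3261 under the generic rule is now restricted to winshadow callers. The udp line already using 3261 suggests 3161 was a typo, but "Regenerate corenetwork" does not announce the correction, so a comment above the portcon, e.g. `# tcp port corrected from 3161 to 3261 to match the udp assignment`, or a line in the commit message would help anyone chasing the resulting denials.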
@@ -2011,7 +2025,7 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) ifdef(`enable_mls',` -gen_require(`type unlabeled_t;') +gen_require(`type unlabeled_t;') #selint-disable:S-001 type lo_netif_t, netif_type; netifcon lo gen_context(system_u:object_r:lo_netif_t,s0 - mls_systemhigh) gen_context(system_u:object_r:unlabeled_t,s0 - mls_systemhigh)