commit:     0d797afccb4ad5dd993c25bf217303343127901d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar 25 10:03:18 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d797afc

corenetwork: regenerate for query scripts

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/kernel/corenetwork.if | 646 +++++++++++++++++++++++++++++------
 policy/modules/kernel/corenetwork.te |  26 +-
 2 files changed, 556 insertions(+), 116 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if 
b/policy/modules/kernel/corenetwork.if
index d7473484..e6fbf90f 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -215,6 +215,60 @@ interface(`corenet_spd_type',`
        typeattribute $1 ipsec_spd_type;
 ')
 
+########################################
+## <summary>
+##     Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+##     <p>
+##     Define type to be an infiniband pkey type
+##     </p>
+##     <p>
+##     This is for supporting third party modules and its
+##     use is not allowed in upstream reference policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Type to be used for infiniband pkeys.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+       gen_require(`
+               attribute ibpkey_type;
+       ')
+
+       typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+##     Define type to be an infiniband endport
+## </summary>
+## <desc>
+##     <p>
+##     Define type to be an infiniband endport
+##     </p>
+##     <p>
+##     This is for supporting third party modules and its
+##     use is not allowed in upstream reference policy.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Type to be used for infiniband endports.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+       gen_require(`
+               attribute ibendport_type;
+       ')
+
+       typeattribute $1 ibendport_type;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive TCP network traffic on generic interfaces.
@@ -584,6 +638,24 @@ interface(`corenet_raw_send_all_if',`
        allow $1 netif_type:netif { rawip_send egress };
 ')
 
+########################################
+## <summary>
+##     Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+       gen_require(`
+               type node_t;
+       ')
+
+       allow $1 node_t:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##     Receive raw IP packets on all interfaces.
@@ -791,6 +863,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
        corenet_raw_receive_generic_node($1)
 ')
 
+########################################
+## <summary>
+##     Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+       gen_require(`
+               type node_t;
+       ')
+
+       allow $1 node_t:sctp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ##     Bind TCP sockets to generic nodes.
@@ -985,6 +1075,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
        dontaudit $1 node_type:node { udp_send sendto };
 ')
 
+########################################
+## <summary>
+##     Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+       gen_require(`
+               attribute node_type;
+       ')
+
+       allow $1 node_type:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ##     Receive UDP network traffic on all nodes.
@@ -1177,6 +1285,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
        allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
 
+########################################
+## <summary>
+##     Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+       gen_require(`
+               attribute node_type;
+       ')
+
+       allow $1 node_type:sctp_socket node_bind;
+')
+
+
 ########################################
 ## <summary>
 ##     Do not audit send and receive TCP network traffic on generic ports.
@@ -1384,6 +1511,26 @@ interface(`corenet_udp_send_all_ports',`
        allow $1 port_type:udp_socket send_msg;
 ')
 
+########################################
+## <summary>
+##     Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+       gen_require(`
+               type port_t, unreserved_port_t, ephemeral_port_t;
+               attribute defined_port_type;
+       ')
+
+       allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_bind;
+       dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##     Receive UDP network traffic on all ports.
@@ -1441,6 +1588,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
        corenet_udp_receive_all_ports($1)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to bind SCTP
+##     sockets to generic ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+       gen_require(`
+               type port_t, unreserved_port_t, ephemeral_port_t;
+       ')
+
+       dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_bind;
+')
+
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all ports.
@@ -1497,6 +1663,24 @@ interface(`corenet_udp_bind_all_ports',`
        allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##     Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+       gen_require(`
+               type port_t, unreserved_port_t,ephemeral_port_t;
+       ')
+
+       allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attepts to bind UDP sockets to any ports.
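Review bot: The gen_require list in corenet_sctp_connect_generic_port is missing a space after the second comma, `type port_t, unreserved_port_t,ephemeral_port_t;`, which differs from the identical lists in corenet_sctp_bind_generic_port and corenet_dontaudit_sctp_bind_generic_port. Since this file is generated, the fix belongs in the template this hunk was regenerated from; the intended line is `type port_t, unreserved_port_t, ephemeral_port_t;`.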
@@ -1668,6 +1852,25 @@ interface(`corenet_tcp_bind_reserved_port',`
        allow $1 self:capability net_bind_service;
 ')
 
+########################################
+## <summary>
+##     Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+       gen_require(`
+               attribute port_type;
+       ')
+
+       allow $1 port_type:sctp_socket name_bind;
+       allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ##     Bind UDP sockets to generic reserved ports.
@@ -1705,6 +1908,24 @@ interface(`corenet_tcp_connect_reserved_port',`
        allow $1 reserved_port_t:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+       gen_require(`
+               attribute port_type;
+       ')
+
+       dontaudit $1 port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ##     Send and receive TCP network traffic on all reserved ports.
@@ -1774,6 +1995,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
        corenet_udp_receive_all_reserved_ports($1)
 ')
 
+########################################
+## <summary>
+##     Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+       gen_require(`
+               attribute port_type;
+       ')
+
+       allow $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all reserved ports.
@@ -1848,6 +2087,25 @@ 
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
        dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to connect SCTP sockets
+##     to all ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+       gen_require(`
+               attribute port_type;
+       ')
+
+       dontaudit $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all ports > 1024.
@@ -1902,6 +2160,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
        allow $1 reserved_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##     Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+       gen_require(`
+               attribute unreserved_port_type;
+       ')
+
+       allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit connect attempts to TCP sockets on
@@ -1995,6 +2271,63 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
        dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
 
+########################################
+## <summary>
+##     Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+       gen_require(`
+               type reserved_port_t;
+       ')
+
+       allow $1 reserved_port_t:sctp_socket name_bind;
+       allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+##     Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain read allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+       gen_require(`
+               type tun_tap_device_t;
+       ')
+
+       dev_list_all_dev_nodes($1)
+       allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     The domain allowed write access.
+##     </summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+       gen_require(`
+               type tun_tap_device_t;
+       ')
+
+       dev_list_all_dev_nodes($1)
+       allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read and write the TUN/TAP virtual network device.
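Review bot: The parameter summary of corenet_read_tun_tap_dev reads `The domain read allowed access.`, which is garbled; the sibling corenet_write_tun_tap_dev in the same hunk says `The domain allowed write access.`. Suggest `##     The domain allowed read access.` so the pair reads consistently. Both interfaces also call dev_list_all_dev_nodes($1) before the chr_file rule, which is the same pattern as the existing corenet_rw_tun_tap_dev, so no behavioural concern there.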
@@ -2014,6 +2347,24 @@ interface(`corenet_rw_tun_tap_dev',`
        allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
+########################################
+## <summary>
+##     Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+       gen_require(`
+               type reserved_port_t;
+       ')
+
+       allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to read or write the TUN/TAP
@@ -2146,73 +2497,21 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 
 ########################################
 ## <summary>
-##     Send and receive messages on a
-##     non-encrypted (no IPSEC) network
-##     session.
+##     Bind SCTP sockets to all reserved ports.
 ## </summary>
-## <desc>
-##     <p>
-##     Send and receive messages on a
-##     non-encrypted (no IPSEC) network
-##     session.  (Deprecated)
-##     </p>
-##     <p>
-##     The corenet_all_recvfrom_unlabeled() interface should be used instead
-##     of this one.
-##     </p>
-## </desc>
 ## <param name="domain">
 ##     <summary>
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`corenet_non_ipsec_sendrecv',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_all_recvfrom_unlabeled() instead.')
-       corenet_all_recvfrom_unlabeled($1)
-')
-
-########################################
-## <summary>
-##     Do not audit attempts to send and receive
-##     messages on a non-encrypted (no IPSEC) network
-##     session.
-## </summary>
-## <desc>
-##     <p>
-##     Do not audit attempts to send and receive
-##     messages on a non-encrypted (no IPSEC) network
-##     session.
-##     </p>
-##     <p>
-##     The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
-##     used instead of this one.
-##     </p>
-## </desc>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_non_ipsec_sendrecv',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_dontaudit_all_recvfrom_unlabeled() instead.')
-       corenet_dontaudit_all_recvfrom_unlabeled($1)
-')
+interface(`corenet_sctp_bind_all_reserved_ports',`
+       gen_require(`
+               attribute reserved_port_type;
+       ')
 
-########################################
-## <summary>
-##     Receive TCP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_tcp_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_tcp_recvfrom_netlabel() instead.')
-       corenet_tcp_recvfrom_netlabel($1)
+       allow $1 reserved_port_type:sctp_socket name_bind;
+       allow $1 self:capability net_bind_service;
 ')
 
 ########################################
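Review bot: The deprecated wrapper interfaces corenet_non_ipsec_sendrecv, corenet_dontaudit_non_ipsec_sendrecv and corenet_tcp_recv_netlabel are deleted outright here rather than left as refpolicywarn stubs, and the same happens to corenet_dontaudit_tcp_recv_netlabel, corenet_udp_recv_netlabel, corenet_dontaudit_udp_recv_netlabel, corenet_raw_recv_netlabel and corenet_dontaudit_raw_recv_netlabel in the later hunks of this file. Any out-of-tree module that still calls one of them will presumably fail to build once this is merged, since the macro no longer expands. The commit message only says "regenerate for query scripts", so the interface removals deserve an explicit mention there, or a release note, for downstream policy authors.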
@@ -2256,8 +2555,7 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
-##     Do not audit attempts to receive TCP packets from a NetLabel
-##     connection.
+##     Do not audit attempts to bind SCTP sockets to all reserved ports.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -2265,9 +2563,12 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
 ##     </summary>
 ## </param>
 #
-interface(`corenet_dontaudit_tcp_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
-       corenet_dontaudit_tcp_recvfrom_netlabel($1)
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+       gen_require(`
+               attribute reserved_port_type;
+       ')
+
+       dontaudit $1 reserved_port_type:sctp_socket name_bind;
 ')
 
 ########################################
@@ -2311,21 +2612,6 @@ interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
        kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
-########################################
-## <summary>
-##     Receive UDP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_udp_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_udp_recvfrom_netlabel() instead.')
-       corenet_udp_recvfrom_netlabel($1)
-')
-
 ########################################
 ## <summary>
 ##     Receive UDP packets from a NetLabel connection.
@@ -2367,18 +2653,20 @@ interface(`corenet_udp_recvfrom_unlabeled',`
 
 ########################################
 ## <summary>
-##     Do not audit attempts to receive UDP packets from a NetLabel
-##     connection.
+##     Bind SCTP sockets to all ports > 1024.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain to not audit.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`corenet_dontaudit_udp_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
-       corenet_dontaudit_udp_recvfrom_netlabel($1)
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+       gen_require(`
+               attribute unreserved_port_type;
+       ')
+
+       allow $1 unreserved_port_type:sctp_socket name_bind;
 ')
 
 ########################################
@@ -2422,21 +2710,6 @@ interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
        kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
-########################################
-## <summary>
-##     Receive Raw IP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_raw_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_raw_recvfrom_netlabel() instead.')
-       corenet_raw_recvfrom_netlabel($1)
-')
-
 ########################################
 ## <summary>
 ##     Receive Raw IP packets from a NetLabel connection.
@@ -2487,29 +2760,31 @@ interface(`corenet_raw_recvfrom_unlabeled',`
 ##     </summary>
 ## </param>
 #
-interface(`corenet_dontaudit_raw_recv_netlabel',`
-       refpolicywarn(`$0($*) has been deprecated, use 
corenet_dontaudit_raw_recvfrom_netlabel() instead.')
-       corenet_dontaudit_raw_recvfrom_netlabel($1)
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+       gen_require(`
+               type netlabel_peer_t;
+       ')
+
+       dontaudit $1 netlabel_peer_t:peer recv;
+       dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
 ########################################
 ## <summary>
-##     Do not audit attempts to receive Raw IP packets from a NetLabel
-##     connection.
+##     Connect SCTP sockets to reserved ports.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     Domain to not audit.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
-interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+interface(`corenet_sctp_connect_all_reserved_ports',`
        gen_require(`
-               type netlabel_peer_t;
+               attribute reserved_port_type;
        ')
 
-       dontaudit $1 netlabel_peer_t:peer recv;
-       dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+       allow $1 reserved_port_type:sctp_socket name_connect;
 ')
 
 ########################################
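Review bot: The summary for corenet_sctp_connect_all_reserved_ports reads `Connect SCTP sockets to reserved ports.`, but the interface grants name_connect on the whole reserved_port_type attribute, and the earlier corenet_sctp_connect_reserved_port (which only covers the generic reserved_port_t type) is summarised as "Connect SCTP sockets to generic reserved ports", so the two are hard to tell apart in the generated docs. Suggest `##     Connect SCTP sockets to all reserved ports.` to match the name and the TCP wording used elsewhere in this file. The doc block that now sits above corenet_dontaudit_raw_recvfrom_netlabel starts outside the hunk, so I could not confirm its summary still matches that body.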
@@ -2619,6 +2894,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
        kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to connect SCTP sockets
+##     all reserved ports.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+       gen_require(`
+               attribute reserved_port_type;
+       ')
+
+       dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ##     Do not audit attempts to receive packets from a NetLabel
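Review bot: The summary of corenet_dontaudit_sctp_connect_all_reserved_ports drops a word: `Do not audit attempts to connect SCTP sockets all reserved ports.` Suggest `##     to all reserved ports.` on the second line, mirroring corenet_dontaudit_sctp_connect_all_ports earlier in this diff.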
@@ -2750,6 +3044,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+       corenet_sctp_recvfrom_labeled($1, $2)
        corenet_tcp_recvfrom_labeled($1, $2)
        corenet_udp_recvfrom_labeled($1, $2)
        corenet_raw_recvfrom_labeled($1, $2)
@@ -3020,6 +3315,24 @@ interface(`corenet_send_all_server_packets',`
        allow $1 server_packet_type:packet send;
 ')
 
+########################################
+## <summary>
+##     Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+       gen_require(`
+               type netlabel_peer_t;
+       ')
+
+       allow $1 netlabel_peer_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##     Receive all server packets.
@@ -3071,6 +3384,27 @@ interface(`corenet_relabelto_all_server_packets',`
        allow $1 server_packet_type:packet relabelto;
 ')
 
+########################################
+## <summary>
+##     Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+       gen_require(`
+               attribute corenet_unlabeled_type;
+       ')
+
+       kernel_recvfrom_unlabeled_peer($1)
+
+       typeattribute $1 corenet_unlabeled_type;
+       kernel_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ##     Send all packets.
@@ -3140,6 +3474,98 @@ interface(`corenet_relabelto_all_packets',`
        allow $1 packet_type:packet relabelto;
 ')
 
+########################################
+## <summary>
+##     Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+       kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+##     Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+       gen_require(`
+               attribute ibpkey_type;
+       ')
+
+       allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+##     Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+       gen_require(`
+               attribute ibendport_type;
+       ')
+
+       allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+##     Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+       kernel_ib_manage_subnet_unlabeled_endports($1)
+')
+
+########################################
+## <summary>
+##     Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="peer_domain">
+##     <summary>
+##     Peer domain.
+##     </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+       allow { $1 $2 } self:association sendto;
+       allow $1 $2:association recvfrom;
+       allow $2 $1:association recvfrom;
+
+       allow $1 $2:peer recv;
+       allow $2 $1:peer recv;
+
+       # allow receiving packets from MLS-only peers using NetLabel
+       corenet_sctp_recvfrom_netlabel($1)
+       corenet_sctp_recvfrom_netlabel($2)
+')
+
 ########################################
 ## <summary>
 ##     Unconfined access to network objects.
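Review bot: corenet_sctp_recvfrom_labeled grants rules in both directions: besides the rules for $1 it adds `allow $2 $1:association recvfrom;`, `allow $2 $1:peer recv;` and calls corenet_sctp_recvfrom_netlabel($2), so the "peer_domain" argument also receives permissions, yet its summary only says "Rules for receiving labeled SCTP packets." and the peer parameter is described as "Peer domain." A caller passing a less trusted domain as $2 would not learn from the docs that it is widening that domain too; suggest `##     Rules for both domains to receive labeled SCTP packets from each other.` as the summary and `##     Peer domain; also granted receive rules from the first domain.` for the parameter. The new IB interfaces in this hunk call kernel_ib_access_unlabeled_pkeys and kernel_ib_manage_subnet_unlabeled_endports, which are not visible here, so I could not confirm they exist in the matching kernel.if.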

diff --git a/policy/modules/kernel/corenetwork.te 
b/policy/modules/kernel/corenetwork.te
index a7eb9045..707933c9 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2,7 +2,7 @@
 # This is a generated file!  Instead of modifying this file, the
 # corenetwork.te.in or corenetwork.te.m4 file should be modified.
 #
-policy_module(corenetwork, 1.23.3)
+policy_module(corenetwork, 1.25.1)
 
 ########################################
 #
@@ -20,6 +20,8 @@ attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
 attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
 # This is an optimization for { port_type -reserved_port_type }
 attribute unreserved_port_type;
 
@@ -471,8 +473,10 @@ type dns_port_t, port_type, defined_port_type;
 type dns_client_packet_t, packet_type, client_packet_type;
 type dns_server_packet_t, packet_type, server_packet_type;
 typeattribute dns_port_t reserved_port_type;
+typeattribute dns_port_t rpc_port_type;
 portcon tcp 53 gen_context(system_u:object_r:dns_port_t,s0)
 portcon udp 53 gen_context(system_u:object_r:dns_port_t,s0)
+portcon tcp 853 gen_context(system_u:object_r:dns_port_t,s0)
 
 
 type dropbox_port_t, port_type, defined_port_type;
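Review bot: `typeattribute dns_port_t rpc_port_type;` moves DNS (tcp/udp 53 and the new tcp 853) into the rpc_port_type attribute, so every domain that already has corenet_tcp_connect_all_rpc_ports, corenet_tcp_bind_all_rpc_ports or their UDP counterparts silently gains access to DNS ports with this regeneration. That widening is presumably inherited from the upstream template, but neither the commit message nor this generated file says why, and the new portcon for 853 carries no note that it is DNS over TLS. A one-line comment in corenetwork.te.in (which this file says is the place to edit), for example `# dns_port_t is also rpc_port_type so RPC-capable domains can resolve names`, would make the grant reviewable later.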
@@ -1969,9 +1973,12 @@ portcon tcp 8021 
gen_context(system_u:object_r:zope_port_t,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
@@ -2023,12 +2030,19 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
 # Unconfined access to this module
 #
 
-allow corenet_unconfined_type node_type:node *;
-allow corenet_unconfined_type netif_type:netif *;
-allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv 
udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto 
};
+allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv 
udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
+allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in 
flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg 
name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg 
name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } 
name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } 
node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket 
sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket 
sctp_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)
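Review bot: The unconfined node, netif and packet rules change from `*` to enumerated permission lists, which is a real behaviour change for corenet_unconfined_type rather than a pure regeneration: any permission later added to those classes in access_vectors will no longer be granted automatically and must be appended here by hand. That is the safer direction, but the commit message does not mention it, and the enumerations are not marked as intentional. Suggest a comment in the template above these rules, such as `# Permissions are listed explicitly so the access vectors stay the source of truth; keep in sync.`, so a future regeneration does not reintroduce the wildcard without discussion.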
