From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id D8988138A2F for ; Fri, 15 Aug 2014 13:39:34 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E1D5EE08A1; Fri, 15 Aug 2014 13:39:33 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3BDE4E08A4 for ; Fri, 15 Aug 2014 13:39:33 +0000 (UTC) Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 02C90340432 for ; Fri, 15 Aug 2014 13:39:32 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by spoonbill.gentoo.org (Postfix) with ESMTP id BB0D41881C for ; Fri, 15 Aug 2014 13:39:30 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1408109948.d47c778ccbce70463fed9a0ddd79c41570508f86.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/kernel/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/kernel/corenetwork.if X-VCS-Directories: policy/modules/kernel/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: d47c778ccbce70463fed9a0ddd79c41570508f86 X-VCS-Branch: salt Date: Fri, 15 Aug 2014 13:39:30 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c70aba7d-4cfa-4720-ac7c-974942702b16 X-Archives-Hash: 6db4499c52e0960e53fabbd4775e5f82 Message-ID: <20140815133930.4VXr9i2oeqswCVgfLV03YluHmL1_mISNCBTeznAxto4@z> commit: d47c778ccbce70463fed9a0ddd79c41570508f86 Author: Sven Vermeulen siphos be> AuthorDate: Fri Aug 15 13:39:08 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Fri Aug 15 13:39:08 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d47c778c Add built version of corenetwork.if with salt ports --- policy/modules/kernel/corenetwork.if | 443 +++++++++++++++++++++++++++++++++++ 1 file changed, 443 insertions(+) diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if index 22e8137..5431c56 100644 --- a/policy/modules/kernel/corenetwork.if +++ b/policy/modules/kernel/corenetwork.if @@ -75813,6 +75813,449 @@ interface(`corenet_relabelto_rwho_server_packets',` ######################################## ## +## Send and receive TCP traffic on the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_sendrecv_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## Send UDP traffic on the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_send_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:udp_socket send_msg; +') + +######################################## +## +## Do not audit attempts to send UDP traffic on the salt port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_send_salt_port',` + gen_require(` + type salt_port_t; + ') + + dontaudit $1 salt_port_t:udp_socket send_msg; +') + +######################################## +## +## Receive UDP traffic on the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_receive_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:udp_socket recv_msg; +') + +######################################## +## +## Do not audit attempts to receive UDP traffic on the salt port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_receive_salt_port',` + gen_require(` + type salt_port_t; + ') + + dontaudit $1 salt_port_t:udp_socket recv_msg; +') + +######################################## +## +## Send and receive UDP traffic on the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_sendrecv_salt_port',` + corenet_udp_send_salt_port($1) + corenet_udp_receive_salt_port($1) +') + +######################################## +## +## Do not audit attempts to send and receive +## UDP traffic on the salt port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_salt_port',` + corenet_dontaudit_udp_send_salt_port($1) + corenet_dontaudit_udp_receive_salt_port($1) +') + +######################################## +## +## Bind TCP sockets to the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_bind_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:tcp_socket name_bind; + +') + +######################################## +## +## Bind UDP sockets to the salt port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_bind_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:udp_socket name_bind; + +') + +######################################## +## +## Make a TCP connection to the salt port. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_connect_salt_port',` + gen_require(` + type salt_port_t; + ') + + allow $1 salt_port_t:tcp_socket name_connect; +') + + +######################################## +## +## Send salt_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_salt_client_packets',` + gen_require(` + type salt_client_packet_t; + ') + + allow $1 salt_client_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send salt_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_salt_client_packets',` + gen_require(` + type salt_client_packet_t; + ') + + dontaudit $1 salt_client_packet_t:packet send; +') + +######################################## +## +## Receive salt_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_salt_client_packets',` + gen_require(` + type salt_client_packet_t; + ') + + allow $1 salt_client_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive salt_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_salt_client_packets',` + gen_require(` + type salt_client_packet_t; + ') + + dontaudit $1 salt_client_packet_t:packet recv; +') + +######################################## +## +## Send and receive salt_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_salt_client_packets',` + corenet_send_salt_client_packets($1) + corenet_receive_salt_client_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive salt_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_salt_client_packets',` + corenet_dontaudit_send_salt_client_packets($1) + corenet_dontaudit_receive_salt_client_packets($1) +') + +######################################## +## +## Relabel packets to salt_client the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_salt_client_packets',` + gen_require(` + type salt_client_packet_t; + ') + + allow $1 salt_client_packet_t:packet relabelto; +') + + +######################################## +## +## Send salt_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_salt_server_packets',` + gen_require(` + type salt_server_packet_t; + ') + + allow $1 salt_server_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send salt_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_salt_server_packets',` + gen_require(` + type salt_server_packet_t; + ') + + dontaudit $1 salt_server_packet_t:packet send; +') + +######################################## +## +## Receive salt_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_salt_server_packets',` + gen_require(` + type salt_server_packet_t; + ') + + allow $1 salt_server_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive salt_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_salt_server_packets',` + gen_require(` + type salt_server_packet_t; + ') + + dontaudit $1 salt_server_packet_t:packet recv; +') + +######################################## +## +## Send and receive salt_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_salt_server_packets',` + corenet_send_salt_server_packets($1) + corenet_receive_salt_server_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive salt_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_salt_server_packets',` + corenet_dontaudit_send_salt_server_packets($1) + corenet_dontaudit_receive_salt_server_packets($1) +') + +######################################## +## +## Relabel packets to salt_server the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_salt_server_packets',` + gen_require(` + type salt_server_packet_t; + ') + + allow $1 salt_server_packet_t:packet relabelto; +') + + + + +######################################## +## ## Send and receive TCP traffic on the sap port. ## ##