commit: 24762b278b67aca295c421b75683c3bf5e27ed21
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 15 18:50:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 15 18:50:28 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=24762b27
Update corenetwork builds after adding bitcoin ports
---
policy/modules/kernel/corenetwork.if | 443 +++++++++++++++++++++++++++++++++++
policy/modules/kernel/corenetwork.te | 10 +-
2 files changed, 452 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corenetwork.if
b/policy/modules/kernel/corenetwork.if
index 3385d83..ee210d4 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -12021,6 +12021,449 @@ interface(`corenet_relabelto_bgp_server_packets',`
########################################
## <summary>
+## Send and receive TCP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+## Send UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ dontaudit $1 bitcoin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+## Receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ dontaudit $1 bitcoin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+## Send and receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_bitcoin_port',`
+ corenet_udp_send_bitcoin_port($1)
+ corenet_udp_receive_bitcoin_port($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive
+## UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_bitcoin_port',`
+ corenet_dontaudit_udp_send_bitcoin_port($1)
+ corenet_dontaudit_udp_receive_bitcoin_port($1)
+')
+
+########################################
+## <summary>
+## Bind TCP sockets to the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:tcp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Bind UDP sockets to the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:udp_socket name_bind;
+
+')
+
+########################################
+## <summary>
+## Make a TCP connection to the bitcoin port.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_connect_bitcoin_port',`
+ gen_require(`
+ type bitcoin_port_t;
+ ')
+
+ allow $1 bitcoin_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+## Send bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bitcoin_client_packets',`
+ gen_require(`
+ type bitcoin_client_packet_t;
+ ')
+
+ allow $1 bitcoin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bitcoin_client_packets',`
+ gen_require(`
+ type bitcoin_client_packet_t;
+ ')
+
+ dontaudit $1 bitcoin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bitcoin_client_packets',`
+ gen_require(`
+ type bitcoin_client_packet_t;
+ ')
+
+ allow $1 bitcoin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bitcoin_client_packets',`
+ gen_require(`
+ type bitcoin_client_packet_t;
+ ')
+
+ dontaudit $1 bitcoin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bitcoin_client_packets',`
+ corenet_send_bitcoin_client_packets($1)
+ corenet_receive_bitcoin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bitcoin_client_packets',`
+ corenet_dontaudit_send_bitcoin_client_packets($1)
+ corenet_dontaudit_receive_bitcoin_client_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to bitcoin_client the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_bitcoin_client_packets',`
+ gen_require(`
+ type bitcoin_client_packet_t;
+ ')
+
+ allow $1 bitcoin_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+## Send bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bitcoin_server_packets',`
+ gen_require(`
+ type bitcoin_server_packet_t;
+ ')
+
+ allow $1 bitcoin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bitcoin_server_packets',`
+ gen_require(`
+ type bitcoin_server_packet_t;
+ ')
+
+ dontaudit $1 bitcoin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+## Receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bitcoin_server_packets',`
+ gen_require(`
+ type bitcoin_server_packet_t;
+ ')
+
+ allow $1 bitcoin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bitcoin_server_packets',`
+ gen_require(`
+ type bitcoin_server_packet_t;
+ ')
+
+ dontaudit $1 bitcoin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+## Send and receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bitcoin_server_packets',`
+ corenet_send_bitcoin_server_packets($1)
+ corenet_receive_bitcoin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to send and receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bitcoin_server_packets',`
+ corenet_dontaudit_send_bitcoin_server_packets($1)
+ corenet_dontaudit_receive_bitcoin_server_packets($1)
+')
+
+########################################
+## <summary>
+## Relabel packets to bitcoin_server the packet type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_relabelto_bitcoin_server_packets',`
+ gen_require(`
+ type bitcoin_server_packet_t;
+ ')
+
+ allow $1 bitcoin_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
## Send and receive TCP traffic on the boinc port.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te
b/policy/modules/kernel/corenetwork.te
index 1bbf3c5..af43a4e 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2,7 +2,7 @@
# This is a generated file! Instead of modifying this file, the
# corenetwork.te.in or corenetwork.te.m4 file should be modified.
#
-policy_module(corenetwork, 1.20.2)
+policy_module(corenetwork, 1.21.0)
########################################
#
@@ -236,6 +236,14 @@ portcon tcp 2605
gen_context(system_u:object_r:bgp_port_t,s0)
portcon udp 2605 gen_context(system_u:object_r:bgp_port_t,s0)
+type bitcoin_port_t, port_type, defined_port_type;
+type bitcoin_client_packet_t, packet_type, client_packet_type;
+type bitcoin_server_packet_t, packet_type, server_packet_type;
+typeattribute bitcoin_port_t unreserved_port_type;
+portcon tcp 8332 gen_context(system_u:object_r:bitcoin_port_t,s0)
+portcon tcp 8333 gen_context(system_u:object_r:bitcoin_port_t,s0)
+
+
type boinc_port_t, port_type, defined_port_type;
type boinc_client_packet_t, packet_type, client_packet_type;
type boinc_server_packet_t, packet_type, server_packet_type;
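Review bot: The two added `portcon` lines label both tcp 8332 and tcp 8333 with the single type `bitcoin_port_t`, so any domain later given `name_connect` or `name_bind` on that type is allowed both ports. In a default bitcoind setup 8332 is the JSON-RPC port and 8333 the peer-to-peer port, so a domain that only needs to talk to peers could also connect to the RPC endpoint. Consider a separate type for the RPC port, e.g. `portcon tcp 8332 gen_context(system_u:object_r:bitcoin_rpc_port_t,s0)` (the type name is only a suggestion), with its own set of generated interfaces. The header of this file says it is generated, so the split would be made in corenetwork.te.in rather than here.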