commit: 90ec32ea3f90abce8f678b879cf3a48875221d5a Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Sun Apr 22 15:43:40 2018 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Apr 22 15:47:48 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90ec32ea
Revert "refpolicy: Update for kernel sctp support" This reverts commit 9ae0383e041bfa3c531eb028f38a7444cf1cbfaa. This requires selinux 2.8 userspace. Reverting this until it's stable so the policy can be released in the mean time. policy/constraints | 1 - policy/flask/access_vectors | 2 - policy/mcs | 2 +- policy/mls | 18 +- policy/modules/kernel/corenetwork.if.in | 413 -------------------------------- policy/modules/kernel/corenetwork.te.in | 8 +- policy/support/obj_perm_sets.spt | 4 +- 7 files changed, 14 insertions(+), 434 deletions(-) diff --git a/policy/constraints b/policy/constraints index e9e05f06..90a794b3 100644 --- a/policy/constraints +++ b/policy/constraints @@ -130,7 +130,6 @@ exempted_ubac_constraint(fd, ubacfd) exempted_ubac_constraint(socket, ubacsock) exempted_ubac_constraint(tcp_socket, ubacsock) -exempted_ubac_constraint(sctp_socket, ubacsock) exempted_ubac_constraint(udp_socket, ubacsock) exempted_ubac_constraint(rawip_socket, ubacsock) exempted_ubac_constraint(netlink_socket, ubacsock) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 0630f012..b213ce5b 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -985,8 +985,6 @@ class sctp_socket inherits socket { node_bind - name_connect - association } class icmp_socket diff --git a/policy/mcs b/policy/mcs index c0d424a9..94319570 100644 --- a/policy/mcs +++ b/policy/mcs @@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop } mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain key { create link read search setattr view write } diff --git a/policy/mls b/policy/mls index eeca15a8..73ff301b 100644 --- a/policy/mls +++ b/policy/mls @@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # # new socket labels must be dominated by the relabeling subjects clearance -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto ( h1 dom h2 ); # the socket "read+write" ops # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), # require equal levels for unprivileged subjects, or read *and* write overrides) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } (( l1 eq l2 ) or (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )) and @@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s # the socket "read" ops (note the check is dominance of the low level) -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg } (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock ( t1 == mlsnetread )); # the socket "write" ops -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown } +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown } (( l1 eq l2 ) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsnetwrite )); # used by netlabel to restrict normal domains to same level connections -mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom +mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom (( l1 eq l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto ( t2 == mlstrustedsocket )); # these access vectors have no MLS restrictions -# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind } +# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } # -# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind +# { tcp_socket udp_socket rawip_socket } node_bind # -# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom } +# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } # -# { tcp_socket sctp_socket } name_connect +# tcp_socket name_connect # # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write # diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 4a91feb3..3671fa8e 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -634,24 +634,6 @@ interface(`corenet_raw_send_all_if',` allow $1 netif_type:netif { rawip_send egress }; ') -######################################## -## <summary> -## Send and receive SCTP network traffic on generic nodes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_sendrecv_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:node { sendto recvfrom }; -') - ######################################## ## <summary> ## Receive raw IP packets on all interfaces. @@ -859,24 +841,6 @@ interface(`corenet_raw_sendrecv_generic_node',` corenet_raw_receive_generic_node($1) ') -######################################## -## <summary> -## Bind SCTP sockets to generic nodes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_generic_node',` - gen_require(` - type node_t; - ') - - allow $1 node_t:sctp_socket node_bind; -') - ######################################## ## <summary> ## Bind TCP sockets to generic nodes. @@ -1071,24 +1035,6 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` dontaudit $1 node_type:node { udp_send sendto }; ') -######################################## -## <summary> -## Send and receive SCTP network traffic on all nodes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_sendrecv_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:node { sendto recvfrom }; -') - ######################################## ## <summary> ## Receive UDP network traffic on all nodes. @@ -1281,25 +1227,6 @@ interface(`corenet_tcp_sendrecv_generic_port',` allow $1 port_t:tcp_socket { send_msg recv_msg }; ') -######################################## -## <summary> -## Bind SCTP sockets to all nodes. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_all_nodes',` - gen_require(` - attribute node_type; - ') - - allow $1 node_type:sctp_socket node_bind; -') - - ######################################## ## <summary> ## Do not audit send and receive TCP network traffic on generic ports. @@ -1507,26 +1434,6 @@ interface(`corenet_udp_send_all_ports',` allow $1 port_type:udp_socket send_msg; ') -######################################## -## <summary> -## Bind SCTP sockets to generic ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_generic_port',` - gen_require(` - type port_t, unreserved_port_t; - attribute defined_port_type; - ') - - allow $1 { port_t unreserved_port_t }:sctp_socket name_bind; - dontaudit $1 defined_port_type:sctp_socket name_bind; -') - ######################################## ## <summary> ## Receive UDP network traffic on all ports. @@ -1584,25 +1491,6 @@ interface(`corenet_udp_sendrecv_all_ports',` corenet_udp_receive_all_ports($1) ') -######################################## -## <summary> -## Do not audit attempts to bind SCTP -## sockets to generic ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_sctp_bind_generic_port',` - gen_require(` - type port_t, unreserved_port_t; - ') - - dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind; -') - ######################################## ## <summary> ## Bind TCP sockets to all ports. @@ -1659,24 +1547,6 @@ interface(`corenet_udp_bind_all_ports',` allow $1 self:capability net_bind_service; ') -######################################## -## <summary> -## Connect SCTP sockets to generic ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_connect_generic_port',` - gen_require(` - type port_t, unreserved_port_t; - ') - - allow $1 { port_t unreserved_port_t }:sctp_socket name_connect; -') - ######################################## ## <summary> ## Do not audit attepts to bind UDP sockets to any ports. @@ -1848,25 +1718,6 @@ interface(`corenet_tcp_bind_reserved_port',` allow $1 self:capability net_bind_service; ') -######################################## -## <summary> -## Bind SCTP sockets to all ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:sctp_socket name_bind; - allow $1 self:capability net_bind_service; -') - ######################################## ## <summary> ## Bind UDP sockets to generic reserved ports. @@ -1904,24 +1755,6 @@ interface(`corenet_tcp_connect_reserved_port',` allow $1 reserved_port_t:tcp_socket name_connect; ') -######################################## -## <summary> -## Do not audit attempts to bind SCTP sockets to any ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_sctp_bind_all_ports',` - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:sctp_socket name_bind; -') - ######################################## ## <summary> ## Send and receive TCP network traffic on all reserved ports. @@ -1991,24 +1824,6 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` corenet_udp_receive_all_reserved_ports($1) ') -######################################## -## <summary> -## Connect SCTP sockets to all ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_connect_all_ports',` - gen_require(` - attribute port_type; - ') - - allow $1 port_type:sctp_socket name_connect; -') - ######################################## ## <summary> ## Bind TCP sockets to all reserved ports. @@ -2083,25 +1898,6 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` dontaudit $1 reserved_port_type:udp_socket name_bind; ') -######################################## -## <summary> -## Do not audit attempts to connect SCTP sockets -## to all ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_sctp_connect_all_ports',` - gen_require(` - attribute port_type; - ') - - dontaudit $1 port_type:sctp_socket name_connect; -') - ######################################## ## <summary> ## Bind TCP sockets to all ports > 1024. @@ -2156,24 +1952,6 @@ interface(`corenet_tcp_connect_all_reserved_ports',` allow $1 reserved_port_type:tcp_socket name_connect; ') -######################################## -## <summary> -## Connect SCTP sockets to all ports > 1024. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_connect_all_unreserved_ports',` - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:sctp_socket name_connect; -') - ######################################## ## <summary> ## Do not audit connect attempts to TCP sockets on @@ -2267,25 +2045,6 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` dontaudit $1 rpc_port_type:tcp_socket name_connect; ') -######################################## -## <summary> -## Bind SCTP sockets to generic reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:sctp_socket name_bind; - allow $1 self:capability net_bind_service; -') - ######################################## ## <summary> ## Read the TUN/TAP virtual network device. @@ -2343,24 +2102,6 @@ interface(`corenet_rw_tun_tap_dev',` allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; ') -######################################## -## <summary> -## Connect SCTP sockets to generic reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_connect_reserved_port',` - gen_require(` - type reserved_port_t; - ') - - allow $1 reserved_port_t:sctp_socket name_connect; -') - ######################################## ## <summary> ## Do not audit attempts to read or write the TUN/TAP @@ -2491,25 +2232,6 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',` dontaudit $1 rpc_port_type:udp_socket name_bind; ') -######################################## -## <summary> -## Bind SCTP sockets to all reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:sctp_socket name_bind; - allow $1 self:capability net_bind_service; -') - ######################################## ## <summary> ## Receive TCP packets from a NetLabel connection. @@ -2549,24 +2271,6 @@ interface(`corenet_tcp_recvfrom_unlabeled',` kernel_sendrecv_unlabeled_association($1) ') -######################################## -## <summary> -## Do not audit attempts to bind SCTP sockets to all reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:sctp_socket name_bind; -') - ######################################## ## <summary> ## Do not audit attempts to receive TCP packets from a NetLabel @@ -2647,24 +2351,6 @@ interface(`corenet_udp_recvfrom_unlabeled',` kernel_sendrecv_unlabeled_association($1) ') -######################################## -## <summary> -## Bind SCTP sockets to all ports > 1024. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_bind_all_unreserved_ports',` - gen_require(` - attribute unreserved_port_type; - ') - - allow $1 unreserved_port_type:sctp_socket name_bind; -') - ######################################## ## <summary> ## Do not audit attempts to receive UDP packets from a NetLabel @@ -2765,24 +2451,6 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',` dontaudit $1 netlabel_peer_t:rawip_socket recvfrom; ') -######################################## -## <summary> -## Connect SCTP sockets to reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - allow $1 reserved_port_type:sctp_socket name_connect; -') - ######################################## ## <summary> ## Do not audit attempts to receive Raw IP packets from an unlabeled @@ -2890,25 +2558,6 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',` kernel_dontaudit_sendrecv_unlabeled_association($1) ') -######################################## -## <summary> -## Do not audit attempts to connect SCTP sockets -## all reserved ports. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',` - gen_require(` - attribute reserved_port_type; - ') - - dontaudit $1 reserved_port_type:sctp_socket name_connect; -') - ######################################## ## <summary> ## Do not audit attempts to receive packets from a NetLabel @@ -3040,7 +2689,6 @@ interface(`corenet_raw_recvfrom_labeled',` ## </param> # interface(`corenet_all_recvfrom_labeled',` - corenet_sctp_recvfrom_labeled($1, $2) corenet_tcp_recvfrom_labeled($1, $2) corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) @@ -3311,24 +2959,6 @@ interface(`corenet_send_all_server_packets',` allow $1 server_packet_type:packet send; ') -######################################## -## <summary> -## Receive SCTP packets from a NetLabel connection. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_recvfrom_netlabel',` - gen_require(` - type netlabel_peer_t; - ') - - allow $1 netlabel_peer_t:peer recv; -') - ######################################## ## <summary> ## Receive all server packets. @@ -3380,21 +3010,6 @@ interface(`corenet_relabelto_all_server_packets',` allow $1 server_packet_type:packet relabelto; ') -######################################## -## <summary> -## Receive SCTP packets from an unlabled connection. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`corenet_sctp_recvfrom_unlabeled',` - kernel_recvfrom_unlabeled_peer($1) - kernel_sendrecv_unlabeled_association($1) -') - ######################################## ## <summary> ## Send all packets. @@ -3528,34 +3143,6 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',` kernel_ib_manage_subnet_unlabeled_endports($1) ') -######################################## -## <summary> -## Rules for receiving labeled SCTP packets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="peer_domain"> -## <summary> -## Peer domain. -## </summary> -## </param> -# -interface(`corenet_sctp_recvfrom_labeled',` - allow { $1 $2 } self:association sendto; - allow $1 $2:association recvfrom; - allow $2 $1:association recvfrom; - - allow $1 $2:peer recv; - allow $2 $1:peer recv; - - # allow receiving packets from MLS-only peers using NetLabel - corenet_sctp_recvfrom_netlabel($1) - corenet_sctp_recvfrom_netlabel($2) -') - ######################################## ## <summary> ## Unconfined access to network objects. diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 56ca81ac..94d6f119 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -313,12 +313,9 @@ network_port(zope, tcp,8021,s0) portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) -portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) -portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) -portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) ######################################## # @@ -364,12 +361,11 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress }; allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out }; allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; -allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind; -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind; +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; # Infiniband corenet_ib_access_all_pkeys(corenet_unconfined_type) diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt index e27330a9..fdbb4927 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }') # # Stream socket classes. # -define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }') +define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }') # # Unprivileged socket classes (exclude rawip, netlink, packet). # -define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }') +define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }') ########################################