commit:     90ec32ea3f90abce8f678b879cf3a48875221d5a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 22 15:43:40 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 15:47:48 2018 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90ec32ea

Revert "refpolicy: Update for kernel sctp support"

This reverts commit 9ae0383e041bfa3c531eb028f38a7444cf1cbfaa.

This requires selinux 2.8 userspace. Reverting this until it's stable so
the policy can be released in the meantime.

 policy/constraints                      |   1 -
 policy/flask/access_vectors             |   2 -
 policy/mcs                              |   2 +-
 policy/mls                              |  18 +-
 policy/modules/kernel/corenetwork.if.in | 413 --------------------------------
 policy/modules/kernel/corenetwork.te.in |   8 +-
 policy/support/obj_perm_sets.spt        |   4 +-
 7 files changed, 14 insertions(+), 434 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index e9e05f06..90a794b3 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -130,7 +130,6 @@ exempted_ubac_constraint(fd, ubacfd)
 
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
-exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0630f012..b213ce5b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -985,8 +985,6 @@ class sctp_socket
 inherits socket
 {
        node_bind
-       name_connect
-       association
 }
 
 class icmp_socket

diff --git a/policy/mcs b/policy/mcs
index c0d424a9..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
 mlsconstrain process { signal }
        (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
        (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain key { create link read search setattr view write }
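Review bot: Dropping `sctp_socket` from the `node_bind` constraint on the new line removes the MCS dominance check for SCTP node binding while the class still declares `node_bind` (it survives as context in the access_vectors hunk), so on a kernel that actually performs the sctp_socket node_bind check an `mcs_constrained_type` could bind SCTP sockets to nodes regardless of category set. As far as these hunks show, this constraint depends only on the class and permission being declared, not on the 2.8 userspace the commit message cites, so the line could stay as `mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind`. If the revert is meant to be atomic, a sentence in the message noting that the SCTP MCS/MLS constraints are knowingly dropped would make the reduced coverage explicit.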

diff --git a/policy/mls b/policy/mls
index eeca15a8..73ff301b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount 
relabelfrom quotamod }
 #
 
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket } relabelto
        ( h1 dom h2 );
 
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write 
overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { 
accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept 
connect }
        (( l1 eq l2 ) or
         (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
           ( t1 == mlsnetread )) and
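Review bot: The rewritten `relabelto` and `{ accept connect }` constraint sets now omit `sctp_socket`, so an SCTP socket can be relabeled beyond the subject's clearance and accepted or connected across levels with no MLS check, even though the class still exists and inherits those permissions from `socket` (visible in the access_vectors hunk). These constraints reference only the class and inherited permissions, which as far as the diff shows compile without the 2.8 userspace the message cites for the revert, so keeping `sctp_socket` in both sets would preserve MLS coverage at no cost until the rest of the SCTP support is re-applied. The `{ accept connect }` constraint's condition continues past the end of this hunk.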
@@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket 
netlink_socket packet_s
 
 
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen 
accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt 
recv_msg }
        (( l1 dom l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));
@@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket 
netlink_firewall_socket netlink_tcpdiag_sock
         ( t1 == mlsnetread ));
 
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr 
relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket 
packet_socket key_socket unix_stream_socket unix_dgram_socket 
netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket 
netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket 
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket 
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket 
netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect 
setopt shutdown }
        (( l1 eq l2 ) or
         (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
         (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
         ( t1 == mlsnetwrite ));
 
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
        (( l1 eq l2 ) or
         (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
         ( t1 == mlsnetread ));
@@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
         ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket 
key_socket unix_stream_socket unix_dgram_socket netlink_route_socket 
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 
netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket 
netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock 
append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket 
key_socket unix_stream_socket unix_dgram_socket netlink_route_socket 
netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket 
netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket 
netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind 
sendto send_msg name_bind }
 #
-# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
+# { tcp_socket udp_socket rawip_socket } node_bind
 #
-# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom 
}
+# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
 #
-# { tcp_socket sctp_socket } name_connect
+# tcp_socket name_connect
 #
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket 
netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #

diff --git a/policy/modules/kernel/corenetwork.if.in 
b/policy/modules/kernel/corenetwork.if.in
index 4a91feb3..3671fa8e 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -634,24 +634,6 @@ interface(`corenet_raw_send_all_if',`
        allow $1 netif_type:netif { rawip_send egress };
 ')
 
-########################################
-## <summary>
-##     Send and receive SCTP network traffic on generic nodes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_sendrecv_generic_node',`
-       gen_require(`
-               type node_t;
-       ')
-
-       allow $1 node_t:node { sendto recvfrom };
-')
-
 ########################################
 ## <summary>
 ##     Receive raw IP packets on all interfaces.
@@ -859,24 +841,6 @@ interface(`corenet_raw_sendrecv_generic_node',`
        corenet_raw_receive_generic_node($1)
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to generic nodes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_generic_node',`
-       gen_require(`
-               type node_t;
-       ')
-
-       allow $1 node_t:sctp_socket node_bind;
-')
-
 ########################################
 ## <summary>
 ##     Bind TCP sockets to generic nodes.
@@ -1071,24 +1035,6 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
        dontaudit $1 node_type:node { udp_send sendto };
 ')
 
-########################################
-## <summary>
-##     Send and receive SCTP network traffic on all nodes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_sendrecv_all_nodes',`
-       gen_require(`
-               attribute node_type;
-       ')
-
-       allow $1 node_type:node { sendto recvfrom };
-')
-
 ########################################
 ## <summary>
 ##     Receive UDP network traffic on all nodes.
@@ -1281,25 +1227,6 @@ interface(`corenet_tcp_sendrecv_generic_port',`
        allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to all nodes.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_all_nodes',`
-       gen_require(`
-               attribute node_type;
-       ')
-
-       allow $1 node_type:sctp_socket node_bind;
-')
-
-
 ########################################
 ## <summary>
 ##     Do not audit send and receive TCP network traffic on generic ports.
@@ -1507,26 +1434,6 @@ interface(`corenet_udp_send_all_ports',`
        allow $1 port_type:udp_socket send_msg;
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_generic_port',`
-       gen_require(`
-               type port_t, unreserved_port_t;
-               attribute defined_port_type;
-       ')
-
-       allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
-       dontaudit $1 defined_port_type:sctp_socket name_bind;
-')
-
 ########################################
 ## <summary>
 ##     Receive UDP network traffic on all ports.
@@ -1584,25 +1491,6 @@ interface(`corenet_udp_sendrecv_all_ports',`
        corenet_udp_receive_all_ports($1)
 ')
 
-########################################
-## <summary>
-##     Do not audit attempts to bind SCTP
-##     sockets to generic ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_sctp_bind_generic_port',`
-       gen_require(`
-               type port_t, unreserved_port_t;
-       ')
-
-       dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
-')
-
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all ports.
@@ -1659,24 +1547,6 @@ interface(`corenet_udp_bind_all_ports',`
        allow $1 self:capability net_bind_service;
 ')
 
-########################################
-## <summary>
-##     Connect SCTP sockets to generic ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_connect_generic_port',`
-       gen_require(`
-               type port_t, unreserved_port_t;
-       ')
-
-       allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attepts to bind UDP sockets to any ports.
@@ -1848,25 +1718,6 @@ interface(`corenet_tcp_bind_reserved_port',`
        allow $1 self:capability net_bind_service;
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to all ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_all_ports',`
-       gen_require(`
-               attribute port_type;
-       ')
-
-       allow $1 port_type:sctp_socket name_bind;
-       allow $1 self:capability net_bind_service;
-')
-
 ########################################
 ## <summary>
 ##     Bind UDP sockets to generic reserved ports.
@@ -1904,24 +1755,6 @@ interface(`corenet_tcp_connect_reserved_port',`
        allow $1 reserved_port_t:tcp_socket name_connect;
 ')
 
-########################################
-## <summary>
-##     Do not audit attempts to bind SCTP sockets to any ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_sctp_bind_all_ports',`
-       gen_require(`
-               attribute port_type;
-       ')
-
-       dontaudit $1 port_type:sctp_socket name_bind;
-')
-
 ########################################
 ## <summary>
 ##     Send and receive TCP network traffic on all reserved ports.
@@ -1991,24 +1824,6 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
        corenet_udp_receive_all_reserved_ports($1)
 ')
 
-########################################
-## <summary>
-##     Connect SCTP sockets to all ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_connect_all_ports',`
-       gen_require(`
-               attribute port_type;
-       ')
-
-       allow $1 port_type:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all reserved ports.
@@ -2083,25 +1898,6 @@ 
interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
        dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
-########################################
-## <summary>
-##     Do not audit attempts to connect SCTP sockets
-##     to all ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_sctp_connect_all_ports',`
-       gen_require(`
-               attribute port_type;
-       ')
-
-       dontaudit $1 port_type:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Bind TCP sockets to all ports > 1024.
@@ -2156,24 +1952,6 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
        allow $1 reserved_port_type:tcp_socket name_connect;
 ')
 
-########################################
-## <summary>
-##     Connect SCTP sockets to all ports > 1024.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_connect_all_unreserved_ports',`
-       gen_require(`
-               attribute unreserved_port_type;
-       ')
-
-       allow $1 unreserved_port_type:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit connect attempts to TCP sockets on
@@ -2267,25 +2045,6 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
        dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to generic reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_reserved_port',`
-       gen_require(`
-               type reserved_port_t;
-       ')
-
-       allow $1 reserved_port_t:sctp_socket name_bind;
-       allow $1 self:capability net_bind_service;
-')
-
 ########################################
 ## <summary>
 ##     Read the TUN/TAP virtual network device.
@@ -2343,24 +2102,6 @@ interface(`corenet_rw_tun_tap_dev',`
        allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
 
-########################################
-## <summary>
-##     Connect SCTP sockets to generic reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_connect_reserved_port',`
-       gen_require(`
-               type reserved_port_t;
-       ')
-
-       allow $1 reserved_port_t:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attempts to read or write the TUN/TAP
@@ -2491,25 +2232,6 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
        dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_all_reserved_ports',`
-       gen_require(`
-               attribute reserved_port_type;
-       ')
-
-       allow $1 reserved_port_type:sctp_socket name_bind;
-       allow $1 self:capability net_bind_service;
-')
-
 ########################################
 ## <summary>
 ##     Receive TCP packets from a NetLabel connection.
@@ -2549,24 +2271,6 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
        kernel_sendrecv_unlabeled_association($1)
 ')
 
-########################################
-## <summary>
-##     Do not audit attempts to bind SCTP sockets to all reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
-       gen_require(`
-               attribute reserved_port_type;
-       ')
-
-       dontaudit $1 reserved_port_type:sctp_socket name_bind;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attempts to receive TCP packets from a NetLabel
@@ -2647,24 +2351,6 @@ interface(`corenet_udp_recvfrom_unlabeled',`
        kernel_sendrecv_unlabeled_association($1)
 ')
 
-########################################
-## <summary>
-##     Bind SCTP sockets to all ports > 1024.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_bind_all_unreserved_ports',`
-       gen_require(`
-               attribute unreserved_port_type;
-       ')
-
-       allow $1 unreserved_port_type:sctp_socket name_bind;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attempts to receive UDP packets from a NetLabel
@@ -2765,24 +2451,6 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
        dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
 
-########################################
-## <summary>
-##     Connect SCTP sockets to reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_connect_all_reserved_ports',`
-       gen_require(`
-               attribute reserved_port_type;
-       ')
-
-       allow $1 reserved_port_type:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attempts to receive Raw IP packets from an unlabeled
@@ -2890,25 +2558,6 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
        kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
 
-########################################
-## <summary>
-##     Do not audit attempts to connect SCTP sockets
-##     all reserved ports.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain to not audit.
-##     </summary>
-## </param>
-#
-interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
-       gen_require(`
-               attribute reserved_port_type;
-       ')
-
-       dontaudit $1 reserved_port_type:sctp_socket name_connect;
-')
-
 ########################################
 ## <summary>
 ##     Do not audit attempts to receive packets from a NetLabel
@@ -3040,7 +2689,6 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
-       corenet_sctp_recvfrom_labeled($1, $2)
        corenet_tcp_recvfrom_labeled($1, $2)
        corenet_udp_recvfrom_labeled($1, $2)
        corenet_raw_recvfrom_labeled($1, $2)
@@ -3311,24 +2959,6 @@ interface(`corenet_send_all_server_packets',`
        allow $1 server_packet_type:packet send;
 ')
 
-########################################
-## <summary>
-##     Receive SCTP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_recvfrom_netlabel',`
-       gen_require(`
-               type netlabel_peer_t;
-       ')
-
-       allow $1 netlabel_peer_t:peer recv;
-')
-
 ########################################
 ## <summary>
 ##     Receive all server packets.
@@ -3380,21 +3010,6 @@ interface(`corenet_relabelto_all_server_packets',`
        allow $1 server_packet_type:packet relabelto;
 ')
 
-########################################
-## <summary>
-##     Receive SCTP packets from an unlabled connection.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_recvfrom_unlabeled',`
-       kernel_recvfrom_unlabeled_peer($1)
-       kernel_sendrecv_unlabeled_association($1)
-')
-
 ########################################
 ## <summary>
 ##     Send all packets.
@@ -3528,34 +3143,6 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',`
        kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
 
-########################################
-## <summary>
-##     Rules for receiving labeled SCTP packets.
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
-## </param>
-## <param name="peer_domain">
-##     <summary>
-##     Peer domain.
-##     </summary>
-## </param>
-#
-interface(`corenet_sctp_recvfrom_labeled',`
-       allow { $1 $2 } self:association sendto;
-       allow $1 $2:association recvfrom;
-       allow $2 $1:association recvfrom;
-
-       allow $1 $2:peer recv;
-       allow $2 $1:peer recv;
-
-       # allow receiving packets from MLS-only peers using NetLabel
-       corenet_sctp_recvfrom_netlabel($1)
-       corenet_sctp_recvfrom_netlabel($2)
-')
-
 ########################################
 ## <summary>
 ##     Unconfined access to network objects.

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 56ca81ac..94d6f119 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -313,12 +313,9 @@ network_port(zope, tcp,8021,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
-portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
-portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
-portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 
 ########################################
 #
@@ -364,12 +361,11 @@ allow corenet_unconfined_type node_type:node { tcp_recv 
tcp_send udp_recv udp_se
 allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv 
udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
 allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in 
flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg 
name_connect };
-allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg 
name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket 
sctp_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket 
sctp_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } 
name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } 
node_bind;
 
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index e27330a9..fdbb4927 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket 
unix_dgram_socket }')
 #
 # Stream socket classes.
 #
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket 
}')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 
 #
 # Unprivileged socket classes (exclude rawip, netlink, packet).
 #
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket 
unix_dgram_socket sctp_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket 
unix_dgram_socket }')
 
 
 ########################################
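Review bot: Removing `sctp_socket` from `unpriv_socket_class_set` and `stream_socket_class_set` silently withdraws SCTP socket permissions from every domain that obtains its socket access through these sets, which is a wider behavioral change than the portcon and interface removals and is not mentioned in the commit message. Unlike `portcon sctp`, these sets are plain m4 `define` text and, as far as this diff shows, need nothing from the 2.8 userspace as long as the class remains declared in access_vectors, which this revert keeps. Consider leaving `sctp_socket` in `unpriv_socket_class_set`, or stating in the message that SCTP socket use by confined domains is knowingly dropped until the 2.8 userspace is stable.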
