platform_system_sepolicy/net.te
Stephen Smalley ca0759b175 Restore netdomain allow rules.
Change I4be1c987a5d69ac784a56d42fc2c9063c402de11 removed all
netdomain allow rules at the same time domains were made unconfined.
Prior to that change, any domain that used the net_domain() macro
would be granted permissions required to use the network via these rules.
The change made the netdomain attribute unused in any rules, thereby
rendering the net_domain() calls pointless and requiring the allow
rules to be duplicated for any domain requiring network access. There
are two ways to resolve this inconsistency:
1.  Restore the netdomain rules as in this change.  In that case,
some rules in app.te can be removed as they are redundant with these rules.
-or-
2.  Completely remove the netdomain attribute, the net_domain() macro,
and all calls to it.  In that case, each domain that requires network
access will need to duplicate these rules or the necessary subset in order
to function.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Change-Id: Ia54f0cd0bbda5c510423b1046626bd50f79ed7b6
2013-09-30 15:07:55 -04:00

18 lines
592 B
Text

# Network types
type node, node_type;
type netif, netif_type;
type port, port_type;
# Use network sockets.
allow netdomain self:{ tcp_socket udp_socket } *;
# Connect to ports.
allow netdomain port_type:tcp_socket name_connect;
# Bind to ports.
allow netdomain node_type:{ tcp_socket udp_socket } node_bind;
allow netdomain port_type:udp_socket name_bind;
allow netdomain port_type:tcp_socket name_bind;
# Get route information.
allow netdomain self:netlink_route_socket { create bind read nlmsg_read };
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)