commit: 9ae0383e041bfa3c531eb028f38a7444cf1cbfaa Author: Richard Haines <richard_c_haines <AT> btinternet <DOT> com> AuthorDate: Mon Mar 19 09:59:54 2018 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Mar 25 10:27:39 2018 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae0383e
refpolicy: Update for kernel sctp support

Add additional entries to support the kernel SCTP implementation introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines <AT> btinternet.com>

 policy/constraints | 1 +
 policy/flask/access_vectors | 2 +
 policy/mcs | 2 +-
 policy/mls | 18 +-
 policy/modules/kernel/corenetwork.if.in | 419 ++++++++++++++++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in | 8 +-
 policy/support/obj_perm_sets.spt | 4 +-
 7 files changed, 440 insertions(+), 14 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 90a794b3..e9e05f06 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -130,6 +130,7 @@ exempted_ubac_constraint(fd, ubacfd)
 exempted_ubac_constraint(socket, ubacsock)
 exempted_ubac_constraint(tcp_socket, ubacsock)
+exempted_ubac_constraint(sctp_socket, ubacsock)
 exempted_ubac_constraint(udp_socket, ubacsock)
 exempted_ubac_constraint(rawip_socket, ubacsock)
 exempted_ubac_constraint(netlink_socket, ubacsock)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 9c9db71b..4f57fb40 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -985,6 +985,8 @@ class sctp_socket inherits socket
 {
 node_bind
+ name_connect
+ association
 }
 class icmp_socket
diff --git a/policy/mcs b/policy/mcs
index 94319570..c0d424a9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,7 @@ mlsconstrain process { sigkill sigstop }
 mlsconstrain process { signal }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 mlsconstrain key { create link read search setattr view write }
diff --git a/policy/mls b/policy/mls
index 73ff301b..eeca15a8 100644
--- a/policy/mls
+++ b/policy/mls
@@ -166,13 +166,13 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 #
 # new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } relabelto
 ( h1 dom h2 );
 # the socket "read+write" ops
 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
 # require equal levels for unprivileged subjects, or read *and* write overrides)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket
netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { accept connect }
 (( l1 eq l2 ) or
 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread )) and
@@ -182,7 +182,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 # the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { read getattr listen accept getopt recv_msg }
 (( l1 dom l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
@@ -193,14 +193,14 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 ( t1 == mlsnetread ));
 # the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket } { write setattr relabelfrom connect setopt shutdown }
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 ( t1 == mlsnetwrite ));
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } recvfrom
 (( l1 eq l2 ) or
 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 ( t1 == mlsnetread ));
@@ -223,13 +223,13 @@ mlsconstrain unix_dgram_socket sendto
 ( t2 == mlstrustedsocket ));
 # these access vectors have no MLS restrictions
-# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
+# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket sctp_socket } { ioctl create lock append bind sendto send_msg name_bind }
 #
-# { tcp_socket udp_socket rawip_socket } node_bind
+# { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 #
-# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
+# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }
 #
-# tcp_socket name_connect
+# { tcp_socket sctp_socket } name_connect
 #
 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
 #
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 3671fa8e..64e98632 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
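Review bot: The updated "no MLS restrictions" comment now reads `# { tcp_socket unix_stream_socket sctp_socket } { connectto newconn acceptfrom }`, but per the access_vectors hunk in this commit sctp_socket inherits socket and declares only node_bind, name_connect and association, and the common socket set does not carry connectto, newconn or acceptfrom as far as I know, so that line documents access the class does not have. The newly declared `association` permission, by contrast, appears in none of the mlsconstrain statements shown on this page and is not listed here either. I would leave that line as `# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }` and, if the association check is meant to be unconstrained under MLS, add `# sctp_socket association` to this list; otherwise an MLS constraint for it is missing. The comment block continues past the end of the hunk.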
@@ -634,6 +634,24 @@ interface(`corenet_raw_send_all_if',`
 allow $1 netif_type:netif { rawip_send egress };
 ')
+########################################
+## <summary>
+## Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ## Receive raw IP packets on all interfaces.
@@ -841,6 +859,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
 corenet_raw_receive_generic_node($1)
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:sctp_socket node_bind;
+')
+
 ########################################
 ## <summary>
 ## Bind TCP sockets to generic nodes.
@@ -1035,6 +1071,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
 dontaudit $1 node_type:node { udp_send sendto };
 ')
+########################################
+## <summary>
+## Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { sendto recvfrom };
+')
+
 ########################################
 ## <summary>
 ## Receive UDP network traffic on all nodes.
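Review bot: The new SCTP interfaces are dropped into whatever section happened to be nearby rather than grouped with their TCP/UDP counterparts: `corenet_sctp_sendrecv_generic_node` lands after `corenet_raw_send_all_if` in the netif section here, and later hunks place `corenet_sctp_bind_reserved_port` and `corenet_sctp_connect_reserved_port` between the TUN/TAP device interfaces and the `corenet_sctp_*_all_reserved_ports` family between the NetLabel interfaces. The file otherwise keeps node, port, device and NetLabel interfaces together, so a reader looking for the SCTP port interfaces next to `corenet_tcp_bind_reserved_port` will not find them; moving each new interface beside its TCP equivalent would keep that convention. A smaller documentation point applies to the two `sendrecv` node interfaces in this line: they grant the protocol-neutral `node { sendto recvfrom }` where the neighbouring UDP interface uses `udp_send`, so a one-line comment such as `# SCTP has no protocol-specific node permissions; the generic sendto/recvfrom checks apply` above the allow rule would spare the next reader the comparison.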
@@ -1227,6 +1281,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
 allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:sctp_socket node_bind;
+')
+
+
 ########################################
 ## <summary>
 ## Do not audit send and receive TCP network traffic on generic ports.
@@ -1434,6 +1507,26 @@ interface(`corenet_udp_send_all_ports',`
 allow $1 port_type:udp_socket send_msg;
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ## Receive UDP network traffic on all ports.
@@ -1491,6 +1584,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
 corenet_udp_receive_all_ports($1)
 ')
+########################################
+## <summary>
+## Do not audit attempts to bind SCTP
+## sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ## Bind TCP sockets to all ports.
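Review bot: `corenet_sctp_bind_all_nodes` in the first hunk is followed by two added blank lines before the next `########################################` banner, whereas every other interface in this file and in this commit is separated by exactly one; drop one of the two `+` blank lines. Also worth a brief comment in `corenet_sctp_bind_generic_port` (second hunk): the `dontaudit $1 defined_port_type:sctp_socket name_bind;` line silently hides denials for any port that has its own type, which is the intended trade-off but is not obvious from the summary, e.g. `# denials on typed ports are expected here; callers bind those explicitly`.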
@@ -1547,6 +1659,24 @@ interface(`corenet_udp_bind_all_ports',`
 allow $1 self:capability net_bind_service;
 ')
+########################################
+## <summary>
+## Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t,ephemeral_port_t;
+ ')
+
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attepts to bind UDP sockets to any ports.
@@ -1718,6 +1848,25 @@ interface(`corenet_tcp_bind_reserved_port',`
 allow $1 self:capability net_bind_service;
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ## Bind UDP sockets to generic reserved ports.
@@ -1755,6 +1904,24 @@ interface(`corenet_tcp_connect_reserved_port',`
 allow $1 reserved_port_t:tcp_socket name_connect;
 ')
+########################################
+## <summary>
+## Do not audit attempts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ## Send and receive TCP network traffic on all reserved ports.
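Review bot: The gen_require in `corenet_sctp_connect_generic_port` (first hunk) reads `type port_t, unreserved_port_t,ephemeral_port_t;` with no space after the second comma, unlike the identical declaration in `corenet_sctp_bind_generic_port` and `corenet_dontaudit_sctp_bind_generic_port` elsewhere in this commit; make it `type port_t, unreserved_port_t, ephemeral_port_t;` so the three stay grep-identical. In `corenet_sctp_bind_all_ports` (second hunk) the `allow $1 self:capability net_bind_service;` grant follows the TCP/UDP pattern visible in the hunk header context, but since it is a capability rather than a port permission a short comment like `# binding below 1024 also needs the capability` would document why it lives here.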
@@ -1824,6 +1991,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
 corenet_udp_receive_all_reserved_ports($1)
 ')
+########################################
+## <summary>
+## Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Bind TCP sockets to all reserved ports.
@@ -1898,6 +2083,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
 dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
+########################################
+## <summary>
+## Do not audit attempts to connect SCTP sockets
+## to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Bind TCP sockets to all ports > 1024.
@@ -1952,6 +2156,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
 allow $1 reserved_port_type:tcp_socket name_connect;
 ')
+########################################
+## <summary>
+## Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Do not audit connect attempts to TCP sockets on
@@ -2045,6 +2267,25 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 dontaudit $1 rpc_port_type:tcp_socket name_connect;
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ## Read the TUN/TAP virtual network device.
@@ -2102,6 +2343,24 @@ interface(`corenet_rw_tun_tap_dev',`
 allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
 ')
+########################################
+## <summary>
+## Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to read or write the TUN/TAP
@@ -2232,6 +2491,25 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
 ########################################
 ## <summary>
 ## Receive TCP packets from a NetLabel connection.
@@ -2271,6 +2549,24 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
 kernel_sendrecv_unlabeled_association($1)
 ')
+########################################
+## <summary>
+## Do not audit attempts to bind SCTP sockets to all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to receive TCP packets from a NetLabel
@@ -2351,6 +2647,24 @@ interface(`corenet_udp_recvfrom_unlabeled',`
 kernel_sendrecv_unlabeled_association($1)
 ')
+########################################
+## <summary>
+## Bind SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:sctp_socket name_bind;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to receive UDP packets from a NetLabel
@@ -2451,6 +2765,24 @@ interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
 dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
 ')
+########################################
+## <summary>
+## Connect SCTP sockets to reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ allow $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to receive Raw IP packets from an unlabeled
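Review bot: The summary of `corenet_sctp_connect_all_reserved_ports` (third hunk) says `## Connect SCTP sockets to reserved ports.`, which reads the same as the `corenet_sctp_connect_reserved_port` summary "generic reserved ports" elsewhere in this commit even though the two interfaces differ materially: this one targets the `reserved_port_type` attribute (every reserved port type), the other only the `reserved_port_t` type. Since the interface summaries are what the generated documentation shows, the distinction should be stated, e.g. `## Connect SCTP sockets to all reserved ports.`, matching the name and the `corenet_sctp_bind_all_reserved_ports` summary.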
@@ -2558,6 +2890,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
 kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')
+########################################
+## <summary>
+## Do not audit attempts to connect SCTP sockets
+## all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
 ########################################
 ## <summary>
 ## Do not audit attempts to receive packets from a NetLabel
@@ -2689,6 +3040,7 @@ interface(`corenet_raw_recvfrom_labeled',`
 ## </param>
 #
 interface(`corenet_all_recvfrom_labeled',`
+ corenet_sctp_recvfrom_labeled($1, $2)
 corenet_tcp_recvfrom_labeled($1, $2)
 corenet_udp_recvfrom_labeled($1, $2)
 corenet_raw_recvfrom_labeled($1, $2)
@@ -2959,6 +3311,24 @@ interface(`corenet_send_all_server_packets',`
 allow $1 server_packet_type:packet send;
 ')
+########################################
+## <summary>
+## Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ## Receive all server packets.
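Review bot: The summary of `corenet_dontaudit_sctp_connect_all_reserved_ports` (first hunk) is missing a word: `## Do not audit attempts to connect SCTP sockets` / `## all reserved ports.` should read `## to all reserved ports.` on the second line, as the TCP/UDP dontaudit summaries in this file phrase it. In the second hunk, `corenet_all_recvfrom_labeled` now calls `corenet_sctp_recvfrom_labeled`, an interface this commit only defines in a later hunk; that is fine for m4, but a reviewer checking the call site cannot see the definition in this hunk, so the body of `corenet_all_recvfrom_labeled` is worth noting as continuing past the hunk end.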
@@ -3010,6 +3380,27 @@ interface(`corenet_relabelto_all_server_packets',`
 allow $1 server_packet_type:packet relabelto;
 ')
+########################################
+## <summary>
+## Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+ gen_require(`
+ attribute corenet_unlabeled_type;
+ ')
+
+ kernel_recvfrom_unlabeled_peer($1)
+
+ typeattribute $1 corenet_unlabeled_type;
+ kernel_sendrecv_unlabeled_association($1)
+')
+
 ########################################
 ## <summary>
 ## Send all packets.
@@ -3143,6 +3534,34 @@ interface(`corenet_ib_manage_subnet_unlabeled_endports',`
 kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
+########################################
+## <summary>
+## Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+ allow { $1 $2 } self:association sendto;
+ allow $1 $2:association recvfrom;
+ allow $2 $1:association recvfrom;
+
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_sctp_recvfrom_netlabel($1)
+ corenet_sctp_recvfrom_netlabel($2)
+')
+
 ########################################
 ## <summary>
 ## Unconfined access to network objects.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 6a96d6cc..cb3d4718 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
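Review bot: The summary of `corenet_sctp_recvfrom_unlabeled` (first hunk) misspells "unlabeled": `## Receive SCTP packets from an unlabled connection.` should be `## Receive SCTP packets from an unlabeled connection.`, which is also the spelling used in the interface name and in the neighbouring `corenet_tcp_recvfrom_unlabeled` / `corenet_udp_recvfrom_unlabeled` context. In `corenet_sctp_recvfrom_labeled` (second hunk) the rules are symmetric between `$1` and `$2`, and the summary "Rules for receiving labeled SCTP packets." does not say so; since callers may expect a one-directional grant, a sentence in the summary such as "Both domains may receive from each other." would document the actual contract.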
@@ -313,9 +313,12 @@ network_port(zope, tcp,8021,s0)
 portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
 portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
 portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
 ########################################
 #
@@ -361,11 +364,12 @@ allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_se
 allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
 allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 # Infiniband
 corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index fdbb4927..e27330a9 100644
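Review bot: The `allow corenet_unconfined_type node_type:node { ... }` rule is left untouched by the second hunk (it is only visible, truncated, in the hunk header), yet the new `corenet_sctp_sendrecv_generic_node` and `corenet_sctp_sendrecv_all_nodes` interfaces in corenetwork.if.in grant `node { sendto recvfrom }`; please confirm that rule already includes `sendto recvfrom`, otherwise unconfined domains end up with less SCTP node access than a confined domain using those interfaces. The added `allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };` also grants send_msg/recv_msg on ports, while no interface in this commit exposes those two permissions to confined domains (the TCP counterpart is `corenet_tcp_sendrecv_generic_port`, visible in an earlier hunk header); if that asymmetry is deliberate a comment on the rule should say so, otherwise matching `corenet_sctp_sendrecv_generic_port` / `corenet_sctp_sendrecv_all_ports` interfaces are missing. As a minor ordering nit in the first hunk, the three `portcon sctp` lines are interleaved with the tcp/udp ones rather than grouped by protocol like the existing lines.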
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -44,12 +44,12 @@ define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 #
 # Stream socket classes.
 #
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
 #
 # Unprivileged socket classes (exclude rawip, netlink, packet).
 #
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
 ########################################