From 5a7c06fdd15ae5088607dc8a6055e05d66e11efb Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Aug 07 2006 17:25:09 +0000
Subject: add support for netfilter_contexts
---
diff --git a/Makefile b/Makefile
index 51304e9..bd1cd4c 100644
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,7 @@ SRCPATH = $(INSTALLDIR)/src
 USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+NCPATH = $(CONTEXTPATH)/netfilter_contexts
 SHAREDIR = $(PREFIX)/share/selinux
 MODPKGDIR = $(SHAREDIR)/$(NAME)
 HEADERDIR = $(MODPKGDIR)/include
diff --git a/Rules.modular b/Rules.modular
index 9962498..d58d27d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -89,10 +89,10 @@ $(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
 #
 # Create a base module package
 #
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS) $(net_contexts)
 @echo "Creating $(NAME) base module package"
 @test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
- $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) -n $(net_contexts)
 $(BASE_MOD): $(BASE_CONF)
 @echo "Compiling $(NAME) base module"
diff --git a/Rules.monolithic b/Rules.monolithic
index b066653..303d0d7 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -42,7 +42,7 @@ default: policy
 policy: $(POLVER)
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+install: $(LOADPATH) $(FCPATH) $(NCPATH) $(APPFILES) $(USERPATH)/local.users
 load: $(TMPDIR)/load
@@ -201,6 +201,14 @@ endif
 ########################################
 #
+# Intall netfilter_contexts
+#
+$(NCPATH): $(net_contexts)
+ @echo "Installing $(NAME) netfilter_contexts."
+ $(verbose) install -m 0644 $^ $@
+
+########################################
+#
 # Run policy source checks
 #
 check: $(BUILDDIR)check.res
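Review bot: The base-package recipe now passes `-n $(net_contexts)` unconditionally, but `$(net_contexts)` is not defined anywhere in this patch, so if it ever expands to nothing `$(SEMOD_PKG)` is invoked with a bare trailing `-n` and the package build fails instead of simply omitting the netfilter contexts, while the same empty value drops silently out of the prerequisite list. If the variable can legitimately be empty (a build without generated netfilter rules), guard the flag with `$(if $(net_contexts),-n $(net_contexts))`; if it must always be set, an `ifndef net_contexts` / `$(error net_contexts is not set)` check next to its definition would make the requirement explicit rather than leaving it to a cryptic semodule_package usage error. Because the file ends up inside the base module package that semodule later loads with root privileges, I would also say in the rule comment that `$(net_contexts)` is packaged as-is and not validated by this rule, so the generator is the place to trust.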
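Review bot: The new `$(NCPATH)` rule installs straight into `$(CONTEXTPATH)` but never ensures that directory exists, and its only prerequisite is `$(net_contexts)`, so on a fresh `$(DESTDIR)` or under `make -j` it can run before whatever rule creates `$(CONTEXTPATH)` for `$(FCPATH)` (that rule is not in this patch) and `install` fails; the base-package recipe in Rules.modular guards the same situation with `@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)`, and the equivalent line `@test -d $(CONTEXTPATH) || mkdir -p $(CONTEXTPATH)` belongs before the `install` call here. The header comment also has a typo: `# Intall netfilter_contexts` should read `# Install netfilter_contexts`, and since this file is the operating copy of the SECMARK rules I would state in that comment that mode 0644 is intentional (world-readable, writable only by the owner), as that is what the mode encodes. With a single prerequisite `$<` reads more clearly than `$^`, but that is cosmetic.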
diff --git a/support/gennetfilter.py b/support/gennetfilter.py
index 1821b62..866db91 100644
--- a/support/gennetfilter.py
+++ b/support/gennetfilter.py
@@ -43,7 +43,7 @@ class Packet:
 self.ports = ports
 def print_input_rules(packets,mls,mcs):
- line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
+ line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
 if mls:
 line += ":"+DEFAULT_MLS
 elif mcs:
@@ -53,18 +53,18 @@ def print_input_rules(packets,mls,mcs):
 for i in packets:
 for j in i.ports:
- line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+ line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
 if mls:
 line += ":"+j.mls_sens
 elif mcs:
 line += ":"+j.mcs_cats
 print line
- print "-A selinux_new_input -j CONNSECMARK --save"
- print "-A selinux_new_input -j RETURN"
+ print "post -A selinux_new_input -j CONNSECMARK --save"
+ print "post -A selinux_new_input -j RETURN"
 def print_output_rules(packets,mls,mcs):
- line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
+ line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
 if mls:
 line += ":"+DEFAULT_MLS
 elif mcs:
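Review bot: The per-port SECMARK line is built identically in print_input_rules and in print_output_rules (the latter's body continues past this hunk), and the new `base ` ordering keyword is now spelled out as a string literal in four places across the two functions, with `post ` in four more; a single helper such as `def secmark_rule(chain, port, ctx): return "base -A "+chain+" -p "+port.proto+" --dport "+port.num+" -j SECMARK --selctx system_u:object_r:"+ctx` would keep the keyword, chain name and context assembly in one place so a later change to the marker syntax cannot miss a copy. Neither function documents why the keyword differs between the default and per-port rules and the trailing CONNSECMARK/RETURN lines; a one-line docstring such as `"""Print the selinux_new_input SECMARK rules; 'base' lines are per-port marks, 'post' lines must sort after every contributed mark."""` would record the ordering contract the keywords express (the consumer of the keyword is not visible here, so confirm the wording against it).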
@@ -73,15 +73,15 @@ def print_output_rules(packets,mls,mcs):
 for i in packets:
 for j in i.ports:
- line = "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+ line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
 if mls:
 line += ":"+j.mls_sens
 elif mcs:
 line += ":"+j.mcs_cats
 print line
- print "-A selinux_new_output -j CONNSECMARK --save"
- print "-A selinux_new_output -j RETURN"
+ print "post -A selinux_new_output -j CONNSECMARK --save"
+ print "post -A selinux_new_output -j RETURN"
 def parse_corenet(file_name):
 packets = []
@@ -118,25 +118,25 @@ def parse_corenet(file_name):
 return packets
 def print_netfilter_config(packets,mls,mcs):
- print "*mangle"
- print ":PREROUTING ACCEPT [0:0]"
- print ":INPUT ACCEPT [0:0]"
- print ":FORWARD ACCEPT [0:0]"
- print ":OUTPUT ACCEPT [0:0]"
- print ":POSTROUTING ACCEPT [0:0]"
- print ":selinux_input - [0:0]"
- print ":selinux_output - [0:0]"
- print ":selinux_new_input - [0:0]"
- print ":selinux_new_output - [0:0]"
- print "-A INPUT -j selinux_input"
- print "-A OUTPUT -j selinux_output"
- print "-A selinux_input -m state --state NEW -j selinux_new_input"
- print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
- print "-A selinux_output -m state --state NEW -j selinux_new_output"
- print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print "pre *mangle"
+ print "pre :PREROUTING ACCEPT [0:0]"
+ print "pre :INPUT ACCEPT [0:0]"
+ print "pre :FORWARD ACCEPT [0:0]"
+ print "pre :OUTPUT ACCEPT [0:0]"
+ print "pre :POSTROUTING ACCEPT [0:0]"
+ print "pre :selinux_input - [0:0]"
+ print "pre :selinux_output - [0:0]"
+ print "pre :selinux_new_input - [0:0]"
+ print "pre :selinux_new_output - [0:0]"
+ print "pre -A INPUT -j selinux_input"
+ print "pre -A OUTPUT -j selinux_output"
+ print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
+ print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
+ print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
 print_input_rules(packets,mls,mcs)
 print_output_rules(packets,mls,mcs)
- print "COMMIT"
+ print "post COMMIT"
 mls = False
 mcs = False
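Review bot: print_netfilter_config has no docstring, and after this change every emitted line starts with a `pre`/`base`/`post` keyword that is not iptables-restore syntax and whose consumer is not visible in this file; a docstring should state that the keyword is an ordering tag for whatever assembles the final netfilter_contexts (presumably the file handed to `semodule_package -n`, to be confirmed), that `pre` covers the table header, chain declarations and the INPUT/OUTPUT hooks, `base` the SECMARK rules, and `post` the CONNSECMARK --save, RETURN and COMMIT lines, and that the tag must be stripped before the text is usable. The same docstring is the place for an operational caveat practitioners will want: once stripped, the output is an iptables-restore `*mangle` … `COMMIT` block, and iptables-restore flushes a named table before applying it unless run with `--noflush`, so loading this file replaces any mangle rules an administrator already had on the host. The `[0:0]` counters and `ACCEPT` policies are likewise reset on every load.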