Navigation

← Previous Changeset
Next Changeset →

Changeset 2187

Timestamp:

05/27/08 10:17:36 (4 months ago)

Author:

dsugar

Message:

minor changes for ipsec network stuff

Files:

trunk/framework-plugin/resources/cdsframework.spt (modified) (1 diff)
trunk/framework-plugin/resources/dictionary/dictionary.fdic (modified) (1 diff)
trunk/framework-plugin/resources/link/eth0.flnk (deleted)
trunk/framework-plugin/resources/link/eth1.flnk (deleted)
trunk/framework-plugin/resources/link/tcp_client.flnk (modified) (1 diff)
trunk/framework-plugin/resources/link/tcp_server.flnk (modified) (1 diff)
trunk/framework-plugin/src/com/tresys/framework/compiler/translator/SELinuxPolicy.java (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

trunk/framework-plugin/resources/cdsframework.spt

r2113	r2187
59	59	')
60	60
	61	define(`SEFramework_ipsec_endpoint',`
	62	gen_require(`
	63	type unlabeled_t;
	64	')
	65	allow $1 unlabeled_t:association { polmatch };
	66	')
	67
61	68	define(`SEFramework_read_boolean',`
62	69	allow $1 $2:file { read getattr };

trunk/framework-plugin/resources/dictionary/dictionary.fdic

r2172	r2187
265	265
266	266
267
268		~~rdef otheripsec~~
269		~~[desc: "Another Labeled Networking (ipsec) configured network connection"]~~
270		{
271		~~requires { ipsec }~~
272		~~# owner {~~
273		~~# resource {~~
274		~~# #TODO: I do not think this is correct, but the dictionary parser requires something here~~
275		~~# association { polmatch }~~
276		~~# }~~
277		~~# }~~
278		~~read {~~
279		~~default { read }~~
280		~~read~~
281		~~[desc: "Read data over UDP network connection"]~~
282		~~[backflow: 2]~~
283		{
284		~~self {~~
285		~~association { sendto }~~
286		}
287		~~other write {~~
288		~~association { recvfrom }~~
289		}
290		}
291		}
292
293		~~write {~~
294		~~default { write }~~
295		~~write~~
296		~~[desc: "Write data over UDP network connection"]~~
297		~~[backflow: 2]~~
298		{
299		~~self {~~
300		~~association { recvfrom }~~
301		}
302		~~other read {~~
303		~~association { sendto }~~
304		}
305		}
306		}
307
308		~~readwrite {~~
309		~~default { connrw }~~
310		~~connrw~~
311		~~[desc: "read and write over TCP network connection"]~~
312		{
313		~~resource {~~
314		~~association { recvfrom }~~
315		}
316		~~self {~~
317		~~association { sendto }~~
318		}
319		~~other readwrite {~~
320		~~association { sendto recvfrom }~~
321		}
322		}
323		}
324		}
325
326		~~rdef ohtersecmark~~
327		~~[desc: "Another IPTables (secmark) configured network connection"]~~
328		{
329		~~requires { secmark }~~
330		~~# owner {~~
331		~~# resource {~~
332		~~# #TODO: I do not think this is correct, but the dictionary parser requires something here~~
333		~~# packet { send recv }~~
334		~~# }~~
335		~~# }~~
336		~~read {~~
337		~~default { read }~~
338		~~read~~
339		~~[desc : "read data over network connection"]~~
340		~~[backflow: 2]~~
341		{
342		~~resource {~~
343		~~packet { recv }~~
344		}
345		}
346		}
347
348		~~write {~~
349		~~default { write }~~
350		~~write~~
351		~~[desc : "write data over network connection"]~~
352		~~[backflow: 1]~~
353		{
354		~~resource {~~
355		~~packet { send }~~
356		}
357		}
358		}
359
360		~~readwrite {~~
361		~~default { networkrw }~~
362		~~networkrw~~
363		~~[desc : "read and write over network connection"]~~
364		{
365		~~resource {~~
366		~~packet { send recv }~~
367		}
368		}
369		}
370		}
371
372	267	rdef namedPipesDir
373	268	[desc: "named pipe and the directory it lives in"]

trunk/framework-plugin/resources/link/tcp_client.flnk

r2113	r2187
2	2	[ desc:"Domain that communicates over the network as a TCP Client " ]
3	3	{
	4	corenet_tcp_connect_all_ports($)
4	5	self
5	6	{
6		tcp_socket { connect create getopt name_connect node_bind setopt write }
	7	tcp_socket { connect create getopt name_connect node_bind setopt read write }
7	8	}
8	9	}

trunk/framework-plugin/resources/link/tcp_server.flnk

r2113	r2187
2	2	[ desc:"Domain that communicates over the network as a TCP Server" ]
3	3	{
	4	corenet_tcp_bind_all_ports($)
	5	corenet_tcp_bind_generic_port($)
	6	corenet_tcp_bind_inaddr_any_node($)
	7	corenet_tcp_bind_generic_node($)
4	8	self
5	9	{

trunk/framework-plugin/src/com/tresys/framework/compiler/translator/SELinuxPolicy.java

r2151	r2187
799	799	public void Visit (AccessNetwork i_access)
800	800	{
	801	NetworkResource i_resource = (NetworkResource) i_access.getResource ();
	802
	803	Rdef rdef = i_resource.getRdef ();
	804
	805	// ipsec resource don't get a type - uses remote type from connection(s)
	806	if (rdef.GetSysResourceState (SystemResourceTypes.ipsec) != SysResourceState.No)
	807	{
	808	IDomain dom = i_access.getDomain ();
	809	m_bufferPolicy.println ("SEFramework_ipsec_endpoint(" + dom.getType () + ")");
	810	}
	811
801	812	Visit ((AccessResource) i_access);
802	813	}
…	…
909	920	Endpoint target = con.getTarget ();
910	921	m_bufferPolicy.println ("type " + target.getType () + ";");
911		this.MakeDomain (target.getType (), m_bufferPolicy, null);
	922	MakeDomain (target.getType (), m_bufferPolicy, null);
	923	m_bufferPolicy.println ("SEFramework_ipsec_endpoint(" + target.getType () + ")");
912	924	}
913	925	}
…	…
948	960	generateParentSearchPerms (i_access.getDomain (), resource, false, outStream, sIndent, sDomType);
949	961	}
950
951	962
952	963	// Create the perms for other

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.