add support for netfilter_contexts

diff --git a/Makefile b/Makefile
index 51304e9beee7f482557e7d6b8f2b92069df707e8..bd1cd4c7e234133041d29d6c521e985bdb1d218a 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -146,6 +146,7 @@ SRCPATH = $(INSTALLDIR)/src
 USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 FCPATH = $(CONTEXTPATH)/files/file_contexts
+NCPATH = $(CONTEXTPATH)/netfilter_contexts
 SHAREDIR = $(PREFIX)/share/selinux
 MODPKGDIR = $(SHAREDIR)/$(NAME)
 HEADERDIR = $(MODPKGDIR)/include

diff --git a/Rules.modular b/Rules.modular
index 9962498030a1da83bc780dc3b4b8b83b9f6e4601..d58d27d2c727ba48dc7563c1178f0f76be62b146 100644 (file)
--- a/Rules.modular
+++ b/Rules.modular
@@ -89,10 +89,10 @@ $(BUILDDIR)%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
 #
 # Create a base module package
 #
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA) $(SEUSERS) $(net_contexts)
        @echo "Creating $(NAME) base module package"
        @test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-       $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS)
+       $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA) -s $(SEUSERS) -n $(net_contexts)
 
 $(BASE_MOD): $(BASE_CONF)
        @echo "Compiling $(NAME) base module"

diff --git a/Rules.monolithic b/Rules.monolithic
index b066653c84a430e906b9120f95d6ff601a9fbe6a..303d0d7919f52a27ec8b3db156a28244304b6933 100644 (file)
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -42,7 +42,7 @@ default: policy
 
 policy: $(POLVER)
 
-install: $(LOADPATH) $(FCPATH) $(APPFILES) $(USERPATH)/local.users
+install: $(LOADPATH) $(FCPATH) $(NCPATH) $(APPFILES) $(USERPATH)/local.users
 
 load: $(TMPDIR)/load
 
@@ -199,6 +199,14 @@ ifeq "$(DISTRO)" "rhel4"
        $(verbose) rm -f $@.homedirs
 endif
 
+########################################
+#
+# Intall netfilter_contexts
+#
+$(NCPATH): $(net_contexts)
+       @echo "Installing $(NAME) netfilter_contexts."
+       $(verbose) install -m 0644 $^ $@
+
 ########################################
 #
 # Run policy source checks

diff --git a/support/gennetfilter.py b/support/gennetfilter.py
index 1821b62de77a4be6f6204f626011be4867b7430b..866db91a9a5f02b1711b75ca01c7da522006fcf2 100644 (file)
--- a/support/gennetfilter.py
+++ b/support/gennetfilter.py
@@ -43,7 +43,7 @@ class Packet:
                self.ports = ports
 
 def print_input_rules(packets,mls,mcs):
-       line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
+       line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
        if mls:
                line += ":"+DEFAULT_MLS
        elif mcs:
@@ -53,18 +53,18 @@ def print_input_rules(packets,mls,mcs):
 
        for i in packets:
                for j in i.ports:
-                       line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+                       line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
                        if mls:
                                line += ":"+j.mls_sens
                        elif mcs:
                                line += ":"+j.mcs_cats
                        print line
 
-       print "-A selinux_new_input -j CONNSECMARK --save"
-       print "-A selinux_new_input -j RETURN"
+       print "post -A selinux_new_input -j CONNSECMARK --save"
+       print "post -A selinux_new_input -j RETURN"
 
 def print_output_rules(packets,mls,mcs):
-       line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
+       line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
        if mls:
                line += ":"+DEFAULT_MLS
        elif mcs:
@@ -73,15 +73,15 @@ def print_output_rules(packets,mls,mcs):
 
        for i in packets:
                for j in i.ports:
-                       line = "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+                       line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
                        if mls:
                                line += ":"+j.mls_sens
                        elif mcs:
                                line += ":"+j.mcs_cats
                        print line
 
-       print "-A selinux_new_output -j CONNSECMARK --save"
-       print "-A selinux_new_output -j RETURN"
+       print "post -A selinux_new_output -j CONNSECMARK --save"
+       print "post -A selinux_new_output -j RETURN"
 
 def parse_corenet(file_name):
        packets = []
@@ -118,25 +118,25 @@ def parse_corenet(file_name):
        return packets
 
 def print_netfilter_config(packets,mls,mcs):
-       print "*mangle"
-       print ":PREROUTING ACCEPT [0:0]"
-       print ":INPUT ACCEPT [0:0]"
-       print ":FORWARD ACCEPT [0:0]"
-       print ":OUTPUT ACCEPT [0:0]"
-       print ":POSTROUTING ACCEPT [0:0]"
-       print ":selinux_input - [0:0]"
-       print ":selinux_output - [0:0]"
-       print ":selinux_new_input - [0:0]"
-       print ":selinux_new_output - [0:0]"
-       print "-A INPUT -j selinux_input"
-       print "-A OUTPUT -j selinux_output"
-       print "-A selinux_input -m state --state NEW -j selinux_new_input"
-       print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
-       print "-A selinux_output -m state --state NEW -j selinux_new_output"
-       print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+       print "pre *mangle"
+       print "pre :PREROUTING ACCEPT [0:0]"
+       print "pre :INPUT ACCEPT [0:0]"
+       print "pre :FORWARD ACCEPT [0:0]"
+       print "pre :OUTPUT ACCEPT [0:0]"
+       print "pre :POSTROUTING ACCEPT [0:0]"
+       print "pre :selinux_input - [0:0]"
+       print "pre :selinux_output - [0:0]"
+       print "pre :selinux_new_input - [0:0]"
+       print "pre :selinux_new_output - [0:0]"
+       print "pre -A INPUT -j selinux_input"
+       print "pre -A OUTPUT -j selinux_output"
+       print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
+       print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+       print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
+       print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
        print_input_rules(packets,mls,mcs)
        print_output_rules(packets,mls,mcs)
-       print "COMMIT"
+       print "post COMMIT"
 
 mls = False
 mcs = False