Next: Domains Up: General Types Previous: NFS Types   Contents


Network Types

The network.te file contains declarations for types used for network objects. At the end of the file, several rules are specified to define relationships among these network object types.

The any_socket_t type is the default destination socket type for UDP or raw IP traffic. The can_network macro grants the domain permission to send to this socket type. This macro is applied to any domain that uses the network.

The icmp_socket_t type is the type of the kernel socket used to send ICMP messages. This socket type is allowed to send and receive raw IP messages. The tcp_socket_t type is the type of the kernel socket used to send TCP resets. This socket is allowed to send and receive TCP messages. No domain is granted permissions to these socket types since they are only used internally by the kernel.

The port_t type is the default type for INET port numbers. All domains are allowed to bind port numbers with this type. Separate types are defined for several port numbers. Only the lpd_t domain is allowed to bind printer_port_t. Only the sendmail_t domain is allowed to bind smtp_port_t. No domain is currently allowed to bind http_port_t. The inetd_t domain is allowed to bind the other types (ftp_port_t, telnet_port_t, rlogin_port_t, rsh_port_t). Hence, these types could be collapsed into a single inetd_port_t type. Port types are associated with specific port numbers through the network context configuration described in Section 7.3.

The netif_t type is the default type for network interfaces. The netmsg_t type is the default type for unlabeled messages received on network interfaces. Separate pairs of types are defined for several network interfaces: netif_eth0_t and netmsg_eth0_t, netif_eth1_t and netmsg_eth1_t, and netif_lo_t and netmsg_lo_t. Network interface types are associated with specific network interface names through the network context configuration described in Section 7.3. Permissions are granted for each unlabeled message type to be received on the corresponding network interface type. The initrc_t and administrator domains are allowed to configure any network interface. Several domains are allowed to get the configuration of any network interface. The can_network macro grants the domain permissions to send and receive on any network interface.

The node_t type is the default type for nodes. The node_lo_t type is the type for the loopback address. The node_internal_t type is the type for nodes on the local area network. Any of the unlabeled message types are allowed to be received from any node type. The can_network macro grants the domain permissions to send to any node type. Node types are associated with specific network addresses through the network context configuration described in Section 7.3.
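As an added illustration, not the actual contents of network.te or of the network context configuration, the following fragment sketches in the syntax of the example policy language the declarations and relationships the text describes; the attribute names (port_type, netif_type, netmsg_type, node_type), the permission names, the port numbers and the 192.168.1.0/24 address are assumptions.

```selinux
# Illustrative reconstruction of the network type declarations and the
# rules described above; attribute names and port numbers are assumed.

# Socket types used as defaults or only internally by the kernel
type any_socket_t;     # default destination socket for UDP / raw IP
type icmp_socket_t;    # kernel socket for ICMP messages (no domain access)
type tcp_socket_t;     # kernel socket for TCP resets   (no domain access)

# Port types: a default plus one type per protected port
type port_t, port_type;
type printer_port_t, port_type;
type smtp_port_t, port_type;
type http_port_t, port_type;

# Interface / unlabeled-message type pairs and node types
type netif_t, netif_type;         type netmsg_t, netmsg_type;
type netif_eth0_t, netif_type;    type netmsg_eth0_t, netmsg_type;
type netif_lo_t, netif_type;      type netmsg_lo_t, netmsg_type;
type node_t, node_type;
type node_lo_t, node_type;
type node_internal_t, node_type;

# Relationships among the network object types:
# each unlabeled message type may be received on its own interface ...
allow netmsg_eth0_t netif_eth0_t:netif { tcp_recv udp_recv rawip_recv };
allow netmsg_lo_t   netif_lo_t:netif   { tcp_recv udp_recv rawip_recv };
# ... and any unlabeled message type may arrive from any node type.
allow netmsg_type node_type:node { tcp_recv udp_recv rawip_recv };

# Port binding follows least privilege: only the named domain may bind a
# protected port, and http_port_t has no binder at all.
allow lpd_t      printer_port_t:tcp_socket name_bind;
allow sendmail_t smtp_port_t:tcp_socket    name_bind;
# (intentionally no name_bind rule for http_port_t)

# Network contexts (Section 7.3) tie the types to concrete numbers and names.
portcon tcp 515 system_u:object_r:printer_port_t
portcon tcp 25  system_u:object_r:smtp_port_t
portcon tcp 80  system_u:object_r:http_port_t
netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:netmsg_eth0_t
netifcon lo   system_u:object_r:netif_lo_t   system_u:object_r:netmsg_lo_t
nodecon 127.0.0.1   255.255.255.255 system_u:object_r:node_lo_t
nodecon 192.168.1.0 255.255.255.0   system_u:object_r:node_internal_t  # constructed
```

A domain that needs the network is then given the sending permissions on any_socket_t, the netif types and the node types through can_network rather than through per-domain rules, so the per-port name_bind rules remain the only place binding rights are widened.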

