updated mls comments from chad hanson
parent
77b81c6bb3
commit
63e0a1e078
|
@ -1,3 +1,4 @@
|
||||||
|
- Updated comments in mls file from Chad Hanson.
|
||||||
- Added modules:
|
- Added modules:
|
||||||
amavis (Erich Schubert)
|
amavis (Erich Schubert)
|
||||||
apt (Erich Schubert)
|
apt (Erich Schubert)
|
||||||
|
|
|
@ -293,8 +293,14 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
|
||||||
#
|
#
|
||||||
# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
|
# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
|
||||||
#
|
#
|
||||||
|
# tcp_socket name_connect
|
||||||
|
#
|
||||||
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
|
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
|
||||||
#
|
#
|
||||||
|
# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
|
||||||
|
#
|
||||||
|
# netlink_kobject_uevent_socket *
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -365,7 +371,7 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
|
||||||
(( l1 dom l2 ) and ( l1 domby h2 ));
|
(( l1 dom l2 ) and ( l1 domby h2 ));
|
||||||
|
|
||||||
# these access vectors have no MLS restrictions
|
# these access vectors have no MLS restrictions
|
||||||
# { netif node } { enforce_dest }
|
# node enforce_dest
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -397,7 +403,7 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec se
|
||||||
( t1 == mlsprocwrite ));
|
( t1 == mlsprocwrite ));
|
||||||
|
|
||||||
# these access vectors have no MLS restrictions
|
# these access vectors have no MLS restrictions
|
||||||
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem }
|
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -663,6 +669,6 @@ mlsconstrain xinput { setattr relabelinput }
|
||||||
#
|
#
|
||||||
|
|
||||||
# these access vectors have no MLS restrictions
|
# these access vectors have no MLS restrictions
|
||||||
# association { sendto recvfrom }
|
# association *
|
||||||
|
|
||||||
') dnl end enable_mls
|
') dnl end enable_mls
|
||||||
|
|
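Review bot: The two wildcard entries added to the "no MLS restrictions" comment lists, `# netlink_kobject_uevent_socket *` in the socket hunk and `# association *` in the last hunk, no longer record which permissions were actually reviewed and left unconstrained. If a permission is later added to either class, the comment will cover it automatically even though nobody decided it needs no MLS constraint, so the lists stop working as an audit checklist. Enumerating the permissions, as the neighbouring `# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }` line does and as the previous `# association { sendto recvfrom }` form did, would keep each exemption explicit. The class definitions are not visible in this diff, so the exact permission sets have to be taken from the access-vector declarations.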