Adds attribute mlstrustedsocket, along with the interface.

Sample AVC:
 type=AVC msg=audit(1459979143.990:219): avc:  denied  { sendto } for  pid=1935
 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html

policy/mls

@@ -209,14 +209,16 @@ mlsconstrain unix_stream_socket connectto
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ) or
-	 ( t2 == mlstrustedobject ));
+	 ( t2 == mlstrustedobject ) or
+	 ( t2 == mlstrustedsocket ));
 
 mlsconstrain unix_dgram_socket sendto
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ) or
-	 ( t2 == mlstrustedobject ));
+	 ( t2 == mlstrustedobject ) or
+	 ( t2 == mlstrustedsocket ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }

policy/modules/kernel/mls.if

@@ -800,6 +800,33 @@ interface(`mls_trusted_object',`
 	typeattribute $1 mlstrustedobject;
 ')
 
+########################################
+## <summary>
+##	Make specified socket MLS trusted.
+## </summary>
+## <desc>
+##	<p>
+##	Make specified socket MLS trusted. For sockets
+##	marked as such, this allows all levels to:
+##	 * sendto to unix_dgram_sockets
+##	 * connectto to unix_stream_sockets
+##	respectively.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the object.
+##	</summary>
+## </param>
+#
+interface(`mls_trusted_socket',`
+	gen_require(`
+		attribute mlstrustedsocket;
+	')
+
+	typeattribute $1 mlstrustedsocket;
+')
+
 ########################################
 ## <summary>
 ##	Make the specified domain trusted

policy/modules/kernel/mls.te

@@ -56,6 +56,7 @@ attribute mlsdbupgrade;
 attribute mlsdbdowngrade;
 
 attribute mlstrustedobject;
+attribute mlstrustedsocket;
 
 attribute privrangetrans;
 attribute mlsrangetrans;

policy/modules/system/logging.te

@@ -68,6 +68,7 @@ type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
 init_named_socket_activation(syslogd_t, syslogd_var_run_t)
+mls_trusted_socket(syslogd_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)