Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class. As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11. Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
A few of the socket classes added by commit 09ebf2b59a ("refpolicy:
Define extended_socket_class policy capability and socket classes") are
never used because sockets can never be created with the associated
address family. Remove these unused socket security classes.
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB,
and mpls_socket for PF_MPLS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a (default disabled) definition for the extended_socket_class policy
capability used to enable the use of separate socket security classes
for all network address families rather than the generic socket class.
The capability also enables the use of separate security classes for ICMP
and SCTP sockets, which were previously mapped to rawip_socket class.
Add definitions for the new socket classes and access vectors enabled by
this capability. Add the new socket classes to the socket_class_set macro,
which also covers allowing access by unconfined domains. Allowing access
by other domains to the new socket security classes is left to future
commits.
The kernel support will be included in Linux 4.11+.
Building policy with this capability enabled will require libsepol 2.7+.
This change leaves the capability disabled by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Chris PeBenito
Stephen Smalley
Chris PeBenito