Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
commit
203d4a70db
@ -209,14 +209,16 @@ mlsconstrain unix_stream_socket connectto
|
|||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
( t1 == mlsnetwrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
( t2 == mlstrustedobject ) or
|
||||
( t2 == mlstrustedsocket ));
|
||||
|
||||
mlsconstrain unix_dgram_socket sendto
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
( t1 == mlsnetwrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
( t2 == mlstrustedobject ) or
|
||||
( t2 == mlstrustedsocket ));
|
||||
|
||||
# these access vectors have no MLS restrictions
|
||||
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
|
||||
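Review bot: The new `( t2 == mlstrustedsocket )` disjunct on both the `connectto` and the `sendto` constraint is an unconditional exemption keyed on the target socket type alone, with no relation required between l1 and l2, so a socket of that type can be written into from every level in both the write-up and the write-down direction, and nothing in the hunk records why that is acceptable. A one-line comment above each of the two constraints would help the next reader, e.g. `# mlstrustedsocket: the target socket may be reached from any level (e.g. syslogd's /dev/log); TE rules still bound which domains may connect or send`. The exemption is narrower than `mlstrustedobject`, which lifts the file constraints as well, so this is the right shape, but only these two vectors are covered; whether the `write`/`read` constraints on the connected stream peers also need it is not visible in this hunk. The opening `( l1 eq l2 )` line of the `unix_stream_socket connectto` constraint lies above the hunk.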
@ -800,6 +800,33 @@ interface(`mls_trusted_object',`
|
|||
typeattribute $1 mlstrustedobject;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified socket MLS trusted.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Make specified socket MLS trusted. For sockets
|
||||
## marked as such, this allows all levels to:
|
||||
## * sendto to unix_dgram_sockets
|
||||
## * connectto to unix_stream_sockets
|
||||
## respectively.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the object.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mls_trusted_socket',`
|
||||
gen_require(`
|
||||
attribute mlstrustedsocket;
|
||||
')
|
||||
|
||||
typeattribute $1 mlstrustedsocket;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified domain trusted
|
||||
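Review bot: The `<param name="domain">` summary in the new `mls_trusted_socket` interface reads `The type of the object.`, which contradicts both the parameter name and the way the interface is meant to be used: the attribute is placed on the type that owns the socket, which for a unix socket is the creating domain. Suggest `## The domain (socket owner type) whose unix sockets become MLS trusted.` The `<desc>` should also state the scope of what is granted, since it is security relevant: the attribute lifts only the MLS level check on `connectto`/`sendto` toward the socket, it does not grant any TE access, and it applies to every unix_stream/unix_dgram socket the type creates rather than to one named socket, so it should be given only to receivers such as a syslog daemon that must accept data from every level. The body of the interface mirrors `mls_trusted_object` above it, which is fine.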
@ -56,6 +56,7 @@ attribute mlsdbupgrade;
|
|||
attribute mlsdbdowngrade;
|
||||
|
||||
attribute mlstrustedobject;
|
||||
attribute mlstrustedsocket;
|
||||
|
||||
attribute privrangetrans;
|
||||
attribute mlsrangetrans;
|
||||
@ -68,6 +68,7 @@ type syslogd_t;
|
|||
type syslogd_exec_t;
|
||||
init_daemon_domain(syslogd_t, syslogd_exec_t)
|
||||
init_named_socket_activation(syslogd_t, syslogd_var_run_t)
|
||||
mls_trusted_socket(syslogd_t)
|
||||
|
||||
type syslogd_initrc_exec_t;
|
||||
init_script_file(syslogd_initrc_exec_t)
|
||||
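Review bot: `mls_trusted_socket(syslogd_t)` exempts every unix socket syslogd_t creates from the MLS `connectto`/`sendto` level check, not just /dev/log, and the line carries no comment recording that intent or that limit. Suggest placing above it `# /dev/log must accept messages from every MLS level; this exempts the sockets syslogd_t owns from the connectto/sendto level constraint (TE rules still limit who may connect)`. It is also worth confirming the sock_file side is covered: reaching /dev/log additionally needs `sock_file write` on the socket file, which is governed by the file constraints and the sock_file's own label rather than by this attribute, so if that label is not already MLS-trusted (not visible in this hunk) low-level clients will still be refused. The surrounding syslogd_t declaration block continues outside the hunk.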