nnd
/
selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master

This commit is contained in:
Chris PeBenito 2016-05-31 09:04:38 -04:00
parent ffc9a79525 aedd5c314d
commit 203d4a70db
4 changed files with 33 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policy/mls
View File

@ -209,14 +209,16 @@ mlsconstrain unix_stream_socket connectto
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or ( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject )); ( t2 == mlstrustedobject ) or
( t2 == mlstrustedsocket ));
mlsconstrain unix_dgram_socket sendto mlsconstrain unix_dgram_socket sendto
(( l1 eq l2 ) or (( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ) or ( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject )); ( t2 == mlstrustedobject ) or
( t2 == mlstrustedsocket ));
# these access vectors have no MLS restrictions # these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }

27
policy/modules/kernel/mls.if
View File

@ -800,6 +800,33 @@ interface(`mls_trusted_object',`
typeattribute $1 mlstrustedobject; typeattribute $1 mlstrustedobject;
') ')
########################################
## <summary>
## Make specified socket MLS trusted.
## </summary>
## <desc>
## <p>
## Make specified socket MLS trusted. For sockets
## marked as such, this allows all levels to:
## * sendto to unix_dgram_sockets
## * connectto to unix_stream_sockets
## respectively.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the object.
## </summary>
## </param>
#
interface(`mls_trusted_socket',`
gen_require(`
attribute mlstrustedsocket;
')
typeattribute $1 mlstrustedsocket;
')
######################################## ########################################
## <summary> ## <summary>
## Make the specified domain trusted ## Make the specified domain trusted

1
policy/modules/kernel/mls.te
View File

@ -56,6 +56,7 @@ attribute mlsdbupgrade;
attribute mlsdbdowngrade; attribute mlsdbdowngrade;
attribute mlstrustedobject; attribute mlstrustedobject;
attribute mlstrustedsocket;
attribute privrangetrans; attribute privrangetrans;
attribute mlsrangetrans; attribute mlsrangetrans;

1
policy/modules/system/logging.te
View File

@ -68,6 +68,7 @@ type syslogd_t;
type syslogd_exec_t; type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t) init_daemon_domain(syslogd_t, syslogd_exec_t)
init_named_socket_activation(syslogd_t, syslogd_var_run_t) init_named_socket_activation(syslogd_t, syslogd_var_run_t)
mls_trusted_socket(syslogd_t)
type syslogd_initrc_exec_t; type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t) init_script_file(syslogd_initrc_exec_t)