It was just pointed out to me that the raw IP socket class is missing from the

recvfrom MLS constraint. Signed-off-by: Paul Moore
2007-03-09 14:45:19 +00:00 · 2007-03-09 14:45:19 +00:00 · b50f2ee48d
parent 0cca516db7
commit b50f2ee48d
2 changed files with 2 additions and 1 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
 - Patch for handling restart of nscd when ran from useradd, groupadd, and
  admin passwd, from Dan Walsh.
 - Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
--- a/policy/mls
+++ b/policy/mls
@ -183,7 +183,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 	 ( t1 == mlsnetwrite ));

 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
 	 ( t1 == mlsnetread ));