From ef424c14d42f6536eac7e3c9f668e4eef0fa7b8c Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 20 Jul 2005 17:10:07 +0000
Subject: [PATCH] name_connect only on tcp_sockets
---
 refpolicy/policy/modules/kernel/corenetwork.if.in | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 25ea9d6c3..e9416e60c 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -984,13 +984,14 @@ interface(`corenet_unconfined',`
 gen_require(`
 attribute node_type, netif_type, port_type;
 class tcp_socket { send_msg recv_msg node_bind name_bind name_connect };
- class udp_socket { send_msg recv_msg node_bind name_bind name_connect };
+ class udp_socket { send_msg recv_msg node_bind name_bind };
 class rawip_socket node_bind;
 ')
 allow $1 node_type:node *;
 allow $1 netif_type:netif *;
- allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg name_connect };
+ allow $1 port_type:tcp_socket { send_msg recv_msg name_connect };
+ allow $1 port_type:udp_socket { send_msg recv_msg };
 # Bind to any network address.
 # cjp: rawip_socket doesnt make any sense
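Review bot: The two new `allow $1 port_type:...` rules in `corenet_unconfined` have no comment saying why `name_connect` is granted on `tcp_socket` only. A later cleanup could fold them back into a single `{ tcp_socket udp_socket }` rule and reintroduce a permission that the subject line implies is not valid for `udp_socket`. I would add a line above them such as `# name_connect applies to tcp_socket only; keep the TCP and UDP port rules separate.` The interface body continues past the end of this hunk and the rest of the file is not visible here, so it is worth confirming that no other interface in `corenetwork.if.in` still requires or allows `name_connect` on `udp_socket`.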