nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2b7b44d80e
selinux-refpolicy/policy
History
Chris PeBenito 2b7b44d80e Remove general unlabeled packet usage. 
Back when the SECMARK implementation was new, the packet class was always
checked.  Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules.  Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules.  Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.

To have partial SECMARK confinement, the following rule applies:

allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };

It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:

allow * unlabeled_t:packet { send recv };

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2013-05-14 10:15:34 -04:00
..
flask flask: add the attach_queue permission to the tun_socket object class 2013-01-22 12:46:06 -05:00
modules Remove general unlabeled packet usage. 2013-05-14 10:15:34 -04:00
support Add optional file name to filetrans_pattern. 2011-11-02 08:48:25 -04:00
constraints Allow user and role changes on dynamic transitions with the same constraints as regular transitions. 2011-09-02 09:59:26 -04:00
global_booleans Move secure_mode_policyload into selinux module as that is the only place it is used. 2011-09-26 09:53:23 -04:00
global_tunables
mcs Implement mcs_constrained_type 2012-11-28 16:12:25 -05:00
mls SEPostgresql changes from Kohei KaiGai. 2012-05-18 09:28:18 -04:00
policy_capabilities
users