From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: connected_stream_socket_perms
Date: Thu, 10 Jan 2019 21:51:20 +1100
Message-ID: <1657648.nfkMHCI95s@liv>

define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')

The difference between these 2 is that connected_socket_perms includes create while rw_socket_perms has connect.

Why doesn't rw_socket_perms have create? Or if we are saying "rw_socket_perms only means reading and writing" then why does it have connect?

Does this all make sense? I expect that a lot of policy has been written based on using whichever of those macros seems to match an audit2allow rule and vaguely match the concept of what someone imagines the program in question is doing.

Would it make sense to have another macro defined to { ioctl read getattr write setattr append bind getopt setopt shutdown } so that there can be a more obvious progression of which macro is a superset of which other macro?

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
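The subset/superset question raised in the message above can be checked mechanically rather than by eye. The following is an added example, not code from the post or from refpolicy: it parses refpolicy-style `define(`name', `{ perms }')` lines (the m4 syntax used in obj_perm_sets.spt), expands any macro that refers to another macro by name the way m4 would, and then reports which permission sets are proper subsets of which and exactly what two sets differ by. The first two definitions are copied from the message; the third, `rw_connected_socket_perms`, is the set proposed there, and its name is an assumption made for this example only.

```python
import re

# Constructed input. The first two define() lines are the refpolicy macros quoted
# in the message; the third is the set the message proposes, under a name chosen
# here for illustration (it is not an existing refpolicy macro).
OBJ_PERM_SETS = r"""
define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }')
define(`connected_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`rw_connected_socket_perms', `{ ioctl read getattr write setattr append bind getopt setopt shutdown }')
"""

# One refpolicy permission-set macro: define(`name', `{ tok tok ... }')
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`\{([^}]*)\}'\)")


def parse_perm_sets(text):
    """Return {macro_name: frozenset(permissions)}.

    A token that names another macro in the same text is expanded recursively,
    mirroring what m4 does when the policy is built. A cycle is an error.
    """
    raw = {name: body.split() for name, body in DEFINE_RE.findall(text)}

    def expand(name, seen=()):
        if name in seen:
            raise ValueError("cyclic macro reference: " + " -> ".join(seen + (name,)))
        perms = set()
        for tok in raw[name]:
            if tok in raw:
                perms |= expand(tok, seen + (name,))
            else:
                perms.add(tok)
        return frozenset(perms)

    return {name: expand(name) for name in raw}


def subset_relations(sets):
    """Sorted (smaller, larger) pairs where smaller is a proper subset of larger."""
    return sorted(
        (a, b) for a in sets for b in sets if a != b and sets[a] < sets[b]
    )


def diff_perm_sets(sets, a, b):
    """(only_in_a, only_in_b, shared) as sorted lists, for two macro names."""
    return (
        sorted(sets[a] - sets[b]),
        sorted(sets[b] - sets[a]),
        sorted(sets[a] & sets[b]),
    )


if __name__ == "__main__":
    sets = parse_perm_sets(OBJ_PERM_SETS)
    for small, large in subset_relations(sets):
        print(f"{small} < {large}")
    only_a, only_b, shared = diff_perm_sets(sets, "rw_socket_perms", "connected_socket_perms")
    print("only in rw_socket_perms:       ", only_a)
    print("only in connected_socket_perms:", only_b)
    print("shared:", shared)
```

Run against the three definitions, the script reports that the proposed set is a proper subset of both existing macros, while neither existing macro is a subset of the other: they differ by exactly `connect` on one side and `create` on the other. Pointing the same parser at a full obj_perm_sets.spt shows the whole lattice of socket macros, which is the "obvious progression" the message asks for.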