Return-Path: <SRS0=Kdev=PS=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E713AC43387
	for <selinux-refpolicy@archiver.kernel.org>; Thu, 10 Jan 2019 10:51:29 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id B7D71206B6
	for <selinux-refpolicy@archiver.kernel.org>; Thu, 10 Jan 2019 10:51:29 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="npS8rlCI"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727623AbfAJKv3 (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Thu, 10 Jan 2019 05:51:29 -0500
Received: from smtp.sws.net.au ([46.4.88.250]:36244 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726255AbfAJKv3 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 10 Jan 2019 05:51:29 -0500
Received: from liv.localnet (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id EAE33EFE9
        for <selinux-refpolicy@vger.kernel.org>; Thu, 10 Jan 2019 21:51:25 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1547117486;
        bh=kvfPsatAuoeB5L1ZReLgoA5JLGcd5SSXGgibwbDgUSg=; l=1055;
        h=From:To:Subject:Date:From;
        b=npS8rlCIWyYuvIhxd/glpVTNiF3VTVp0C18sziFVHgSKoi2j6AglKP8TAKXJ57h5g
         Bo7A66hnnrKd434k6mKRoiYevu8pPDQpvDfKH93wNXFP7ESlyVbsrhcXm5iRGyGxLw
         DMc57nvT9mmwtDOs+IeOFzwIYAK06+N60nu8KiHE=
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: connected_stream_socket_perms
Date:   Thu, 10 Jan 2019 21:51:20 +1100
Message-ID: <1657648.nfkMHCI95s@liv>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

define(`rw_socket_perms', `{ ioctl read getattr write setattr append bind 
connect getopt setopt shutdown }')

define(`connected_socket_perms', `{ create ioctl read getattr write setattr 
append bind getopt setopt shutdown }')

The difference between these 2 is that connected_socket_perms includes create 
while rw_socket_perms has connect.  Why doesn't rw_socket_perms have create?  
Or if we are saying "rw_socket_perms only means reading and writing" then why 
does it have connect?

Does this all make sense?

I expect that a lot of policy has been written based on using whichever of 
those macros seems to match an audit2allow rule and vaguely match the concept 
of what someone imagines the program in question is doing.

Would it make sense to have another macro defined to { ioctl read getattr write 
setattr append bind getopt setopt shutdown } so that there can be a more 
obvious progression of which macro is a superset of which other macro?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/