2015-05-21 17:38:09

by Stephen Smalley

Subject: [refpolicy] [PATCH] Update netlink socket classes.

Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6fw_socket classes
from refpolicy, in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed. Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes. For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <[email protected]>
---
policy/constraints | 8 ++++++++
policy/flask/access_vectors | 24 ++++++++++++++++++++++++
policy/flask/security_classes | 10 ++++++++++
policy/mls | 6 +++---
policy/modules/admin/netutils.te | 2 ++
policy/modules/system/iptables.te | 1 +
policy/modules/system/netlabel.te | 1 +
policy/modules/system/sysnetwork.te | 1 +
policy/modules/system/udev.te | 1 +
policy/support/obj_perm_sets.spt | 2 +-
10 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 3a45f23..f7a40cc 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
exempted_ubac_constraint(appletalk_socket, ubacsock)
exempted_ubac_constraint(dccp_socket, ubacsock)
exempted_ubac_constraint(tun_socket, ubacsock)
+exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
+exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
+exempted_ubac_constraint(netlink_connector_socket, ubacsock)
+exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
+exempted_ubac_constraint(netlink_generic_socket, ubacsock)
+exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
+exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
+exempted_ubac_constraint(netlink_crypto_socket, ubacsock)

constrain socket_class_set { create relabelto relabelfrom }
(
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 2b20aa0..056cdd7 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -852,6 +852,30 @@ class binder
transfer
}

+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
class x_pointer
inherits x_device

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 653d347..8bc5d4e 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -125,6 +125,16 @@ class tun_socket

class binder

+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
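Review bot: The comment introduced in this hunk, `# Updated netlink classes for more recent netlink protocols.`, does not say where the class list comes from, so a later maintainer cannot tell which kernel classmap it is meant to track; the matching access_vectors hunk just above has no comment at all. I would cite the source in both places, e.g. `# Netlink classes added by kernel commit 223ae516404a7a65f09e79a1c0291521c233336e; these carry only the inherited socket permissions.`, since in access_vectors each new class is defined as `inherits socket` with no netlink-specific permissions. That second clause also records why the .te hunks use create_socket_perms rather than create_netlink_socket_perms for the new classes.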
diff --git a/policy/mls b/policy/mls
index f11e5e2..06e5106 100644
--- a/policy/mls
+++ b/policy/mls
@@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
#

# new socket labels must be dominated by the relabeling subjects clearance
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
( h1 dom h2 );

# the socket "read+write" ops
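Review bot: The "read+write" ops mlsconstrain that directly follows this hunk is not extended to the eight new classes, although the relabelto, read and write constraints in this file are; it is outside the changed lines and is visible only as the @@ header text of the next hunk (`mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s…`), and the three-hunk diffstat for policy/mls confirms it was left untouched. Unless that omission is deliberate, sockets of the new classes would be exempt from that constraint under an MLS policy, so the line should receive the same `netlink_iscsi_socket … netlink_crypto_socket` suffix added to the other three constraints. The netlink-specific constraint shown in the @@ header of the third hunk (`mlsconstrain { netlink_route_socket netlink_firewall_socket …`) appears right to leave alone, since the new classes inherit only the common socket permissions in access_vectors and so presumably have no nlmsg permissions to constrain.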
@@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s


# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
@@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
( t1 == mlsnetread ));

# the socket "write" ops
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 4ab5cd9..1c64781 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
+# For tcpdump.
+allow netutils_t self:netlink_netfilter_socket create_socket_perms;
allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
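Review bot: The new `netlink_netfilter_socket` rule is placed next to the older `allow netutils_t self:netlink_socket create_socket_perms;` with nothing in the policy file explaining why both remain; the commit message says the legacy rule is retained for older kernels, but a reader of netutils.te sees an apparently redundant pair and may drop one. A comment above the netlink_socket line such as `# netlink_socket rule retained for kernels that predate the per-protocol netlink classes.` would preserve that intent in the file itself. The same applies to the iptables.te, netlabel.te and sysnetwork.te hunks, where the new class rule is likewise added immediately after an existing netlink_socket rule.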
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 2c52a41..1ad1046 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
+allow iptables_t self:netlink_netfilter_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;

manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..f6d14b1 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
# modify the network subsystem configuration
allow netlabel_mgmt_t self:capability net_admin;
allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;

kernel_read_network_state(netlabel_mgmt_t)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 262c686..c9c3151 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
# generic netlink socket for iw
# socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
allow ifconfig_t self:netlink_socket create_socket_perms;
+allow ifconfig_t self:netlink_generic_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f6c43bf..f68d31d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udev_t self:netlink_generic_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;

allow udev_t udev_exec_t:file write;
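Review bot: The added `allow udev_t self:netlink_generic_socket create_socket_perms;` has no rationale comment, unlike the netutils.te addition (`# For tcpdump.`) and the sysnetwork.te rule that sits under `# generic netlink socket for iw` in this same patch. Generic netlink multiplexes many kernel families, so the allow rule on its own does not tell a future auditor which udev component needs it or whether the access is still required. A one-line comment naming the consumer, e.g. `# For <udev helper or builtin> -- TODO(review): confirm which component uses generic netlink.`, would make the rule reviewable later.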
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 27294ea..99c7fb0 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')


#
--
2.1.0


2015-05-22 12:39:07

by cpebenito

Subject: [refpolicy] [PATCH] Update netlink socket classes.

On 5/21/2015 1:38 PM, Stephen Smalley wrote:
> Define new netlink socket security classes introduced by kernel commit
> 223ae516404a7a65f09e79a1c0291521c233336e.
>
> Note that this does not remove the long-since obsolete
> netlink_firewall_socket and netlink_ip6_fw_socket classes
> from refpolicy in case they are still needed for legacy
> distribution policies.
>
> Add the new socket classes to socket_class_set.
> Update ubac and mls constraints for the new socket classes.
> Add allow rules for a few specific known cases (netutils, iptables,
> netlabel, ifconfig, udev) in core policy that require access.
> Further refinement for the contrib tree will be needed. Any allow
> rule previously written on :netlink_socket may need to be rewritten or
> duplicated for one of the more specific classes. For now, we retain the
> existing :netlink_socket rules for compatibility on older kernels.

Thanks, merged.


> Signed-off-by: Stephen Smalley <[email protected]>
> ---
> policy/constraints | 8 ++++++++
> policy/flask/access_vectors | 24 ++++++++++++++++++++++++
> policy/flask/security_classes | 10 ++++++++++
> policy/mls | 6 +++---
> policy/modules/admin/netutils.te | 2 ++
> policy/modules/system/iptables.te | 1 +
> policy/modules/system/netlabel.te | 1 +
> policy/modules/system/sysnetwork.te | 1 +
> policy/modules/system/udev.te | 1 +
> policy/support/obj_perm_sets.spt | 2 +-
> 10 files changed, 52 insertions(+), 4 deletions(-)
>
> diff --git a/policy/constraints b/policy/constraints
> index 3a45f23..f7a40cc 100644
> --- a/policy/constraints
> +++ b/policy/constraints
> @@ -150,6 +150,14 @@ exempted_ubac_constraint(netlink_kobject_uevent_socket, ubacsock)
> exempted_ubac_constraint(appletalk_socket, ubacsock)
> exempted_ubac_constraint(dccp_socket, ubacsock)
> exempted_ubac_constraint(tun_socket, ubacsock)
> +exempted_ubac_constraint(netlink_iscsi_socket, ubacsock)
> +exempted_ubac_constraint(netlink_fib_lookup_socket, ubacsock)
> +exempted_ubac_constraint(netlink_connector_socket, ubacsock)
> +exempted_ubac_constraint(netlink_netfilter_socket, ubacsock)
> +exempted_ubac_constraint(netlink_generic_socket, ubacsock)
> +exempted_ubac_constraint(netlink_scsitransport_socket, ubacsock)
> +exempted_ubac_constraint(netlink_rdma_socket, ubacsock)
> +exempted_ubac_constraint(netlink_crypto_socket, ubacsock)
>
> constrain socket_class_set { create relabelto relabelfrom }
> (
> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
> index 2b20aa0..056cdd7 100644
> --- a/policy/flask/access_vectors
> +++ b/policy/flask/access_vectors
> @@ -852,6 +852,30 @@ class binder
> transfer
> }
>
> +class netlink_iscsi_socket
> +inherits socket
> +
> +class netlink_fib_lookup_socket
> +inherits socket
> +
> +class netlink_connector_socket
> +inherits socket
> +
> +class netlink_netfilter_socket
> +inherits socket
> +
> +class netlink_generic_socket
> +inherits socket
> +
> +class netlink_scsitransport_socket
> +inherits socket
> +
> +class netlink_rdma_socket
> +inherits socket
> +
> +class netlink_crypto_socket
> +inherits socket
> +
> class x_pointer
> inherits x_device
>
> diff --git a/policy/flask/security_classes b/policy/flask/security_classes
> index 653d347..8bc5d4e 100644
> --- a/policy/flask/security_classes
> +++ b/policy/flask/security_classes
> @@ -125,6 +125,16 @@ class tun_socket
>
> class binder
>
> +# Updated netlink classes for more recent netlink protocols.
> +class netlink_iscsi_socket
> +class netlink_fib_lookup_socket
> +class netlink_connector_socket
> +class netlink_netfilter_socket
> +class netlink_generic_socket
> +class netlink_scsitransport_socket
> +class netlink_rdma_socket
> +class netlink_crypto_socket
> +
> # Still More SE-X Windows stuff
> class x_pointer # userspace
> class x_keyboard # userspace
> diff --git a/policy/mls b/policy/mls
> index f11e5e2..06e5106 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -164,7 +164,7 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
> #
>
> # new socket labels must be dominated by the relabeling subjects clearance
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } relabelto
> ( h1 dom h2 );
>
> # the socket "read+write" ops
> @@ -180,7 +180,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
>
>
> # the socket "read" ops (note the check is dominance of the low level)
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { read getattr listen accept getopt recv_msg }
> (( l1 dom l2 ) or
> (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread ));
> @@ -191,7 +191,7 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
> ( t1 == mlsnetread ));
>
> # the socket "write" ops
> -mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
> +mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket } { write setattr relabelfrom connect setopt shutdown }
> (( l1 eq l2 ) or
> (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
> index 4ab5cd9..1c64781 100644
> --- a/policy/modules/admin/netutils.te
> +++ b/policy/modules/admin/netutils.te
> @@ -38,6 +38,8 @@ dontaudit netutils_t self:capability { dac_override sys_tty_config };
> allow netutils_t self:process { setcap signal_perms };
> allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
> allow netutils_t self:netlink_socket create_socket_perms;
> +# For tcpdump.
> +allow netutils_t self:netlink_netfilter_socket create_socket_perms;
> allow netutils_t self:packet_socket create_socket_perms;
> allow netutils_t self:udp_socket create_socket_perms;
> allow netutils_t self:tcp_socket create_stream_socket_perms;
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 2c52a41..1ad1046 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -35,6 +35,7 @@ dontaudit iptables_t self:capability sys_tty_config;
> allow iptables_t self:fifo_file rw_fifo_file_perms;
> allow iptables_t self:process { sigchld sigkill sigstop signull signal };
> allow iptables_t self:netlink_socket create_socket_perms;
> +allow iptables_t self:netlink_netfilter_socket create_socket_perms;
> allow iptables_t self:rawip_socket create_socket_perms;
>
> manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
> index cbbda4a..f6d14b1 100644
> --- a/policy/modules/system/netlabel.te
> +++ b/policy/modules/system/netlabel.te
> @@ -18,6 +18,7 @@ role system_r types netlabel_mgmt_t;
> # modify the network subsystem configuration
> allow netlabel_mgmt_t self:capability net_admin;
> allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
> +allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
>
> kernel_read_network_state(netlabel_mgmt_t)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 262c686..c9c3151 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -274,6 +274,7 @@ allow ifconfig_t self:packet_socket create_socket_perms;
> # generic netlink socket for iw
> # socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
> allow ifconfig_t self:netlink_socket create_socket_perms;
> +allow ifconfig_t self:netlink_generic_socket create_socket_perms;
> allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
> allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
> allow ifconfig_t self:tcp_socket { create ioctl };
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index f6c43bf..f68d31d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -53,6 +53,7 @@ allow udev_t self:unix_stream_socket { listen accept };
> allow udev_t self:unix_dgram_socket sendto;
> allow udev_t self:unix_stream_socket connectto;
> allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow udev_t self:netlink_generic_socket create_socket_perms;
> allow udev_t self:rawip_socket create_socket_perms;
>
> allow udev_t udev_exec_t:file write;
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 27294ea..99c7fb0 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -28,7 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
> #
> # All socket classes.
> #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket }')
>
>
> #
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com