From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Nov 2010 09:19:34 -0400
Subject: [refpolicy] MLS unix socket sendto/connectto
Message-ID: <4CD2B2E6.4040501@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The current MLS constraints for unix socket sendto/connectto are:

# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
        (( l1 eq l2 ) or
         (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby
h2 )) or
         (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2
)) or
         ( t1 == mlsnetwrite ) or
         ( t2 == mlstrustedobject ));

mlsconstrain unix_dgram_socket sendto
        (( l1 eq l2 ) or
         (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby
h2 )) or
         (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2
)) or
         ( t1 == mlsnetwrite ) or
         ( t2 == mlstrustedobject ));

These were added earlier this year (except the last t2 exception which
was added more recently).  My concern is with the mlstrustedobject part.
 We need an exception like this to handle domains such as syslog, so
they can receive messages from any level.  But I think we need a
different attribute since domain types are used for the process itself
and also it's /proc/pid files, so by making the domain a trusted object,
the /proc/pid become trusted objects too.  Opinions?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com