From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 04 Nov 2010 09:19:34 -0400
Subject: [refpolicy] MLS unix socket sendto/connectto
Message-ID: <4CD2B2E6.4040501@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The current MLS constraints for unix socket sendto/connectto are:

# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedobject ));

mlsconstrain unix_dgram_socket sendto
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedobject ));

These were added earlier this year (except the last t2 exception, which
was added more recently). My concern is with the mlstrustedobject part.
We need an exception like this to handle domains such as syslog, so they
can receive messages from any level. But I think we need a different
attribute, since domain types are used for the process itself and also
its /proc/pid files, so by making the domain a trusted object, the
/proc/pid become trusted objects too.

Opinions?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
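
Added example, not part of the original message or of refpolicy: a small Python model of the constraint expression quoted above, reporting which branch admits a given sender/receiver pair. The type names, ranges and attribute memberships (app_t, syslogd_t, s0, s15) are constructed sample values, and only the quoted unix socket constraint is modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int                       # sensitivity number, e.g. 0 for s0
    cats: frozenset = frozenset()   # category set

    def dom(self, other):           # self dominates other
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):         # self is dominated by other
        return other.dom(self)

@dataclass(frozen=True)
class Context:
    type: str
    low: Level    # l1 / l2 in the constraint
    high: Level   # h1 / h2 in the constraint

def unix_socket_constraint(src, tgt, attrs):
    """Return the names of the branches of the quoted expression that are
    satisfied; an empty list means the constraint denies the operation.
    attrs maps an attribute name to the set of types carrying it."""
    l1, h1, l2, h2 = src.low, src.high, tgt.low, tgt.high
    has = lambda t, a: t in attrs.get(a, set())
    branches = {
        "l1 eq l2": l1 == l2,
        "mlsnetwriteranged": has(src.type, "mlsnetwriteranged")
                             and l1.dom(l2) and l1.domby(h2),
        "mlsnetwritetoclr": has(src.type, "mlsnetwritetoclr")
                            and h1.dom(l2) and l1.domby(l2),
        "mlsnetwrite": has(src.type, "mlsnetwrite"),
        "mlstrustedobject": has(tgt.type, "mlstrustedobject"),
    }
    return [name for name, ok in branches.items() if ok]

# Constructed sample labels: a low-level sender and a high-level receiver.
S0 = Level(0)
S15 = Level(15, frozenset(range(1024)))
APP = Context("app_t", S0, S0)
SYSLOG = Context("syslogd_t", S15, S15)

if __name__ == "__main__":
    # Without the t2 exception, the s0 sender cannot reach the s15 receiver.
    print(unix_socket_constraint(APP, SYSLOG, {}))
    # With the receiver's domain type in mlstrustedobject, only that branch passes.
    print(unix_socket_constraint(APP, SYSLOG, {"mlstrustedobject": {"syslogd_t"}}))
```

The second call passes solely through the t2 branch, which is keyed on the receiver's domain type and not on any socket-specific label.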