From: paul.moore@hp.com (Paul Moore)
Date: Thu, 04 Nov 2010 10:46:49 -0400
Subject: [refpolicy] MLS unix socket sendto/connectto
In-Reply-To: <4CD2B2E6.4040501@tresys.com>
References: <4CD2B2E6.4040501@tresys.com>
Message-ID: <1288882009.5067.4.camel@sifl>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2010-11-04 at 09:19 -0400, Christopher J. PeBenito wrote:
> The current MLS constraints for unix socket sendto/connectto are:
>
> # UNIX domain socket ops
> mlsconstrain unix_stream_socket connectto
> 	(( l1 eq l2 ) or
> 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> 	 ( t1 == mlsnetwrite ) or
> 	 ( t2 == mlstrustedobject ));
>
> mlsconstrain unix_dgram_socket sendto
> 	(( l1 eq l2 ) or
> 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> 	 ( t1 == mlsnetwrite ) or
> 	 ( t2 == mlstrustedobject ));
>
> These were added earlier this year (except the last t2 exception which
> was added more recently). My concern is with the mlstrustedobject part.
> We need an exception like this to handle domains such as syslog, so
> they can receive messages from any level. But I think we need a
> different attribute since domain types are used for the process itself
> and also its /proc/pid files, so by making the domain a trusted object,
> the /proc/pid become trusted objects too. Opinions?

Is there a reason why we don't have transition rules for things like
sockets? Granted, they are probably only useful for unix sockets, but I
think they could come in handy for things like this where we don't want
to start messing around with adding setsockcreatecon() calls to the
code.

-- 
paul moore
linux @ hp
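
The quoted connectto/sendto constraint can be modeled outside the policy compiler to see which clause admits a given pair of contexts. The Python sketch below is an added example, not part of the original message or of refpolicy; the Level and Context classes, the function name and the sample levels are assumptions constructed for illustration.

```python
# Added illustration: models only the quoted unix socket constraint.
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int                       # sensitivity index (s0 -> 0)
    cats: frozenset = frozenset()   # category set

    def dom(self, other):           # self dominates other
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):         # self is dominated by other
        return other.dom(self)

@dataclass(frozen=True)
class Context:
    low: Level                      # l: low (effective) level
    high: Level                     # h: high (clearance) level
    attrs: frozenset = frozenset()  # attributes carried by the type

def unix_socket_allowed(src, tgt):
    """Return the first satisfied clause of the constraint, or None (denied)."""
    l1, h1, l2, h2 = src.low, src.high, tgt.low, tgt.high
    clauses = [
        ("l1 eq l2", l1 == l2),
        ("mlsnetwriteranged", "mlsnetwriteranged" in src.attrs
            and l1.dom(l2) and l1.domby(h2)),
        ("mlsnetwritetoclr", "mlsnetwritetoclr" in src.attrs
            and h1.dom(l2) and l1.domby(l2)),
        ("mlsnetwrite", "mlsnetwrite" in src.attrs),
        ("mlstrustedobject", "mlstrustedobject" in tgt.attrs),
    ]
    return next((name for name, ok in clauses if ok), None)

# Constructed sample contexts (hypothetical levels, not taken from any policy).
S0 = Level(0)
S3 = Level(3, frozenset({"c1"}))
S15 = Level(15, frozenset({"c1", "c2"}))
client = Context(S0, S0)                                      # sender at s0
ranged = Context(S3, S3, frozenset({"mlsnetwriteranged"}))
logger_plain = Context(S15, S15)                              # high-level receiver
logger_trusted = Context(S15, S15, frozenset({"mlstrustedobject"}))
wide_target = Context(S0, S15)                                # receiver ranged s0-s15

if __name__ == "__main__":
    for tgt in (logger_plain, logger_trusted):
        print(unix_socket_allowed(client, tgt))
```

In this model the last clause looks only at the target type's attributes, so any context whose type carries mlstrustedobject is admitted regardless of either side's level.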