From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 25 Aug 2014 11:07:56 -0400
Subject: [refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set
In-Reply-To: <1408793751-11289-6-git-send-email-nicolas.iooss@m4x.org>
References: <1408793751-11289-1-git-send-email-nicolas.iooss@m4x.org> <1408793751-11289-6-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53FB514C.6090405@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
> ---
> policy/support/obj_perm_sets.spt | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 6e9131723cf4..5e8718a8be67 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
> #
> # All socket classes.
> #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
> -
> +define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')

I don't think we want to add socket to this set. We need to be able to detect when there is generic socket class usage, as that means we need a kernel change and a corresponding new object class.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
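Review bot: the `+define(`socket_class_set', ...` line puts the generic `socket` class into a set whose comment says it enumerates "All socket classes", so every rule written against `socket_class_set` would also grant the generic class and a domain falling back to `socket` (a family with no dedicated object class) would no longer surface as a denial that points to a missing kernel class; adding only `dccp_socket` would avoid that. The hunk also deletes the blank line after the define (the lone `> -` line), an unrelated whitespace change that would be cleaner in its own commit, and the patch arrives with no commit message above the `---` diffstat to explain why either class is needed.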