From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Sep 2014 14:18:59 -0400
Subject: [refpolicy] [PATCH] Update socket_class_set according to flask/access_vectors
In-Reply-To: <1409343937-23601-1-git-send-email-nicolas.iooss@m4x.org>
References: <1409343937-23601-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <54133913.6000102@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/29/2014 4:25 PM, Nicolas Iooss wrote:
> File policy/flask/access_vectors defines access vectors for several
> socket classes which all inherit from the socket class. All of these
> classes belong to socket_class_set but three: socket, dccp_socket and
> key_socket.
>
> The socket class is a fallback the kernel uses for sockets with no defined
> SELinux object class and should not be used in the policy without a good
> reason.
>
> dccp_socket is not fully implemented in the policy (e.g. it is not
> present in the constraints in policy/mls where all other socket classes are)

Thanks for noting this. This class needs to be added to the MLS constraints.

> but there is no reason not to add it to socket_class_set.
>
> For key_socket, I do not know whether it should belong to
> socket_class_set or not. Therefore I document this omission without giving
> any argument.

I think socket is the only class we want to exclude from this set.

> Add dccp_socket to socket_class_set and add a comment about socket and
> key_socket.
>
> While at it, rearrange the socket classes to have the same order as in
> policy/flask/access_vectors (appletalk_socket moves).
>
> Initial discussion about the socket class:
> http://oss.tresys.com/pipermail/refpolicy/2014-August/007374.html
> ---
>  policy/support/obj_perm_sets.spt | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 27294ea220e8..e61591b58639 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -26,10 +26,10 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }') > define(`devfile_class_set', `{ chr_file blk_file }') > > # > -# All socket classes. > +# All socket classes but "socket" and "key_socket". > +# "socket" is the fallback the kernel uses for socket with no defined SELinux object class. > # > -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') > - > +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket appletalk_socket dccp_socket tun_socket }') > > # > # Datagram socket classes. > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
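Review bot: The new header comment excludes key_socket from socket_class_set without stating why, and the reply above says socket should be the only class left out; either add key_socket to the define in this hunk or extend the comment with the actual reason it is omitted, so the next reader does not have to re-open this thread. While the comment is touched, fix the grammar in the added line: "the fallback the kernel uses for socket with no defined SELinux object class" should read "for sockets with no defined SELinux object class". Separately, this hunk puts dccp_socket into socket_class_set while the commit message itself notes that dccp_socket is absent from the constraints in policy/mls; once this lands, every rule written against socket_class_set grants dccp_socket access that the MLS constraints do not yet cover, so the policy/mls update should go in alongside (or ahead of) this change rather than as a follow-up.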