From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 23 Oct 2014 08:13:25 -0400 Subject: [refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation In-Reply-To: <1413639022-27375-3-git-send-email-nicolas.iooss@m4x.org> References: <1413639022-27375-1-git-send-email-nicolas.iooss@m4x.org> <1413639022-27375-3-git-send-email-nicolas.iooss@m4x.org> Message-ID: <5448F0E5.8060501@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/18/2014 9:30 AM, Nicolas Iooss wrote: > create_netlink_socket_perms is defined as: > > { create_socket_perms nlmsg_read nlmsg_write } > > This means that it is redundant to allow create_socket_perms and > nlmsg_read/nlmsg_write. > > Clean up things without allowing anything new. Merged. > --- > policy/modules/system/ipsec.te | 2 +- > policy/modules/system/sysnetwork.te | 4 ++-- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te > index 312cd0417c98..9e73de78e09e 100644 > --- a/policy/modules/system/ipsec.te > +++ b/policy/modules/system/ipsec.te > @@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms; > allow ipsec_t self:udp_socket create_socket_perms; > allow ipsec_t self:key_socket create_socket_perms; > allow ipsec_t self:fifo_file read_fifo_file_perms; > -allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; > +allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms; > > allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; > > diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te > index bcba404cd38e..162be5d44318 100644 > --- a/policy/modules/system/sysnetwork.te > +++ b/policy/modules/system/sysnetwork.te 
> @@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms; > allow dhcpc_t self:tcp_socket create_stream_socket_perms; > allow dhcpc_t self:udp_socket create_socket_perms; > allow dhcpc_t self:packet_socket create_socket_perms; > -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; > +allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms; > > allow dhcpc_t dhcp_etc_t:dir list_dir_perms; > read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) > @@ -276,7 +276,7 @@ allow ifconfig_t self:udp_socket create_socket_perms; > allow ifconfig_t self:packet_socket create_socket_perms; > allow ifconfig_t self:netlink_socket create_socket_perms; > allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; > -allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; > +allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms; > allow ifconfig_t self:tcp_socket { create ioctl }; > > kernel_use_fds(ifconfig_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
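Review bot: The ipsec.te hunk changes no access: the explicit `nlmsg_write` dropped from `{ create_netlink_socket_perms nlmsg_write }` is already a member of `create_netlink_socket_perms` as quoted in the commit message, so `allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;` expands to the same access vector as the removed line. Since the stated goal is a cleanup that allows nothing new, it is worth confirming that with a before/after comparison of the compiled policy, e.g. `sesearch -A -s ipsec_t -c netlink_xfrm_socket`.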
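Review bot: The ifconfig_t hunk is equivalent in the same way (the removed `nlmsg_read` is part of the macro), and leaving the preceding context line `allow ifconfig_t self:netlink_socket create_socket_perms;` untouched is correct rather than a missed instance: the macro adds `nlmsg_read`/`nlmsg_write`, which exist on the nlmsg-capable classes such as `netlink_route_socket` and `netlink_xfrm_socket` but not on the generic `netlink_socket` class, so `create_netlink_socket_perms` does not apply there.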