2010-12-14 15:42:30

by Daniel Walsh

Subject: [refpolicy] Fwd: [rhel5-cc-external-list] SELinux: refpolicy-2.20091117

I got asked this question, by someone. I am asking on both lists in
case the mls guys don't pay attention to the refpolicy list.
>
>
> Looking into the mls file, I find two rules for the accept syscall and the
> same objects where one rule is read-like and the other is write like:
>
> mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
> packet_socket key_socket unix_stream_socket unix_dgram_socket
> netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
> netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
> netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept
> connect }
> (( l1 eq l2 ) or
> (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread )) and
> ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 ))
> or
> (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> ( t1 == mlsnetwrite ))));
>
>
> # the socket "read" ops (note the check is dominance of the low level)
> mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
> packet_socket key_socket unix_stream_socket unix_dgram_socket
> netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
> netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
> netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr
> listen accept getopt recv_msg }
> (( l1 dom l2 ) or
> (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
> ( t1 == mlsnetread ));

Isn't the second accept covered by the first?
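As an added illustration (not part of Dan's message or of the refpolicy source), the Python below models the two quoted mlsconstrain rules over a small constructed MLS lattice and searches exhaustively for any subject/object context that satisfies the { accept connect } rule but fails the socket "read" rule; since every mlsconstrain naming a permission must hold, an empty result means the second rule's accept adds no restriction beyond the first. The toy lattice, the attribute-set enumeration and the helper names are assumptions of this example.

```python
"""Check whether the quoted { accept connect } MLS constraint already implies
the socket "read" constraint, by exhaustive search over a small MLS lattice."""
from itertools import combinations, product

# Toy lattice (constructed): a level is (sensitivity, frozenset of categories).
LEVELS = [(s, frozenset(c)) for s in range(2)
          for n in range(3) for c in combinations((0, 1), n)]
# The type attributes the quoted constraints test t1 against.
ATTRS = ("mlsnetreadtoclr", "mlsnetread", "mlsnetwriteranged",
         "mlsnetwritetoclr", "mlsnetwrite")
ATTR_SETS = [frozenset(c) for n in range(len(ATTRS) + 1)
             for c in combinations(ATTRS, n)]

def dom(a, b):
    """a dom b: sensitivity >= and categories a superset (domby is dom reversed)."""
    return a[0] >= b[0] and a[1] >= b[1]

def accept_connect_rule(t1, l1, h1, l2, h2):
    """First quoted rule: mlsconstrain { ...sockets } { accept connect }."""
    read_ok = ("mlsnetreadtoclr" in t1 and dom(h1, l2)) or "mlsnetread" in t1
    write_ok = (("mlsnetwriteranged" in t1 and dom(l1, l2) and dom(h2, l1))
                or ("mlsnetwritetoclr" in t1 and dom(h1, l2) and dom(l2, l1))
                or "mlsnetwrite" in t1)
    return l1 == l2 or (read_ok and write_ok)

def socket_read_rule(t1, l1, h1, l2):
    """Second quoted rule: { read getattr listen accept getopt recv_msg }."""
    return (dom(l1, l2)
            or ("mlsnetreadtoclr" in t1 and dom(h1, l2))
            or "mlsnetread" in t1)

def counterexamples():
    """Contexts that pass the accept/connect rule but fail the read rule.

    mlsconstrain rules are conjunctive, so an empty list means the second
    rule's 'accept' is already implied by the first."""
    found = []
    for t1, l1, h1, l2, h2 in product(ATTR_SETS, LEVELS, LEVELS, LEVELS, LEVELS):
        if not (dom(h1, l1) and dom(h2, l2)):  # keep only well-formed ranges
            continue
        if accept_connect_rule(t1, l1, h1, l2, h2) and \
                not socket_read_rule(t1, l1, h1, l2):
            found.append((t1, l1, h1, l2, h2))
    return found

print("second 'accept' is redundant" if not counterexamples() else "NOT redundant")
```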