commit: 25635ce6697a48861fa0f3021f79261f760b4d99 |
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org> |
AuthorDate: Sat Oct 18 13:30:22 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Oct 31 15:26:27 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25635ce6 |
|
Use create_netlink_socket_perms when allowing netlink socket creation |
|
create_netlink_socket_perms is defined as: |
|
{ create_socket_perms nlmsg_read nlmsg_write } |
|
This means that it is redundant to allow create_socket_perms and |
nlmsg_read/nlmsg_write. |
|
Clean up things without allowing anything new. |
|
--- |
policy/modules/system/ipsec.te | 2 +- |
policy/modules/system/sysnetwork.te | 4 ++-- |
2 files changed, 3 insertions(+), 3 deletions(-) |
|
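--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
-allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 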
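Review bot: The claim that the new ipsec_t netlink_xfrm_socket rule allows nothing new rests entirely on create_netlink_socket_perms expanding to `{ create_socket_perms nlmsg_read nlmsg_write }`, and that definition is not part of this diff; the old line granted nlmsg_write explicitly, the new line grants it only through the permission set. A before/after comparison of the compiled policies (for example `sesearch -A -s ipsec_t -c netlink_xfrm_socket` on both builds) would confirm the permission sets are identical, and it is worth keeping in mind that any later widening of create_netlink_socket_perms now flows into these rules as well. The same verification applies to the dhcpc_t netlink_route_socket and ifconfig_t netlink_xfrm_socket hunks in sysnetwork.te, where the old lines spelled out create_socket_perms plus nlmsg_read/nlmsg_write, or the set plus nlmsg_read, respectively.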
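--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -278,7 +278,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
 kernel_use_fds(ifconfig_t)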