There is really no need for the SECMARK policy hack in the kernel_sendrecv_unlabeled_association() interface since we already have an interface call, kernel_sendrecv_unlabeled_packets(), which handles the unlabeled SECMARK case. Remove the hack and use the kernel_sendrecv_unlabeled_packets() where appropriate.

Signed-off-by: Paul Moore <paul.moore@xxxxxx>
---
 policy/modules/kernel/corenetwork.if.in | 4 ++++
 policy/modules/kernel/kernel.if | 3 ---
 2 files changed, 4 insertions(+), 3 deletions(-)
Index: refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/corenetwork.if.in
+++ refpolicy_svn_repo/policy/modules/kernel/corenetwork.if.in
@@ -1752,6 +1752,7 @@ interface(`corenet_tcp_recvfrom_netlabel
 #
 interface(`corenet_tcp_recvfrom_unlabeled',`
 kernel_tcp_recvfrom_unlabeled($1)
+ kernel_sendrecv_unlabeled_packets($1)

 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1859,6 +1860,7 @@ interface(`corenet_udp_recvfrom_netlabel
 #
 interface(`corenet_udp_recvfrom_unlabeled',`
 kernel_udp_recvfrom_unlabeled($1)
+ kernel_sendrecv_unlabeled_packets($1)

 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
@@ -1966,6 +1968,7 @@ interface(`corenet_raw_recvfrom_netlabel
 #
 interface(`corenet_raw_recvfrom_unlabeled',`
 kernel_raw_recvfrom_unlabeled($1)
+ kernel_sendrecv_unlabeled_packets($1)

 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
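Review bot: The added kernel_sendrecv_unlabeled_packets($1) call lives in an interface named corenet_tcp_recvfrom_unlabeled, yet by its name, and by the `{ send recv }` packet rule it replaces in kernel.if, it grants unlabeled_t:packet send as well as recv, while the XXX comment two lines below still names only the association sendto check as the temporary outbound allowance. Unless kernel_sendrecv_unlabeled_packets (not visible in this diff) is receive-only, widen that comment so the packet send is also tracked for removal, e.g. `# XXX - at some point the outbound access (association sendto and packet send) will be removed`. The same applies to the udp, raw and corenet_all_recvfrom_unlabeled hunks that follow. Each interface body continues past the end of its hunk, so the placement of the call relative to the existing kernel_sendrecv_unlabeled_association call cannot be checked here.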
@@ -2042,6 +2045,7 @@ interface(`corenet_all_recvfrom_unlabele
 kernel_tcp_recvfrom_unlabeled($1)
 kernel_udp_recvfrom_unlabeled($1)
 kernel_raw_recvfrom_unlabeled($1)
+ kernel_sendrecv_unlabeled_packets($1)

 # XXX - at some point the oubound/send access check will be removed
 # but for right now we need to keep this in place so as not to break
Index: refpolicy_svn_repo/policy/modules/kernel/kernel.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/kernel/kernel.if
+++ refpolicy_svn_repo/policy/modules/kernel/kernel.if
@@ -2255,9 +2255,6 @@ interface(`kernel_sendrecv_unlabeled_ass
 ')

 allow $1 unlabeled_t:association { sendto recvfrom };
-
- # temporary hack until labeling on packets is supported
- allow $1 unlabeled_t:packet { send recv };
 ')

 ########################################
-- 
paul moore linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
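Review bot: Dropping the unlabeled_t:packet { send recv } rule changes what every caller of kernel_sendrecv_unlabeled_association receives, but the commit only adds kernel_sendrecv_unlabeled_packets to the four corenet recvfrom_unlabeled interfaces; any other caller (none are visible in this diff) that relied on the hack will be denied on unlabeled packets once SECMARK rules are loaded. That is the fail-closed direction, so it is a behaviour change to confirm rather than a hole, but it deserves a sentence in the commit message and a line in the interface's summary block, e.g. `## Callers that also need unlabeled packet access must call kernel_sendrecv_unlabeled_packets().` The interface's gen_require block and summary start before this hunk, so whether the summary already says this cannot be checked here.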