Re: [PATCH] SELinux: open perms on sockets, AF_UNIX


Eric Paris wrote:
> On Wed, 2008-12-10 at 08:33 -0500, Stephen Smalley wrote:
> 
>>> diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
>>> index c0c8854..31df1d7 100644
>>> --- a/security/selinux/include/av_perm_to_string.h
>>> +++ b/security/selinux/include/av_perm_to_string.h
>>> @@ -24,6 +24,7 @@
>>>     S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
>>>     S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
>>>     S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
>>> +   S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
>>>     S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
>>>     S_(SECCLASS_FD, FD__USE, "use")
>>>     S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
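Review bot: The added S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open") entry only gives the permission a name for audit output; nothing in this quoted portion shows where SOCK_FILE__OPEN is defined or which hook checks it. Please confirm the full patch carries the matching definition and the check itself, and say in the changelog which policy defines open on sock_file, since the headers in this diff were generated from Fedora's policy rather than refpolicy.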
>>> @@ -152,6 +153,7 @@
>>>     S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
>>>     S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
>>>     S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
>>> +   S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
>> Unrelated diff?  Defined in refpolicy yet?
> 
> Defined in policy, I'll run down if it is in refpolicy or only in the
> fedora policy (diff was created using fedora's latest policy).  Either
> way I think I need to get it fixed in refpolicy (and make use of it in
> upstream kernel but obviously that's another patch.)
> 
> 

You mean this patch.
--- nsaserefpolicy/policy/flask/access_vectors	2008-10-17 08:49:14.000000000 -0400
+++ serefpolicy-3.5.13/policy/flask/access_vectors	2008-11-24 10:49:49.000000000 -0500
@@ -616,6 +616,7 @@
 	nlmsg_write
 	nlmsg_relay
 	nlmsg_readpriv
+	nlmsg_tty_audit
 }
 
 class netlink_ip6fw_socket
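Review bot: The context of this hunk does not show which class nlmsg_tty_audit is added to; only the following class, netlink_ip6fw_socket, is visible. Please confirm it is netlink_audit_socket, so that it matches NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT in the kernel header quoted earlier in the thread. The file headers also compare nsaserefpolicy with serefpolicy-3.5.13, which looks like a distribution package diff, so it should be redone against the refpolicy tree and sent with a changelog before it is applied there.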

Attachment: flask_access_vectors.patch.sig
Description: Binary data

