From 3b72786090864870e3ddae25d98e8f15ac2836a5 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 29 Apr 2010 11:29:39 -0400
Subject: [PATCH] Add trusted object condition to unix socket connectto/sendto, to fix label translation.

---
 policy/mls | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/mls b/policy/mls
index 4c8a421e..b9f0a3e3 100644
--- a/policy/mls
+++ b/policy/mls
@@ -208,13 +208,15 @@ mlsconstrain unix_stream_socket connectto
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
+ ( t1 == mlsnetwrite ) or
+ ( t2 == mlstrustedobject ));
 
 mlsconstrain unix_dgram_socket sendto
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
- ( t1 == mlsnetwrite ));
+ ( t1 == mlsnetwrite ) or
+ ( t2 == mlstrustedobject ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
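Review bot: The new `( t2 == mlstrustedobject )` disjunct in both the `unix_stream_socket connectto` and `unix_dgram_socket sendto` constraints carries no dominance check on the subject's range, so the object type's attribute alone decides whether a write-up or write-down across levels is permitted, and nothing in the policy text says so. A short comment above each constraint would let a later reader see the exemption is deliberate and what it is for: `# mlstrustedobject sockets accept connections/datagrams from any level (required for label translation)`. The subject line is the only place the label-translation rationale appears, so the dependency on which types are granted mlstrustedobject should be stated in the policy itself; I am inferring from the subject that a translation daemon's socket is the intended object. If the file already uses an unranged `t2 == mlstrustedobject` clause for other object classes, the new clauses are consistent with that; if the other classes pair it with `( l1 domby h2 )`, the same bound would be worth considering here.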