Add trusted object condition to unix socket connectto/sendto, to fix label translation.
This commit is contained in:
parent
87a9469fc9
commit
3b72786090
@ -208,13 +208,15 @@ mlsconstrain unix_stream_socket connectto
|
|||||||
(( l1 eq l2 ) or
|
(( l1 eq l2 ) or
|
||||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||||
( t1 == mlsnetwrite ));
|
( t1 == mlsnetwrite ) or
|
||||||
|
( t2 == mlstrustedobject ));
|
||||||
|
|
||||||
mlsconstrain unix_dgram_socket sendto
|
mlsconstrain unix_dgram_socket sendto
|
||||||
(( l1 eq l2 ) or
|
(( l1 eq l2 ) or
|
||||||
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||||
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||||
( t1 == mlsnetwrite ));
|
( t1 == mlsnetwrite ) or
|
||||||
|
( t2 == mlstrustedobject ));
|
||||||
|
|
||||||
# these access vectors have no MLS restrictions
|
# these access vectors have no MLS restrictions
|
||||||
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
|
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
|
||||||
|
Loading…
Reference in New Issue
Block a user