* Fwd: [rhel5-cc-external-list] SELinux: refpolicy-2.20091117
@ 2010-12-14 15:42 ` Daniel J Walsh
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel J Walsh @ 2010-12-14 15:42 UTC (permalink / raw)
  To: SELinux, tresys


I got asked this question by someone.  I am asking on both lists in
case the mls guys don't pay attention to the refpolicy list.
>
> Looking into the mls file, I find two rules for the accept syscall and the
> same objects where one rule is read-like and the other is write-like:
>
> mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
> packet_socket key_socket unix_stream_socket unix_dgram_socket
> netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
> netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
> netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
>         (( l1 eq l2 ) or
>          (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>            ( t1 == mlsnetread )) and
>           ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
>            (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
>            ( t1 == mlsnetwrite ))));
>
> # the socket "read" ops (note the check is dominance of the low level)
> mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket
> packet_socket key_socket unix_stream_socket unix_dgram_socket
> netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket
> netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket
> netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr
> listen accept getopt recv_msg }
>         (( l1 dom l2 ) or
>          (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
>          ( t1 == mlsnetread ));

Isn't the second accept covered by the first?


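An added example, not part of the mail above or of the refpolicy sources: a small Python model of the two quoted mlsconstrain rules that brute-forces, over a constructed two-sensitivity/two-category lattice, whether every subject/object pair that passes the { accept connect } rule also passes the socket "read" rule. It assumes the usual MLS semantics (dom is higher-or-equal sensitivity plus a category superset; a range's high level dominates its low level) and models `t1 == attribute` as membership of the attribute in the subject type's attribute set. SELinux requires every constraint on a class/permission pair to hold, so a zero count means the read rule's accept entry never produces a denial the first rule did not already produce.

```python
from itertools import combinations, product

SENS = (0, 1)                 # two sensitivities, s0 < s1 (constructed)
CATS = ("c0", "c1")           # two categories (constructed)
ATTRS = ("mlsnetreadtoclr", "mlsnetread",
         "mlsnetwriteranged", "mlsnetwritetoclr", "mlsnetwrite")


def dom(a, b):
    """a dom b: sensitivity not lower and category set a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def levels():
    """Every (sensitivity, category-set) level of the small lattice."""
    for s in SENS:
        for n in range(len(CATS) + 1):
            for cs in combinations(CATS, n):
                yield (s, frozenset(cs))


def ranges():
    """All (low, high) pairs with high dom low, as a valid MLS range needs."""
    return [(lo, hi) for lo in levels() for hi in levels() if dom(hi, lo)]


def accept_connect(l1, h1, t1, l2, h2):
    """First quoted rule: { accept connect } on the socket classes."""
    read_ok = ("mlsnetreadtoclr" in t1 and dom(h1, l2)) or "mlsnetread" in t1
    write_ok = (("mlsnetwriteranged" in t1 and dom(l1, l2) and dom(h2, l1))
                or ("mlsnetwritetoclr" in t1 and dom(h1, l2) and dom(l2, l1))
                or "mlsnetwrite" in t1)
    return l1 == l2 or (read_ok and write_ok)


def socket_read(l1, h1, t1, l2, h2):
    """Second quoted rule: the socket "read" ops, which also list accept."""
    return (dom(l1, l2)
            or ("mlsnetreadtoclr" in t1 and dom(h1, l2))
            or "mlsnetread" in t1)


def counterexamples(rule_a, rule_b):
    """Count (subject range, object range, attribute set) combinations where
    rule_a passes but rule_b fails; 0 means rule_a implies rule_b."""
    attr_sets = [frozenset(c) for n in range(len(ATTRS) + 1)
                 for c in combinations(ATTRS, n)]
    rs = ranges()
    return sum(1 for (l1, h1), (l2, h2), t1 in product(rs, rs, attr_sets)
               if rule_a(l1, h1, t1, l2, h2) and not rule_b(l1, h1, t1, l2, h2))
```

Running `counterexamples(socket_read, accept_connect)` as well shows the converse does not hold: a subject whose low level strictly dominates the socket's passes the read rule but, lacking any of the write attributes, fails accept/connect.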
