From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Mar 2011 09:29:29 -0400
Subject: [refpolicy] Socket labeling support for syslogd_t and setrans_t
In-Reply-To:
References:
Message-ID: <4D89F5B9.7090009@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/21/11 02:48, HarryCiao wrote:
> Now that the patches for socket-labeling support have been merged into
> Linus' kernel tree, I think it's time to submit the attached patches to
> have the sockets created by the syslogd_t and setrans_t domains have a
> separate type than the creator, so that we won't have to add the syslogd_t
> or setrans_t domains to the mlstrustedobject attribute in order to have
> domains at mls_systemlow communicate with their sockets at
> mls_systemhigh.

I guess I misunderstood what you intended with that kernel support. I
think the policy patches add unnecessary complexity. It makes more sense
to adjust the MLS constraint for unix_stream_socket connectto and
unix_dgram_socket sendto to change the t2=mlstrustedobject exemption to
something else. In this case it makes more sense to make a new attribute,
e.g.

mlsconstrain unix_stream_socket connectto
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedreceiver ));

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
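The following is an added illustration of the alternative Chris sketches above, written for this page; it is not code from the thread, from HarryCiao's patches, or from refpolicy itself. It shows the three pieces that the sketch implies but does not spell out: declaring the new attribute, carrying the same exemption into the unix_dgram_socket sendto constraint (its body is assumed here to mirror the stream one), and opting the two domains from the thread into the attribute. The attribute name is the one suggested in the reply; the interface name mls_trusted_receiver and the file placements named in the comments are assumptions, and in a real tree the fragments would be split across the mls, logging and setrans modules rather than living in one file.

```selinux
# Added example, not part of the thread or of refpolicy.

# 1. Attribute declaration (refpolicy keeps the MLS attributes in
#    policy/modules/kernel/mls.te). A domain carrying this attribute may
#    have its sockets connected to / sent to from any level, without the
#    domain being marked mlstrustedobject for every object it owns.
attribute mlstrustedreceiver;

# 2. Hypothetical interface (name is an assumption) so a service module
#    can opt a domain in without editing the kernel layer directly.
interface(`mls_trusted_receiver',`
	gen_require(`
		attribute mlstrustedreceiver;
	')
	typeattribute $1 mlstrustedreceiver;
')

# 3. Amended constraints (policy/mls). Reading the operands:
#    t1/l1/h1 = source type, current level, clearance
#    t2/l2/h2 = target (the socket) type, current level, clearance
#    A plain "( t2 == mlstrustedreceiver )" clause exempts the socket
#    regardless of l1/l2, which is exactly the mls_systemlow client ->
#    mls_systemhigh syslogd_t socket case from the thread. Because the
#    socket keeps its creator's type, no separate socket type is needed.
mlsconstrain unix_stream_socket connectto
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedreceiver ));

# Assumed to take the same shape as the stream constraint above.
mlsconstrain unix_dgram_socket sendto
	(( l1 eq l2 ) or
	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsnetwrite ) or
	 ( t2 == mlstrustedreceiver ));

# 4. Opt-in from the service modules (example placement: logging.te and
#    setrans.te). Only these two domains gain the exemption, so the
#    blanket mlstrustedobject marking the thread wanted to avoid is not
#    needed.
mls_trusted_receiver(syslogd_t)
mls_trusted_receiver(setrans_t)
```

The practical check after such a change is to confirm that the exemption is scoped to the socket classes only: mlstrustedreceiver appears in no other mlsconstrain statement, so a domain carrying it still has normal MLS enforcement on its files, pipes and other objects, which is the narrowing over mlstrustedobject that the reply is after.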