* [refpolicy] [PATCH] Update socket_class_set according to flask/access_vectors
@ 2014-08-29 20:25 Nicolas Iooss
  2014-09-12 18:18 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Nicolas Iooss @ 2014-08-29 20:25 UTC (permalink / raw)
  To: refpolicy

File policy/flask/access_vectors defines access vectors for several
socket classes which all inherit from socket class.  All of these
classes belong to socket_class_set but three: socket, dccp_socket and
key_socket.

socket class is a fallback the kernel uses for sockets with no defined
SELinux object class and should not be used in the policy without a good
reason.

dccp_socket is not fully implemented in the policy (e.g. it is not
present in constraints in policy/mls where all other socket classes are)
but there is no reason not to add it to socket_class_set.

For key_socket, I do not know whether it should belong to
socket_class_set or not.  Therefore I document this lack without giving
any argument.

Add dccp_socket to socket_class_set and add a comment about socket and
key_socket.

While at it, rearrange the socket classes to have the same order as in
policy/flask/access_vectors (appletalk_socket moves).

Initial discussion about socket class:
http://oss.tresys.com/pipermail/refpolicy/2014-August/007374.html
---
 policy/support/obj_perm_sets.spt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 27294ea220e8..e61591b58639 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -26,10 +26,10 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`devfile_class_set', `{ chr_file blk_file }')
 
 #
-# All socket classes.
+# All socket classes but "socket" and "key_socket".
+# "socket" is the fallback the kernel uses for socket with no defined SELinux object class.
 #
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
-
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket appletalk_socket dccp_socket tun_socket }')
 
 #
 # Datagram socket classes.
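Review bot: the new comment line `+# "socket" is the fallback the kernel uses for socket with no defined SELinux object class.` should read "for sockets with no defined SELinux object class"; and the header line `+# All socket classes but "socket" and "key_socket".` records that key_socket is left out without saying why, so either add key_socket next to dccp_socket or state the reason in the comment, otherwise the next reader has to re-open the question. The lone `-` line also drops one of the two blank lines after the define, an unrelated whitespace change in a hunk whose purpose is the membership update; keep the define lines and leave the spacing as it was unless the style is meant to change.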
-- 
2.0.4

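The check the patch describes, done by hand against policy/flask/access_vectors, can be scripted. The following is an added example and not refpolicy code or code from either poster: it parses the `class NAME` / `inherits COMMON` declarations of a flask access_vectors file, keeps every class that inherits the `socket` common, and diffs that list against the m4 `define(`socket_class_set', ...)` in obj_perm_sets.spt. Both inputs are constructed excerpts that mimic the real files' syntax (the pre-patch set is missing dccp_socket and key_socket and has appletalk_socket out of file order); the function and file names are the example's own.

```python
"""Added example (not refpolicy code): script the patch's by-hand check
of socket_class_set against the classes that inherit the socket common
in flask/access_vectors.  Both inputs below are constructed excerpts."""
import re

# Constructed excerpt in access_vectors syntax: a class line, an optional
# "inherits" line and an optional { permissions } block.
ACCESS_VECTORS = """\
common socket
{
	ioctl
}

class file
inherits file

class socket
inherits socket

class tcp_socket
inherits socket
{
	connectto
	node_bind
}

class key_socket
inherits socket

class unix_stream_socket
inherits socket

class appletalk_socket
inherits socket

class dccp_socket
inherits socket

class tun_socket
inherits socket
"""

# Constructed excerpt of obj_perm_sets.spt as it stood before the patch.
OBJ_PERM_SETS = """\
# All socket classes.
define(`socket_class_set', `{ tcp_socket appletalk_socket unix_stream_socket tun_socket }')
"""


def classes_inheriting(text, common):
    """Classes (in file order) declared as `class X` followed by `inherits <common>`."""
    found, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^class\s+(\w+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^inherits\s+(\w+)$", line)
        if m and current is not None:
            if m.group(1) == common:
                found.append(current)
            current = None
            continue
        if line.startswith(("{", "}", "common")):
            current = None                      # class header had no inherits
    return found


def m4_set(text, name):
    """Members of define(`name', `{ ... }') in an .spt file."""
    m = re.search(r"define\(`" + re.escape(name) + r"',\s*`\{([^}]*)\}'\)", text)
    if m is None:
        raise ValueError("no define for %s" % name)
    return m.group(1).split()


def check_socket_class_set(access_vectors, obj_perm_sets, excluded=("socket",)):
    """Diff socket-inheriting classes against socket_class_set.

    `excluded` lists classes deliberately left out (by default only the kernel
    fallback class "socket", as the patch's comment argues).  Returns the
    missing members, the extra members, and whether the set's order differs
    from the order in access_vectors."""
    expected = [c for c in classes_inheriting(access_vectors, "socket")
                if c not in excluded]
    actual = m4_set(obj_perm_sets, "socket_class_set")
    missing = [c for c in expected if c not in actual]
    extra = [c for c in actual if c not in expected]
    shared = [c for c in expected if c in actual]
    reordered = [c for c in actual if c in shared] != shared
    return {"missing": missing, "extra": extra, "reordered": reordered}


if __name__ == "__main__":
    for key, val in check_socket_class_set(ACCESS_VECTORS, OBJ_PERM_SETS).items():
        print("%-10s %s" % (key, val))
```

Run against the real files by reading policy/flask/access_vectors and policy/support/obj_perm_sets.spt into the two arguments; passing `excluded=("socket", "key_socket")` reproduces the patch's own exclusion choice, while the default reflects the reply's position that only `socket` should be left out.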

* [refpolicy] [PATCH] Update socket_class_set according to flask/access_vectors
  2014-08-29 20:25 [refpolicy] [PATCH] Update socket_class_set according to flask/access_vectors Nicolas Iooss
@ 2014-09-12 18:18 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2014-09-12 18:18 UTC (permalink / raw)
  To: refpolicy

On 8/29/2014 4:25 PM, Nicolas Iooss wrote:
> File policy/flask/access_vectors defines access vectors for several
> socket classes which all inherit from socket class.  All of these
> classes belong to socket_class_set but three: socket, dccp_socket and
> key_socket.
> 
> socket class is a fallback the kernel uses for sockets with no defined
> SELinux object class and should not be used in the policy without a good
> reason.
> 
> dccp_socket is not fully implemented in the policy (e.g. it is not
> present in constraints in policy/mls where all other socket classes are)

Thanks for noting this.  This class needs to be added into the MLS
constraints.


> but there is no reason not to add it to socket_class_set.
> 
> For key_socket, I do not know whether it should belong to
> socket_class_set or not.  Therefore I document this lack without giving
> any argument.

I think socket is the only class we want to exclude from this set.


> Add dccp_socket to socket_class_set and add a comment about socket and
> key_socket.
> 
> While at it, rearrange the socket classes to have the same order as in
> policy/flask/access_vectors (appletalk_socket moves).
> 
> Initial discussion about socket class:
> http://oss.tresys.com/pipermail/refpolicy/2014-August/007374.html
> ---
>  policy/support/obj_perm_sets.spt | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 27294ea220e8..e61591b58639 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -26,10 +26,10 @@ define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
>  define(`devfile_class_set', `{ chr_file blk_file }')
>  
>  #
> -# All socket classes.
> +# All socket classes but "socket" and "key_socket".
> +# "socket" is the fallback the kernel uses for socket with no defined SELinux object class.
>  #
> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
> -
> +define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket appletalk_socket dccp_socket tun_socket }')
>  
>  #
>  # Datagram socket classes.
> 
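Review bot: adding dccp_socket to socket_class_set in the `+define(`socket_class_set', ...` line widens every rule written against the set, yet the commit message says dccp_socket is absent from the constraints in policy/mls where all other socket classes appear; the MLS constraint update should land in the same series, or the commit message should name it as a required follow-up, so the policy does not ship with one class in the set that the MLS constraints do not cover.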

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

