[refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation

Nicolas Iooss nicolas.iooss at m4x.org
Sat Oct 18 13:30:22 UTC 2014


create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
---
 policy/modules/system/ipsec.te      | 2 +-
 policy/modules/system/sysnetwork.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd0417c98..9e73de78e09e 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
-allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index bcba404cd38e..162be5d44318 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -276,7 +276,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
 kernel_use_fds(ifconfig_t)
-- 
2.1.2



More information about the refpolicy mailing list