[refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation

Christopher J. PeBenito cpebenito at tresys.com
Thu Oct 23 12:13:25 UTC 2014


On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> create_netlink_socket_perms is defined as:
> 
>     { create_socket_perms nlmsg_read nlmsg_write }
> 
> This means that it is redundant to allow create_socket_perms and
> nlmsg_read/nlmsg_write.
> 
> Clean up things without allowing anything new.

Merged.


> ---
>  policy/modules/system/ipsec.te      | 2 +-
>  policy/modules/system/sysnetwork.te | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 312cd0417c98..9e73de78e09e 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
>  allow ipsec_t self:udp_socket create_socket_perms;
>  allow ipsec_t self:key_socket create_socket_perms;
>  allow ipsec_t self:fifo_file read_fifo_file_perms;
> -allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
> +allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
>  
>  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>  
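Review bot: The removed line granted nlmsg_write twice, once through create_netlink_socket_perms and once explicitly, so the replacement is a pure no-op; that only holds as long as create_netlink_socket_perms still expands to { create_socket_perms nlmsg_read nlmsg_write } as the commit message states, which is cheap to confirm by comparing `sesearch -A -s ipsec_t -t ipsec_t -c netlink_xfrm_socket` output from a build before and after the patch.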
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index bcba404cd38e..162be5d44318 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
>  allow dhcpc_t self:udp_socket create_socket_perms;
>  allow dhcpc_t self:packet_socket create_socket_perms;
> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> +allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
>  
>  allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
>  read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
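Review bot: The removed line spelled out the exact body of create_netlink_socket_perms, so the rewrite is equivalent and also brings dhcpc_t's netlink_route_socket rule in line with the ifconfig_t netlink_route_socket rule later in this file, which already uses the macro; a tree-wide grep for the spelled-out form (`create_socket_perms nlmsg_read nlmsg_write`) would confirm no other copies remain.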
> @@ -276,7 +276,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
>  allow ifconfig_t self:packet_socket create_socket_perms;
>  allow ifconfig_t self:netlink_socket create_socket_perms;
>  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
> -allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
> +allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
>  allow ifconfig_t self:tcp_socket { create ioctl };
>  
>  kernel_use_fds(ifconfig_t)
> 
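Review bot: Dropping the explicit nlmsg_read is safe since the macro already carries it; the unchanged `allow ifconfig_t self:netlink_socket create_socket_perms;` two lines above is correctly left alone, because refpolicy's generic netlink_socket class does not define nlmsg_read/nlmsg_write, so converting it in the same sweep would not compile.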

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
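The cleanup above rests on one claim: each rewritten rule expands to exactly the permission set the old one did. The following is an added example, not refpolicy code, showing how to check that mechanically by expanding the permission-set macros and diffing the before/after rules. Only the body of create_netlink_socket_perms is quoted in the patch; the bodies of create_socket_perms and rw_socket_perms are assumed from refpolicy's obj_perm_sets.spt, and the rule lines are copied from the hunks. The final call shows the same check catching a rewrite that would silently widen access.

```python
"""Expand refpolicy-style permission-set macros and confirm that a
rewritten allow rule grants exactly the same permissions as the old one.

Added example, not refpolicy code.  Macro bodies other than
create_netlink_socket_perms are assumed from obj_perm_sets.spt."""
import re

# Assumed macro definitions; a body may reference other macros, so
# expansion is recursive.
PERM_SETS = {
    "rw_socket_perms": "{ ioctl read getattr write setattr append bind "
                       "connect getopt setopt shutdown }",
    "create_socket_perms": "{ create rw_socket_perms }",
    # This one is quoted verbatim in the commit message.
    "create_netlink_socket_perms": "{ create_socket_perms nlmsg_read nlmsg_write }",
}


def expand_perms(spec, sets=PERM_SETS, _depth=0):
    """Flatten a perm spec such as 'create_netlink_socket_perms' or
    '{ create_socket_perms nlmsg_read }' into a set of permission names."""
    if _depth > 16:
        raise ValueError("macro recursion too deep: %r" % spec)
    result = set()
    for tok in spec.replace("{", " ").replace("}", " ").split():
        if tok in sets:
            result |= expand_perms(sets[tok], sets, _depth + 1)
        else:
            result.add(tok)
    return result


RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(.+?);\s*$")


def parse_allow(rule):
    """Return ((source, target, class), expanded permission set)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not an allow rule: %r" % rule)
    src, tgt, cls, perms = m.groups()
    return (src, tgt, cls), expand_perms(perms)


def rule_delta(old_rule, new_rule):
    """Return (added, removed) permission sets between two allow rules on
    the same source/target/class.  Both empty means a pure cleanup."""
    old_key, old_perms = parse_allow(old_rule)
    new_key, new_perms = parse_allow(new_rule)
    if old_key != new_key:
        raise ValueError("rules differ in source/target/class: %r vs %r"
                         % (old_key, new_key))
    return new_perms - old_perms, old_perms - new_perms


# The three before/after pairs from the patch hunks.
PATCH_PAIRS = [
    ("allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };",
     "allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;"),
    ("allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };",
     "allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;"),
    ("allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };",
     "allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;"),
]


def check_patch(pairs=PATCH_PAIRS):
    """Return [(new_rule, added, removed)] for every pair that is NOT a
    no-op; an empty list means nothing new is allowed and nothing is lost."""
    problems = []
    for old, new in pairs:
        added, removed = rule_delta(old, new)
        if added or removed:
            problems.append((new, added, removed))
    return problems


if __name__ == "__main__":
    print("patch:", check_patch() or "no functional change")
    # A hypothetical rewrite that widens access is caught the same way:
    # the old rule lacked nlmsg_write, the macro would add it.
    print("widening:", rule_delta(
        "allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read };",
        "allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;"))
```

The expansion is deliberately source-level rather than running against a compiled policy: it answers the question a reviewer has at patch time, before a build exists, and flags any hunk whose old and new permission sets differ.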