commit: 25635ce6697a48861fa0f3021f79261f760b4d99
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Oct 18 13:30:22 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:27 2014 +0000
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25635ce6
Use create_netlink_socket_perms when allowing netlink socket creation
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up these rules without granting any new permission.
---
policy/modules/system/ipsec.te | 2 +-
policy/modules/system/sysnetwork.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index db6d1c6..15d7caf 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
-allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms
nlmsg_write };
+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
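Review bot: The "nothing new allowed" claim for `+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;` rests entirely on the macro expansion quoted in the commit message, which this diff does not show; given that expansion (`{ create_socket_perms nlmsg_read nlmsg_write }`), the removed set `{ create_netlink_socket_perms nlmsg_write }` merely listed nlmsg_write twice, so the resulting access vector is unchanged. For a refactor whose only purpose is permission-set equivalence, the review should record a mechanical check rather than rely on reading the .spt by eye: build the policy before and after and run `sediff` on the two binaries, or at minimum `sesearch -A -s ipsec_t -t ipsec_t -c netlink_xfrm_socket` on both, confirming the permission list is identical. The same check covers the dhcpc_t and ifconfig_t hunks, whose old sets are likewise already subsumed by the macro. Keep in mind that create_netlink_socket_perms always carries nlmsg_write, so anyone later reusing this macro for a domain that only needs to read netlink state should spell the permissions out instead.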
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index b95de37..f7dbde0 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read
nlmsg_write };
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -278,7 +278,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms
nlmsg_read };
+allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };
kernel_use_fds(ifconfig_t)