* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/flask/, policy/, policy/support/
From: Sven Vermeulen @ 2017-05-18 17:02 UTC
To: gentoo-commits
commit: 09879cfc8abb8884cd11fe9ee3125e866190e207
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov>
AuthorDate: Wed May 17 15:31:48 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:01:00 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09879cfc
refpolicy: Define smc_socket security class
Linux kernel commit da69a5306ab9 ("selinux: support distinctions among all
network address families") triggers a build error if a new address family
is added without defining a corresponding SELinux security class. As a
result, the smc_socket class was added to the kernel to resolve a build
failure as part of merge commit 3051bf36c25d that introduced AF_SMC circa
Linux 4.11. Define this security class and its access vector, note that it
is enabled as part of the extended_socket_class policy capability, and add
it to the socket_class_set macro.
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov>
policy/flask/access_vectors | 3 +++
policy/flask/security_classes | 1 +
policy/policy_capabilities | 1 +
policy/support/obj_perm_sets.spt | 2 +-
4 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6204e687..7652a313 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1059,3 +1059,6 @@ inherits socket
class qipcrtr_socket
inherits socket
+
+class smc_socket
+inherits socket
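Review bot: the `+class smc_socket` / `+inherits socket` lines declare the class with only the inherited common socket permissions and no class-specific permission block, which mirrors the `class qipcrtr_socket` entry above it; that is sufficient as long as the kernel side defines the same set, so it would help to state in the commit message that the kernel's class definition for smc_socket likewise carries only the common socket permissions, since any class-specific permission added later on the kernel side would need a follow-up block here.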
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18f18fd8..18c4f974 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -182,5 +182,6 @@ class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
+class smc_socket
# FLASK
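Review bot: the `+class smc_socket` line is appended as the last entry before the `# FLASK` end marker, so every existing class keeps its position and only a new tail entry is added; keep it that way, since inserting the class earlier in this file would shift the identifiers assigned to the classes declared after it. The order here (vsock_socket, kcm_socket, qipcrtr_socket, smc_socket) also matches the comment list in policy_capabilities and the declarations in access_vectors, which is worth preserving in future additions.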
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 39e39301..e0ff6e30 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -77,6 +77,7 @@ policycap open_perms;
# vsock_socket
# kcm_socket
# qipcrtr_socket
+# smc_socket
#
# Available in kernel 4.11+.
# Requires libsepol 2.7+ to build policy with this enabled.
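Review bot: this hunk extends only the comment listing the classes covered by the capability, and the `policycap` statement that the commit message says enables smc_socket (extended_socket_class) lies outside the visible context, so the reviewer should confirm separately that it is declared; as shown, the hunk is a documentation-only change. The `# Available in kernel 4.11+.` line stays accurate, because the commit message places AF_SMC and the smc_socket class in the same 4.11 merge, and `# Requires libsepol 2.7+` remains the build-time constraint that anyone enabling this capability needs to know about.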
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 5eb74cd8..938a6cd7 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }')
#
# All socket classes.
#
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}')
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
#
# Datagram socket classes.
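Review bot: besides appending `smc_socket`, the `+define(` line also turns `qipcrtr_socket}')` into `qipcrtr_socket smc_socket }')`, adding a space before the closing brace that the `-` line lacked; that is harmless inside an m4-quoted set but is an unrelated whitespace change, so either mention it in the commit message or leave the brace untouched to keep the diff minimal. Comparing the `-` and `+` lines token by token, the only other difference is the appended class, so nothing was dropped from the set; as a style point, a multi-line layout for this very long define would make future additions reviewable at a glance rather than requiring such a comparison.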
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/support/, policy/flask/
From: Sven Vermeulen @ 2017-05-18 17:03 UTC
To: gentoo-commits
commit: 09879cfc8abb8884cd11fe9ee3125e866190e207