diff options
| author |   Chris PeBenito <chpebeni@linux.microsoft.com> | 2022-06-20 14:50:20 -0400 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2022-09-03 11:41:55 -0700 |
| commit | 712733031648611660a45cf614edc3c5e1253c0a (patch) | |
| tree | 0dd84f14883ff3ad5fc8b4ca6691c01c11fe70a9 | |
| parent | mcs: Collapse constraints. (diff) | |
| download | hardened-refpolicy-712733031648611660a45cf614edc3c5e1253c0a.tar.gz hardened-refpolicy-712733031648611660a45cf614edc3c5e1253c0a.tar.bz2 hardened-refpolicy-712733031648611660a45cf614edc3c5e1253c0a.zip | |
mcs: Add additional socket constraints.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
| -rw-r--r-- | policy/mcs | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/policy/mcs b/policy/mcs index af880058c..039ed224b 100644 --- a/policy/mcs +++ b/policy/mcs @@ -86,9 +86,21 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain stream_socket_class_set { listen accept } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain unix_stream_socket connectto + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +mlsconstrain unix_dgram_socket sendto + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + mlsconstrain key { create link read search setattr view write } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |