[selinux-policy: 1681/3172] It was just pointed out to me that the raw IP socket class is missing from the recvfrom MLS constrai
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:30:20 UTC 2010
commit b50f2ee48db7a35aee614ef3102b18d4ae06533e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Mar 9 14:45:19 2007 +0000
It was just pointed out to me that the raw IP socket class is missing from the
recvfrom MLS constraint.
Signed-off-by: Paul Moore
Changelog | 1 +
policy/mls | 2 +-
2 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 4fea4ca..3af8457 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
- Patch for handling restart of nscd when ran from useradd, groupadd, and
admin passwd, from Dan Walsh.
- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
diff --git a/policy/mls b/policy/mls
index 859ebaa..16fbfcb 100644
--- a/policy/mls
+++ b/policy/mls
@@ -183,7 +183,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
( t1 == mlsnetwrite ));
# used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
More information about the scm-commits
mailing list