[selinux-policy: 1484/3172] more packets

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:13:37 UTC 2010


commit 72fcec8c66b7ba3ed0ffbb7f1071653ef0652fab
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri May 26 19:04:18 2006 +0000

    more packets

 refpolicy/policy/modules/kernel/kernel.te  |   21 +++++++++++----------
 refpolicy/policy/modules/services/samba.te |    7 +++----
 2 files changed, 14 insertions(+), 14 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 04de822..0ec50e2 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -161,13 +161,7 @@ sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 # kernel local policy
 #
 
-# Use capabilities. need to investigate which capabilities are actually used
 allow kernel_t self:capability *;
-
-# Other possible mount points for the root fs are in files
-allow kernel_t unlabeled_t:dir mounton;
-
-# old general_domain_access()
 allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
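Review bot: The removed comment on the `allow kernel_t self:capability *;` line is the only place that recorded that the full capability set has not been audited, and the rule itself survives unchanged, so the hunk drops the caveat while keeping the blanket grant. Since kernel_t with every capability is the broadest rule in this module, it is worth leaving a short marker so a later reader does not take the wildcard for a deliberate, reviewed choice, e.g. `# TODO: audit which capabilities the kernel domain actually needs; * is a placeholder`. The `mounton` rule removed here reappears in the next hunk, so that part is a pure move and needs nothing.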
@@ -181,20 +175,27 @@ allow kernel_t self:fifo_file rw_file_perms;
 allow kernel_t self:sock_file r_file_perms;
 allow kernel_t self:fd use;
 
-# old general_proc_read_access():
 allow kernel_t proc_t:dir r_dir_perms;
 allow kernel_t proc_t:{ lnk_file file } r_file_perms;
+
 allow kernel_t proc_net_t:dir r_dir_perms;
 allow kernel_t proc_net_t:file r_file_perms;
+
 allow kernel_t proc_mdstat_t:file r_file_perms;
+
 allow kernel_t proc_kcore_t:file getattr;
+
 allow kernel_t proc_kmsg_t:file getattr;
-allow kernel_t sysctl_t:dir r_dir_perms;
+
 allow kernel_t sysctl_kernel_t:dir r_dir_perms;
 allow kernel_t sysctl_kernel_t:file r_file_perms;
+allow kernel_t sysctl_t:dir r_dir_perms;
 
-# cjp: this seems questionable
-allow kernel_t unlabeled_t:fifo_file rw_file_perms;
+# Other possible mount points for the root fs are in files
+allow kernel_t unlabeled_t:dir mounton;
+# Kernel-generated traffic e.g., TCP resets on
+# connections with invalidated labels:
+allow kernel_t unlabeled_t:packet send;
 
 corenet_non_ipsec_sendrecv(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
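Review bot: The comment above the new `allow kernel_t unlabeled_t:packet send;` line describes the motivating case (TCP resets on connections whose labels were invalidated), but the rule is class-wide: SELinux packet permissions cannot be scoped to a packet type, so this grants kernel_t send on every unlabeled_t packet, not just RSTs. A reader comparing it with the adjacent `corenet_non_ipsec_sendrecv(kernel_t)` may wonder why only send and not recv is granted here; if that asymmetry is intentional it should say so. Suggest widening the comment to `# Kernel-generated traffic, e.g. TCP resets on connections with invalidated labels; the rule covers all unlabeled packets the kernel sends (recv is deliberately not granted)` — the "deliberately" part is my inference from the hunk and should be confirmed by the author.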
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 3f59ac4..256153b 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -376,18 +376,17 @@ kernel_read_network_state(nmbd_t)
 kernel_read_software_raid_state(nmbd_t)
 kernel_read_system_state(nmbd_t)
 
+corenet_non_ipsec_sendrecv(nmbd_t)
 corenet_tcp_sendrecv_all_if(nmbd_t)
 corenet_udp_sendrecv_all_if(nmbd_t)
-corenet_raw_sendrecv_all_if(nmbd_t)
 corenet_tcp_sendrecv_all_nodes(nmbd_t)
 corenet_udp_sendrecv_all_nodes(nmbd_t)
-corenet_raw_sendrecv_all_nodes(nmbd_t)
 corenet_tcp_sendrecv_all_ports(nmbd_t)
 corenet_udp_sendrecv_all_ports(nmbd_t)
-corenet_non_ipsec_sendrecv(nmbd_t)
-corenet_tcp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_all_nodes(nmbd_t)
 corenet_udp_bind_nmbd_port(nmbd_t)
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
 
 dev_read_sysfs(nmbd_t)
 dev_getattr_mtrr_dev(nmbd_t)
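Review bot: After this hunk nmbd_t no longer binds any TCP port (`corenet_tcp_bind_all_nodes` is removed and only `corenet_udp_bind_nmbd_port` remains), and the new packet rules `corenet_sendrecv_nmbd_server_packets`/`corenet_sendrecv_nmbd_client_packets` are nmbd-specific, yet the three `corenet_tcp_sendrecv_all_*` lines are kept, which leaves nmbd_t with TCP send/receive on all interfaces, nodes and ports. From the hunk alone it is not clear whether nmbd still has any TCP use; if it does not, those three lines look like a leftover from the same broad template the raw rules came from and could go, and if it does, a one-line comment naming the TCP use would stop the next reviewer from asking the same question. Either way the tightening here is only partial relative to what the nmbd port rules now express.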

