[selinux-policy: 2642/3172] Add trusted object condition to unix socket connectto/sendto, to fix label translation.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:54:55 UTC 2010


commit 3b72786090864870e3ddae25d98e8f15ac2836a5
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Apr 29 11:29:39 2010 -0400

    Add trusted object condition to unix socket connectto/sendto, to fix label translation.

 policy/mls |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
---
diff --git a/policy/mls b/policy/mls
index 4c8a421..b9f0a3e 100644
--- a/policy/mls
+++ b/policy/mls
@@ -208,13 +208,15 @@ mlsconstrain unix_stream_socket connectto
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
+	 ( t1 == mlsnetwrite ) or
+	 ( t2 == mlstrustedobject ));
 
 mlsconstrain unix_dgram_socket sendto
 	(( l1 eq l2 ) or 
 	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 ( t1 == mlsnetwrite ));
+	 ( t1 == mlsnetwrite ) or
+	 ( t2 == mlstrustedobject ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
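Review bot: The added `( t2 == mlstrustedobject )` branch in both the connectto and sendto constraints carries no level comparison, so any target whose type holds the mlstrustedobject attribute becomes reachable from every sensitivity level, including senders whose level dominates the target's, and nothing in the file says why that is acceptable. Going by the commit message the intended peer is the label translation service, but the attribute is presumably assigned to other types as well, each of which now has to do its own level handling on these sockets; that set is worth auditing before this ships. I would record the assumption above each constraint, for example `# trusted objects accept connections from any level and must enforce MLS on the data themselves (needed for label translation)`. The opening line of the unix_stream_socket constraint sits in the hunk header, outside the visible body.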

