Security context of tcp_socket
I have a fundamental doubt regarding SELinux security contexts associated
with objects in the system.
Let's take the following rules for example:

1. allow dhcpd_t self:tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
2. allow dhcpd_t node_type:{ tcp_socket udp_socket } node_bind;
3. allow dhcpd_t port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
According to the first rule dhcpd can create a tcp_socket and then
perform various operations on it. I assume that the object thus created, of
the tcp_socket class, will inherit the type dhcpd_t (since there is no
parent directory for a socket).
Now rules 2 and 3 allow dhcpd to have the node_bind permission and to send/receive
messages over a tcp_socket object, provided it has a type with the
attribute node_type or port_type respectively.
The object in question, of class tcp_socket, has type dhcpd_t (assumed
above), which has neither the port_type nor the node_type attribute.
How do rules 2 and 3 then take effect (these are taken from the targeted
policy)?
Thanks and regards,
Gaurav
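The point the question turns on is which object's label the kernel uses as the target of each check: the socket permissions in rule 1 are checked against the socket itself (labeled with the creating process's type), node_bind is checked against the label of the node (address) being bound, and send_msg/recv_msg are checked against the label of the port. The following toy type-enforcement matcher, added here as an illustration rather than code from the SELinux project or from the original message, transcribes the three quoted rules and walks through those checks. The labels node_t and dhcpd_port_t are assumed sample types in reference-policy style; all that matters is that they carry the node_type and port_type attributes.

```python
"""Toy model of SELinux type-enforcement (TE) lookups, used here to walk
through the three dhcpd_t rules quoted in the post.  Added example, not
code from the SELinux project or from the original message."""

from dataclasses import dataclass

# Type -> attributes it carries.  node_t and dhcpd_port_t are assumed
# sample labels in the style of the reference policy; the point is only
# that they carry node_type and port_type respectively.
TYPE_ATTRIBUTES = {
    "dhcpd_t": set(),
    "node_t": {"node_type"},
    "dhcpd_port_t": {"port_type"},
    "http_port_t": {"port_type"},
}


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str          # a type, an attribute, or the keyword "self"
    classes: frozenset
    perms: frozenset


def _target_matches(rule, source_type, target_type):
    # "self" means the target carries the same type as the source.
    if rule.target == "self":
        return source_type == target_type
    if rule.target == target_type:
        return True
    # An attribute in target position matches every type carrying it.
    return rule.target in TYPE_ATTRIBUTES.get(target_type, set())


def is_allowed(rules, source_type, target_type, obj_class, perm):
    """True if some allow rule grants `perm` on an object of `obj_class`
    labeled `target_type` to a subject labeled `source_type`.  TE rules
    are additive, so a single matching rule is enough."""
    return any(
        rule.source == source_type
        and obj_class in rule.classes
        and perm in rule.perms
        and _target_matches(rule, source_type, target_type)
        for rule in rules
    )


# The three rules from the post, transcribed as data.
POLICY = [
    AllowRule("dhcpd_t", "self", frozenset({"tcp_socket"}),
              frozenset("create ioctl read getattr write setattr append bind "
                        "connect getopt setopt shutdown listen accept".split())),
    AllowRule("dhcpd_t", "node_type", frozenset({"tcp_socket", "udp_socket"}),
              frozenset({"node_bind"})),
    AllowRule("dhcpd_t", "port_type", frozenset({"tcp_socket", "udp_socket"}),
              frozenset({"send_msg", "recv_msg"})),
]


def socket_creation_label(process_type):
    # With no type_transition rule for sockets, a new socket is labeled
    # with the type of the process that created it.
    return process_type


def check_dhcpd_listen(node_type="node_t", port_type="dhcpd_port_t"):
    """Walk the checks made when dhcpd_t creates, binds and uses a TCP
    socket.  Each entry maps a permission to the label used as the
    *target* of that check and whether the policy above allows it.
    Socket permissions target the socket; node_bind targets the node
    (address) label; send_msg/recv_msg target the port label."""
    sock = socket_creation_label("dhcpd_t")
    checks = [
        ("create", sock),
        ("bind", sock),
        ("node_bind", node_type),
        ("listen", sock),
        ("send_msg", port_type),
        ("recv_msg", port_type),
    ]
    return {
        perm: (target, is_allowed(POLICY, "dhcpd_t", target, "tcp_socket", perm))
        for perm, target in checks
    }


if __name__ == "__main__":
    for perm, (target, ok) in check_dhcpd_listen().items():
        print(f"{perm:10} target={target:13} {'allowed' if ok else 'DENIED'}")
    # What the post assumed: send_msg checked against the socket's own label.
    print("send_msg with the socket as target:",
          is_allowed(POLICY, "dhcpd_t", "dhcpd_t", "tcp_socket", "send_msg"))
```

Running it shows every check in check_dhcpd_listen() passing, while the final line prints False: if send_msg were checked with the socket's own dhcpd_t label as the target, rule 3 could never match, which is exactly why the kernel uses the port's label there. The same applies to node_bind and the node label. In a real system those labels come from the policy's node and port declarations (a port without a specific declaration falls into a default port type that still carries port_type), which is what makes the attribute-based rules 2 and 3 effective.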
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
This mailing list archive is a service of Copilot Consulting.