From b50f2ee48db7a35aee614ef3102b18d4ae06533e Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mar 09 2007 14:45:19 +0000
Subject: It was just pointed out to me that the raw IP socket class is missing from the recvfrom MLS constraint.
Signed-off-by: Paul Moore
---
diff --git a/Changelog b/Changelog
index 4fea4ca..3af8457 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
 - Patch for handling restart of nscd when ran from useradd, groupadd, and admin passwd, from Dan Walsh.
 - Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
diff --git a/policy/mls b/policy/mls
index 859ebaa..16fbfcb 100644
--- a/policy/mls
+++ b/policy/mls
@@ -183,7 +183,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 ( t1 == mlsnetwrite ));
 # used by netlabel to restrict normal domains to same level connections
-mlsconstrain { tcp_socket udp_socket } recvfrom
+mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 (( l1 eq l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread ));
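Review bot: The class list in `mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom` is still maintained by hand, and the comment above it does not say which classes have to appear; a class missing from the braces is simply not covered by this constraint, which is the gap the commit closes for raw IP sockets. I would extend the comment to something like `# every socket class that can receive NetLabel-labeled packets must be listed here; a class left out is not restricted by this constraint`. Whether any of the other classes named in the preceding constraint (its list is cut off in the hunk header) also needs recvfrom coverage cannot be judged from this hunk and should be confirmed against where the kernel performs the recvfrom check.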