Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev.
diff --git a/global_macros b/global_macros
index 15e09ed..6d71c0c 100644
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
define(`devfile_class_set', `{ chr_file blk_file }')
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
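Review bot: Adding `key_socket` to `socket_class_set` silently widens every existing rule that expands this macro, so any domain with an allow rule over `socket_class_set` gains PF_KEY socket permissions without its own policy file changing. Those rules are not visible in this diff, so it is worth grepping the policy for `socket_class_set` and confirming that each user is meant to reach key sockets, which are the kernel's IPsec key-management interface. If only one domain needs the class, an explicit rule such as `allow <domain> self:key_socket create_socket_perms;` (placeholder domain) keeps the grant narrow. A short comment above the define noting that the set is deliberately "all socket classes" would also help the next person who adds a class.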
diff --git a/system.te b/system.te
index 1457c79..2030af4 100644
--- a/system.te
+++ b/system.te
@@ -72,6 +72,9 @@
# XXX See if we can remove some of these.
allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };
+# Trigger module auto-load.
+allow system kernel:system module_request;
+
# Use netlink uevent sockets.
allow system self:netlink_kobject_uevent_socket *;
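Review bot: The new `allow system kernel:system module_request;` rule has no comment naming the operation that needs it, and it sits directly under a capability list already marked `XXX See if we can remove some of these`. `module_request` lets the domain cause the kernel to auto-load a module on demand, which extends the kernel code reachable from this domain, so the justification belongs next to the rule. I would replace `# Trigger module auto-load.` with something like `# Needed so <operation> can auto-load <module>; revisit if that module is built in.`, filling the placeholders from the denial that motivated the change. The surrounding rule block continues outside the hunk.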
@@ -133,6 +136,7 @@
# Access devices.
allow system device:dir r_dir_perms;
allow system device:chr_file rw_file_perms;
+allow system device:sock_file rw_file_perms;
allow system akm_device:chr_file rw_file_perms;
allow system accelerometer_device:chr_file rw_file_perms;
allow system alarm_device:chr_file rw_file_perms;
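Review bot: `allow system device:sock_file rw_file_perms;` grants on the generic `device` type, so it covers every socket under /dev that has no label of its own rather than the one socket this change is for. Giving that socket a dedicated type in file_contexts and allowing on that type is narrower, e.g. `allow system <socket_type>:sock_file write;` (placeholder type name). Connecting to or sending on a Unix socket normally needs only `write` on the sock_file, so `rw_file_perms` is probably broader than required; its definition is not in this diff, so confirm before trimming. A one-line comment naming the socket and its owning daemon would make the rule auditable later.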