Tighten up handling of new classes 1b1d133be5350989cbd6c09e4f000e146f9ab7ae added the process2 class but forgot to suppress SELinux denials associated with these permissions for the su domain. Suppress them. Ensure xdp_socket is in socket_class_set, so the existing dontaudit rule in su.te is relevant. Inspired by https://github.com/SELinuxProject/refpolicy/commit/66a337eec6d7244e44e51936835b4e904f275a02 Add xdp_socket to various other neverallow rules. Test: policy compiles. Change-Id: If5422ecfa0cc864a51dd69559a51d759e078c8e7

commit: a194d3757aae59ac59ee62a3b2a6d60be48b4cbb [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Nov 16 02:48:03 2018 -0800
committer: Nick Kralevich <nnk@google.com> Fri Nov 16 03:10:14 2018 -0800
tree: ae2fc546cba36029173cb604acf253c96835cc45
parent: e00ca14cbbf3256f36d145bf219879833ddccf9b [diff] [blame]
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 1b56c5c..3759488 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -133,5 +133,5 @@
   rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
   ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
-  qipcrtr_socket smc_socket
+  qipcrtr_socket smc_socket xdp_socket
 } create;
commit	a194d3757aae59ac59ee62a3b2a6d60be48b4cbb	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Nov 16 02:48:03 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Fri Nov 16 03:10:14 2018 -0800
tree	ae2fc546cba36029173cb604acf253c96835cc45
parent	e00ca14cbbf3256f36d145bf219879833ddccf9b [diff] [blame]