Clean up socket rules.

Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.

Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.

For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table.   Clarification:  read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.

Delete legacy rule for b/12061011.

This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC).  We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.

Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

1 files changed, 0 insertions, 3 deletions

diff --git a/mtp.te b/mtp.te
index 9681daf..320f4af 100644
--- a/mtp.te
+++ b/mtp.te
@@ -7,10 +7,7 @@ init_daemon_domain(mtp)
 net_domain(mtp)
 
 # pptp policy
-allow mtp self:tcp_socket create_socket_perms;
 allow mtp self:socket create_socket_perms;
-allow mtp self:rawip_socket create_socket_perms;
 allow mtp self:capability net_raw;
 allow mtp ppp:process signal;
-allow mtp port:tcp_socket name_connect;
 allow mtp vpn_data_file:dir search;