Skip to content
Snippets Groups Projects
Commit 39fd7818 authored by Stephen Smalley's avatar Stephen Smalley Committed by Nick Kralevich
Browse files

Remove domain init:unix_stream_socket connectto permission. 


We do not want to permit connecting to arbitrary unconfined services
left running in the init domain.  I do not know how this was originally
triggered and thus cannot test that it is fixed.  Possible causes:
- another service was left running in init domain, e.g. dumpstate,
- there was a socket entry for the service in the init.rc file
and the service was launched via logwrapper and therefore init did
not know how to label the socket.

The former should be fixed.  The latter can be solved either by
removing use of logwrapper or by specifying the socket context
explicitly in the init.rc file now.

Change-Id: I09ececaaaea2ccafb7637ca08707566c1155a298
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent aef4a469
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 0 additions and 3 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment