[selinux-policy: 1277/3172] additional mls interfaces from chad hanson.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:55:28 UTC 2010
commit 405efe16370c6fe848c11f584992c1daba7405ae
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Mar 15 16:27:39 2006 +0000
additional mls interfaces from chad hanson.
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/mls.if | 211 ++++++++++++++++++++++++++++++--
2 files changed, 203 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7566bba..5f21f0f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Additional MLS interfaces from Chad Hanson.
- Move some rules out of domain_type() and domain_base_type()
to the TE file, to use the domain attribute to take advantage
of space savings from attribute use.
diff --git a/refpolicy/policy/modules/kernel/mls.if b/refpolicy/policy/modules/kernel/mls.if
index 850ae8e..3b38c83 100644
--- a/refpolicy/policy/modules/kernel/mls.if
+++ b/refpolicy/policy/modules/kernel/mls.if
@@ -18,7 +18,7 @@
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -37,7 +37,7 @@ interface(`mls_file_read_up',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -56,7 +56,7 @@ interface(`mls_file_write_down',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -75,7 +75,7 @@ interface(`mls_file_upgrade',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -89,13 +89,131 @@ interface(`mls_file_downgrade',`
########################################
## <summary>
+## Make specified domain MLS trusted
+## for reading from sockets at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_socket_read_all_levels',`
+ gen_require(`
+ attribute mlsnetread;
+ ')
+
+ typeattribute $1 mlsnetread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from sockets at any level
+## that is dominated by the process clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_socket_read_to_clearance',`
+ gen_require(`
+ attribute mlsnetreadtoclr;
+ ')
+
+ typeattribute $1 mlsnetreadtoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_socket_write_all_levels',`
+ gen_require(`
+ attribute mlsnetwrite;
+ ')
+
+ typeattribute $1 mlsnetwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for receiving network data from
+## network interfaces or hosts at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_net_receive_all_levels',`
+ gen_require(`
+ attribute mlsnetrecvall;
+ ')
+
+ typeattribute $1 mlsnetrecvall;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from System V IPC objects
+## at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_sysvipc_read_all_levels',`
+ gen_require(`
+ attribute mlsipcread;
+ ')
+
+ typeattribute $1 mlsipcread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to System V IPC objects
+## at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_sysvipc_write_all_levels',`
+ gen_require(`
+ attribute mlsipcwrite;
+ ')
+
+ typeattribute $1 mlsipcwrite;
+')
+
+########################################
+## <summary>
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -115,7 +233,7 @@ interface(`mls_rangetrans_source',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -134,7 +252,7 @@ interface(`mls_rangetrans_target',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -153,7 +271,7 @@ interface(`mls_process_read_up',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -173,7 +291,7 @@ interface(`mls_process_write_down',`
## </summary>
## <param name="domain">
## <summary>
-## The type of the process performing this action.
+## Domain allowed access.
## </summary>
## </param>
#
@@ -185,6 +303,81 @@ interface(`mls_process_set_level',`
typeattribute $1 mlsprocsetsl;
')
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from X objects at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_xwin_read_all_levels',`
+ gen_require(`
+ attribute mlsxwinread;
+ ')
+
+ typeattribute $1 mlsxwinread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to X objects at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_xwin_write_all_levels',`
+ gen_require(`
+ attribute mlsxwinwrite;
+ ')
+
+ typeattribute $1 mlsxwinwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from X colormaps at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_colormap_read_all_levels',`
+ gen_require(`
+ attribute mlsxwinreadcolormap;
+ ')
+
+ typeattribute $1 mlsxwinreadcolormap;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to X colormaps at any level.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_colormap_write_all_levels',`
+ gen_require(`
+ attribute mlsxwinwritecolormap;
+ ')
+
+ typeattribute $1 mlsxwinwritecolormap;
+')
########################################
## <summary>
More information about the scm-commits
mailing list