[selinux-policy: 1277/3172] additional mls interfaces from chad hanson.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:55:28 UTC 2010


commit 405efe16370c6fe848c11f584992c1daba7405ae
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Mar 15 16:27:39 2006 +0000

    additional mls interfaces from chad hanson.

 refpolicy/Changelog                    |    1 +
 refpolicy/policy/modules/kernel/mls.if |  211 ++++++++++++++++++++++++++++++--
 2 files changed, 203 insertions(+), 9 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7566bba..5f21f0f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Additional MLS interfaces from Chad Hanson.
 - Move some rules out of domain_type() and domain_base_type()
   to the TE file, to use the domain attribute to take advantage
   of space savings from attribute use.
diff --git a/refpolicy/policy/modules/kernel/mls.if b/refpolicy/policy/modules/kernel/mls.if
index 850ae8e..3b38c83 100644
--- a/refpolicy/policy/modules/kernel/mls.if
+++ b/refpolicy/policy/modules/kernel/mls.if
@@ -18,7 +18,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -37,7 +37,7 @@ interface(`mls_file_read_up',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -56,7 +56,7 @@ interface(`mls_file_write_down',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -75,7 +75,7 @@ interface(`mls_file_upgrade',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -89,13 +89,131 @@ interface(`mls_file_downgrade',`
 
 ########################################
 ## <summary>
+##	Make specified domain MLS trusted
+##	for reading from sockets at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_read_all_levels',`
+	gen_require(`
+		attribute mlsnetread;
+	')
+
+	typeattribute $1 mlsnetread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from sockets at any level
+##	that is dominated by the process clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_read_to_clearance',`
+	gen_require(`
+		attribute mlsnetreadtoclr;
+	')
+
+	typeattribute $1 mlsnetreadtoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to sockets at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_socket_write_all_levels',`
+	gen_require(`
+		attribute mlsnetwrite;
+	')
+
+	typeattribute $1 mlsnetwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for receiving network data from 
+##	network interfaces or hosts at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_net_receive_all_levels',`
+	gen_require(`
+		attribute mlsnetrecvall;
+	')
+
+	typeattribute $1 mlsnetrecvall;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from System V IPC objects
+##	at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_sysvipc_read_all_levels',`
+	gen_require(`
+		attribute mlsipcread;
+	')
+
+	typeattribute $1 mlsipcread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to System V IPC objects
+##	at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_sysvipc_write_all_levels',`
+	gen_require(`
+		attribute mlsipcwrite;
+	')
+
+	typeattribute $1 mlsipcwrite;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to do a MLS
 ##	range transition that changes
 ##	the current level.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
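Review bot: The six interfaces added in this hunk each `gen_require` an attribute (`mlsnetread`, `mlsnetreadtoclr`, `mlsnetwrite`, `mlsnetrecvall`, `mlsipcread`, `mlsipcwrite`), but the diffstat lists only Changelog and mls.if, so nothing in this commit declares those attributes or ties them to an MLS constraint. If mls.te and the constraint definitions do not already carry them, a caller either fails at `gen_require` or builds with an attribute that exempts nothing, so this should be confirmed before the interfaces are used. The same applies to the four `mlsxwin*` attributes required in the last hunk. Separately, the summary line `for receiving network data from ` in `mls_net_receive_all_levels` ends with trailing whitespace.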
@@ -115,7 +233,7 @@ interface(`mls_rangetrans_source',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -134,7 +252,7 @@ interface(`mls_rangetrans_target',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -153,7 +271,7 @@ interface(`mls_process_read_up',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -173,7 +291,7 @@ interface(`mls_process_write_down',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -185,6 +303,81 @@ interface(`mls_process_set_level',`
 	typeattribute $1 mlsprocsetsl;
 ')
 
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from X objects at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_xwin_read_all_levels',`
+	gen_require(`
+		attribute mlsxwinread;
+	')
+
+	typeattribute $1 mlsxwinread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to X objects at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_xwin_write_all_levels',`
+	gen_require(`
+		attribute mlsxwinwrite;
+	')
+
+	typeattribute $1 mlsxwinwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from X colormaps at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_colormap_read_all_levels',`
+	gen_require(`
+		attribute mlsxwinreadcolormap;
+	')
+
+	typeattribute $1 mlsxwinreadcolormap;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to X colormaps at any level.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_colormap_write_all_levels',`
+	gen_require(`
+		attribute mlsxwinwritecolormap;
+	')
+
+	typeattribute $1 mlsxwinwritecolormap;
+')
 
 ########################################
 ## <summary>
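Review bot: The summaries of the four X interfaces say only "MLS trusted", which does not tell a policy writer that the attribute is presumably an exemption from the MLS constraint; for `mls_xwin_write_all_levels` and `mls_colormap_write_all_levels` that would include writing to a lower level. Each interface body only assigns the attribute with `typeattribute $1 ...` and grants no allow rules, which the docs could state, for example `##	Exempts the domain from the MLS constraint only; grants no access by itself.` The `*_all_levels` interfaces in the earlier socket and System V IPC hunk would benefit from the same line. As a naming point, `mls_colormap_read_all_levels` and `mls_colormap_write_all_levels` drop the `xwin` prefix that their attributes (`mlsxwinreadcolormap`, `mlsxwinwritecolormap`) and the sibling `mls_xwin_*` interfaces carry.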

