[selinux-policy: 1931/3172] trunk: X application data class from Eamon Walsh and Ted Toth.

[Daniel J Walsh]

commit d923d54c08e7c211e8cac90c12cfed871c15a7c9
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue May 6 14:37:05 2008 +0000

    trunk: X application data class from Eamon Walsh and Ted Toth.

 Changelog                     |    1 +
 policy/flask/access_vectors   |    7 +++++++
 policy/flask/security_classes |    1 +
 policy/mls                    |   12 ++++++++++++
 4 files changed, 21 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 17d4d04..0bf0f0d 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- X application data class from Eamon Walsh and Ted Toth.
 - Move user roles into individual modules.
 - Make hald_log_t a log file.
 - Cryptsetup runs shell scripts.  Patch from Martin Orr.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index b5631e9..2ba6fa5 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -775,3 +775,10 @@ class peer
 {
 	recv
 }
+
+class x_application_data
+{
+	paste
+	paste_after_confirm
+	copy
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 5b758d9..2a03e65 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -114,5 +114,6 @@ class capability2
 class x_resource		# userspace
 class x_event			# userspace
 class x_synthetic_event		# userspace
+class x_application_data	# userspace
 
 # FLASK
diff --git a/policy/mls b/policy/mls
index beed2f8..665c1c6 100644
--- a/policy/mls
+++ b/policy/mls
@@ -568,6 +568,18 @@ mlsconstrain x_event { send }
 	 ( t1 == mlsxwinwrite ));
 
 
+#
+# MLS policy for the x_application_data class
+#
+
+# the x_application_data "paste" ops (explicit single level)
+mlsconstrain x_application_data { paste }
+	( l1 eq l2 );
+
+# the x_application_data "paste_after_confirm" ops (downgrade permitted)
+mlsconstrain x_application_data { paste_after_confirm }
+	( l1 domby l2 );
+
 
 #
 # MLS policy for the pax class