[selinux-policy: 1629/3172] enhanced setransd support from darrel goeddel
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:25:56 UTC 2010
commit a8671ae5b25b52d9015cb02067faf7ca0aa8387f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Oct 20 14:44:23 2006 +0000
enhanced setransd support from darrel goeddel
Changelog | 2 ++
policy/flask/access_vectors | 6 ++++++
policy/flask/security_classes | 2 ++
policy/mls | 9 +++++++++
policy/modules/kernel/mls.if | 19 +++++++++++++++++++
policy/modules/kernel/mls.te | 4 +++-
policy/modules/system/selinuxutil.fc | 7 ++++---
policy/modules/system/selinuxutil.te | 2 +-
policy/modules/system/setrans.if | 1 +
policy/modules/system/setrans.te | 3 ++-
10 files changed, 49 insertions(+), 6 deletions(-)
---
diff --git a/Changelog b/Changelog
index a60226a..59d75cc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Enhanced setransd support from Darrel Goeddel.
+
* Wed Oct 18 2006 Chris PeBenito <selinux at tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0ad632b..641dcd2 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -253,6 +253,7 @@ class process
execstack
execheap
setkeycreate
+ setsockcreate
}
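Review bot: The new `setsockcreate` permission on class process is not referenced by any rule elsewhere in this commit and is not mentioned in the Changelog entry, which names only the setransd work, so a reader of this commit cannot tell why it was added. Appending it at the end of the class keeps the bit assignments of the existing process permissions stable, which is the right placement. It would help to list it in the Changelog line, e.g. `- Enhanced setransd support from Darrel Goeddel; add process setsockcreate permission.`, or to give it its own commit.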
@@ -630,3 +631,8 @@ class key
setattr
create
}
+
+class context
+{
+ translate
+}
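Review bot: The new `context` class and its single `translate` permission carry no comment in access_vectors, although security_classes marks the class as `# userspace` in this same commit; a mirroring comment here, `class context # userspace class, presumably checked by setransd rather than the kernel`, would tell a reader that the kernel never enforces this vector and that its effect depends entirely on the daemon performing the access check. Appending the class after `key` keeps the indices of the existing classes unchanged.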
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 57f49bc..53c0cf1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -93,4 +93,6 @@ class packet
# Kernel access key retention
class key
+class context # userspace
+
# FLASK
diff --git a/policy/mls b/policy/mls
index 26b3ef0..021a4ff 100644
--- a/policy/mls
+++ b/policy/mls
@@ -587,4 +587,13 @@ mlsconstrain association { polmatch }
((( l1 dom l2 ) and ( h1 domby h2 )) or
( t2 == unlabeled_t ));
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+ (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
') dnl end enable_mls
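Review bot: The constraint `(( h1 dom h2 ) or ( t1 == mlstranslate ))` compares only the high (clearance) levels, so a process whose current level is low but whose clearance is high may translate a context up to its clearance, and the low levels play no part; if that is intended, the block comment should say so, e.g. `# a domain may translate contexts whose clearance it dominates; domains with the mlstranslate attribute may translate any context`. The `mlstranslate` attribute is declared in mls.te in this same commit, so the constraint does not reference an undefined attribute. The hunk adds two blank lines before the comment block where one would match the surrounding sections, if those use a single separator.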
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 5ca509e..d8de57e 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -451,3 +451,22 @@ interface(`mls_fd_share_all_levels',`
typeattribute $1 mlsfdshare;
')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_context_translate_all_levels',`
+ gen_require(`
+ attribute mlstranslate;
+ ')
+
+ typeattribute $1 mlstranslate;
+')
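Review bot: No domain in this commit calls `mls_context_translate_all_levels`, so the `mlstranslate` attribute declared in mls.te stays empty and the `t1 == mlstranslate` escape in the new constraint is unreachable until a later change uses the interface; the commit or the Changelog should say which domain is expected to receive it. The interface itself follows the file's pattern (gen_require of the attribute, then typeattribute) and its XML summary is complete.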
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 591247e..5254f32 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.4.0)
+policy_module(mls,1.4.1)
########################################
#
@@ -49,3 +49,5 @@ attribute mlsrangetrans;
attribute mlsfduse;
attribute mlsfdshare;
+
+attribute mlstranslate;
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8cb0707..abd65da 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -7,10 +7,11 @@
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
#
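Review bot: `setrans\.conf` is labeled `selinux_config_t` at `mls_systemhigh`, so only a domain with read access to selinux_config_t and with MLS read-up (setrans_t gets `mls_file_read_up` in setrans.te) can load it; the selinux_config_t read rule for setrans_t is not visible in this diff, so confirm it exists, otherwise the daemon will be unable to open its own configuration. The label matches the neighbouring `seusers` entry, which is consistent. The other changed lines in the hunk only realign whitespace.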
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ceeaec7..99ab117 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.3.0)
+policy_module(selinuxutil,1.3.1)
ifdef(`strict_policy',`
gen_require(`
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 9547503..8c1c7ce 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -17,6 +17,7 @@ interface(`setrans_translate_context',`
allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 setrans_t:context translate;
allow $1 setrans_t:unix_stream_socket connectto;
allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
allow $1 setrans_var_run_t:sock_file rw_file_perms;
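Review bot: `allow $1 setrans_t:context translate;` makes setrans_t the target type of the translate check, which the new `mlsconstrain context translate (( h1 dom h2 ) ...)` in policy/mls then refines; whether the MLS range on the target side is that of the context being translated or setrans_t's own range is not visible here. If the daemon checks against its own context, which is system high after `mls_rangetrans_target`, the `h1 dom h2` branch would be satisfied only by system-high clients and every other caller would depend on mlstranslate, so this is worth confirming against setransd and recording, e.g. `# setransd checks client -> setrans_t with the range of the requested context for context:translate`. The enclosing interface setrans_translate_context starts before and ends after this hunk.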
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 7f5f701..49da6d2 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
-policy_module(setrans,1.1.0)
+policy_module(setrans,1.1.1)
########################################
#
@@ -57,6 +57,7 @@ mls_file_read_up(setrans_t)
mls_file_write_down(setrans_t)
mls_net_receive_all_levels(setrans_t)
mls_rangetrans_target(setrans_t)
+mls_socket_write_all_levels(setrans_t)
selinux_compute_access_vector(setrans_t)
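Review bot: `mls_socket_write_all_levels(setrans_t)` widens the daemon's MLS overrides on top of the existing read-up, write-down and net-receive-all-levels calls, and nothing in the hunk says why; a grouping comment above the run, `# setransd presumably serves clients at every level over its unix socket`, would record the reason and make later audits of setrans_t's MLS trust easier. The call follows the mls_* naming and ordering used by the neighbouring lines.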