[selinux-policy: 1634/3172] Christopher J. PeBenito wrote: > We could add another 'or' on the above constraint: > > or ( (t2 ==

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:26:21 UTC 2010


commit f497b8df50e903a88fd42deb18784ee82eb3728d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Nov 1 15:42:22 2006 +0000

    Christopher J. PeBenito wrote:
    > We could add another 'or' on the above constraint:
    >
    > or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
    >
    > I believe that would be the constraint you were looking for.  I don't
    > like the name of that attribute, but I couldn't come up with a better
    > one off the top of my head. :)
    >
    
    Attached is a patch which I've tested against selinux-policy-2.4.2-1
    that implements this additional constraint.  The name is still a bit
    forced, but it works.
    
    -matt <mra at hp dot com>

 Changelog                        |    3 +++
 policy/mls                       |    1 +
 policy/modules/kernel/devices.te |    3 ++-
 policy/modules/kernel/mls.if     |   21 +++++++++++++++++++++
 policy/modules/kernel/mls.te     |    3 ++-
 5 files changed, 29 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index 9552a2a..d363eac 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Patch from Matt Anderson for a MLS constraint exemption on a
+  file that can be written to from a subject whose range is
+  within the object's range.
 - Enhanced setransd support from Darrel Goeddel.
 - Patches from Dan Walsh:
 	Tue, 24 Oct 2006
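Review bot: the entry describes the exempted object as "a file", but the only type given the exemption in this patch is `printer_device_t`, a device node; "a file or device node" would describe the change more precisely, and naming the new interface `mls_file_write_within_range` in the entry would help anyone searching the Changelog for it later.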
diff --git a/policy/mls b/policy/mls
index 021a4ff..8ab1332 100644
--- a/policy/mls
+++ b/policy/mls
@@ -89,6 +89,7 @@ mlsconstrain dir search
 mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
 
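Review bot: `dom` and `domby` in the new clause are inclusive, so a subject whose low or high level equals the object's corresponding level also satisfies `( l1 dom l2 ) and ( h1 domby h2 )`; that is fine, but the interface summary in the mls.if hunk calls the relationship a "proper subset", and the two should agree. Worth spelling out somewhere in the documentation that the exemption is not limited to `write`: the clause is added to the whole constraint, so a subject in range is also released from the MLS check for `create setattr relabelfrom append unlink link rename mounton` on any type carrying `mlsfilewriteinrange`, subject to the normal type enforcement rules.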
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 693ae0e..d669577 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices,1.2.1)
+policy_module(devices,1.2.2)
 
 ########################################
 #
@@ -119,6 +119,7 @@ dev_node(power_device_t)
 
 type printer_device_t;
 dev_node(printer_device_t)
+mls_file_write_within_range(printer_device_t)
 
 #
 # random_device_t is the type of /dev/random
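Review bot: this is the only caller of the new interface, and it is applied to an object type, which is correct for an attribute tested on `t2` but does not match the interface's `<param name="domain">` wording in the mls.if hunk. The practical effect also depends on the MLS range the printer device node is actually labeled with, which this patch does not set: if the node sits at a single level, the new clause adds nothing beyond the existing `( l1 eq l2 )` case, so the node's range should be confirmed as part of this change.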
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index d8de57e..769ef1f 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -93,6 +93,27 @@ interface(`mls_file_downgrade',`
 
 ########################################
 ## <summary>
+##	Make specified domain trusted to
+##	be written to within its MLS range.
+##	The subject's MLS range must be a
+##	proper subset of the object's MLS range.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_file_write_within_range',`
+	gen_require(`
+		attribute mlsfilewriteinrange;
+	')
+
+	typeattribute $1 mlsfilewriteinrange;
+')
+
+########################################
+## <summary>
 ##	Make specified domain MLS trusted
 ##	for reading from sockets at any level.
 ## </summary>
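Review bot: the parameter is documented as a domain ("Make specified domain trusted to be written to", `<param name="domain">`, "Domain allowed access."), but the attribute is matched against `t2`, the object type, and the only caller passes `printer_device_t`; rename the parameter to `type` and word the summary around the object, e.g. "Make the specified type writable by subjects whose MLS range lies within the type's MLS range." Also, "proper subset" overstates the constraint: `dom`/`domby` are inclusive, so a subject whose range equals the object's also qualifies (that case is already covered by `( l1 eq l2 )`); "within" or "contained in" is more accurate.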
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 5254f32..01c6740 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.4.1)
+policy_module(mls,1.4.2)
 
 ########################################
 #
@@ -10,6 +10,7 @@ attribute mlsfileread;
 attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
+attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
 

