[selinux-policy: 1639/3172] This modifies the mls constraint for polmatch in the association class. Specifically:
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:26:47 UTC 2010
commit d31d3c159e33505345ba4c52b6c182e35133c477
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Nov 16 13:38:14 2006 +0000
This modifies the mls constraint for polmatch in the association class.
Specifically:
- polmatch need no longer make an exception for unlabeled_t
since a flow will now always match SPD rules with no contexts (per
the IPSec leak fix patch upstreamed a few weeks back), as
opposed to needing polmatch access to unlabeled_t.
Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>
Changelog | 2 ++
policy/mls | 3 +--
2 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/Changelog b/Changelog
index 1bdd76e..5aea1d9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Association polmatch MLS constraint making unlabeled_t an exception
+ is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load
target to only insert modules that were changed.
diff --git a/policy/mls b/policy/mls
index bdca162..859ebaa 100644
--- a/policy/mls
+++ b/policy/mls
@@ -585,8 +585,7 @@ mlsconstrain association { sendto }
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
- ((( l1 dom l2 ) and ( h1 domby h2 )) or
- ( t2 == unlabeled_t ));
+ (( l1 dom l2 ) and ( h1 domby h2 ));
More information about the scm-commits
mailing list