[selinux-policy: 1885/3172] trunk: add mls constraints to dbus.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:47:58 UTC 2010


commit 936f286c16888c91619a58229d3fbf44fd12e23b
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 3 20:37:25 2008 +0000

    trunk: add mls constraints to dbus.

 policy/mls                   |    7 ++++++-
 policy/modules/kernel/mls.if |   41 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |    5 ++++-
 3 files changed, 51 insertions(+), 2 deletions(-)
---
diff --git a/policy/mls b/policy/mls
index 3dbbaaf..5105b17 100644
--- a/policy/mls
+++ b/policy/mls
@@ -570,8 +570,13 @@ mlsconstrain xinput { setattr relabelinput }
 # MLS policy for the dbus class
 #
 
+mlsconstrain dbus { send_msg }
+	(( l1 eq l2 ) or
+	 ( t1 == mlsdbussend ) or
+	 ( t2 == mlsdbusrecv ));
+
 # these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
+# dbus { acquire_svc }
 
 
 
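Review bot: The two exemptions in the new `mlsconstrain dbus { send_msg }` are unconditional and one-sided, and nothing next to the constraint says so. A source type with `mlsdbussend` may send to a peer at any level, and a target type with `mlsdbusrecv` may be sent to from any level, with no further level or range condition. As far as I know a D-Bus reply is checked as its own `send_msg` in the reverse direction, so a domain holding only one attribute may have cross-level calls allowed while the replies are denied; this should be confirmed and written down. I would add a comment above the constraint such as `# send_msg needs equal low levels; mlsdbussend (source) and mlsdbusrecv (target) are full exemptions, and each direction is checked separately`.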
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index eb1945e..a24f121 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -859,3 +859,44 @@ interface(`mls_db_downgrade',`
 
 	typeattribute $1 mlsdbdowngrade;
 ')
+########################################
+## <summary>
+##      Make specified domain MLS trusted
+##      for sending dbus messages to 
+##	all levels.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_send_all_levels',`
+       gen_require(`
+               attribute mlsdbussend;
+       ')
+
+       typeattribute $1 mlsdbussend;
+')
+
+########################################
+## <summary>
+##      Make specified domain MLS trusted
+##      for receiving dbus messages from 
+##	all levels.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_recv_all_levels',`
+       gen_require(`
+               attribute mlsdbusrecv;
+       ')
+
+       typeattribute $1 mlsdbusrecv;
+')
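Review bot: The added interfaces do not follow the layout of the file around them. There is no blank line between the closing `')` of `mls_db_downgrade` (which begins outside this hunk) and the new `########` banner. The bodies are indented with spaces where the context line `typeattribute $1 mlsdbdowngrade;` uses a tab, and the summary lines mix space and tab indentation and carry trailing whitespace after `to` and `from`. Since both interfaces exempt the caller from the dbus MLS constraint, the summaries could say so directly, e.g. `## Exempt the specified domain from the MLS constraint on sending dbus messages.`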
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index a6e5958..b03867c 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.6.0)
+policy_module(mls,1.6.1)
 
 ########################################
 #
@@ -61,3 +61,6 @@ attribute mlsfduse;
 attribute mlsfdshare;
 
 attribute mlstranslate;
+
+attribute mlsdbusrecv;
+attribute mlsdbussend;
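Review bot: Neither `mlsdbusrecv` nor `mlsdbussend` is assigned to any type in the hunks shown. With the constraint in policy/mls active, every dbus `send_msg` between peers whose low levels differ would therefore be denied on an MLS build until callers adopt `mls_dbus_send_all_levels` or `mls_dbus_recv_all_levels`. If the message bus domain or other multi-level services are meant to be exempt, that presumably lands in a separate change and is worth checking before this is deployed. A comment such as `# exemptions from the dbus send_msg MLS constraint` above the two declarations would tie them to their purpose. The declarations also list recv before send, the reverse of the order used in the constraint and the interfaces.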

