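policy_module(mls,1.1.2)

########################################
#
# Declarations
#

# MLS/MCS override attributes.
#
# None of these attributes grants an access vector on its own. A domain
# that carries one is exempted from the matching MLS/MCS dominance
# constraint, which is defined outside this file in the base policy's
# constraint definitions. Each attribute is therefore a privilege: it lets
# the domain cross sensitivity levels that the constraints would otherwise
# deny, so it should be assigned only to domains that genuinely must cross
# levels, and every assignment is worth auditing.
#
# Naming convention, by object family (file, net, ipc, proc, xwin):
#   *read         - read objects regardless of the domain's current level
#   *readtoclr    - read up only as far as the domain's clearance
#                   (the high end of its range)
#   *write        - write objects at any level
#   *writetoclr   - write up only as far as the domain's clearance
#   *upgrade      - relabel an object to a higher level
#   *downgrade    - relabel an object to a lower level
# NOTE(review): the per-attribute meanings above are the conventional
# reference-policy reading of these names; confirm them against the
# constraint definitions that actually consume each attribute.

# File objects.
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;

# Network objects (sockets, packets, nodes, interfaces).
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
# presumably: receive network data at any level regardless of the
# domain's range - confirm against the net constraints.
attribute mlsnetrecvall;

# IPC objects (SysV IPC, pipes and similar).
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;

# Process objects.
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
# presumably: permitted to set the security level of processes (its own
# or others') - confirm against the process constraints.
attribute mlsprocsetsl;

# X Window objects. Property, colormap and xinput are separate object
# classes and so get their own override attributes.
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinreadproperty;
attribute mlsxwinwriteproperty;
attribute mlsxwinreadcolormap;
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;

# Applied to object types rather than domains. Objects of a type carrying
# this attribute are, by convention, exempted from the MLS constraints so
# that subjects at different levels can share them. Every such type is a
# potential cross-level channel, so keep the set small and reviewed.
attribute mlstrustedobject;

# Range-transition attributes. Presumably privrangetrans marks domains
# that may change their MLS range across a transition and mlsrangetrans
# marks the targets allowed to receive one - confirm against the
# process-transition constraints.
attribute privrangetrans;
attribute mlsrangetrans;

########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#
# The types below belong to other modules; they are redeclared here only
# so that the range_transition rules that follow can name them. Keep this
# list in sync with the owning modules, and drop it once range_transition
# is allowed in loadable modules.
#
# NOTE(review): kernel_t is used in the rules below but is not redeclared
# here; presumably it is already visible because its declaring module is
# part of the base policy - confirm.

type crond_exec_t;
type cupsd_exec_t;
type getty_t;
type init_t;
type init_exec_t;
type initrc_t;
type initrc_exec_t;
type login_exec_t;
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;
type xdm_exec_t;

# MCS: every listed transition yields the single sensitivity s0 with the
# full category set c0.c255, so these services can label and serve objects
# in any category. A domain that must not touch every category should not
# be added to this list.
ifdef(`enable_mcs',`
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;

# these might be targeted_policy only
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
# initrc started from unconfined_t is deliberately pinned to the single
# level s0 rather than the full category range used above.
range_transition unconfined_t initrc_exec_t s0;
')

# MLS: init is the only domain given the maximum range here (s0 up to
# s15 with all categories); everything else inherits its range through
# the normal transition rules.
ifdef(`enable_mls',`
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s15:c0.c255;
')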