trunk: MLS constraints for the x_selection class, from Eamon Walsh.

2009-06-05 13:36:19 +00:00 · 2009-06-05 13:36:19 +00:00 · 16fd1fd814
parent cca4a215fe
commit 16fd1fd814
3 changed files with 22 additions and 0 deletions
--- a/1
+++ b/1
@ -1,3 +1,4 @@
+- MLS constraints for the x_selection class, from Eamon Walsh.
 - Postgresql updates from KaiGai Kohei.
 - Milter state directory patch from Paul Howarth.
 - Add MLS constrains for ingress/egress and secmark from Paul Moore.
--- a/policy/mls
+++ b/policy/mls
@ -515,6 +515,25 @@ mlsconstrain x_property { create destroy write append setattr }
 	 ( t1 == mlsxwinwrite ));


+#
+# MLS policy for the x_selection class
+#
+
+# the x_selection "read" ops (implicit single level)
+mlsconstrain x_selection { read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadselection ) or
+	 ( t1 == mlsxwinread ));
+
+# the x_selection "write" ops (implicit single level)
+mlsconstrain x_selection { write setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwriteselection ) or
+	 ( t1 == mlsxwinwrite ));
+
+
 #
 # MLS policy for the x_cursor class
 #
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@ -42,6 +42,8 @@ attribute mlsxwinwrite;
 attribute mlsxwinwritetoclr;
 attribute mlsxwinreadproperty;
 attribute mlsxwinwriteproperty;
+attribute mlsxwinreadselection;
+attribute mlsxwinwriteselection;
 attribute mlsxwinreadcolormap;
 attribute mlsxwinwritecolormap;
 attribute mlsxwinwritexinput;