From 16fd1fd814b0a69b0127ab44a1a738fa015aaded Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 5 Jun 2009 13:36:19 +0000
Subject: [PATCH] trunk: MLS constraints for the x_selection class, from Eamon Walsh.
---
 Changelog | 1 +
 policy/mls | 19 +++++++++++++++++++
 policy/modules/kernel/mls.te | 2 ++
 3 files changed, 22 insertions(+)
diff --git a/Changelog b/Changelog
index 48f96f8a..fb931d7e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- MLS constraints for the x_selection class, from Eamon Walsh.
 - Postgresql updates from KaiGai Kohei.
 - Milter state directory patch from Paul Howarth.
 - Add MLS constrains for ingress/egress and secmark from Paul Moore.
diff --git a/policy/mls b/policy/mls
index 44101098..1e87ce2b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -515,6 +515,25 @@ mlsconstrain x_property { create destroy write append setattr }
 ( t1 == mlsxwinwrite ));
+#
+# MLS policy for the x_selection class
+#
+
+# the x_selection "read" ops (implicit single level)
+mlsconstrain x_selection { read getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinreadselection ) or
+ ( t1 == mlsxwinread ));
+
+# the x_selection "write" ops (implicit single level)
+mlsconstrain x_selection { write setattr }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwriteselection ) or
+ ( t1 == mlsxwinwrite ));
+
+
 #
 # MLS policy for the x_cursor class
 #
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 252deef1..290fda7c 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -42,6 +42,8 @@ attribute mlsxwinwrite;
 attribute mlsxwinwritetoclr;
 attribute mlsxwinreadproperty;
 attribute mlsxwinwriteproperty;
+attribute mlsxwinreadselection;
+attribute mlsxwinwriteselection;
 attribute mlsxwinreadcolormap;
 attribute mlsxwinwritecolormap;
 attribute mlsxwinwritexinput;
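Review bot: The exemptions `( t1 == mlsxwinreadselection )` and `( t1 == mlsxwinwriteselection )` satisfy the constraint for any source type carrying the attribute, whatever the outcome of `l1 dom l2` or `l1 eq l2`, and the comments above the two constraints do not say so. Selections are how content is handed from one X client to another, so the set of types holding either attribute decides whether selection data can cross sensitivity levels. I would extend each comment, e.g. `# mlsxwinreadselection exempts the source type from the level check; assign only to a trusted selection manager`, with the matching line for the write case. Both constraints also compare against `l2` only, which presumably relies on selection objects being single-level as the "(implicit single level)" remark suggests; worth confirming that nothing can label one with a range.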
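Review bot: `mlsxwinreadselection` and `mlsxwinwriteselection` are declared here, but the diffstat lists only Changelog, policy/mls and policy/modules/kernel/mls.te, so this commit adds no interface through which another module can be granted them. Unless mls.if already provides one (not visible in this patch), a module needing the exemption has to reference the attribute directly, which makes it harder to audit which domains hold an MLS override. I would add one interface per attribute in mls.if whose body is `typeattribute $1 mlsxwinreadselection;` (and the write counterpart), each with a short description of the override it grants. The attribute list continues outside the hunk.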