From 936f286c16888c91619a58229d3fbf44fd12e23b Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Thu, 3 Jan 2008 20:37:25 +0000
Subject: [PATCH] trunk: add mls constraints to dbus.

---
 policy/mls                   |  7 +++++-
 policy/modules/kernel/mls.if | 41 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |  5 ++++-
 3 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/policy/mls b/policy/mls
index 3dbbaaf1..5105b174 100644
--- a/policy/mls
+++ b/policy/mls
@@ -570,8 +570,13 @@ mlsconstrain xinput { setattr relabelinput }
 # MLS policy for the dbus class
 #
 
+mlsconstrain dbus { send_msg }
+	(( l1 eq l2 ) or
+	 ( t1 == mlsdbussend ) or
+	 ( t2 == mlsdbusrecv ));
+
 # these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
+# dbus { acquire_svc }
 
 
 
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index eb1945e5..a24f121d 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -859,3 +859,44 @@ interface(`mls_db_downgrade',`
 
 	typeattribute $1 mlsdbdowngrade;
 ')
+########################################
+## <summary>
+##      Make specified domain MLS trusted
+##      for sending dbus messages to 
+##	all levels.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_send_all_levels',`
+       gen_require(`
+               attribute mlsdbussend;
+       ')
+
+       typeattribute $1 mlsdbussend;
+')
+
+########################################
+## <summary>
+##      Make specified domain MLS trusted
+##      for receiving dbus messages from 
+##	all levels.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_recv_all_levels',`
+       gen_require(`
+               attribute mlsdbusrecv;
+       ')
+
+       typeattribute $1 mlsdbusrecv;
+')
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index a6e59587..b03867c0 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.6.0)
+policy_module(mls,1.6.1)
 
 ########################################
 #
@@ -61,3 +61,6 @@ attribute mlsfduse;
 attribute mlsfdshare;
 
 attribute mlstranslate;
+
+attribute mlsdbusrecv;
+attribute mlsdbussend;