diff --git a/policy/constraints b/policy/constraints
index fe7cf0f7..155883b1 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -91,7 +91,7 @@ constrain process { transition noatsecure siginh rlimitinh }
 (
 	u1 == u2
 	or ( t1 == can_change_process_identity and t2 == process_user_target )
-	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
+	or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
 	or ( t1 == can_system_change and u2 == system_u )
 	or ( t1 == process_uncond_exempt )
 );
@@ -100,7 +100,7 @@ constrain process { transition noatsecure siginh rlimitinh }
 (
 	r1 == r2
 	or ( t1 == can_change_process_role and t2 == process_user_target )
-	or ( t1 == cron_source_domain and t2 == cron_job_domain )
+	or ( t1 == cron_source_domain and t2 == cron_job_domain )
 	or ( t1 == can_system_change and r2 == system_r )
 	or ( t1 == process_uncond_exempt )
 );
@@ -173,7 +173,7 @@ exempted_ubac_constraint(ipc, ubacipc)
 
 ########################################
 #
-# X Windows rules
+# SE-X Windows rules
 #
 
 exempted_ubac_constraint(x_drawable, ubacxwin)
@@ -219,21 +219,26 @@ exempted_ubac_constraint(db_column, ubacdb)
 exempted_ubac_constraint(db_tuple, ubacdb)
 exempted_ubac_constraint(db_blob, ubacdb)
+
+
 basic_ubac_constraint(association)
 basic_ubac_constraint(peer)
-# These classes have no UBAC restrictions
-# class security
-# class system
-# class capability
-# class memprotect
-# class passwd
-# class node
-# class netif
-# class packet
-# class capability2
-# class nscd
-# class context
+
+# these classes have no UBAC restrictions
+#class security
+#class system
+#class capability
+#class memprotect
+#class passwd # userspace
+#class node
+#class netif
+#class packet
+#class capability2
+#class nscd # userspace
+#class context # userspace
+
+
 undefine(`basic_ubac_constraint')
 undefine(`basic_ubac_conditions')