rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

clean up constraints

Browse Source
This commit is contained in:
Chris PeBenito 2006-08-15 15:30:08 +00:00
parent cfd5c5e157
commit bd56da4aa5
1 changed files with 52 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
policy/constraints
View File

@ -28,65 +28,79 @@
# #
# SELinux process identity change constraint: # SELinux process identity change constraint:
# #
constrain process transition ifdef(`strict_policy',`
( u1 == u2 constrain process transition
(
u1 == u2
or ( t1 == can_change_process_identity and t2 == process_user_target )
or ( t1 == cron_source_domain and ( t2 == cron_job_domain or u2 == system_u ) )
or ( t1 == can_system_change and u2 == system_u )
or ( t1 == process_uncond_exempt )
);
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
or t1 == can_change_process_identity constrain process transition
',` (
or ( t1 == can_change_process_identity and t2 == process_user_target ) u1 == u2
or ( t1 == cron_source_domain or t1 == can_change_process_identity
and ( t2 == cron_job_domain or u2 == system_u ) );
)
or (t1 == process_uncond_exempt)
or (t1 == can_system_change and u2 == system_u )
') ')
);
# #
# SELinux process role change constraint: # SELinux process role change constraint:
# #
constrain process transition
( r1 == r2 ifdef(`strict_policy',`
constrain process transition
(
r1 == r2
or ( t1 == can_change_process_role and t2 == process_user_target )
or ( t1 == cron_source_domain and t2 == cron_job_domain )
or ( t1 == can_system_change and r2 == system_r )
or ( t1 == process_uncond_exempt )
);
')
ifdef(`targeted_policy',` ifdef(`targeted_policy',`
or t1 == can_change_process_role constrain process transition
',` (
or ( t1 == can_change_process_role and t2 == process_user_target ) r1 == r2
or ( t1 == cron_source_domain and t2 == cron_job_domain ) or t1 == can_change_process_role
);
or ( t1 == process_uncond_exempt )
# FIXME:
ifdef(`postfix.te',`
ifdef(`direct_sysadm_daemon',`
or (
t1 == sysadm_mail_t
and t2 == system_mail_t
and r2 == system_r
)
')
')
or (t1 == can_system_change and r2 == system_r )
') ')
);
# #
# SELinux dynamic transition constraint: # SELinux dynamic transition constraint:
# #
constrain process dyntransition constrain process dyntransition
( u1 == u2 and r1 == r2 ); (
u1 == u2 and r1 == r2
);
# #
# SElinux object identity change constraint: # SElinux object identity change constraint:
# #
constrain dir_file_class_set { create relabelto relabelfrom } constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity ); (
u1 == u2
or t1 == can_change_object_identity
);
constrain socket_class_set { create relabelto relabelfrom } constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == can_change_object_identity ); (
u1 == u2
or t1 == can_change_object_identity
);