add mls fd constraints

policy/mls

@@ -344,11 +344,15 @@ mlsconstrain msg send
 # MLS policy for the fd class
 #
 
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
+# No sharing of open file descriptors between levels unless
+# the process type is authorized to use fds created by 
+# other levels (mlsfduse) or the fd type is authorized to
+# shared among levels (mlsfdshare). 
+mlsconstrain fd use (
+	l1 eq l2
+	or t1 == mlsfduse
+	or t2 == mlsfdshare
+);
 
 #
 # MLS policy for the network object classes

policy/modules/kernel/mls.if

@@ -411,3 +411,43 @@ interface(`mls_trusted_object',`
 
 	typeattribute $1 mlstrustedobject;
 ')
+
+########################################
+## <summary>
+##	Make the specified domain trusted
+##	to inherit and use file descriptors
+##	from all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_fd_use_all_levels',`
+	gen_require(`
+		attribute mlsfduse;
+	')
+
+	typeattribute $1 mlsfduse;
+')
+
+########################################
+## <summary>
+##	Make the file descriptors from the
+##	specifed domain inheritable by
+##	all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_fd_share_all_levels',`
+	gen_require(`
+		attribute mlsfdshare;
+	')
+
+	typeattribute $1 mlsfdshare;
+')

policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.3.1)
+policy_module(mls,1.3.2)
 
 ########################################
 #
@@ -47,6 +47,9 @@ attribute mlstrustedobject;
 attribute privrangetrans;
 attribute mlsrangetrans;
 
+attribute mlsfduse; 
+attribute mlsfdshare;
+
 ########################################
 #
 # THIS IS A HACK