add mls fd constraints

Chris PeBenito 2006-09-15 19:05:03 +00:00
parent 2b571d6880
commit cf7af137c0
3 changed files with 53 additions and 6 deletions


@ -344,11 +344,15 @@ mlsconstrain msg send
# MLS policy for the fd class
#
# these access vectors have no MLS restrictions
# fd use
# No sharing of open file descriptors between levels unless
# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
# shared among levels (mlsfdshare).
mlsconstrain fd use (
l1 eq l2
or t1 == mlsfduse
or t2 == mlsfdshare
);
#
# MLS policy for the network object classes
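Review bot: The new comment above `mlsconstrain fd use` reads "the fd type is authorized to shared among levels"; it should read `# be shared among levels (mlsfdshare).` on its last line. The comment would also be more useful if it said that the comparison is on the low levels only, since the expression is `l1 eq l2` with no `h1`/`h2` term. It should add that `t1 == mlsfduse` and `t2 == mlsfdshare` are unconditional exemptions from level separation for inherited descriptors. The rendered page has lost its +/- markers, so I cannot tell whether `# these access vectors have no MLS restrictions` / `# fd use` remain on the new side; if they do, they now contradict the constraint and should be removed.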


@ -411,3 +411,43 @@ interface(`mls_trusted_object',`
typeattribute $1 mlstrustedobject;
')
########################################
## <summary>
## Make the specified domain trusted
## to inherit and use file descriptors
## from all levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_fd_use_all_levels',`
gen_require(`
attribute mlsfduse;
')
typeattribute $1 mlsfduse;
')
########################################
## <summary>
## Make the file descriptors from the
## specifed domain inheritable by
## all levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_fd_share_all_levels',`
gen_require(`
attribute mlsfdshare;
')
typeattribute $1 mlsfdshare;
')
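Review bot: The `<param>` description of `mls_fd_share_all_levels` says "Domain allowed access", but this interface grants `$1` no access. `typeattribute $1 mlsfdshare` marks descriptors owned by `$1` as usable from every level, through the `t2 == mlsfdshare` arm of the fd constraint added in this commit. I would change the description to `## Domain whose file descriptors can be used by all levels.` and fix "specifed" to "specified" in the summary. Both new summaries could also say that the interface exempts the domain from the MLS `fd use` constraint, so that callers treat it as a trusted-domain privilege like `mls_trusted_object`.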


@ -1,5 +1,5 @@
policy_module(mls,1.3.1)
policy_module(mls,1.3.2)
########################################
#
@ -47,6 +47,9 @@ attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
attribute mlsfduse;
attribute mlsfdshare;
########################################
#
# THIS IS A HACK