This modifies the mls constraint for polmatch in the association class.

Specifically:

- polmatch need no longer make an exception for unlabeled_t
  since a flow will now always match SPD rules with no contexts (per
  the IPSec leak fix patch upstreamed a few weeks back), as
  opposed to needing polmatch access to unlabeled_t.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Chris PeBenito 2006-11-16 13:38:14 +00:00
parent c6a60bb28d
commit d31d3c159e
2 changed files with 3 additions and 2 deletions

@ -1,3 +1,5 @@
- Association polmatch MLS constraint making unlabeled_t an exception
is no longer needed, patch from Venkat Yekkirala.
- Context contains checking for PAM and cron from James Antill. - Context contains checking for PAM and cron from James Antill.
- Add a reload target to Modules.devel and change the load - Add a reload target to Modules.devel and change the load
target to only insert modules that were changed. target to only insert modules that were changed.
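
Review bot: The new Changelog entry at the top of this hunk records that the unlabeled_t exception was dropped, but not that the change depends on kernel behaviour. The commit message ties it to the IPSec leak fix, under which a flow always matches SPD rules with no contexts. Adding that dependency to the entry would tell anyone running this policy why polmatch access to unlabeled_t is no longer expected.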

@ -585,8 +585,7 @@ mlsconstrain association { sendto }
( t2 == unlabeled_t )); ( t2 == unlabeled_t ));
mlsconstrain association { polmatch } mlsconstrain association { polmatch }
((( l1 dom l2 ) and ( h1 domby h2 )) or (( l1 dom l2 ) and ( h1 domby h2 ));
( t2 == unlabeled_t ));
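
Review bot: In the polmatch constraint, dropping the ( t2 == unlabeled_t ) alternative leaves only (( l1 dom l2 ) and ( h1 domby h2 )), while the sendto constraint in the context line above still ends with ( t2 == unlabeled_t ). If that asymmetry is intended, a comment above the polmatch constraint saying so, and naming the IPSec leak fix the commit message relies on, would keep a later reader from restoring the exception here or removing the sendto one by analogy.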