Christopher J. PeBenito wrote:
> We could add another 'or' on the above constraint: > > or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) ) > > I believe that would be the constraint you were looking for. I don't > like the name of that attribute, but I couldn't come up with a better > one off the top of my head. :) > Attached is a patch which I've tested against selinux-policy-2.4.2-1 that implements this additional constraint. The name is still a bit forced, but it works. -matt <mra at hp dot com>
This commit is contained in:
parent
d9845ae92a
commit
f497b8df50
@ -1,3 +1,6 @@
- Patch from Matt Anderson for a MLS constraint exemption on a
file that can be written to from a subject whose range is
within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:
Tue, 24 Oct 2006
@ -89,6 +89,7 @@ mlsconstrain dir search
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
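Review bot: The new `t2 == mlsfilewriteinrange` clause is an object-side exemption: any subject whose range fits inside the object's range may write, and because `dom`/`domby` are non-strict this includes subjects whose low or high bound equals the object's. It is the only clause in this mlsconstrain besides `mlstrustedobject` that is keyed on t2, so a reader scanning the list can take it for another subject-trust clause; a comment above the statement would make the intent explicit, e.g. `# mlsfilewriteinrange: ranged objects accept writes from any subject whose [l1,h1] lies within [l2,h2]`. The comment should also say the attribute is meant for object types whose instances actually carry an MLS range, since on a single-level object (l2 == h2) the clause collapses to l1 == h1 == l2, which the existing `l1 eq l2` clause already permits. The mlsconstrain statement is complete within the hunk, ending at `( t2 == mlstrustedobject ));`.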
@ -1,5 +1,5 @@
policy_module(devices,1.2.1)
policy_module(devices,1.2.2)
########################################
#
@ -119,6 +119,7 @@ dev_node(power_device_t)
type printer_device_t;
dev_node(printer_device_t)
mls_file_write_within_range(printer_device_t)
#
# random_device_t is the type of /dev/random
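Review bot: `mls_file_write_within_range(printer_device_t)` only adds access when the printer device node is labeled with an MLS range; with a single-level context the clause it enables reduces to the subject sitting at exactly the object's level, which the base `l1 eq l2` clause already allows. The section does not show a matching ranged file context for the printer nodes, so whether that labeling exists elsewhere in the commit cannot be confirmed from here, and a comment at the call site would record the dependency: `# printer nodes carry an MLS range; any subject within it may write (see policy/mls)`. It is also worth stating that the exemption is tied to the object type, so every domain with ordinary write access to printer_device_t inherits it regardless of that domain's own MLS trust.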
@ -91,6 +91,27 @@ interface(`mls_file_downgrade',`
typeattribute $1 mlsfiledowngrade;
')
########################################
## <summary>
## Make specified domain trusted to
## be written to within its MLS range.
## The subject's MLS range must be a
## proper subset of the object's MLS range.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_file_write_within_range',`
gen_require(`
attribute mlsfilewriteinrange;
')
typeattribute $1 mlsfilewriteinrange;
')
########################################
## <summary>
## Make specified domain MLS trusted
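Review bot: The new interface's summary says the subject's range must be a "proper subset" of the object's range, but the constraint clause it enables uses `l1 dom l2` and `h1 domby h2`, which are non-strict, so equal bounds are accepted; the doc should match the constraint, e.g. `## The subject's MLS range must lie within the object's range (bounds may be equal).` The parameter is also an object type rather than a domain — the only call site in this commit passes printer_device_t — so `## Make specified domain trusted to` and `## Domain allowed access.` should read `## Make the specified object type writable` and `## Object type receiving the exemption.`; renaming `<param name="domain">` to `type` is documentation only, since the body uses `$1`. The interface body itself is complete within the hunk.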
@ -1,5 +1,5 @@
policy_module(mls,1.4.1)
policy_module(mls,1.4.2)
########################################
#
@ -10,6 +10,7 @@ attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfilewriteinrange;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;