diff --git a/Changelog b/Changelog
index 9552a2a1..d363eac5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Patch from Matt Anderson for a MLS constraint exemption on a
+ file that can be written to from a subject whose range is
+ within the object's range.
- Enhanced setransd support from Darrel Goeddel.
- Patches from Dan Walsh:
Tue, 24 Oct 2006
diff --git a/policy/mls b/policy/mls
index 021a4ff3..8ab1332f 100644
--- a/policy/mls
+++ b/policy/mls
@@ -89,6 +89,7 @@ mlsconstrain dir search
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
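Review bot: The new `mlsfilewriteinrange` branch accepts a subject whose low level strictly dominates the object's low level (`l1 dom l2`), so data can flow from a higher level into an object that readers at `l2` may be able to open; this is only safe if every type given the attribute separates data by level itself. The exemption also covers every permission in this constraint's set (`create setattr relabelfrom unlink link rename mounton` as well as `write` and `append`), which is broader than the Changelog's "can be written to". I would add a comment above the branch stating the trust assumption, e.g. `# ranged objects: the object type is trusted to keep levels within l2-h2 separate`, and confirm that the non-write permissions are meant to be included.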
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 693ae0eb..d6695771 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.2.1)
+policy_module(devices,1.2.2)
########################################
#
@@ -119,6 +119,7 @@ dev_node(power_device_t)
type printer_device_t;
dev_node(printer_device_t)
+mls_file_write_within_range(printer_device_t)
#
# random_device_t is the type of /dev/random
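Review bot: Nothing in this hunk explains why `printer_device_t` is trusted as a ranged object, and the new attribute only has an effect if printer device nodes are actually labelled with a range. With a single-level label (`l2 == h2`) the new branch collapses to the existing `l1 eq l2` case, so the exemption would presumably be a silent no-op; the file contexts are outside this diff, so that should be checked. A one-line comment above the call would help, e.g. `# printer nodes carry an MLS range; writers whose range is within it are allowed`.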
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index d8de57eb..769ef1fa 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -91,6 +91,27 @@ interface(`mls_file_downgrade',`
typeattribute $1 mlsfiledowngrade;
')
+########################################
+##
+## Make specified domain trusted to
+## be written to within its MLS range.
+## The subject's MLS range must be a
+## proper subset of the object's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_file_write_within_range',`
+ gen_require(`
+ attribute mlsfilewriteinrange;
+ ')
+
+ typeattribute $1 mlsfilewriteinrange;
+')
+
########################################
##
## Make specified domain MLS trusted
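Review bot: The documentation for `mls_file_write_within_range` does not match the constraint it enables. The attribute is tested against `t2`, the object's type, so `$1` is a file or device type rather than a "domain", and "Domain allowed access." reads as copied from the subject-side interfaces. `dom` and `domby` also accept equal levels, so "proper subset" is stricter than what is enforced. Suggested wording: `## Make specified object type writable by subjects whose MLS range is within the object's MLS range.` with the parameter described as `## Type of the object to be written to within its range.`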
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 5254f325..01c67405 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.4.1)
+policy_module(mls,1.4.2)
########################################
#
@@ -10,6 +10,7 @@ attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
+attribute mlsfilewriteinrange;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;