policy_module(mls,1.1.2) ######################################## # # Declarations # attribute mlsfileread; attribute mlsfilereadtoclr; attribute mlsfilewrite; attribute mlsfilewritetoclr; attribute mlsfileupgrade; attribute mlsfiledowngrade; attribute mlsnetread; attribute mlsnetreadtoclr; attribute mlsnetwrite; attribute mlsnetwritetoclr; attribute mlsnetupgrade; attribute mlsnetdowngrade; attribute mlsnetrecvall; attribute mlsipcread; attribute mlsipcreadtoclr; attribute mlsipcwrite; attribute mlsipcwritetoclr; attribute mlsprocread; attribute mlsprocreadtoclr; attribute mlsprocwrite; attribute mlsprocwritetoclr; attribute mlsprocsetsl; attribute mlsxwinread; attribute mlsxwinreadtoclr; attribute mlsxwinwrite; attribute mlsxwinwritetoclr; attribute mlsxwinreadproperty; attribute mlsxwinwriteproperty; attribute mlsxwinreadcolormap; attribute mlsxwinwritecolormap; attribute mlsxwinwritexinput; attribute mlstrustedobject; attribute privrangetrans; attribute mlsrangetrans; ######################################## # # THIS IS A HACK # # Only the base module can have range_transitions, so we # temporarily have to break encapsulation to work around this. # type crond_exec_t; type cupsd_exec_t; type getty_t; type init_t; type init_exec_t; type initrc_t; type initrc_exec_t; type login_exec_t; type sshd_exec_t; type su_exec_t; type udev_exec_t; type unconfined_t; type xdm_exec_t; ifdef(`enable_mcs',` range_transition getty_t login_exec_t s0 - s0:c0.c255; range_transition init_t xdm_exec_t s0 - s0:c0.c255; range_transition initrc_t crond_exec_t s0 - s0:c0.c255; range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255; range_transition initrc_t sshd_exec_t s0 - s0:c0.c255; range_transition initrc_t udev_exec_t s0 - s0:c0.c255; range_transition initrc_t xdm_exec_t s0 - s0:c0.c255; range_transition kernel_t udev_exec_t s0 - s0:c0.c255; # these might be targeted_policy only range_transition unconfined_t su_exec_t s0 - s0:c0.c255; range_transition unconfined_t initrc_exec_t s0; ') ifdef(`enable_mls',` # run init with maximum MLS range range_transition kernel_t init_exec_t s0 - s15:c0.c255; ')