policy_module(mls,1.0)

# Purpose: declares the attributes named after MLS operations and the
# range transitions applied on a handful of boot and login exec paths.
#
# NOTE(review): this file contains no allow rules and no constraints.
# The attributes below only gain meaning where constraints or interfaces
# elsewhere in the policy refer to them - confirm there before assigning
# any of them to a type.

########################################
#
# Declarations
#

# NOTE(review): by name these look like per-operation MLS privileges,
# grouped by object kind: file, net, ipc, proc, xwin. The suffixes
# presumably mean: read / write = operate outside the normal dominance
# rule, toclr = only up to the subject clearance, upgrade / downgrade =
# relabel to a higher / lower level. Verify against the MLS constraint
# definitions. Any type that carries one of these should be treated as
# MLS-trusted and included in privilege audits.

# file objects
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;

# network objects
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;

# IPC objects
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;

# processes
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;

# X window objects
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;

# NOTE(review): presumably marks objects exempt from MLS checks - confirm.
attribute mlstrustedobject;

# NOTE(review): presumably mark domains allowed to change range on a
# transition - confirm where these are consumed.
attribute privrangetrans;
attribute mlsrangetrans;

########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#

# These types are named by the range_transition statements below and are
# declared here directly rather than obtained through an interface of the
# module that owns them - this is the encapsulation break described above.
#
# NOTE(review): sshd_exec_t and kernel_t are also used below but are not
# declared in this file. They must come from other modules built into
# base - confirm, since a missing type fails the policy build.
type getty_t;
type login_exec_t;
type init_exec_t;
type initrc_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;

# range_transition <source type> <executable type> <range>;
# A process of the source type that executes a file of the executable
# type runs with the given range instead of inheriting the range of its
# parent.
#
# MCS build: every transition below yields low level s0 and high level
# s0:c0.c255, that is the category range c0 through c255. login, sshd, su
# and udev therefore start with every category in that range in their
# high level. Keep this list short and review each addition, because
# each entry widens the category set of the process it starts.
ifdef(`enable_mcs', `
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
')

# MLS build: only the kernel_t to init exec path is given a range here.
# NOTE(review): the range tops out at sensitivity s9 with categories c0
# through c255. Confirm that s9 is the highest sensitivity this build
# defines, otherwise init does not get the maximum range that the comment
# inside the block states.
ifdef(`enable_mls', `
# run init with maximum MLS range
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
')