rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
21d173a460
selinux-policy/mls/constraints
Chris PeBenito 31b7c0551d add fc mls policy
2005-11-22 19:28:03 +00:00

84 lines
2.1 KiB
Plaintext
Raw Blame History

#
# Define m4 macros for the constraints
#
#
# Define the constraints
#
# constrain class_set perm_set expression ;
#
# validatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for validatetrans)
# | r3 op names (NOTE: this is only available for validatetrans)
# | t3 op names (NOTE: this is only available for validatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name#
#
#
# Restrict the ability to transition to other users
# or roles to a few privileged types.
#
constrain process transition
( u1 == u2 or ( t1 == privuser and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
or (t1 == priv_system_role and u2 == system_u )
);
constrain process transition
( r1 == r2 or ( t1 == privrole and t2 == userdomain )
ifdef(`crond.te', `
or (t1 == crond_t and t2 == user_crond_domain)
')
ifdef(`userhelper.te',
`or (t1 == userhelperdomain)')
ifdef(`postfix.te', `
ifdef(`direct_sysadm_daemon',
`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
')
or (t1 == priv_system_role and r2 == system_r )
);
constrain process dyntransition
( u1 == u2 and r1 == r2);
#
# Restrict the ability to label objects with other
# user identities to a few privileged types.
#
constrain dir_file_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
Reference in New Issue View Git Blame Copy Permalink