selinux-policy/refpolicy/policy/modules/kernel/mls.te


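policy_module(mls,1.0)

########################################
#
# Declarations
#
# None of these attributes carries a rule in this file. They are
# referenced by the MLS/MCS constraints elsewhere in the policy
# (presumably policy/mls — confirm there), so a domain obtains a
# particular override only by being assigned the matching attribute.
# Each name appears to identify an override for one object-class
# group (file, net, ipc, proc, xwin) and one direction or operation
# (read, write, upgrade, downgrade, ...); the exact effect is defined
# where the attribute is used, not here.
#

attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;

attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;

attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;

attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;

attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinupgrade;
attribute mlsxwindowngrade;

attribute mlstrustedobject;

# Attributes governing which domains may perform range transitions.
attribute privrangetrans;
attribute mlsrangetrans;

########################################
#
# THIS IS A HACK
#
# Only the base module can have range_transitions, so we
# temporarily have to break encapsulation to work around this.
#
# Every type named in a range_transition below that is owned by
# another module is (re)declared here so this file can reference it.
# kernel_t is not listed because it belongs to the base kernel module
# (assumed; confirm against kernel.te).
#

type getty_t;
type login_exec_t;
type init_exec_t;
type initrc_t;
# sshd_exec_t is used by the MCS range_transition below but was the only
# non-kernel type in that section without a declaration here; declared
# for consistency with the other exec types. NOTE(review): drop this
# line if the ssh module is built into base and already declares it.
type sshd_exec_t;
type su_exec_t;
type udev_exec_t;
type unconfined_t;

# Each range_transition lets the source domain, when it executes a file
# of the named type, start the new process with the stated range. The
# exec types listed therefore act as trust points: any path by which the
# source domain reaches one of these files yields a process with the
# widened range. Review additions here together with the constraints
# that reference privrangetrans/mlsrangetrans.

ifdef(`enable_mcs', `
# MCS: single sensitivity s0, all categories c0 through c255 (the full
# category set when the policy is built with 256 categories).
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
')

ifdef(`enable_mls', `
# run init with maximum MLS range
# (low s0, high s9 with all categories — the widest clearance in this
# policy according to the comment above; confirm s9 is the top level
# in the policy's sensitivity definitions)
range_transition kernel_t init_exec_t s0 - s9:c0.c255;
')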