f497b8df50
> We could add another 'or' on the above constraint:
>
>   or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
>
> I believe that would be the constraint you were looking for. I don't
> like the name of that attribute, but I couldn't come up with a better
> one off the top of my head. :)
>

Attached is a patch which I've tested against selinux-policy-2.4.2-1 that implements this additional constraint. The name is still a bit forced, but it works.

-matt <mra at hp dot com>
55 lines
1.1 KiB
Plaintext
policy_module(mls,1.4.2)

########################################
#
# Declarations
#
# This module only declares type attributes. Nothing here grants access:
# an attribute takes effect when a type is given it and an MLS constraint
# names it as an exemption. The constraints and the interfaces that hand
# these attributes to types are not part of this file.
# NOTE(review): the per-group notes below are read from the attribute names;
# confirm each against the mlsconstrain rule that references it. Every type
# carrying one of these attributes is an exception to the MLS read/write
# rules, so membership is worth auditing (e.g. list the types per attribute
# in the compiled policy).
#

# File objects: read/write exemptions, "toclr" variants presumably bounded by
# the subject's clearance, and level upgrade/downgrade.
attribute mlsfileread;
attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
# Added by this revision. Per the commit description the write constraint
# gains the clause
#   (t2 == <this attribute>) and (l1 dom l2) and (h1 domby h2)
# t2 is the target, so this attribute belongs on object types, not on
# subject domains: a write is allowed when the subject's low level dominates
# the object's low level and the subject's high level is dominated by the
# object's high level, i.e. the subject's range lies inside the object's.
# The quoted proposal spells the name mlsfilewrite_in_range; the constraint
# has to reference the name declared here.
attribute mlsfilewriteinrange;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;

# Network objects; same pattern as the file group, plus mlsnetrecvall
# (presumably receive regardless of level - TODO confirm).
attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;

# IPC objects.
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;

# Process objects; mlsprocsetsl presumably covers changing a process's level.
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
attribute mlsprocwritetoclr;
attribute mlsprocsetsl;

# X Window objects (general, property, colormap, xinput).
attribute mlsxwinread;
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
attribute mlsxwinwritetoclr;
attribute mlsxwinreadproperty;
attribute mlsxwinwriteproperty;
attribute mlsxwinreadcolormap;
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;

# Presumably marks object types exempt from the level checks altogether -
# the broadest exemption in this file if so; keep the member list short.
attribute mlstrustedobject;

# Range transition privileges (by name; constraint not shown here).
attribute privrangetrans;
attribute mlsrangetrans;

# File descriptor use/sharing across levels (by name; TODO confirm).
attribute mlsfduse;
attribute mlsfdshare;

# Presumably for label translation services - verify against its user.
attribute mlstranslate;