--- serefpolicy-3.0.8/policy/mls 2007-11-27 14:43:26.000000000 -0600
+++ serefpolicy-3.0.8.new/policy/mls 2007-12-21 14:38:52.000000000 -0600
@@ -584,7 +584,11 @@
 #
 # these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
+# dbus { acquire_svc }
+mlsconstrain dbus { send_msg }
+ (( l1 eq l2 ) or
+ ( t1 == mlsdbussend ) or
+ ( t2 == mlsdbusrecv ));
--- serefpolicy-3.0.8/policy/modules/kernel/mls.te 2007-11-27 14:43:26.000000000 -0600
+++ serefpolicy-3.0.8.new/policy/modules/kernel/mls.te 2007-12-21 14:35:30.000000000 -0600
@@ -61,3 +61,6 @@
 attribute mlsfdshare;
 attribute mlstranslate;
+
+attribute mlsdbusrecv;
+attribute mlsdbussend;
--- serefpolicy-3.0.8/policy/modules/kernel/mls.if 2007-11-27 14:43:26.000000000 -0600
+++ serefpolicy-3.0.8.new/policy/modules/kernel/mls.if 2007-12-21 14:37:31.000000000 -0600
@@ -859,3 +859,42 @@
 typeattribute $1 mlsdbdowngrade;
 ')
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for send to dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_send',`
+ gen_require(`
+ attribute mlsdbussend;
+ ')
+
+ typeattribute $1 mlsdbussend;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for receiving from dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_dbus_recv',`
+ gen_require(`
+ attribute mlsdbusrecv;
+ ')
+
+ typeattribute $1 mlsdbusrecv;
+')
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
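Review bot: The new `mlsconstrain dbus { send_msg }` statement in policy/mls sits directly under the existing header comment "these access vectors have no MLS restrictions", so a reader scanning that section would take send_msg to be unconstrained too. I would give the constraint its own comment, e.g. `# dbus send_msg: levels must be equal unless the source type has mlsdbussend or the target type has mlsdbusrecv`. That comment should also say that either attribute waives the check entirely, so a trusted type is exempt for flows to higher and to lower levels alike; presumably t1 is the sender and t2 the receiver, which is worth confirming there. Only `l1 eq l2` is compared, so ranged subjects are matched on their low level alone.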
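Review bot: The summaries for `mls_dbus_send` and `mls_dbus_recv` in mls.if ("MLS trusted for send to dbus" and "for receiving from dbus") do not say what the trust amounts to, and "to dbus" reads as the bus daemon rather than any peer. Going by the constraint this patch adds to policy/mls, the attribute exempts the domain from the level-equality check on `send_msg`, so I would word the first as `## Exempt the specified domain from the MLS level check when sending dbus messages.` and the second as the matching receive form. The `<param>` text "Domain allowed access." could likewise become `## Domain to be trusted.`. Each caller gains a cross-level message channel, so a one-line remark that the interfaces are meant for trusted domains only would help whoever reviews later policy modules that call them.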