Re: mls policy dbus patch

"Christopher J. PeBenito" <cpebenito@xxxxxxxxxx> · Thu, 03 Jan 2008 15:28:22 -0500

On Fri, 2007-12-28 at 15:28 -0600, Xavier Toth wrote:
> --- serefpolicy-3.0.8/policy/mls        2007-11-27 14:43:26.000000000 -0600
> +++ serefpolicy-3.0.8.new/policy/mls    2007-12-21 14:38:52.000000000 -0600
> @@ -584,7 +584,11 @@
>  #
> 
>  # these access vectors have no MLS restrictions
> -# dbus { acquire_svc send_msg }
> +# dbus { acquire_svc }
> +mlsconstrain dbus { send_msg }
> +        (( l1 eq l2 ) or
> +         ( t1 == mlsdbussend ) or
> +         ( t2 == mlsdbusrecv ));
> 
> 
> 
> --- serefpolicy-3.0.8/policy/modules/kernel/mls.te      2007-11-27
> 14:43:26.000000000 -0600
> +++ serefpolicy-3.0.8.new/policy/modules/kernel/mls.te  2007-12-21
> 14:35:30.000000000 -0600
> @@ -61,3 +61,6 @@
>  attribute mlsfdshare;
> 
>  attribute mlstranslate;
> +
> +attribute mlsdbusrecv;
> +attribute mlsdbussend;
> --- serefpolicy-3.0.8/policy/modules/kernel/mls.if      2007-11-27
> 14:43:26.000000000 -0600
> +++ serefpolicy-3.0.8.new/policy/modules/kernel/mls.if  2007-12-21
> 14:37:31.000000000 -0600
> @@ -859,3 +859,42 @@
> 
>         typeattribute $1 mlsdbdowngrade;
>  ')
> +########################################
> +## <summary>
> +##      Make specified domain MLS trusted
> +##      for send to dbus.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_dbus_send',`
> +       gen_require(`
> +               attribute mlsdbussend;
> +       ')
> +
> +       typeattribute $1 mlsdbussend;
> +')
> +
> +########################################
> +## <summary>
> +##      Make specified domain MLS trusted
> +##      for receiving from dbus.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_dbus_recv',`
> +       gen_require(`
> +               attribute mlsdbusrecv;
> +       ')
> +
> +       typeattribute $1 mlsdbusrecv;
> +')

Merged, with a few adjustments to the interface names.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.