Xavier Toth wrote:
Seems to me that paste mlsconstrain should be (l1 eq l2) and there should be a mlsconstrain for paste_after_confirm which is (l1 domby l2).
Revised patch attached. Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx> --- Index: policy/flask/security_classes =================================================================== --- policy/flask/security_classes (revision 2669) +++ policy/flask/security_classes (working copy) @@ -114,5 +114,6 @@ class x_resource # userspace class x_event # userspace class x_synthetic_event # userspace +class x_application_data # userspace # FLASK Index: policy/flask/access_vectors =================================================================== --- policy/flask/access_vectors (revision 2669) +++ policy/flask/access_vectors (working copy) @@ -775,3 +775,10 @@ { recv } + +class x_application_data +{ + paste + paste_after_confirm + copy +} Index: policy/mls =================================================================== --- policy/mls (revision 2669) +++ policy/mls (working copy) @@ -568,7 +568,19 @@ ( t1 == mlsxwinwrite )); +# +# MLS policy for the x_application_data class +# +# the x_application_data "paste" ops (explicit single level) +mlsconstrain x_application_data { paste } + ( l1 eq l2 ); + +# the x_application_data "paste_after_confirm" ops (downgrade permitted) +mlsconstrain x_application_data { paste_after_confirm } + ( l1 domby l2 ); + + # # MLS policy for the pax class # -- Eamon Walsh <ewalsh@xxxxxxxxxxxxx> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
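Review bot: the "copy" permission declared in the new x_application_data class in policy/flask/access_vectors has no matching rule in the policy/mls hunk, which adds mlsconstrain statements only for paste and paste_after_confirm. As written, copy is subject to no MLS constraint at all. If that is intentional, a one-line comment beside the class definition saying why copy needs no level check would save the next reader from wondering; if not, add a constraint for it alongside the other two. The three permissions are also undocumented in access_vectors, so a short comment on what distinguishes paste from paste_after_confirm would help policy writers pick the right one.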
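Review bot: in the policy/mls hunk, neither new mlsconstrain carries a type-attribute exemption, unlike the constraint that closes just above it with ( t1 == mlsxwinwrite ), so no trusted client can be exempted from the paste rules; please confirm that is the intent. The comment "downgrade permitted" also leaves the direction of flow implicit: ( l1 domby l2 ) compares the low levels of source and target and is satisfied when they are equal, so paste_after_confirm covers the same-level case as well as the cross-level one. Suggest the comment state what the source and target are for this class and which of them may be the higher, and note that only l1/l2 are checked, so the high levels of a ranged source or target play no part in either rule.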