On Wed, 2008-04-30 at 19:29 -0400, Eamon Walsh wrote:
> Xavier Toth wrote:
> > Seems to me that paste mlsconstrain should be (l1 eq l2) and should be
> > a mlsconstrain for paste_after_confirm which is (l1 domby l2).
>
> Revised patch attached.
Merged.
> Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> ---
>
> Index: policy/flask/security_classes
> ===================================================================
> --- policy/flask/security_classes (revision 2669)
> +++ policy/flask/security_classes (working copy)
> @@ -114,5 +114,6 @@
> class x_resource # userspace
> class x_event # userspace
> class x_synthetic_event # userspace
> +class x_application_data # userspace
>
> # FLASK
> Index: policy/flask/access_vectors
> ===================================================================
> --- policy/flask/access_vectors (revision 2669)
> +++ policy/flask/access_vectors (working copy)
> @@ -775,3 +775,10 @@
> {
> recv
> }
> +
> +class x_application_data
> +{
> + paste
> + paste_after_confirm
> + copy
> +}
> Index: policy/mls
> ===================================================================
> --- policy/mls (revision 2669)
> +++ policy/mls (working copy)
> @@ -568,7 +568,19 @@
> ( t1 == mlsxwinwrite ));
>
>
> +#
> +# MLS policy for the x_application_data class
> +#
>
> +# the x_application_data "paste" ops (explicit single level)
> +mlsconstrain x_application_data { paste }
> + ( l1 eq l2 );
> +
> +# the x_application_data "paste_after_confirm" ops (downgrade permitted)
> +mlsconstrain x_application_data { paste_after_confirm }
> + ( l1 domby l2 );
> +
> +
> #
> # MLS policy for the pax class
> #
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
