Re: copy/paste policy patch

On Tue, May 6, 2008 at 9:27 AM, Christopher J. PeBenito
<cpebenito@xxxxxxxxxx> wrote:
> On Wed, 2008-04-30 at 19:29 -0400, Eamon Walsh wrote:
>> Xavier Toth wrote:
>> > Seems to me that paste mlsconstrain should be (l1 eq l2) and should be
>> > a mlsconstrain for paste_after_confirm which is (l1 domby l2).
>>
>> Revised patch attached.
>
> Merged.
>
>> Signed-off-by: Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
>> ---
>>
>> Index: policy/flask/security_classes
>> ===================================================================
>> --- policy/flask/security_classes     (revision 2669)
>> +++ policy/flask/security_classes     (working copy)
>> @@ -114,5 +114,6 @@
>>  class x_resource             # userspace
>>  class x_event                        # userspace
>>  class x_synthetic_event              # userspace
>> +class x_application_data     # userspace
>>
>>  # FLASK
>> Index: policy/flask/access_vectors
>> ===================================================================
>> --- policy/flask/access_vectors       (revision 2669)
>> +++ policy/flask/access_vectors       (working copy)
>> @@ -775,3 +775,10 @@
>>  {
>>       recv
>>  }
>> +
>> +class x_application_data
>> +{
>> +     paste
>> +     paste_after_confirm
>> +     copy
>> +}
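
Review bot: `copy` is declared in the x_application_data class here, but the policy/mls part of this patch adds mlsconstrain rules only for paste and paste_after_confirm, so copy carries no MLS constraint. If that is intended, a comment saying so would help; otherwise add a constraint for copy. A one-line comment on what distinguishes paste from paste_after_confirm would also help readers of access_vectors.
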
>> Index: policy/mls
>> ===================================================================
>> --- policy/mls        (revision 2669)
>> +++ policy/mls        (working copy)
>> @@ -568,7 +568,19 @@
>>        ( t1 == mlsxwinwrite ));
>>
>>
>> +#
>> +# MLS policy for the x_application_data class
>> +#
>>
>> +# the x_application_data "paste" ops (explicit single level)
>> +mlsconstrain x_application_data { paste }
>> +     ( l1 eq l2 );
>> +
>> +# the x_application_data "paste_after_confirm" ops (downgrade permitted)
>> +mlsconstrain x_application_data { paste_after_confirm }
>> +     ( l1 domby l2 );
>> +
>> +
>>  #
>>  # MLS policy for the pax class
>>  #
>>
>>
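
Review bot: the comments on the two new constraints do not say which side of the operation l1 and l2 stand for, so "downgrade permitted" cannot be checked against ( l1 domby l2 ) from the policy text alone. Naming in the comment which label belongs to the data and which to the pasting client would settle it. Equal levels satisfy both rules, since domby includes equality, and unlike the preceding constraint, which ends in ( t1 == mlsxwinwrite ), neither rule has a type-attribute exemption; worth confirming both are intended.
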
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

Here's what I've actually ended up using to allow pasting equal or up
without requiring confirmation and to require confirmation when
attempting to paste down:

Index: policy/mls
===================================================================
--- policy/mls	(revision 2704)
+++ policy/mls	(working copy)
@@ -574,11 +574,11 @@

 # the x_application_data "paste" ops (explicit single level)
 mlsconstrain x_application_data { paste }
-	( l1 eq l2 );
+	(( l1 eq l2 ) or ( l1 domby l2 ));

 # the x_application_data "paste_after_confirm" ops (downgrade permitted)
 mlsconstrain x_application_data { paste_after_confirm }
-	( l1 domby l2 );
+	( l1 dom l2 );


 #
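
Review bot: in the paste rule, ( l1 eq l2 ) or ( l1 domby l2 ) is redundant, because domby already holds when the levels are equal; ( l1 domby l2 ) alone gives the same result. The unchanged comments no longer match the rules: "explicit single level" now sits above a rule that accepts more than one level, and "downgrade permitted" above ( l1 dom l2 ). Since dom also includes equality, equal levels satisfy both rules, and levels with incomparable category sets satisfy neither; the comments should say whether both are intended.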

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
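
An added example, not part of the original messages or of the refpolicy code: it evaluates the two constraint sets from this thread over constructed level pairs, to show which permissions each set grants. It assumes the usual MLS dominance rule (sensitivity greater or equal and category set a superset), uses a hypothetical simplified level syntax without category ranges, and makes no assumption about which side of the paste l1 and l2 represent.

```python
from typing import FrozenSet, NamedTuple


class Level(NamedTuple):
    sens: int              # sensitivity index, e.g. 1 for s1
    cats: FrozenSet[int]   # category set, e.g. {0, 3} for c0,c3


def parse_level(text):
    """Parse a simple level such as 's2' or 's1:c0,c3' (no category ranges)."""
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), frozenset(int(c[1:]) for c in cats.split(",") if c))


def dom(a, b):
    """a dominates b: higher or equal sensitivity and a superset of categories."""
    return a.sens >= b.sens and a.cats >= b.cats


def domby(a, b):
    """a is dominated by b."""
    return dom(b, a)


def eq(a, b):
    return a == b


# The two constraint sets from the thread, as predicates over (l1, l2).
ORIGINAL = {"paste": eq, "paste_after_confirm": domby}
REVISED = {
    "paste": lambda l1, l2: eq(l1, l2) or domby(l1, l2),
    "paste_after_confirm": dom,
}


def allowed(constraints, l1, l2):
    """Return the sorted permissions whose MLS constraint holds for the pair."""
    a, b = parse_level(l1), parse_level(l2)
    return sorted(p for p, check in constraints.items() if check(a, b))


if __name__ == "__main__":
    # Constructed pairs: equal, l1 below l2, l1 above l2, incomparable categories.
    pairs = [("s1", "s1"), ("s0", "s1:c0"), ("s2:c0,c1", "s1:c0"), ("s1:c0", "s1:c1")]
    for l1, l2 in pairs:
        print(l1, l2, allowed(ORIGINAL, l1, l2), allowed(REVISED, l1, l2))
```
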
