On Wed, Dec 24, 2008 at 10:23 AM, Xavier Toth <txtoth@xxxxxxxxx> wrote:
> On Thu, Dec 11, 2008 at 3:35 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
>> Xavier Toth wrote:
>>>
>>> Sorry to be pedantic but is there a reference implementation or will
>>> the mcstrans developer (Joe) have to develop it?
>>>
>>> Ted
>>>
>>
>> Also here is a preliminary libselinux patch.
>>
>>
>> --
>> Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
>> National Security Agency
>>
>>
>
> This patch could be upstreamed now because even if the installed
> mcstransd doesn't support color a call to selinux_raw_context_to_color
> will simply return an error, right?
>
> Ted
>

In anticipation of the addition of SELinux color mapping support to libselinux and mcstransd I wrote this policy patch:

------------------------------------------------------------------------------------------------------------------------------

Allow mcstransd to use the CONTEXT__CONTAINS permission check to check dominance when determining the colors to return for calls to selinux_raw_context_to_color.

--- serefpolicy-3.5.13/policy/modules/system/setrans.te.orig 2008-12-30 08:43:31.000000000 -0600
+++ serefpolicy-3.5.13/policy/modules/system/setrans.te 2008-12-30 08:46:26.000000000 -0600
@@ -35,6 +35,11 @@ allow setrans_t self:unix_stream_socket create_stream_socket_perms; allow setrans_t self:unix_dgram_socket create_socket_perms; allow setrans_t self:netlink_selinux_socket create_socket_perms; +gen_require(` + class context contains; +') + +allow setrans_t self:context contains; can_exec(setrans_t, setrans_exec_t) corecmd_search_bin(setrans_t)

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
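Review bot: the gen_require block added in this hunk ("class context contains;") declares a dependency on the `context` object class and its `contains` permission, but the patch only touches setrans.te, so the module will not build on a serefpolicy-3.5.13 tree whose class and permission definitions do not already include them; either state that prerequisite in the patch description or carry the corresponding definition in the same patch. Two smaller points: consider moving the gen_require up with the module's other declarations rather than wedging it between allow rules, and give the new `allow setrans_t self:context contains;` a comment saying it backs the dominance check mcstransd performs when answering selinux_raw_context_to_color, since the file otherwise records nothing about why setrans_t needs this permission on its own context.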