On Tue, Sep 10, 2019 at 1:27 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
> On 9/9/19 2:05 PM, Joshua Brindle wrote:
> > Policy developers can set a default_range default to glblub and
> > computed contexts will be the intersection of the ranges of the
> > source and target contexts. This can be used by MLS userspace
> > object managers to find the range of clearances that two contexts
> > have in common. An example usage is computing a transition between
> > the network context and the context of a user logging into an MLS
> > application.
> >
> > For example, one can add a default with
> > this cil:
> >
> > (defaultrange db_table glblub)
> >
> > or in te (base module only):
> >
> > default_range db_table glblub;
> >
> > and then test using the compute_create utility:
> >
> > $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> > system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
> >
> > Some example range transitions are:
> >
> > User Permitted Range | Network Device Label | Computed Label
> > ---------------------|----------------------|----------------
> > s0-s1:c0.c12         | s0                   | s0
> > s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
> > s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
> > s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
> > s0-s4                | s2-s6                | s2-s4
> > s0-s4                | s5-s8                | INVALID
> > s5-s8                | s0-s4                | INVALID
> >
> > Signed-off-by: Joshua Brindle <joshua.brindle@xxxxxxxxxxxxxxx>
>
> Merged.
> Thanks,
> Jim

Thanks guys. We're at -rc8 for the kernel right now so it's a little
late to pull the corresponding kernel patch, but I'll do that after
the merge window closes.

-- 
paul moore
www.paul-moore.com
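
The range intersection described in the quoted commit message, as an added example that is not part of this thread or of the patch: a Python model that takes only the MLS range portion of each context and returns None where the table says INVALID. It assumes category sets are intersected at both the low and the high level, which reproduces every row of the table above; all function names are hypothetical.

```python
def parse_level(text):
    # "s0:c1,c2,c5" or "s1:c0.c12" -> (sensitivity, frozenset of category numbers)
    sens, _, cats = text.partition(":")
    members = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")   # "c0.c12" is an inclusive run
        lo = int(first[1:])
        members.update(range(lo, (int(last[1:]) if last else lo) + 1))
    return int(sens[1:]), frozenset(members)

def parse_range(text):
    # "low-high"; a single level such as "s0" means low == high
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)

def format_level(level):
    sens, cats = level
    items, runs, i = sorted(cats), [], 0
    while i < len(items):
        j = i
        while j + 1 < len(items) and items[j + 1] == items[j] + 1:
            j += 1
        # runs of three or more print as cA.cB, a pair as cA,cB (as in the page's output)
        sep = "." if j - i > 1 else ","
        runs.append(f"c{items[i]}" if j == i else f"c{items[i]}{sep}c{items[j]}")
        i = j + 1
    return f"s{sens}" + (":" + ",".join(runs) if runs else "")

def glblub(source_range, target_range):
    (s_lo, s_hi), (t_lo, t_hi) = parse_range(source_range), parse_range(target_range)
    if s_hi[0] < t_lo[0] or t_hi[0] < s_lo[0]:
        return None                      # no sensitivity in common: INVALID
    # Take the greater of the two lows and the lesser of the two highs.
    # ASSUMPTION: categories are intersected at each end of the range.
    low = (max(s_lo[0], t_lo[0]), s_lo[1] & t_lo[1])
    high = (min(s_hi[0], t_hi[0]), s_hi[1] & t_hi[1])
    return format_level(low) if low == high else f"{format_level(low)}-{format_level(high)}"

# Rows copied from the table in the commit message: (user range, network label)
ROWS = [("s0-s1:c0.c12", "s0"), ("s0-s4:c0.c512", "s1-s1:c0.c1023"),
        ("s0-s15:c0,c2", "s4-s6:c0.c128"), ("s0-s4", "s5-s8")]

if __name__ == "__main__":
    for user, net in ROWS:
        print(f"{user:15} | {net:15} | {glblub(user, net) or 'INVALID'}")
```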