+- Enhanced setransd support from Darrel Goeddel.
+
* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
- Patch from Russell Coker Thu, 5 Oct 2006
- Move range transitions to modules.
execstack
execheap
setkeycreate
+ setsockcreate
}
setattr
create
}
+
+class context
+{
+ translate
+}
# Kernel access key retention
class key
+class context # userspace
+
# FLASK
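Review bot: The added `class context # userspace` line gives no hint that its position in this file matters. Class numbers are assigned by order here, and the userspace object manager that checks `context` presumably relies on the same number in its own flask definitions. Appending it after `key` keeps the existing numbers stable, which is the right place. I would extend the comment to `class context # userspace; keep in step with the class value used by libselinux/setransd` so that a later insertion above it is not made by accident.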
((( l1 dom l2 ) and ( h1 domby h2 )) or
( t2 == unlabeled_t ));
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+ (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
') dnl end enable_mls
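Review bot: The new `mlsconstrain context translate` rule has only the banner "MLS policy for the context class" above it, and nothing records which side of the check is the requester. As written, translation is allowed when the source's high level dominates the target's high level (`h1 dom h2`) or the source type carries `mlstranslate`; low levels are not compared. A comment such as `# requester clearance must dominate the high level of the target context, unless the requester is mlstranslate` would make that explicit. The allow rule elsewhere in this commit targets `setrans_t` rather than the label being translated, so it is worth confirming against the setransd change which range the daemon places in the target context. The enclosing `enable_mls` block starts outside this hunk.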
typeattribute $1 mlsfdshare;
')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_context_translate_all_levels',`
+ gen_require(`
+ attribute mlstranslate;
+ ')
+
+ typeattribute $1 mlstranslate;
+')
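Review bot: The summary for `mls_context_translate_all_levels` does not say that the interface is an MLS override. The body only assigns the `mlstranslate` attribute, which exempts the domain from the dominance test in the `context translate` constraint added in this commit; it contains no `allow` rule. I would add a line to the summary such as `## This only lifts the MLS constraint; the translate permission itself is granted by the setrans interface.` The description could also state that callers should be limited to domains that need translations for levels above their own clearance, since every type given this attribute bypasses the `h1 dom h2` check.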
-policy_module(mls,1.4.0)
+policy_module(mls,1.4.1)
########################################
#
attribute mlsfduse;
attribute mlsfdshare;
+
+attribute mlstranslate;
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
#
-policy_module(selinuxutil,1.3.0)
+policy_module(selinuxutil,1.3.1)
ifdef(`strict_policy',`
gen_require(`
allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 setrans_t:context translate;
allow $1 setrans_t:unix_stream_socket connectto;
allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
allow $1 setrans_var_run_t:sock_file rw_file_perms;
-policy_module(setrans,1.1.0)
+policy_module(setrans,1.1.1)
########################################
#
mls_file_write_down(setrans_t)
mls_net_receive_all_levels(setrans_t)
mls_rangetrans_target(setrans_t)
+mls_socket_write_all_levels(setrans_t)
selinux_compute_access_vector(setrans_t)