enhanced setransd support from darrel goeddel

author Chris PeBenito <cpebenito@tresys.com>

Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)

committer Chris PeBenito <cpebenito@tresys.com>

Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)
author Chris PeBenito <cpebenito@tresys.com>
Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)
committer Chris PeBenito <cpebenito@tresys.com>
Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)
diff --git a/Changelog b/Changelog

index a60226a7022941d8c1da6c1de3ce822999e15e63..59d75cc44c7a116e25e1748769733979106ac405 100644 (file)
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Enhanced setransd support from Darrel Goeddel.
+
  * Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
  - Patch from Russell Coker Thu, 5 Oct 2006
  - Move range transitions to modules.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors

index 0ad632be8b5ea3271a2ee5d05059ed7f69872b8b..641dcd23d17b4d0d6b8b5fab7bba41b0df10dab0 100644 (file)
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -253,6 +253,7 @@ class process
         execstack
         execheap
         setkeycreate
+       setsockcreate
  }
  
  
@@ -630,3 +631,8 @@ class key
         setattr
         create
  }
+
+class context
+{
+       translate
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes

index 57f49bce1b062d5ef0204716de65bdcff1c6f614..53c0cf1544b161cefb5ed7c6be3a2cdb02840dd5 100644 (file)
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -93,4 +93,6 @@ class packet
  # Kernel access key retention
  class key
  
+class context                  # userspace
+
  # FLASK
diff --git a/policy/mls b/policy/mls

index 26b3ef0ab3021cac3992e747cf848b7066f4a8cd..021a4ff3bfaf22d71416c9ced8eda61ebfb31c8b 100644 (file)
--- a/policy/mls
+++ b/policy/mls
@@ -587,4 +587,13 @@ mlsconstrain association { polmatch }
         ((( l1 dom l2 ) and ( h1 domby h2 )) or
          ( t2 == unlabeled_t ));
  
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+       (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
  ') dnl end enable_mls
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if

index 5ca509e2ddcc65393dda68cd1af8f3349fe3a299..d8de57eb764a7c94ebde8065c48213b8fe228360 100644 (file)
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -451,3 +451,22 @@ interface(`mls_fd_share_all_levels',`
  
         typeattribute $1 mlsfdshare;
  ')
+
+########################################
+## <summary>
+##     Make specified domain MLS trusted
+##     for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mls_context_translate_all_levels',`
+       gen_require(`
+               attribute mlstranslate;
+       ')
+
+       typeattribute $1 mlstranslate;
+')
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te

index 591247e627803cc9ab904738f1ec764c01fe3c63..5254f32554d580c38df0e146ef080e891b572440 100644 (file)
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
  
-policy_module(mls,1.4.0)
+policy_module(mls,1.4.1)
  
  ########################################
  #
@@ -49,3 +49,5 @@ attribute mlsrangetrans;
  
  attribute mlsfduse; 
  attribute mlsfdshare;
+
+attribute mlstranslate;
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc

index 8cb0707dbd0bc0a174a57a2daeeeec9d7ec84ce6..abd65dae941257af8813c62fc39d7153d2f2d6c0 100644 (file)
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -7,10 +7,11 @@
  /etc/selinux/([^/]*/)?contexts(/.*)?   gen_context(system_u:object_r:default_context_t,s0)
  /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
  /etc/selinux/([^/]*/)?policy(/.*)?     gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
  /etc/selinux/([^/]*/)?seusers  --      gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK    --       gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK   --       gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
  /etc/selinux/([^/]*/)?users(/.*)? --   gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
  
  #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te

index ceeaec77537d2f6d1ee21963a80319739357e85d..99ab117c7587c7d8595cdc4e7e8f084889e9c9e6 100644 (file)
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
  
-policy_module(selinuxutil,1.3.0)
+policy_module(selinuxutil,1.3.1)
  
  ifdef(`strict_policy',`
         gen_require(`
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if

index 954750369ee9027b81eeb928608e54281d3cd319..8c1c7ce053ad477eb39b8e9e5b8642fff68a9df0 100644 (file)
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -17,6 +17,7 @@ interface(`setrans_translate_context',`
  
         allow $1 self:unix_stream_socket create_stream_socket_perms;
  
+       allow $1 setrans_t:context translate;
         allow $1 setrans_t:unix_stream_socket connectto;
         allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
         allow $1 setrans_var_run_t:sock_file rw_file_perms;
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te

index 7f5f701c72204da9652d52391d6ded31665703f9..49da6d28c74e3faec0397c35fab32833be5883de 100644 (file)
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
  
-policy_module(setrans,1.1.0)
+policy_module(setrans,1.1.1)
  
  ########################################
  #
@@ -57,6 +57,7 @@ mls_file_read_up(setrans_t)
  mls_file_write_down(setrans_t)
  mls_net_receive_all_levels(setrans_t)
  mls_rangetrans_target(setrans_t)
+mls_socket_write_all_levels(setrans_t)
  
  selinux_compute_access_vector(setrans_t)
author	Chris PeBenito <cpebenito@tresys.com>
	Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)
committer	Chris PeBenito <cpebenito@tresys.com>
	Fri, 20 Oct 2006 14:44:23 +0000 (14:44 +0000)
Changelog		patch \| blob \| blame \| history
policy/flask/access_vectors		patch \| blob \| blame \| history
policy/flask/security_classes		patch \| blob \| blame \| history
policy/mls		patch \| blob \| blame \| history
policy/modules/kernel/mls.if		patch \| blob \| blame \| history
policy/modules/kernel/mls.te		patch \| blob \| blame \| history
policy/modules/system/selinuxutil.fc		patch \| blob \| blame \| history
policy/modules/system/selinuxutil.te		patch \| blob \| blame \| history
policy/modules/system/setrans.if		patch \| blob \| blame \| history
policy/modules/system/setrans.te		patch \| blob \| blame \| history