trunk: MLS constraints for the x_selection class, from Eamon Walsh.

Changelog

@@ -1,3 +1,4 @@
+- MLS constraints for the x_selection class, from Eamon Walsh.
 - Postgresql updates from KaiGai Kohei.
 - Milter state directory patch from Paul Howarth.
 - Add MLS constrains for ingress/egress and secmark from Paul Moore.

policy/mls

@@ -515,6 +515,25 @@ mlsconstrain x_property { create destroy write append setattr }
 	 ( t1 == mlsxwinwrite ));
 
 
+#
+# MLS policy for the x_selection class
+#
+
+# the x_selection "read" ops (implicit single level)
+mlsconstrain x_selection { read getattr }
+	(( l1 dom l2 ) or
+	 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsxwinreadselection ) or
+	 ( t1 == mlsxwinread ));
+
+# the x_selection "write" ops (implicit single level)
+mlsconstrain x_selection { write setattr }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsxwinwriteselection ) or
+	 ( t1 == mlsxwinwrite ));
+
+
 #
 # MLS policy for the x_cursor class
 #

policy/modules/kernel/mls.te

@@ -42,6 +42,8 @@ attribute mlsxwinwrite;
 attribute mlsxwinwritetoclr;
 attribute mlsxwinreadproperty;
 attribute mlsxwinwriteproperty;
+attribute mlsxwinreadselection;
+attribute mlsxwinwriteselection;
 attribute mlsxwinreadcolormap;
 attribute mlsxwinwritecolormap;
 attribute mlsxwinwritexinput;