enhanced setransd support from darrel goeddel

Changelog

@@ -1,3 +1,5 @@
+- Enhanced setransd support from Darrel Goeddel.
+
 * Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
 - Patch from Russell Coker Thu, 5 Oct 2006
 - Move range transitions to modules.

policy/flask/access_vectors

@@ -253,6 +253,7 @@ class process
 	execstack
 	execheap
 	setkeycreate
+	setsockcreate
 }
 
 
@@ -630,3 +631,8 @@ class key
 	setattr
 	create
 }
+
+class context
+{
+	translate
+}

policy/flask/security_classes

@@ -93,4 +93,6 @@ class packet
 # Kernel access key retention
 class key
 
+class context			# userspace
+
 # FLASK

policy/mls

@@ -587,4 +587,13 @@ mlsconstrain association { polmatch }
 	((( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t2 == unlabeled_t ));
 
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+	(( h1 dom h2 ) or ( t1 == mlstranslate ));
+
 ') dnl end enable_mls

policy/modules/kernel/mls.if

@@ -451,3 +451,22 @@ interface(`mls_fd_share_all_levels',`
 
 	typeattribute $1 mlsfdshare;
 ')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_context_translate_all_levels',`
+	gen_require(`
+		attribute mlstranslate;
+	')
+
+	typeattribute $1 mlstranslate;
+')

policy/modules/kernel/mls.te

@@ -1,5 +1,5 @@
 
-policy_module(mls,1.4.0)
+policy_module(mls,1.4.1)
 
 ########################################
 #
@@ -49,3 +49,5 @@ attribute mlsrangetrans;
 
 attribute mlsfduse; 
 attribute mlsfdshare;
+
+attribute mlstranslate;

policy/modules/system/selinuxutil.fc

@@ -7,10 +7,11 @@
 /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?     gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK    --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK   --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 
 #

policy/modules/system/selinuxutil.te

@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.3.0)
+policy_module(selinuxutil,1.3.1)
 
 ifdef(`strict_policy',`
 	gen_require(`

policy/modules/system/setrans.if

@@ -17,6 +17,7 @@ interface(`setrans_translate_context',`
 
 	allow $1 self:unix_stream_socket create_stream_socket_perms;
 
+	allow $1 setrans_t:context translate;
 	allow $1 setrans_t:unix_stream_socket connectto;
 	allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
 	allow $1 setrans_var_run_t:sock_file rw_file_perms;

policy/modules/system/setrans.te

@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.1.0)
+policy_module(setrans,1.1.1)
 
 ########################################
 #
@@ -57,6 +57,7 @@ mls_file_read_up(setrans_t)
 mls_file_write_down(setrans_t)
 mls_net_receive_all_levels(setrans_t)
 mls_rangetrans_target(setrans_t)
+mls_socket_write_all_levels(setrans_t)
 
 selinux_compute_access_vector(setrans_t)