mcstransd never implemented this permission. To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below.
Signed-off-by: Chad Hanson <dahchanson@gmail.com>
Add MLS constraints for several network related access controls including
the new ingress/egress controls and the older Secmark controls. Based on
the following post to the SELinux Reference Policy mailing list:
* http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
> We could add another 'or' on the above constraint:
>
> or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
>
> I believe that would be the constraint you were looking for. I don't
> like the name of that attribute, but I couldn't come up with a better
> one off the top of my head. :)
>
Attached is a patch which I've tested against selinux-policy-2.4.2-1
that implements this additional constraint. The name is still a bit
forced, but it works.
-matt <mra at hp dot com>
Chris PeBenito
Chad Hanson
Jason Zaman
cgzones
Lukas Vrabec
qqo
Chris PeBenito