selinux/libsepol/include/sepol
Joshua Brindle 9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
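A standalone model of the glblub computation the message describes, written as an added example and not libsepol's own code: the low level takes the higher of the two low sensitivities with the intersection of their category sets, the high level takes the lower of the two high sensitivities with the intersection of theirs, and the result is invalid when that high level does not dominate the low one. It assumes plain `sN`/`cN` identifiers and does not check the result against a policy's level definitions.

```python
# Added example: a standalone model of default_range glblub semantics.
# Not libsepol's code; it assumes plain sN/cN identifiers and does not
# validate the result against a policy's level definitions.

def parse_level(level):
    """Parse 'sN[:cA[.cB][,...]]' into (sensitivity, frozenset(categories))."""
    sens_part, _, cat_part = level.partition(":")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        lo, _, hi = item.partition(".")
        first, last = int(lo[1:]), int((hi or lo)[1:])
        cats.update(range(first, last + 1))
    return int(sens_part[1:]), frozenset(cats)

def parse_range(rng):
    """'low-high', or a single level meaning low == high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def format_level(sens, cats):
    """Render a level in SELinux syntax; runs of 3+ categories become cX.cY."""
    cats, parts, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"c{cats[i]}.c{cats[j]}")
        else:
            parts.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    return f"s{sens}" + (":" + ",".join(parts) if parts else "")

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories cover b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def glblub(range_a, range_b):
    """Least upper bound of the lows, greatest lower bound of the highs."""
    (low_a, high_a), (low_b, high_b) = parse_range(range_a), parse_range(range_b)
    low = (max(low_a[0], low_b[0]), low_a[1] & low_b[1])
    high = (min(high_a[0], high_b[0]), high_a[1] & high_b[1])
    if not dominates(high, low):
        return "INVALID"          # the two ranges have no level in common
    if low == high:
        return format_level(*low)
    return f"{format_level(*low)}-{format_level(*high)}"

if __name__ == "__main__":
    print(glblub("s0-s4:c0.c512", "s1-s1:c0.c1023"))   # s1-s1:c0.c512
```

Running it over the rows of the table above reproduces each Computed Label, including the two INVALID rows.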
File                | Last commit                                                          | Date
--------------------|----------------------------------------------------------------------|---------------------------
policydb            | Add default_range glblub support                                     | 2019-09-10 12:30:29 -04:00
boolean_record.h    | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
booleans.h          | selinux: Remove legacy local boolean and user code                   | 2019-07-29 23:46:24 +02:00
context_record.h    | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
context.h           | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
debug.h             | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
errcodes.h          | whitespace and spelling cleanup                                      | 2018-09-25 08:05:41 -07:00
handle.h            | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
ibendport_record.h  | libsepol: replace non-standard use of __BEGIN_DECLS                  | 2017-06-20 11:03:12 -04:00
ibendports.h        | libsepol: replace non-standard use of __BEGIN_DECLS                  | 2017-06-20 11:03:12 -04:00
ibpkey_record.h     | libsepol: replace non-standard use of __BEGIN_DECLS                  | 2017-06-20 11:03:12 -04:00
ibpkeys.h           | libsepol: replace non-standard use of __BEGIN_DECLS                  | 2017-06-20 11:03:12 -04:00
iface_record.h      | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
interfaces.h        | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
kernel_to_cil.h     | libsepol: Add ability to convert binary policy to CIL                | 2017-04-05 12:23:05 -04:00
kernel_to_conf.h    | libsepol: Add ability to convert binary policy to policy.conf file   | 2017-04-05 12:23:25 -04:00
module_to_cil.h     | libsepol: add function to generate CIL from a module policydb        | 2015-04-01 13:09:21 -04:00
module.h            | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
node_record.h       | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
nodes.h             | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
policydb.h          | libsepol: add a function to optimize kernel policy                   | 2019-06-25 10:11:00 -04:00
port_record.h       | selinux: Add support for the SCTP portcon keyword                    | 2018-03-19 12:34:29 -04:00
ports.h             | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
roles.h             | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
sepol.h             | semanage: Update semanage to allow runtime labeling of ibendports    | 2017-05-23 16:20:55 -04:00
user_record.h       | libsepol: do not #include <sys/cdefs.h>                              | 2016-11-29 11:03:17 -05:00
users.h             | selinux: Remove legacy local boolean and user code                   | 2019-07-29 23:46:24 +02:00