selinux/checkpolicy
Joshua Brindle 9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
..
ru Update man pages translation by Olesya Gerasimenko 2019-05-28 07:50:34 -04:00
test libsepol: add ebitmap_for_each_set_bit macro 2019-05-20 14:00:32 -04:00
.gitignore Repo: update .gitignore 2011-08-02 13:31:51 -04:00
checkmodule.8 checkmodule: add support for specifying module policy version 2019-04-19 13:10:44 -04:00
checkmodule.c checkmodule: add support for specifying module policy version 2019-04-19 13:10:44 -04:00
checkpolicy.8 checkpolicy: add flag to enable policy optimization 2019-06-25 10:11:00 -04:00
checkpolicy.c checkpolicy: add flag to enable policy optimization 2019-06-25 10:11:00 -04:00
checkpolicy.h initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00
COPYING initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00
Makefile Allow installing translated man pages 2019-01-28 12:03:57 +01:00
module_compiler.c checkpolicy: destroy the class datum if it fails to initialize 2018-05-30 22:00:13 +02:00
module_compiler.h checkpolicy: Separate tunable from boolean during compile. 2011-09-16 11:54:01 -04:00
parse_util.c Remove redundant if-clause 2019-06-19 09:03:12 -07:00
parse_util.h initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00
policy_define.c libsepol: add ebitmap_for_each_set_bit macro 2019-05-20 14:00:32 -04:00
policy_define.h checkpolicy: Add support for ibendportcon labels 2017-05-23 16:20:55 -04:00
policy_parse.y Add default_range glblub support 2019-09-10 12:30:29 -04:00
policy_scan.l Add default_range glblub support 2019-09-10 12:30:29 -04:00
queue.c checkpolicy,libselinux,libsepol,policycoreutils: Update my email address 2017-08-17 14:17:12 -04:00
queue.h checkpolicy,libselinux,libsepol,policycoreutils: Update my email address 2017-08-17 14:17:12 -04:00
VERSION Update VERSIONs to 2.9 for release. 2019-03-15 11:32:30 +01:00