From 4c365f4a6a6f933dd13b0127e03f832c6a6cf8fc Mon Sep 17 00:00:00 2001
From: Harry Ciao
Date: Tue, 15 Feb 2011 10:16:32 +0800
Subject: [PATCH] l1 domby l2 for contains MLS constraint

As identified by Stephan Smalley, the current MLS constraint for the contains permission of the context class should consider the current level of a user along with the clearance level so that mls_systemlow is no longer considered contained in mls_systemhigh.

Signed-off-by: Harry Ciao
---
 policy/mls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/mls b/policy/mls
index 13151ad8c..0e8474b9d 100644
--- a/policy/mls
+++ b/policy/mls
@@ -720,7 +720,7 @@ mlsconstrain context translate
  (( h1 dom h2 ) or ( t1 == mlstranslate ));
 
 mlsconstrain context contains
- ( h1 dom h2 );
+ (( h1 dom h2 ) and ( l1 domby l2));
 
 #
 # MLS policy for database classes
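Review bot: The added clause `( l1 domby l2))` is missing the space before its closing parenthesis that `( h1 dom h2 )` and the translate constraint above both use; `(( h1 dom h2 ) and ( l1 domby l2 ));` keeps the file's spacing. The constraint also carries no comment, and because `dom` and `domby` point in opposite directions a one-line statement of intent above it would prevent a later misreading, e.g. `# contains: source range l1-h1 must enclose target range l2-h2`. Since this narrows what the check grants, any userspace caller that asked for `contains` against a context whose low level sits below its own was previously allowed and will now be denied; that appears to be the intent, but it is worth confirming against the callers before merge.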