mcs: deprecate mcs overrides

Deprecate mcs overrides in favor of using mcs_constrained_type.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2021-10-13 11:26:23 -04:00
parent e49243a08f
commit 8d83b25353


@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain file { write setattr append unlink link rename }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { search read ioctl lock }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain fifo_file { open }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and ( t2 == domain )));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
(( h1 dom h2 ) or ( t1 == mcswriteall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
((( h1 dom h2 ) and ( l2 eq h2 )) or
( t1 != mcs_constrained_type ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
( h1 dom h2 );
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { ptrace }
(( h1 dom h2) or ( t1 == mcsptraceall ));
(( h1 dom h2) or ( t1 != mcs_constrained_type ));
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
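Review bot: The rewritten constraint bodies, starting with the file read rule's `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));`, exempt every type that lacks mcs_constrained_type from category dominance on all the listed file, dir, fifo_file and lnk/chr/blk/sock_file operations, whereas the removed lines exempted such types only when `t2 == domain` and otherwise demanded `h1 dom h2` or an override attribute; MCS enforcement on filesystem objects thereby becomes opt-in per domain, which the commit message ("deprecate mcs overrides") does not say and which deserves a sentence there or in the header comment. The retained context line `# - /proc/pid operations are not constrained.` describes the dropped `t2 == domain` clause and is now stale; the comment block it belongs to starts above the hunk, so the earlier bullets should be re-read too, and I would replace this one with `# - Only domains with the mcs_constrained_type attribute are constrained.`. The `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` constraint now reads `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));` and drops the `( l2 eq h2 )` single-level requirement that the file-only `create relabelto` constraint just above still keeps, so dir, lnk_file, chr_file, blk_file, sock_file and fifo_file objects created or relabelled by a constrained domain no longer have to be single-level; if that is unintended, `((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));` keeps the two consistent. The mcsreadall, mcswriteall, mcssetcats, mcsptraceall and mcskillall attributes no longer appear in any constraint in this hunk, so if their declarations and interfaces survive elsewhere, presumably they should be marked deprecated there so policy authors do not assign them expecting an effect.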