Allow user and role changes on dynamic transitions with the same constraints as regular transitions.

2011-09-02 09:59:26 -04:00 · 2011-09-02 09:59:26 -04:00 · 8ee51235f6
parent 74aaedde68
commit 8ee51235f6
2 changed files with 4 additions and 7 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Allow user and role changes on dynamic transitions with the same
+  constraints as regular transitions.
 - New git service features from Dominick Grift.
 - Corenetwork policy size optimization from Dan Walsh.
 - Silence spurious udp_socket listen denials.
--- a/policy/constraints
+++ b/policy/constraints
@ -87,7 +87,7 @@ ifdef(`enable_ubac',`
 	);
 ')

-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	u1 == u2
 	or ( t1 == can_change_process_identity and t2 == process_user_target )
@ -96,7 +96,7 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );

-constrain process { transition noatsecure siginh rlimitinh }
+constrain process { transition dyntransition noatsecure siginh rlimitinh }
 (
 	r1 == r2 
 	or ( t1 == can_change_process_role and t2 == process_user_target )
@ -105,11 +105,6 @@ constrain process { transition noatsecure siginh rlimitinh }
 	or ( t1 == process_uncond_exempt )
 );

-constrain process dyntransition
-(
-	u1 == u2 and r1 == r2
-);
-
 # These permissions do not have ubac constraints:
 # fork
 # setexec