From a8671ae5b25b52d9015cb02067faf7ca0aa8387f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Oct 20 2006 14:44:23 +0000
Subject: enhanced setransd support from darrel goeddel
---
diff --git a/Changelog b/Changelog
index a60226a..59d75cc 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Enhanced setransd support from Darrel Goeddel.
+
 * Wed Oct 18 2006 Chris PeBenito - 20061018
 - Patch from Russell Coker Thu, 5 Oct 2006
 - Move range transitions to modules.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0ad632b..641dcd2 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -253,6 +253,7 @@ class process
 execstack
 execheap
 setkeycreate
+ setsockcreate
 }
@@ -630,3 +631,8 @@ class key
 setattr
 create
 }
+
+class context
+{
+ translate
+}
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 57f49bc..53c0cf1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -93,4 +93,6 @@ class packet
 # Kernel access key retention
 class key
+class context # userspace
+
 # FLASK
diff --git a/policy/mls b/policy/mls
index 26b3ef0..021a4ff 100644
--- a/policy/mls
+++ b/policy/mls
@@ -587,4 +587,13 @@ mlsconstrain association { polmatch }
 ((( l1 dom l2 ) and ( h1 domby h2 )) or
 ( t2 == unlabeled_t ));
+
+ #
+ # MLS policy for the context class
+ #
+ mlsconstrain context translate
+ (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
 ') dnl end enable_mls
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 5ca509e..d8de57e 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
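Review bot: The `setsockcreate` permission added to `class process` in the first access_vectors hunk is not referenced by any rule elsewhere in this patch, and the Changelog entry only mentions setransd, so a reader cannot tell which domain is meant to use it or why it travels with this change. New kernel permissions are easiest to audit when their first consumer lands alongside them; failing that, a one-line comment or Changelog entry naming the intended user (presumably something on the setrans side, but not determinable from this diff) would keep the access-vector change traceable.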
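Review bot: The new `mlsconstrain context translate (( h1 dom h2 ) or ( t1 == mlstranslate ));` in policy/mls is the only place the `mlstranslate` attribute has any effect, yet the comment above it says just `# MLS policy for the context class`, which does not tell a reviewer what is being relaxed. I would replace that comment with `# a process may translate a context only when its high level dominates the target's high level, unless it carries the mlstranslate attribute (see mls_context_translate_all_levels)`. Because the block sits inside the region closed by `') dnl end enable_mls`, the attribute and its interface are no-ops on a non-MLS build, which matches the other overrides in this file and is worth stating in the interface description too.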
@@ -451,3 +451,22 @@ interface(`mls_fd_share_all_levels',`
 typeattribute $1 mlsfdshare;
 ')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for translating contexts at all levels.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_context_translate_all_levels',`
+ gen_require(`
+ attribute mlstranslate;
+ ')
+
+ typeattribute $1 mlstranslate;
+')
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 591247e..5254f32 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.4.0)
+policy_module(mls,1.4.1)
 ########################################
 #
@@ -49,3 +49,5 @@ attribute mlsrangetrans;
 attribute mlsfduse;
 attribute mlsfdshare;
+
+attribute mlstranslate;
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8cb0707..abd65da 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
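Review bot: The summary of `mls_context_translate_all_levels` says the domain becomes "MLS trusted for translating contexts at all levels" but never says which check is bypassed, so a module author cannot judge whether the override is proportionate to what the domain does. I would add to the summary `Exempts the domain from the high-level dominance check on the context translate permission (policy/mls); grant only to domains that must translate contexts of every level.` Nothing in this patch calls the interface, so `mlstranslate` stays empty until a module opts in; that is fine for least privilege, but the description should say the attribute is a deliberate hole in the MLS lattice rather than a default.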
@@ -7,10 +7,11 @@
 /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
 /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 /etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ceeaec7..99ab117 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.3.0)
+policy_module(selinuxutil,1.3.1)
 ifdef(`strict_policy',`
 gen_require(`
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 9547503..8c1c7ce 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
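Review bot: The three `modules/...` lines in the selinuxutil.fc hunk are removed and re-added with text identical to their old versions, so their only difference is whitespace alignment, and that churn is mixed into a hunk whose single functional change is the new `setrans\.conf` entry. Whitespace-only re-labelling makes a file-context change harder to audit (a reviewer has to compare each pair by eye to confirm no type or level changed) and belongs in its own commit or at least in a Changelog line. The `setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)` entry itself is consistent with the `seusers` line beside it.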
@@ -17,6 +17,7 @@ interface(`setrans_translate_context',`
 allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 setrans_t:context translate;
 allow $1 setrans_t:unix_stream_socket connectto;
 allow $1 setrans_var_run_t:unix_stream_socket rw_socket_perms;
 allow $1 setrans_var_run_t:sock_file rw_file_perms;
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 7f5f701..49da6d2 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
-policy_module(setrans,1.1.0)
+policy_module(setrans,1.1.1)
 ########################################
 #
@@ -57,6 +57,7 @@ mls_file_read_up(setrans_t)
 mls_file_write_down(setrans_t)
 mls_net_receive_all_levels(setrans_t)
 mls_rangetrans_target(setrans_t)
+mls_socket_write_all_levels(setrans_t)
 selinux_compute_access_vector(setrans_t)
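Review bot: The added `allow $1 setrans_t:context translate;` grants a permission in the `context` class, which security_classes marks `# userspace`, so unlike the unix_stream_socket rules around it this check is made by setransd itself rather than by the kernel, and under MLS it is further gated by the new `mlsconstrain context translate` in policy/mls. A one-line comment on the rule, `# userspace check made by setransd; MLS-constrained in policy/mls`, would stop the next reader from looking for a kernel-side object and make clear that the allow alone does not let a lower-level client translate higher-level contexts. The enclosing interface `setrans_translate_context` starts before this hunk.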
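Review bot: `mls_socket_write_all_levels(setrans_t)` in the setrans.te hunk widens the MLS overrides for setrans_t without a comment saying which writes need it; the neighbouring `mls_net_receive_all_levels(setrans_t)` suggests it is the reply path to clients at other levels, but that is not determinable from this diff. Each mls_*_all_levels call is a deliberate exception to the lattice, so a comment such as `# reply to translation clients at any level -- TODO confirm` next to it keeps the override reviewable and lets a later audit drop it if the daemon stops needing it.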