commit: 240ae057dc8144fe1d97cdb21a37d12358c046b9 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Thu Oct 14 14:21:48 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=240ae057
mcs: combine single-level object creation constraints

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

policy/mcs | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index 1f24fd8a..cc922a02 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -91,7 +91,7 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
 ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
@@ -99,9 +99,6 @@ mlsconstrain file { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
- (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
-
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
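Review bot: The comment above the combined constraint in the first hunk still reads as if every new filesystem object must be single-level, but the rule names only `file`, `lnk_file` and `fifo_file`. As far as the visible hunks show, `dir`, `chr_file`, `blk_file` and `sock_file` get only the dominance check from the seven-class `create relabelto` constraint kept as context in the second hunk. I would say so in the comment, e.g. `# file, lnk_file and fifo_file must also be single-level (l2 eq h2); other classes are only dominance-checked below.` The `h1 dom h2` term in the combined expression now repeats that later constraint for these three classes. That is harmless because every applicable constraint must hold, but a short remark that the overlap is intentional would keep a later cleanup from dropping one of the two checks and weakening the category isolation for `mcs_constrained_type` domains.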