On Mon, 2006-10-30 at 15:03 -0500, James Antill wrote:
> On Fri, 2006-10-27 at 14:38 -0400, Stephen Smalley wrote:
>
> > Look at Darrel's patch for mcstransd to apply a permission check between
> > the level of the caller and the level being translated for context
> > translations.
>
> Thanks to much discussion with Dan and Stephen, I'm pretty sure I have
> this correct now.
Here is the reference policy part of the patches (libselinux came previously and PAM is next).

-- 
James Antill - <[EMAIL PROTECTED]>
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors (revision 2065)
+++ policy/flask/access_vectors (working copy)
@@ -635,4 +635,5 @@
class context
{
translate
+ transition
}
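Review bot: the new `transition` permission is appended to `class context` with no comment on what it authorizes, and since `context` is a userspace object-manager class (per the thread, the check is applied by mcstransd and PAM, not by the kernel) a reader of access_vectors cannot tell how it differs from `translate`. Suggest a one-line comment beside it, e.g. `transition  # caller's range must dominate the target context (checked in userspace)`, and make sure the userspace side from the earlier libselinux patch uses the identical permission name, since a mismatch here fails silently rather than at policy build time.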
Index: policy/modules/system/authlogin.if
===================================================================
--- policy/modules/system/authlogin.if (revision 2065)
+++ policy/modules/system/authlogin.if (working copy)
@@ -278,6 +278,9 @@
allow $2 $1:fd use;
allow $2 $1:fifo_file rw_file_perms;
allow $2 $1:process sigchld;
+
+ # Check MLS Range
+ allow $1 domain:context transition;
')
########################################
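Review bot: the added `allow $1 domain:context transition;` grants the permission against every type carrying the `domain` attribute and leaves the real restriction entirely to the MLS constraint, so in a build without `enable_mls` this rule is an unconditional grant. The comment `# Check MLS Range` should say that plainly (the allow only makes the check reachable; the range comparison lives in policy/mls), and the interface's documentation block above this hunk should mention that the login domain passed as `$1` now needs `context transition`, so callers understand why the rule is there.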
Index: policy/mls
===================================================================
--- policy/mls (revision 2065)
+++ policy/mls (working copy)
@@ -596,4 +596,7 @@
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context transition
+ ( h1 dom h2 );
+
') dnl end enable_mls
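Review bot: the new `mlsconstrain context transition ( h1 dom h2 );` compares only the high levels, so a caller whose high level dominates the target's high level passes even when the target's low level lies below the caller's low level; if the intent from the thread is a check on the caller's range (as the `# Check MLS Range` comment in authlogin.if says), the low levels need a clause as well, and if a clearance check is what is wanted, the comment should say "level" rather than "range". Also, unlike the `translate` constraint directly above it, this one has no `t1 == mlstranslate` exemption; if that is deliberate (so even the translation daemon cannot transition above its own level), a comment saying so would stop someone later "fixing" it to match.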
-- 
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
