From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 5/7] mcs: combine single-level object creation constraints
Date: Fri, 29 Oct 2021 17:04:41 -0400
Message-Id: <20211029210443.17461-6-me@concord.sh>
In-Reply-To: <20211029210443.17461-1-me@concord.sh>

Signed-off-by: Kenton Groombridge
--- policy/mcs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/policy/mcs b/policy/mcs index 6207b2734..54d06f292 100644 --- a/policy/mcs +++ b/policy/mcs @@ -91,7 +91,7 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -mlsconstrain file { create relabelto } +mlsconstrain { file lnk_file fifo_file } { create relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); 
@@ -99,9 +99,6 @@ mlsconstrain file { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain { file lnk_file fifo_file } { create relabelto } - (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); - mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -- 2.33.1
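
Review bot: In the first hunk (@@ -91,7 +91,7 @@), the `( h1 dom h2 )` term in the widened `mlsconstrain { file lnk_file fifo_file } { create relabelto }` rule duplicates the unchanged rule at the end of the second hunk, which already requires `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))` for `create relabelto` on all seven classes, these three included. Every constraint that matches a class and permission has to hold, so the dominance test is evaluated twice for `file`, `lnk_file` and `fifo_file`. Consider reducing this rule to `(( l2 eq h2 ) or ( t1 != mcs_constrained_type ))` and splitting the comment above it, so that one rule carries the single-level property and the seven-class rule carries the clearance property.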
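
Review bot: The commit message has no body, and the deletion in the second hunk (@@ -99,9 +99,6 @@) of `mlsconstrain { file lnk_file fifo_file } { create relabelto }` is only safe because the first hunk extends the combined rule to the same three classes with the same `( l2 eq h2 )` test. Please say in the message that the change is intended to be behaviour-preserving and why, so a later reader does not have to re-derive that from both hunks. It would also help to note that, in the rules visible here, `l2 eq h2` on `create relabelto` still applies only to `file`, `lnk_file` and `fifo_file`, while `dir`, `chr_file`, `blk_file` and `sock_file` get the `h1 dom h2` check alone, and whether that is deliberate.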