2021-10-29 21:13:34

by Kenton Groombridge

Subject: [PATCH 1/7] mcs: deprecate mcs overrides

Deprecate mcs overrides in favor of using mcs_constrained_type.

Signed-off-by: Kenton Groombridge <[email protected]>
---
policy/mcs | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index c0d424a97..44b57e594 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain fifo_file { open }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
+ ( t1 != mcs_constrained_type ));

# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 == mcsptraceall ));
+ (( h1 dom h2) or ( t1 != mcs_constrained_type ));

mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 == mcskillall ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
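Review bot: The rewritten `create relabelto` constraint on the `{ dir file lnk_file chr_file blk_file sock_file fifo_file }` class set drops the `( l2 eq h2 )` conjunct that the removed line had and that the file-only `create relabelto` rule a few lines above still keeps, so newly created dir/lnk_file/chr_file/blk_file/sock_file/fifo_file objects are no longer required to be single-level even for types in mcs_constrained_type, and the comment "also the objects are single-level" no longer holds for them. Unless that is intended, the line should match the file rule: `((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));`. Separately, replacing `(( t1 != mcs_constrained_type ) and (t2 == domain))` with a bare `( t1 != mcs_constrained_type )` in the file, dir, fifo_file and lnk_file/chr_file/blk_file/sock_file rules widens the exemption from domain-labelled objects (the /proc/pid case the comment above the hunk describes) to every object for any type not in mcs_constrained_type, which makes MCS enforcement for such types opt-in rather than always-on; the commit message should say so explicitly, since "deprecate mcs overrides" does not convey that. Whether the mcsreadall, mcswriteall, mcssetcats, mcsptraceall and mcskillall attributes are still declared or referenced elsewhere in the policy is not visible in this hunk.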
--
2.33.1