2013-04-24 16:33:33

by clement.parard

Subject: [refpolicy] write equal --> no write down

Hello.

I would like to modify the policy/mls file to change the "write equal" to
"no write down". However, despite several attempts, I haven't managed to.
Is it possible to get help? I work under CentOS 6.4.
I have three users with three different /home directories; each has a different level of
confidentiality (s0, s1, s2) and I'd like "no read up, no write down". "No
read up" is OK by default but not "no write down".

Logically, I will edit this part :

# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));

# Directory "write" ops
mlsconstrain dir { add_name remove_name reparent rmdir }
(( l1 eq l2 ) or
(( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));


Thank you in advance.
Cordially.

--
Clément Parard


2013-04-24 18:39:01

by dahchanson

Subject: [refpolicy] write equal --> no write down

Hi,

What you are asking for is actually already in this policy.

You should change



On Wed, Apr 24, 2013 at 12:33 PM, Clément Parard
<[email protected]> wrote:

> Hello.
>
> I would like to modify the policy/mls file to change the "write equal" to
> "no write down". However, despite several attempts, I haven't managed to.
> Is it possible to get help? I work under CentOS 6.4.
> I have three users with three different /home directories; each has a different level
> of confidentiality (s0, s1, s2) and I'd like "no read up, no write down". "No
> read up" is OK by default but not "no write down".
>
> Logically, I will edit this part :
>
> # the "single level" file "write" ops
> mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
> # Directory "write" ops
> mlsconstrain dir { add_name remove_name reparent rmdir }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
>
> Thank you in advance.
> Cordially.
>
> --
> Clément Parard
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>

2013-04-24 18:48:12

by dahchanson

Subject: [refpolicy] write equal --> no write down

Hi,

What you are asking for is in this policy in a slightly different form.
You should change

( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or

to

(( h1 dom l2 ) and ( l1 domby l2 )) or

to allow a process of s0-s1 to write to files of s0 or s1, but not s2.
The attribute mlsfilewritetoclr stands for the privilege to write to
the process clearance. If you want unrestricted write up, you use the
following rule:

(l1 domby l2) or


On Wed, Apr 24, 2013 at 12:33 PM, Clément Parard
<[email protected]> wrote:
> Hello.
>
> I would like to modify the policy/mls file to change the "write equal" to
> "no write down". However, despite several attempts, I haven't managed to.
> Is it possible to get help? I work under CentOS 6.4.
> I have three users with three different /home directories; each has a different level of
> confidentiality (s0, s1, s2) and I'd like "no read up, no write down". "No read
> up" is OK by default but not "no write down".
>
> Logically, I will edit this part :
>
> # the "single level" file "write" ops
> mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } {
> write create setattr relabelfrom append unlink link rename mounton }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
> # Directory "write" ops
> mlsconstrain dir { add_name remove_name reparent rmdir }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
>
> Thank you in advance.
> Cordially.
>
> --
> Clément Parard
>
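The three constraint variants discussed in this thread (the original "write equal" rule from the question, the "write up to clearance" replacement from the reply, and the unrestricted write-up form) can be checked against concrete level ranges without loading a policy. The following Python model is an added illustration and is not refpolicy code or anything posted to the list: the `Level`, `Context` and rule-function names are this example's own, levels are modelled as a sensitivity number plus a category set with the usual SELinux dominance ordering, the type attributes are carried as plain strings, and the process and file contexts at the bottom are constructed sample values (a user running at s0 with clearance s1, and single-level files at s0, s1 and s2).

```python
"""Toy model of SELinux MLS dominance and the refpolicy file-write
constraints discussed in the thread. Added example, not refpolicy code.
Assumed names: Level, Context, original_write, write_up_to_clearance,
unrestricted_write_up, allowed_targets. Sample contexts are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int                         # s0, s1, s2, ...
    cats: frozenset = frozenset()     # c0, c1, ... (empty in this thread)

    def dom(self, other):             # "l1 dom l2": higher-or-equal sensitivity, superset of categories
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):           # "l1 domby l2"
        return other.dom(self)

    def eq(self, other):              # "l1 eq l2"
        return self.sens == other.sens and self.cats == other.cats


@dataclass(frozen=True)
class Context:
    low: Level                        # l1 / l2 (current level)
    high: Level                       # h1 / h2 (clearance); equal to low for a single-level file
    attrs: frozenset = frozenset()    # type attributes, e.g. "mlsfilewrite"


def _common_overrides(p, o):
    """The terms both the question and the reply leave untouched."""
    return (("mlsfilewriteinrange" in o.attrs and p.low.dom(o.low) and p.high.domby(o.high))
            or "mlsfilewrite" in p.attrs
            or "mlstrustedobject" in o.attrs)


def original_write(p, o):
    """Rule quoted in the question: 'write equal', with write-up to the
    clearance only for subjects carrying mlsfilewritetoclr."""
    return (p.low.eq(o.low)
            or ("mlsfilewritetoclr" in p.attrs and p.high.dom(o.low) and p.low.domby(o.low))
            or _common_overrides(p, o))


def write_up_to_clearance(p, o):
    """Reply's replacement: (( h1 dom l2 ) and ( l1 domby l2 )), i.e. the
    object level must lie between the subject's current level and its
    clearance. Writing below the current level is never allowed here."""
    return ((p.high.dom(o.low) and p.low.domby(o.low))
            or _common_overrides(p, o))


def unrestricted_write_up(p, o):
    """Reply's second form: ( l1 domby l2 ), any object at or above the
    subject's current level, regardless of clearance."""
    return p.low.domby(o.low) or _common_overrides(p, o)


# Constructed sample contexts: a user process at s0 cleared to s1, and
# one single-level file per home directory from the question.
S0, S1, S2 = Level(0), Level(1), Level(2)
PROC_S0_S1 = Context(low=S0, high=S1)
FILES = {"s0": Context(S0, S0), "s1": Context(S1, S1), "s2": Context(S2, S2)}


def allowed_targets(rule, proc=PROC_S0_S1):
    """Names of the sample files the given rule lets `proc` write to."""
    return sorted(name for name, f in FILES.items() if rule(proc, f))


if __name__ == "__main__":
    for rule in (original_write, write_up_to_clearance, unrestricted_write_up):
        print(f"{rule.__name__:24s} s0-s1 process may write: {allowed_targets(rule)}")
    # "No write down" check: a process at s1 (cleared to s2) against the s0 file.
    higher = Context(S1, S2)
    print("s1-s2 process -> s0 file, write_up_to_clearance:",
          write_up_to_clearance(higher, FILES["s0"]))
    print("same, but subject has mlsfilewrite:",
          write_up_to_clearance(Context(S1, S2, frozenset({"mlsfilewrite"})), FILES["s0"]))
```

Running it shows the difference the reply describes: under the original rule the s0-s1 process reaches only the s0 file, under the replacement it reaches s0 and s1 but not s2, and under the unrestricted form it reaches all three. In every variant a process whose current level is s1 is refused on the s0 file unless it carries the `mlsfilewrite` override, which is the "no write down" property the question asks for; the change only affects how far write-up is permitted.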