2008-12-30 15:19:10

by Xavier Toth

Subject: [refpolicy] [PATCH] Policy:setrans.te - Re: [RFC] Add color translation support to mcstransd

On Wed, Dec 24, 2008 at 10:23 AM, Xavier Toth <[email protected]> wrote:
> On Thu, Dec 11, 2008 at 3:35 PM, Eamon Walsh <[email protected]> wrote:
>> Xavier Toth wrote:
>>>
>>> Sorry to be pedantic but is there a reference implementation or will
>>> the mcstrans developer (Joe) have to develop it?
>>>
>>> Ted
>>>
>>
>> Also here is a preliminary libselinux patch.
>>
>>
>> --
>> Eamon Walsh <[email protected]>
>> National Security Agency
>>
>>
>
> This patch could be upstreamed now because even if the installed
> mcstransd doesn't support color a call to selinux_raw_context_to_color
> will simply return an error, right?
>
> Ted
>

In anticipation of the addition of SELinux color mapping support to
libselinux and mcstransd I wrote this policy patch:

------------------------------------------------------------------------------------------------------------------------------

Allow mcstransd to use the CONTEXT__CONTAINS permission check to check
dominance when determining the colors to return for calls to
selinux_raw_context_to_color.

--- serefpolicy-3.5.13/policy/modules/system/setrans.te.orig 2008-12-30
08:43:31.000000000 -0600
+++ serefpolicy-3.5.13/policy/modules/system/setrans.te 2008-12-30
08:46:26.000000000 -0600
@@ -35,6 +35,11 @@
allow setrans_t self:unix_stream_socket create_stream_socket_perms;
allow setrans_t self:unix_dgram_socket create_socket_perms;
allow setrans_t self:netlink_selinux_socket create_socket_perms;
+gen_require(`
+ class context contains;
+')
+
+allow setrans_t self:context contains;

can_exec(setrans_t, setrans_exec_t)
corecmd_search_bin(setrans_t)
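Review bot: the new `gen_require` block is dropped into the middle of the rules section, between the `netlink_selinux_socket` allow and `can_exec(setrans_t, setrans_exec_t)`; refpolicy keeps `gen_require` (and other declarations) in the declarations block at the top of the module, so please move `gen_require(\` class context contains; ')` up there and leave only `allow setrans_t self:context contains;` in the rules section. Please also state in the description which source and target contexts the `context contains` access vector is computed with: the description says the check compares contexts handed to `selinux_raw_context_to_color` for dominance, and a `self` rule only covers a query where both source and target are `setrans_t`, so if the query is made between the caller's raw contexts this rule would not grant it. Finally, the indentation of ` class context contains;` looks like a tab was lost in transit; check the patch applies with the file's tab indentation intact.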