From: ewalsh@tycho.nsa.gov (Eamon Walsh)
Date: Fri, 26 Sep 2008 11:26:58 -0400
Subject: [refpolicy] mls.patch
In-Reply-To: <74E521B7-FA12-4326-9D7C-43B0BC0FCD02@nall.com>
References: <48DBDC51.8000206@redhat.com> <74E521B7-FA12-4326-9D7C-43B0BC0FCD02@nall.com>
Message-ID: <48DCFF42.6020407@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Joe Nall wrote:
> On Sep 25, 2008, at 1:45 PM, Daniel J Walsh wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
>>
>> Joe, this is the patch I have off of current reference policy. Is this
>> correct or should I use reference policy mls?
>
> It was my transcription of Eamon's verbal how-to and it works so far.
> It may not be the final word on the topic as we are just starting to
> test X in mls enforcing. Eamon might be able to loosen it up some
> safely.
>
> joe

Also, here is a combined version of the range transition patches I sent earlier. These were in response to the socket level and root window level issues raised by Ted.

Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if (revision 2819)
+++ policy/modules/services/xserver.if (working copy)
@@ -77,6 +77,9 @@ files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) + ifdef(`enable_mls',` + range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh; + ') manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
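Review bot: the new range_transition in this hunk covers only the sock_file class, while the files_tmp_filetrans() call just above it also sends file and dir objects into $1_xserver_tmp_t; those keep the creating server's own range, so either add a comment stating that only the listening socket is meant to be reachable from every level, or widen the class to `{ file dir sock_file }` to match the filetrans line. The range by itself does not grant access: a client running above s0 still has to pass the MLS constraints on sock_file write to connect to a socket labeled s0 - mls_systemhigh, so please confirm with a connect from a non-s0 client in enforcing mode rather than from the rule alone. A one-line comment above the ifdef block explaining why the socket needs the full range (the "socket level" point from Ted mentioned in the message) would also help the next reader, since the rule is otherwise unexplained.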
@@ -95,6 +98,9 @@ # Labeling rules for default windows and colormaps type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t; + ifdef(`enable_mls',` + range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh; + ') kernel_read_system_state($1_xserver_t) kernel_read_device_sysctls($1_xserver_t)

-- 
Eamon Walsh
National Security Agency
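Review bot: in the second hunk the type_transition on the line above the ifdef labels both x_drawable and x_colormap objects as $1_rootwindow_t, but the added range_transition covers x_drawable only, so the root window gets s0 - mls_systemhigh while the default colormap keeps the server's range. If clients at every level are meant to use the default colormap as well as the root window, the rule should be `range_transition $1_xserver_t $1_rootwindow_t:{ x_drawable x_colormap } s0 - mls_systemhigh;`; if the narrower scope is deliberate, a comment saying why only the root drawable gets the full range would prevent the question being asked again. Either way, the existing comment on this block ("Labeling rules for default windows and colormaps") should be extended to mention the MLS range, since it now documents the labeling only partially.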