From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 06 Oct 2008 13:31:09 -0400 Subject: [refpolicy] mls.patch In-Reply-To: <48DCFF42.6020407@tycho.nsa.gov> References: <48DBDC51.8000206@redhat.com> <74E521B7-FA12-4326-9D7C-43B0BC0FCD02@nall.com> <48DCFF42.6020407@tycho.nsa.gov> Message-ID: <1223314269.2165.20.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2008-09-26 at 11:26 -0400, Eamon Walsh wrote: > Joe Nall wrote: > > On Sep 25, 2008, at 1:45 PM, Daniel J Walsh wrote: > > > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch > >> > >> Joe this is the patch I have off of current reference policy. Is > >> this > >> correct or should I use reference policy mls? > >> > > > > It was my transcription of Eamon's verbal how-to and it works so far. > > It may not be the final word on the topic as we are just starting to > > test X in mls enforcing. Eamon might be able to loosen it up some > > safely. > > > > joe > > > > > > Also, here is a combined version of the range transition patches I sent > earlier. These were in response to the socket level and root window > level issued raised by Ted. Merged. > Index: policy/modules/services/xserver.if > =================================================================== > --- policy/modules/services/xserver.if (revision 2819) > +++ policy/modules/services/xserver.if (working copy) > @@ -77,6 +77,9 @@ > files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file }) > > filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file) > + ifdef(`enable_mls',` > + range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh; > + ') > > manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) > manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t) 
> @@ -95,6 +98,9 @@ > > # Labeling rules for default windows and colormaps > type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t; > + ifdef(`enable_mls',` > + range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh; > + ') > > kernel_read_system_state($1_xserver_t) > kernel_read_device_sysctls($1_xserver_t) > > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
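Review bot: In the @@ -77,6 +77,9 @@ hunk, the added range_transition names only the sock_file class, while the files_tmp_filetrans line at the top of the hunk moves { file dir sock_file } to $1_xserver_tmp_t, so files and directories of that type are not given the s0 - mls_systemhigh range by this rule. If only the socket is meant to be ranged, say so in a one-line comment above the ifdef (the thread mentions a socket level issue, but the policy source does not); if not, widen the class set to match. As a style point, the low end is written as a literal s0 next to mls_systemhigh; mls_systemlow would keep the rule symmetric and independent of how the lowest level is named.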
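Review bot: In the @@ -95,6 +98,9 @@ hunk, the added range_transition uses $1_rootwindow_t as its target type, whereas the type_transition directly above it, which produces $1_rootwindow_t, is keyed on $1_xserver_t as both source and target. Please confirm which type is passed as the target when the root window's level is computed, since a rule keyed on the resulting type will only match if the lookup is done against that type and not against $1_xserver_t. The class set also differs: the type_transition covers { x_drawable x_colormap } but the range rule covers x_drawable only, so default colormaps are left without the s0 - mls_systemhigh range; a short comment stating that this is intended, or adding x_colormap, would settle it.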