From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 16 Feb 2011 10:09:39 -0500
Subject: [refpolicy] l1 domby l2 for contains MLS constraint
In-Reply-To:
References:
Message-ID: <4D5BE8B3.5030508@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/14/11 21:40, HarryCiao wrote:
> Hi Chris,
>
> With help from Stephan Smalley I think we should take into consideration
> of a user's low MLS level for the constraint for the contains permission
> of the context class, so that mls_systemlow is no longer regarded
> contained in mls_systemhigh.
>
> With the attached patch the compute_av command could yield expected
> result now:
>
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= { contains }
> [root/sysadm_r/s0 at QtCao ~]#
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= null
> [root/sysadm_r/s0 at QtCao ~]#

Merged.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
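
Added example, not part of the original message and not refpolicy code: a Python model of the MLS dominance test that reproduces the two compute_av results quoted above. The patch is not shown in this message, so the example assumes the constraint has the form (h1 dom h2) and (l1 domby l2) and that the earlier form checked only the high levels; all function names are illustrative.

```python
# Added illustration: models the dominance test behind the "contains"
# permission of the context class. Function names are hypothetical.

def parse_level(text):
    """'s15:c0.c1023' -> (15, frozenset of category numbers)."""
    sens, _, cats = text.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        first, _, last = item.partition(".")  # 'c0.c1023' is an inclusive range
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        categories.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(categories)

def parse_range(text):
    """'s0-s15:c0.c1023' -> (low, high); a single level is both low and high."""
    low, sep, high = text.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if sep else low_level)

def dom(a, b):
    """a dominates b: sensitivity is >= and the category set is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def contains(source_ctx, target_ctx, check_low=True):
    """Source context supplies (l1, h1), target context supplies (l2, h2).

    check_low=False models the assumed earlier form that ignored l1.
    """
    l1, h1 = parse_range(source_ctx.split(":", 3)[3])
    l2, h2 = parse_range(target_ctx.split(":", 3)[3])
    high_ok = dom(h1, h2)   # h1 dom h2 (assumed term)
    low_ok = dom(l2, l1)    # l1 domby l2 (the term named in the subject)
    return high_ok and (low_ok or not check_low)

if __name__ == "__main__":
    target = "root:sysadm_r:sysadm_t:s0"
    for source in ("root:sysadm_r:sysadm_t:s0-s15:c0.c1023",
                   "root:sysadm_r:sysadm_t:s15:c0.c1023"):
        print(source, "->",
              "with l1 check:", contains(source, target),
              "| high only:", contains(source, target, check_low=False))
```

The second source context has s15:c0.c1023 as both its low and high level, so only the l1 domby l2 term rejects it; with the high-level test alone it would still be treated as containing s0.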