From: pcclark@nps.edu (Paul Clark)
Date: Wed, 1 Feb 2012 17:09:45 -0800
Subject: [refpolicy] MLS file upgrade
Message-ID: <4F29E259.60205@nps.edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I want to change the MLS policy to allow any process to upgrade a file 
or directory, but I'm currently failing on an "easy" first step with a 
"relabelfrom" error.

I'm using Fedora 13 and selinux-policy-3.7.19-101.fc13.src.rpm.

I did *not* change the mlscontrain rule that deals with relabelfrom 
because I think it should still work.

My test file has the same type that chcon runs with (user_t), and I'm 
simply trying to change the level from s0 to s1 by doing the following:
     chcon -l s1 testfile

I changed the mlsvalidatetrans statement for "dir" and "file" so that 
the first line was changed from
     ((( l1 eq l2 ) or
to
     ((( l1 domby l2 ) or

Any obvious problems or suggestions?

Another approach would be to also give all domains the "mlsfileupgrade" 
attribute.  Because my test process was running with user_t, I added:
     mls_file_upgrade(user_t)
to modules/admin/usermanage.te, but there was no change in the error.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20120201/2a421306/attachment.html