From: dahchanson@gmail.com (Chad Hanson)
Date: Wed, 24 Apr 2013 14:39:01 -0400
Subject: [refpolicy] write equal --> no write down
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

What you are asking for is actually already in this policy. You should change

On Wed, Apr 24, 2013 at 12:33 PM, Clément Parard wrote:

> Hello.
>
> I would like to modify the policy/mls file to change the "write equal" to
> "no write down". However, despite several attempts, I don't.
> Is it possible to get help? I work under CentOS 6.4.
> I have three users with three different /home each has a different level
> of confidentiality (s0,s1,s2) and I'd get "no read up, no write down". "no
> read up" is ok by default but not "no write down".
>
> Logically, I will edit this part:
>
> # the "single level" file "write" ops
> mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
>         (( l1 eq l2 ) or
>          (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
>          (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
>          ( t1 == mlsfilewrite ) or
>          ( t2 == mlstrustedobject ));
>
> # Directory "write" ops
> mlsconstrain dir { add_name remove_name reparent rmdir }
>         (( l1 eq l2 ) or
>          (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
>          (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
>          ( t1 == mlsfilewrite ) or
>          ( t2 == mlstrustedobject ));
>
>
> Thank you in advance.
> Cordially.
>
> --
> Clément Parard
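
Added example (not part of the original post or of refpolicy): a Python model of the quoted "single level" file write constraint, evaluated for constructed subject and object levels. It shows the l1 eq l2 branch giving write-equal and the mlsfilewritetoclr branch permitting writes up to the subject's clearance but never down. Level, dom, domby, file_write_allowed and demo are names chosen for this illustration.

```python
# Added illustration: a small model of the quoted "single level" file write
# mlsconstrain expression. Not refpolicy code; the levels are constructed.
from typing import FrozenSet, NamedTuple

class Level(NamedTuple):
    sens: int                          # sensitivity index: s0 -> 0, s1 -> 1, ...
    cats: FrozenSet[str] = frozenset() # category set (empty in this demo)

def dom(a: Level, b: Level) -> bool:
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a.sens >= b.sens and a.cats >= b.cats

def domby(a: Level, b: Level) -> bool:
    """a is dominated by b."""
    return dom(b, a)

def file_write_allowed(l1, h1, l2, h2, t1_attrs=frozenset(), t2_attrs=frozenset()):
    """Evaluate the quoted constraint. l1/h1: subject low level / clearance;
    l2/h2: object low/high level; t*_attrs: attributes of source/target type."""
    return (
        l1 == l2
        or ("mlsfilewritetoclr" in t1_attrs and dom(h1, l2) and domby(l1, l2))
        or ("mlsfilewriteinrange" in t2_attrs and dom(l1, l2) and domby(h1, h2))
        or "mlsfilewrite" in t1_attrs
        or "mlstrustedobject" in t2_attrs
    )

S0, S1, S2 = Level(0), Level(1), Level(2)
TOCLR = frozenset({"mlsfilewritetoclr"})

def demo():
    """Constructed cases mapped to the constraint's decision."""
    return {
        # Domain without MLS attributes at s1: only equal-level writes pass.
        "plain s1 -> s1 file": file_write_allowed(S1, S1, S1, S1),
        "plain s1 -> s2 file": file_write_allowed(S1, S1, S2, S2),
        "plain s1 -> s0 file": file_write_allowed(S1, S1, S0, S0),
        # Domain with mlsfilewritetoclr, range s1-s2: up to clearance, never down.
        "toclr s1-s2 -> s2 file": file_write_allowed(S1, S2, S2, S2, TOCLR),
        "toclr s1-s2 -> s0 file": file_write_allowed(S1, S2, S0, S0, TOCLR),
        # Clearance caps the write-up: an s1-s1 subject still cannot reach s2.
        "toclr s1-s1 -> s2 file": file_write_allowed(S1, S1, S2, S2, TOCLR),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```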