From: dahchanson@gmail.com (Chad Hanson)
Date: Wed, 24 Apr 2013 14:48:12 -0400
Subject: [refpolicy] write equal --> no write down
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

What you are asking for is in this policy in a slightly different form. You should change

    ( l1 eq l2 ) or
    (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or

to

    (( h1 dom l2 ) and ( l1 domby l2 )) or

to allow a process of s0-s1 to write to files of s0 or s1, but not s2. The attribute mlsfilewritetoclr stands for the privilege to write to the process clearance.

If you want unrestricted write up, you do the following rule:

    (l1 domby l2) or

On Wed, Apr 24, 2013 at 12:33 PM, Clément Parard wrote:
> Hello.
>
> I would like to modify the policy/mls file to change the "write equal" to
> "no write down". However, despite several attempts, I don't.
> Is it possible to get help? I work under CentOS 6.4.
> I have three users with three different /home each has a different level of
> confidentiality (s0,s1,s2) and I'd get "no read up, no write down". "no read
> up" is ok by default but not "no write down".
>
> Logically, I will edit this part :
>
> # the "single level" file "write" ops
> mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } {
> write create setattr relabelfrom append unlink link rename mounton }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
> # Directory "write" ops
> mlsconstrain dir { add_name remove_name reparent rmdir }
> (( l1 eq l2 ) or
> (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
> (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> ( t1 == mlsfilewrite ) or
> ( t2 == mlstrustedobject ));
>
>
> Thank you in advance.
> Cordially.
>
> --
> Clément Parard
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
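The constraint edit discussed in this thread, as an added Python model that is not part of refpolicy or of either poster's message: it evaluates the quoted file-write constraint, Chad's replacement clause, and his "unrestricted write up" variant over constructed contexts (a process running as s0-s1, a single-level process at s1, and files at s0, s1 and s2). The dom/domby/eq semantics are assumed to be the standard MLS ones (sensitivity comparison plus category-set inclusion), file objects are assumed single-level (l2 == h2), and the attribute names are taken from the quoted policy text. The helper names (Level, Context, s, single, ranged) are this example's own.

```python
# Added example: a small Python model of the MLS constraint expressions quoted
# in this thread.  It is not part of refpolicy; dom/domby/eq follow the usual
# SELinux MLS definitions (sensitivity comparison plus category-set inclusion),
# and the attribute names come from the quoted policy text.
from dataclasses import dataclass

MLSFILEWRITETOCLR = "mlsfilewritetoclr"
MLSFILEWRITEINRANGE = "mlsfilewriteinrange"
MLSFILEWRITE = "mlsfilewrite"
MLSTRUSTEDOBJECT = "mlstrustedobject"


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity (s0, s1, ...) plus a set of categories."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other):    # self dominates other
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):  # self is dominated by other
        return other.dom(self)

    def eq(self, other):
        return self.sens == other.sens and self.cats == other.cats


@dataclass(frozen=True)
class Context:
    """The parts of a security context the constraints consult: low/current
    level (l), high level or clearance (h) and type attributes (t)."""
    low: Level
    high: Level
    attrs: frozenset = frozenset()


def s(n, *cats):
    """Shorthand: s(1) is s1, s(1, "c0") is s1:c0."""
    return Level(n, frozenset(cats))


def single(level, *attrs):
    """A single-level context (files normally are, so l2 == h2)."""
    return Context(level, level, frozenset(attrs))


def ranged(low, high, *attrs):
    """A ranged process context such as s0-s1."""
    return Context(low, high, frozenset(attrs))


def shared_clauses(p, f):
    """Clauses of the file-write constraint that the proposed edit leaves alone."""
    return ((MLSFILEWRITEINRANGE in f.attrs and p.low.dom(f.low) and p.high.domby(f.high))
            or MLSFILEWRITE in p.attrs
            or MLSTRUSTEDOBJECT in f.attrs)


def write_equal(p, f):
    """The constraint as shipped: l1 eq l2, or write-to-clearance only with the attribute."""
    return (p.low.eq(f.low)
            or (MLSFILEWRITETOCLR in p.attrs and p.high.dom(f.low) and p.low.domby(f.low))
            or shared_clauses(p, f))


def no_write_down(p, f):
    """Chad's replacement: l2 anywhere between the current level l1 and clearance h1."""
    return (p.high.dom(f.low) and p.low.domby(f.low)) or shared_clauses(p, f)


def unrestricted_write_up(p, f):
    """Chad's second variant: any l2 that dominates l1."""
    return p.low.domby(f.low) or shared_clauses(p, f)


def decisions(rule, proc, files):
    """Evaluate one rule for a process against a dict of named file contexts."""
    return {name: rule(proc, f) for name, f in files.items()}


# Constructed sample contexts: the three home directories at s0, s1 and s2.
FILES = {"s0": single(s(0)), "s1": single(s(1)), "s2": single(s(2))}
PROC_S0_S1 = ranged(s(0), s(1))   # process running at s0 with clearance s1
PROC_S1 = single(s(1))            # single-level process at s1

if __name__ == "__main__":
    for rule in (write_equal, no_write_down, unrestricted_write_up):
        print(f"{rule.__name__:22} s0-s1 process:", decisions(rule, PROC_S0_S1, FILES))
    print("no_write_down          s1 process:   ", decisions(no_write_down, PROC_S1, FILES))
```

Running it shows the behaviour Chad describes: with the shipped clause the s0-s1 process can only write s0 files, with the replacement it can write s0 and s1 but not s2, and a single-level s1 process is refused on s0 (no write down) while the "unrestricted write up" variant also admits s2. The category check matters too: a clearance of plain s1 does not dominate s1:c0, so a file carrying a category the process lacks stays unwritable under every variant.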