From d31d3c159e33505345ba4c52b6c182e35133c477 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Nov 16 2006 13:38:14 +0000 Subject: This modifies the mls constraint for polmatch in the association class. Specifically: - polmatch need no longer make an exception for unlabeled_t since a flow will now always match SPD rules with no contexts (per the IPSec leak fix patch upstreamed a few weeks back), as opposed to needing polmatch access to unlabeled_t. Signed-off-by: Venkat Yekkirala --- diff --git a/Changelog b/Changelog index 1bdd76e..5aea1d9 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Association polmatch MLS constraint making unlabeled_t an exception + is no longer needed, patch from Venkat Yekkirala. - Context contains checking for PAM and cron from James Antill. - Add a reload target to Modules.devel and change the load target to only insert modules that were changed. diff --git a/policy/mls b/policy/mls index bdca162..859ebaa 100644 --- a/policy/mls +++ b/policy/mls @@ -585,8 +585,7 @@ mlsconstrain association { sendto } ( t2 == unlabeled_t )); mlsconstrain association { polmatch } - ((( l1 dom l2 ) and ( h1 domby h2 )) or - ( t2 == unlabeled_t )); + (( l1 dom l2 ) and ( h1 domby h2 ));
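
Review bot: In the policy/mls hunk, the polmatch constraint drops `( t2 == unlabeled_t )` while the sendto constraint in the context lines just above it still ends with `( t2 == unlabeled_t ));`, so the two association permissions now treat unlabeled_t differently and nothing in the file says why. The commit message ties the removal to a kernel change (a flow always matching SPD rules that carry no context); please add a comment above the polmatch constraint recording that dependency, and confirm that keeping the exception on sendto is intentional. The message or the Changelog entry should also say what to expect when this policy is loaded on a kernel without that fix, since the message describes such kernels as needing polmatch access to unlabeled_t, and that check would now have to satisfy `( l1 dom l2 ) and ( h1 domby h2 )` rather than being exempt.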