diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs index 69f172a..f85736d 100644 --- a/refpolicy/policy/mcs +++ b/refpolicy/policy/mcs @@ -136,35 +136,26 @@ level s0:c0.c255; # # Only files are constrained by MCS at this stage. # -mlsconstrain file { write setattr append unlink link rename - ioctl lock execute relabelfrom } (h1 dom h2); +mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom } + ( h1 dom h2 ); -mlsconstrain file { create relabelto } ((h1 dom h2) and (l2 eq h2)); +mlsconstrain file { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); -mlsconstrain file { read } ((h1 dom h2) or ( t2 == domain ) or ( t1 == mlsfileread )); +mlsconstrain file { read } + (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 ); + mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); -mlsconstrain process { ptrace } ( h1 dom h2 ); - -mlsconstrain process { sigkill sigstop } ( h1 dom h2 ) or - ( t1 == mcskillall ); - -define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append -link unlink rename relabelfrom relabelto }') - -define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink -rename search add_name remove_name reparent write rmdir relabelfrom -relabelto }') +mlsconstrain process { ptrace } + ( h1 dom h2 ); -# XXX -# -# For some reason, we need to reference the mlsfileread attribute -# or we get a build error. Below is a dummy entry to do this. -mlsconstrain xextension query ( t1 == mlsfileread ); +mlsconstrain process { sigkill sigstop } + (( h1 dom h2 ) or ( t1 == mcskillall )); ') dnl end enable_mcs
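Review bot: The `define(`nogetattr_file_perms', …)` and `define(`nogetattr_dir_perms', …)` macros are removed from this file, but nothing in the hunk shows whether other policy sources still expand them; if any do, the m4 pass leaves the bare macro name in the output and the policy build fails, so confirm there are no remaining references before merging. Dropping the dummy `mlsconstrain xextension query ( t1 == mlsfileread );` looks safe because `mlsfileread` is still referenced on the `mlsconstrain file { read }` line, which was the only reason the XXX comment gave for keeping it. The surviving context comment `# Only files are constrained by MCS at this stage.` no longer describes the block, which also constrains relabeling of dir/lnk_file/chr_file/blk_file/sock_file/fifo_file and process ptrace/sigkill/sigstop; I would replace it with `# MCS constraints: file and other inode classes (write/relabel), plus process ptrace and kill signals.`. The m4 quoted block closed by `') dnl end enable_mcs` begins outside the hunk.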