commit: 88789af6ca837b3adf9af2dcf23857373f1c5be3
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:26:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88789af6
mcs: deprecate mcs overrides
Deprecate mcs overrides in favor of using mcs_constrained_type.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index c0d424a9..44b57e59 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { write setattr append unlink link rename add_name
remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain fifo_file { open }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
+ ( t1 != mcs_constrained_type ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } {
relabelfrom }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } {
create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 == mcsptraceall ));
+ (( h1 dom h2) or ( t1 != mcs_constrained_type ));
mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 == mcskillall ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
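Review bot: The rewritten constraint for `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` (the `+` line after the second `create relabelto` header) drops the `( l2 eq h2 )` single-level requirement that the removed line carried, whereas the `file { create relabelto }` constraint a few lines above keeps it inside the dominance branch. As far as this hunk shows, a constrained subject can now create or relabel a dir, lnk_file, chr_file, blk_file, sock_file or fifo_file with a range whose low level differs from its high level, and the comment "also the objects are single-level" above these constraints no longer describes every class it precedes. Unless that relaxation is intended, the line should mirror the file constraint: `((( h1 dom h2 ) and ( l2 eq h2 )) or` / `( t1 != mcs_constrained_type ));`. If it is intended, a one-line comment explaining why the single-level requirement now applies only to the file class would save the next reader the same question.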