diff options
| author |   Chris PeBenito <chpebeni@linux.microsoft.com> | 2022-06-20 10:54:46 -0400 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2022-09-03 11:41:55 -0700 |
| commit | 1bc42bf81c5adfdbcc4c993e4d279b8e07e81094 (patch) | |
| tree | 59a8c765f62f5ba15b5adfded966cdcb48b8de59 | |
| parent | mcs: Add additional SysV IPC constraints. (diff) | |
| download | hardened-refpolicy-1bc42bf81c5adfdbcc4c993e4d279b8e07e81094.tar.gz hardened-refpolicy-1bc42bf81c5adfdbcc4c993e4d279b8e07e81094.tar.bz2 hardened-refpolicy-1bc42bf81c5adfdbcc4c993e4d279b8e07e81094.zip | |
mcs: Collapse constraints.
Collapse file constraints as they are equivalent due to the same expresssions.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
| -rw-r--r-- | policy/mcs | 36 |
1 files changed, 4 insertions, 32 deletions
diff --git a/policy/mcs b/policy/mcs index e8006b115..af880058c 100644 --- a/policy/mcs +++ b/policy/mcs @@ -66,27 +66,14 @@ gen_levels(1,mcs_num_cats) # # Note: # - getattr on dirs/files is not constrained. -# - /proc/pid operations are not constrained. -mlsconstrain file { read ioctl lock execute execute_no_trans } +mlsconstrain dir_file_class_set { open read ioctl lock write setattr append create unlink link rename relabelfrom relabelto } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain file { write setattr append unlink link rename } +mlsconstrain file { execute execute_no_trans } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain fifo_file { open } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } +mlsconstrain dir { search add_name remove_name rmdir } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject @@ -95,23 +82,8 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); -# new file labels must be dominated by the relabeling subject clearance -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); - -mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 != mcs_constrained_type )); - -mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain process { signal } +mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind |