diff for duplicates of <20090212211531.619341973@hp.com>
diff --git a/a/1.txt b/N1/1.txt
index 504bc85..f124512 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -1,86 +1,3 @@
-Add MLS constraints for several network related access controls including
-the new ingress/egress controls and the older Secmark controls. Based on
-the following post to the SELinux Reference Policy mailing list:
-
- * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
-
-Signed-off-by: Paul Moore <paul.moore@hp.com>
-
----
- policy/mls | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 51 insertions(+)
-
-Index: refpolicy_svn_repo/policy/mls
-===================================================================
---- refpolicy_svn_repo.orig/policy/mls
-+++ refpolicy_svn_repo/policy/mls
-@@ -295,8 +295,59 @@ mlsconstrain { netif node } { tcp_send u
- # these access vectors have no MLS restrictions
- # node enforce_dest
-
-+#
-+# MLS policy for the network ingress/egress controls
-+#
-
-+# the netif ingress/egress ops, the ingress permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network interface which is acting as the object
-+mlsconstrain { netif } { ingress }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
-+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsnetwrite ) or
-+ ( t1 == unlabeled_t ));
-+mlsconstrain { netif } { egress }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
-+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsnetwrite ));
-
-+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
-+# because the subject in this particular case is the remote domain which is
-+# writing data out the network node which is acting as the object
-+mlsconstrain { node } { recvfrom }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
-+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsnetwrite ) or
-+ ( t1 == unlabeled_t ));
-+mlsconstrain { node } { sendto }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
-+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsnetwrite ));
-+
-+# the forward ops, the forward_in permission is a "write" operation because the
-+# subject in this particular case is the remote domain which is writing data
-+# to the network with a secmark label, the object in this case
-+mlsconstrain { packet } { forward_in forward_out }
-+ (( l1 eq l2 ) or
-+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
-+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-+ ( t1 == mlsnetwrite ) or
-+ ( t1 == unlabeled_t ));
-+
-+#
-+# MLS policy for the secmark and peer controls
-+#
-+
-+# the peer/packet recv op
-+mlsconstrain { peer packet } { recv }
-+ (( l1 dom l2 ) or
-+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-+ ( t1 == mlsnetread ));
-
- #
- # MLS policy for the process class
-
----
-paul moore
-linux @ hp
-
-
---
-This message was distributed to subscribers of the selinux mailing list.
-If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
-the words "unsubscribe selinux" without quotes as the message.
+An embedded and charset-unspecified text was scrubbed...
+Name: netpeer-constraints
+Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090212/5b32db6c/attachment.pl
diff --git a/a/content_digest b/N1/content_digest
index fa5700d..de6e00d 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,95 +1,11 @@
- "From\0Paul Moore <paul.moore@hp.com>\0"
- "Subject\0[PATCH] refpolicy: Add missing network related MLS constraints\0"
+ "From\0paul.moore@hp.com (Paul Moore)\0"
+ "Subject\0[refpolicy] [PATCH] refpolicy: Add missing network related MLS constraints\0"
 "Date\0Thu, 12 Feb 2009 16:15:26 -0500\0"
 "To\0refpolicy@oss.tresys.com\0"
- "Cc\0selinux@tycho.nsa.gov\0"
 "\00:1\0"
 "b\0"
- "Add MLS constraints for several network related access controls including\n"
- "the new ingress/egress controls and the older Secmark controls. Based on\n"
- "the following post to the SELinux Reference Policy mailing list:\n"
- "\n"
- " * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html\n"
- "\n"
- "Signed-off-by: Paul Moore <paul.moore@hp.com>\n"
- "\n"
- "---\n"
- " policy/mls | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++\n"
- " 1 file changed, 51 insertions(+)\n"
- "\n"
- "Index: refpolicy_svn_repo/policy/mls\n"
- "===================================================================\n"
- "--- refpolicy_svn_repo.orig/policy/mls\n"
- "+++ refpolicy_svn_repo/policy/mls\n"
- "@@ -295,8 +295,59 @@ mlsconstrain { netif node } { tcp_send u\n"
- " # these access vectors have no MLS restrictions\n"
- " # node enforce_dest\n"
- " \n"
- "+#\n"
- "+# MLS policy for the network ingress/egress controls\n"
- "+#\n"
- " \n"
- "+# the netif ingress/egress ops, the ingress permission is a \"write\" operation\n"
- "+# because the subject in this particular case is the remote domain which is\n"
- "+# writing data out the network interface which is acting as the object\n"
- "+mlsconstrain { netif } { ingress }\n"
- "+\t(( l1 eq l2 ) or\n"
- "+\t (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or\n"
- "+\t (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n"
- "+\t ( t1 == mlsnetwrite ) or\n"
- "+\t ( t1 == unlabeled_t ));\n"
- "+mlsconstrain { netif } { egress }\n"
- "+\t(( l1 eq l2 ) or\n"
- "+\t (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or\n"
- "+\t (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n"
- "+\t ( t1 == mlsnetwrite ));\n"
- " \n"
- "+# the node recvfrom/sendto ops, the recvfrom permission is a \"write\" operation\n"
- "+# because the subject in this particular case is the remote domain which is\n"
- "+# writing data out the network node which is acting as the object\n"
- "+mlsconstrain { node } { recvfrom }\n"
- "+\t(( l1 eq l2 ) or\n"
- "+\t (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or\n"
- "+\t (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n"
- "+\t ( t1 == mlsnetwrite ) or\n"
- "+\t ( t1 == unlabeled_t ));\n"
- "+mlsconstrain { node } { sendto }\n"
- "+\t(( l1 eq l2 ) or\n"
- "+\t (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or\n"
- "+\t (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n"
- "+\t ( t1 == mlsnetwrite ));\n"
- "+\n"
- "+# the forward ops, the forward_in permission is a \"write\" operation because the\n"
- "+# subject in this particular case is the remote domain which is writing data\n"
- "+# to the network with a secmark label, the object in this case\n"
- "+mlsconstrain { packet } { forward_in forward_out }\n"
- "+\t(( l1 eq l2 ) or\n"
- "+\t (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or\n"
- "+\t (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n"
- "+\t ( t1 == mlsnetwrite ) or\n"
- "+\t ( t1 == unlabeled_t ));\n"
- "+\n"
- "+#\n"
- "+# MLS policy for the secmark and peer controls\n"
- "+#\n"
- "+\n"
- "+# the peer/packet recv op\n"
- "+mlsconstrain { peer packet } { recv }\n"
- "+\t(( l1 dom l2 ) or\n"
- "+\t (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or\n"
- "+\t ( t1 == mlsnetread ));\n"
- " \n"
- " #\n"
- " # MLS policy for the process class\n"
- "\n"
- "-- \n"
- "paul moore\n"
- "linux @ hp\n"
- "\n"
- "\n"
- "--\n"
- "This message was distributed to subscribers of the selinux mailing list.\n"
- "If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with\n"
- "the words \"unsubscribe selinux\" without quotes as the message."
+ "An embedded and charset-unspecified text was scrubbed...\n"
+ "Name: netpeer-constraints\n"
+ Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20090212/5b32db6c/attachment.pl
-2d4387866e38a1b3284f8f81ff5a0a8f673daa36129de6c7b271fd891228661b
+a1d9a0f5ad7a95b22af21cf04d1a6f324771be61de91b0869f3e980161e7c20d