Attached are patches that implement range_transition statements for the policy. The range_transitions will be used for admin users invoking certain programs. Examples include starting/stopping daemons, working with log files, etc. This allows the admin to perform tasks that need to be done at a certain MLS level without the need to manually switch level before doing so. It is the MLS counterpart to type_transition and role_transition (more akin to role_transition because it only deals with process transitions).

The syntax is:

    range_transition "process domain" "executable type" "new range";

The mlsconstraints (for process transition) requires either that the current domain has the privilege to change its level (mlsprocsetsl), or that the current domain has the privilege to "use" a range_transition (privrangetrans) AND that the new domain has the mlsrangetrans attribute. The patch does not currently add the privrangetrans to any domains (a likely candidate is sysadm_t). The MLS range that is transitioned to is also subject to the usual restriction of falling within the user's allowed MLS range.

PLEASE NOTE: This patch changes the binary policy format. However, it does not change the binary policy version. The binary policy version was bumped to 19 for the previous mls changes and has not yet been included in an official release - these changes would become a part of the version 18 to 19 update. People keeping up with the latest CVS snapshot will need to recompile the kernel, libsepol, checkpolicy, and the policy.

Questions/comments?

Thanks,
-- Darrel
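The two checks described in the message above (the process-transition constraint and the user-range restriction), as an added example that is not part of the original message or of the patch. It is a simplified Python model, not kernel or checkpolicy code; the function names, the attribute sets and the sample ranges (written in standard SELinux MLS notation) are assumptions made for illustration.

```python
# Simplified model of the checks described in the message; not kernel or checkpolicy code.

def parse_level(text):
    """'s2:c0.c3,c7' -> (2, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = text.strip().partition(":")
    members = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c0.c3' is an inclusive span
        members.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return int(sens[1:]), frozenset(members)

def parse_range(text):
    """'s0-s15:c0.c255' -> (low, high); a lone level means low == high."""
    low, sep, high = text.partition("-")
    return parse_level(low), parse_level(high if sep else low)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def within(inner, outer):
    """True when the inner range lies inside the outer range."""
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])

def check_transition(src_attrs, new_attrs, new_range, user_range):
    """Decide a level-changing process transition as the message describes it."""
    # Constraint: mlsprocsetsl on the current domain, OR privrangetrans on the
    # current domain AND mlsrangetrans on the new domain.
    constraint_ok = "mlsprocsetsl" in src_attrs or (
        "privrangetrans" in src_attrs and "mlsrangetrans" in new_attrs)
    if not constraint_ok:
        return "denied: mls constraint"
    # The range transitioned to must fall within the user's allowed range.
    if not within(parse_range(new_range), parse_range(user_range)):
        return "denied: outside user range"
    return "allowed"

# Constructed sample data: an admin domain assumed to carry privrangetrans
# (the patch itself assigns it to no domain) and a hypothetical daemon domain.
ADMIN_ATTRS = {"privrangetrans"}
DAEMON_ATTRS = {"mlsrangetrans"}

if __name__ == "__main__":
    for user in ("s0-s15:c0.c255", "s0-s2:c0.c3"):
        print(user, "->", check_transition(ADMIN_ATTRS, DAEMON_ATTRS, "s15:c0.c255", user))
```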