* [refpolicy] l1 domby l2 for contains MLS constraint
@ 2011-02-15 2:40 HarryCiao
2011-02-16 15:09 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: HarryCiao @ 2011-02-15 2:40 UTC (permalink / raw)
To: refpolicy
Hi Chris,
With help from Stephen Smalley, I think we should take a user's low MLS level into consideration in the constraint for the contains permission of the context class, so that mls_systemlow is no longer regarded as contained in mls_systemhigh.
With the attached patch, the compute_av command can now yield the expected result:
[root/sysadm_r/s0 at QtCao ~]# compute_av root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
allowed= { contains }
[root/sysadm_r/s0 at QtCao ~]#
[root/sysadm_r/s0 at QtCao ~]# compute_av root:sysadm_r:sysadm_t:s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
allowed= null
[root/sysadm_r/s0 at QtCao ~]#
Best regards,
Harry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-l1-domby-l2-for-contains-MLS-constraint.patch
Type: text/x-patch
Size: 946 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110215/725be1db/attachment-0001.bin
From: Christopher J. PeBenito @ 2011-02-16 15:09 UTC (permalink / raw)
To: refpolicy
On 02/14/11 21:40, HarryCiao wrote:
> Hi Chris,
>
> With help from Stephen Smalley, I think we should take a user's low MLS
> level into consideration in the constraint for the contains permission
> of the context class, so that mls_systemlow is no longer regarded as
> contained in mls_systemhigh.
>
> With the attached patch, the compute_av command can now yield the
> expected result:
>
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= { contains }
> [root/sysadm_r/s0 at QtCao ~]#
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> root:sysadm_r:sysadm_t:s15:c0.c1023 root:sysadm_r:sysadm_t:s0 context
> allowed= null
> [root/sysadm_r/s0 at QtCao ~]#
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
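
An added illustration, not part of the thread or of the attached patch: a small Python model of MLS dominance that replays the two compute_av queries quoted above. The two constraint forms (h1 dom h2 alone before the patch, with l1 domby l2 added after it) are assumptions inferred from the subject line and Harry's description, and all function names are hypothetical.

```python
# Model of the "contains" check on the context class (added example).
# A level is (sensitivity, frozenset of categories).

def parse_cats(text):
    """Expand 'c0.c1023' or 'c1,c5.c7' into a set of category numbers."""
    cats = set()
    for part in filter(None, text.split(",")):
        lo, _, hi = part.partition(".")
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return cats

def parse_level(text):
    """'s15:c0.c1023' -> (15, {0..1023}); 's0' -> (0, empty set)."""
    sens, _, cats = text.partition(":")
    return int(sens[1:]), frozenset(parse_cats(cats))

def parse_range(context):
    """Return (low, high) from 'user:role:type:low[-high]'."""
    mls = context.split(":", 3)[3]
    low, _, high = mls.partition("-")
    return parse_level(low), parse_level(high or low)

def dom(a, b):
    """a dominates b: sensitivity is >= and categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def contains_high_only(src, tgt):
    """Assumed pre-patch form: h1 dom h2."""
    (_, h1), (_, h2) = parse_range(src), parse_range(tgt)
    return dom(h1, h2)

def contains_with_low(src, tgt):
    """Assumed patched form: (h1 dom h2) and (l1 domby l2)."""
    (l1, h1), (l2, h2) = parse_range(src), parse_range(tgt)
    return dom(h1, h2) and dom(l2, l1)  # l1 domby l2 == l2 dom l1

# The two source contexts and the target context from the quoted session.
RANGED = "root:sysadm_r:sysadm_t:s0-s15:c0.c1023"
HIGH_ONLY = "root:sysadm_r:sysadm_t:s15:c0.c1023"
TARGET = "root:sysadm_r:sysadm_t:s0"

if __name__ == "__main__":
    for src in (RANGED, HIGH_ONLY):
        print(src, "->", TARGET,
              "| high only:", contains_high_only(src, TARGET),
              "| with low:", contains_with_low(src, TARGET))
```

Under the assumed pre-patch form, both queries are granted because only the high levels are compared; with the low-level clause, the single-level s15 context no longer contains s0, which matches the `allowed= null` line in the session.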