
Contents of /selinux/base-policy/mls



Revision 1.5 - (show annotations) (download)
Sat Jun 4 16:51:32 2005 UTC (9 years, 4 months ago) by pebenito
Branch: MAIN
CVS Tags: HEAD
Changes since 1.4: +22 -18 lines
update mls

1 #
2 # Define sensitivities
3 #
4 # Each sensitivity has a name and zero or more aliases.
5 # The ten sensitivities declared here (s0 through s9) carry no aliases; their ranking comes only from the dominance statement below.
6 sensitivity s0;
7 sensitivity s1;
8 sensitivity s2;
9 sensitivity s3;
10 sensitivity s4;
11 sensitivity s5;
12 sensitivity s6;
13 sensitivity s7;
14 sensitivity s8;
15 sensitivity s9;
16
17
18 #
19 # Define the ordering of the sensitivity levels (least to greatest)
20 # s0 is the lowest sensitivity and s9 the highest; every dom/domby/eq test in the constraints depends on this order.
21 dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
22
23 #
24 # Define the categories
25 #
26 # Each category has a name and zero or more aliases.
27 # c0 through c127 are declared without aliases. Categories are unordered: for one level to dominate another its category set must include the other's.
28 category c0;
29 category c1;
30 category c2;
31 category c3;
32 category c4;
33 category c5;
34 category c6;
35 category c7;
36 category c8;
37 category c9;
38 category c10;
39 category c11;
40 category c12;
41 category c13;
42 category c14;
43 category c15;
44 category c16;
45 category c17;
46 category c18;
47 category c19;
48 category c20;
49 category c21;
50 category c22;
51 category c23;
52 category c24;
53 category c25;
54 category c26;
55 category c27;
56 category c28;
57 category c29;
58 category c30;
59 category c31;
60 category c32;
61 category c33;
62 category c34;
63 category c35;
64 category c36;
65 category c37;
66 category c38;
67 category c39;
68 category c40;
69 category c41;
70 category c42;
71 category c43;
72 category c44;
73 category c45;
74 category c46;
75 category c47;
76 category c48;
77 category c49;
78 category c50;
79 category c51;
80 category c52;
81 category c53;
82 category c54;
83 category c55;
84 category c56;
85 category c57;
86 category c58;
87 category c59;
88 category c60;
89 category c61;
90 category c62;
91 category c63;
92 category c64;
93 category c65;
94 category c66;
95 category c67;
96 category c68;
97 category c69;
98 category c70;
99 category c71;
100 category c72;
101 category c73;
102 category c74;
103 category c75;
104 category c76;
105 category c77;
106 category c78;
107 category c79;
108 category c80;
109 category c81;
110 category c82;
111 category c83;
112 category c84;
113 category c85;
114 category c86;
115 category c87;
116 category c88;
117 category c89;
118 category c90;
119 category c91;
120 category c92;
121 category c93;
122 category c94;
123 category c95;
124 category c96;
125 category c97;
126 category c98;
127 category c99;
128 category c100;
129 category c101;
130 category c102;
131 category c103;
132 category c104;
133 category c105;
134 category c106;
135 category c107;
136 category c108;
137 category c109;
138 category c110;
139 category c111;
140 category c112;
141 category c113;
142 category c114;
143 category c115;
144 category c116;
145 category c117;
146 category c118;
147 category c119;
148 category c120;
149 category c121;
150 category c122;
151 category c123;
152 category c124;
153 category c125;
154 category c126;
155 category c127;
156
157
158 #
159 # Each MLS level specifies a sensitivity and zero or more categories which may
160 # be associated with that sensitivity.
161 # c0.c127 is a category range, so every sensitivity below may be combined with any of the 128 categories; no category is reserved for particular sensitivities.
162 level s0:c0.c127;
163 level s1:c0.c127;
164 level s2:c0.c127;
165 level s3:c0.c127;
166 level s4:c0.c127;
167 level s5:c0.c127;
168 level s6:c0.c127;
169 level s7:c0.c127;
170 level s8:c0.c127;
171 level s9:c0.c127;
172
173
174 #
175 # Define the MLS policy
176 #
177 # mlsconstrain class_set perm_set expression ;
178 #
179 # mlsvalidatetrans class_set expression ;
180 #
181 # expression : ( expression )
182 # | not expression
183 # | expression and expression
184 # | expression or expression
185 # | u1 op u2
186 # | r1 role_mls_op r2
187 # | t1 op t2
188 # | l1 role_mls_op l2
189 # | l1 role_mls_op h2
190 # | h1 role_mls_op l2
191 # | h1 role_mls_op h2
192 # | l1 role_mls_op h1
193 # | l2 role_mls_op h2
194 # | u1 op names
195 # | u2 op names
196 # | r1 op names
197 # | r2 op names
198 # | t1 op names
199 # | t2 op names
200 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
201 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
202 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
203 #
204 # op : == | !=
205 # role_mls_op : == | != | eq | dom | domby | incomp
206 #
207 # names : name | { name_list }
208 # name_list : name | name_list name
209 #
210
211 #
212 # MLS policy for the file classes
213 # The mls* names compared with t1/t2/t3 below are not declared in this file; presumably they are attributes assigned to privileged types elsewhere in the policy - verify.
214 # Notation: in mlsconstrain, l1/h1 are the low/high level and t1 the type of the source (subject); l2/h2/t2 are those of the target (object).
215 # make sure these file classes are "single level": the target label's low and high level must be equal
216 mlsconstrain { file lnk_file fifo_file } { create relabelto }
217 ( l2 eq h2 );
218
219 # new file labels must be dominated by the relabeling subject's clearance (h1, the subject's high level)
220 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
221 ( h1 dom h2 );
222
223 # the file "read" ops (note the check is dominance of the low level): the subject's low level must dominate the object's low level, i.e. no read-up
224 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
225 (( l1 dom l2 ) or
226 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or # may read up, but only as far as the subject's clearance
227 ( t1 == mlsfileread ) or # unconditional exemption for the subject
228 ( t2 == mlstrustedobject )); # unconditional exemption for the object
229 # dir search is checked exactly like the read ops above
230 mlsconstrain dir search
231 (( l1 dom l2 ) or
232 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
233 ( t1 == mlsfileread ) or
234 ( t2 == mlstrustedobject ));
235
236 # the "single level" file "write" ops: the subject's low level must equal the object's low level (no write-up, no write-down)
237 mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
238 (( l1 eq l2 ) or
239 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or # write-up only, bounded by the subject's clearance
240 ( t1 == mlsfilewrite ) or
241 ( t2 == mlstrustedobject ));
242 # NOTE(review): mlstrustedobject exempts an object from the read and the write checks for every subject; which types carry it is not visible here and deserves an audit.
243 # the "ranged" file "write" ops: the subject's low level must lie within the object's range (dominate l2 and be dominated by h2)
244 mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
245 ((( l1 dom l2 ) and ( l1 domby h2 )) or
246 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
247 ( t1 == mlsfilewrite ) or
248 ( t2 == mlstrustedobject ));
249 # directory entry changes are checked exactly like the ranged write ops above
250 mlsconstrain dir { add_name remove_name reparent rmdir }
251 ((( l1 dom l2 ) and ( l1 domby h2 )) or
252 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
253 ( t1 == mlsfilewrite ) or
254 ( t2 == mlstrustedobject ));
255
256 # these access vectors have no MLS restrictions
257 # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
258 #
259 # file { execute_no_trans entrypoint }
260 # In mlsvalidatetrans l1/h1 belong to the old label, l2/h2 to the new label, and t3 is the type of the process doing the relabel.
261 # the file upgrade/downgrade rule: without mlsfileupgrade or mlsfiledowngrade a relabel must leave both the low and the high level unchanged
262 mlsvalidatetrans { file lnk_file chr_file blk_file sock_file fifo_file } # NOTE(review): dir is absent here although the relabelto and create constraints include it - confirm that is intended
263 ((( l1 eq l2 ) or
264 (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
265 (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
266 (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
267 (( h1 eq h2 ) or
268 (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
269 (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
270 (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
271 # In the create rule below the second clause compares the subject's low level l1 (not h1) with h2, matching the default described in the next comment.
272 # create can also require the upgrade/downgrade checks if the creating process
273 # has used setfscreate (note that both the high and low level of the object
274 # default to the process' sensitivity level)
275 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
276 ((( l1 eq l2 ) or
277 (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
278 (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
279 (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
280 (( l1 eq h2 ) or
281 (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
282 (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
283 (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
284
285
286
287
288 #
289 # MLS policy for the filesystem class
290 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2/h2 are the levels of the filesystem label.
291 # Unlike the file classes, none of the filesystem rules has an mlstrustedobject exemption.
292 # new filesystem labels must be dominated by the relabeling subject's clearance
293 mlsconstrain filesystem relabelto
294 ( h1 dom h2 );
295
296 # the filesystem "read" ops (implicit single level: only l2 is compared, h2 is never consulted)
297 mlsconstrain filesystem { getattr quotaget }
298 (( l1 dom l2 ) or
299 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
300 ( t1 == mlsfileread ));
301
302 # all the filesystem "write" ops (implicit single level): the subject's low level must equal the filesystem's low level unless a write exemption applies
303 mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
304 (( l1 eq l2 ) or
305 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
306 ( t1 == mlsfilewrite ));
307
308 # these access vectors have no MLS restrictions
309 # filesystem { transition associate }
310
311
312
313
314 #
315 # MLS policy for the socket classes
316 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2/h2 are the low/high level of the socket label.
317
318 # new socket labels must be dominated by the relabeling subject's clearance
319 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
320 ( h1 dom h2 );
321
322 # the socket "read" ops (note the check is dominance of the low level): no read-up unless the subject has mlsnetreadtoclr or mlsnetread
323 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
324 (( l1 dom l2 ) or
325 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
326 ( t1 == mlsnetread ));
327 # acceptfrom on stream sockets is checked exactly like the read ops above
328 mlsconstrain { tcp_socket unix_stream_socket } acceptfrom
329 (( l1 dom l2 ) or
330 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
331 ( t1 == mlsnetread ));
332 # nlmsg_read on these netlink classes is checked exactly like the read ops above
333 mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
334 (( l1 dom l2 ) or
335 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
336 ( t1 == mlsnetread ));
337
338 # the socket "write" ops (ranged: the subject's low level must dominate l2 and be dominated by h2)
339 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { setattr relabelfrom connect setopt shutdown }
340 ((( l1 dom l2 ) and ( l1 domby h2 )) or
341 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
342 ( t1 == mlsnetwrite ));
343 # connectto and newconn on stream sockets are checked exactly like the write ops above
344 mlsconstrain { tcp_socket unix_stream_socket } { connectto newconn }
345 ((( l1 dom l2 ) and ( l1 domby h2 )) or
346 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
347 ( t1 == mlsnetwrite ));
348
349 # these access vectors have no MLS restrictions
350 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl write create lock append bind sendto send_msg name_bind }
351 #
352 # { tcp_socket udp_socket rawip_socket } node_bind
353 #
354 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
355 # NOTE(review): write, sendto, send_msg and nlmsg_write are in the unconstrained lists above, so sending data on a socket is not MLS-checked in this file; confirm that the connect-time checks are meant to be the only flow control.
356
357
358
359
360 #
361 # MLS policy for the ipc classes
362 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the IPC object.
363
364 # the ipc "read" ops (implicit single level: only l2 is compared); no read-up unless the subject has mlsipcreadtoclr or mlsipcread
365 mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
366 (( l1 dom l2 ) or
367 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
368 ( t1 == mlsipcread ));
369 # receiving a message is checked exactly like the read ops above
370 mlsconstrain msg receive
371 (( l1 dom l2 ) or
372 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
373 ( t1 == mlsipcread ));
374
375 # the ipc "write" ops (implicit single level): the subject's low level must equal the object's unless a write exemption applies
376 mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
377 (( l1 eq l2 ) or
378 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
379 ( t1 == mlsipcwrite ));
380 # msgq enqueue is checked exactly like the write ops above
381 mlsconstrain msgq enqueue
382 (( l1 eq l2 ) or
383 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
384 ( t1 == mlsipcwrite ));
385 # shm lock is checked exactly like the write ops above
386 mlsconstrain shm lock
387 (( l1 eq l2 ) or
388 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
389 ( t1 == mlsipcwrite ));
390 # msg send is checked exactly like the write ops above
391 mlsconstrain msg send
392 (( l1 eq l2 ) or
393 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
394 ( t1 == mlsipcwrite ));
395
396 # these access vectors have no MLS restrictions
397 # { ipc sem msgq shm } associate
398
399
400
401
402 #
403 # MLS policy for the fd class
404 #
405
406 # these access vectors have no MLS restrictions
407 # fd use
408
409
410
411
412 #
413 # MLS policy for the node class
414 #
415
416 # these access vectors have no MLS restrictions
417 # node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
418
419
420
421
422 #
423 # MLS policy for the netif class
424 #
425
426 # these access vectors have no MLS restrictions
427 # netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest }
428
429
430
431
432 #
433 # MLS policy for the process class
434 #
435 # Notation: l1/h1/t1 are the low level, high level and type of the acting process; l2/h2/t2 are those of the new or target process context.
436 # new process labels must be dominated by the relabeling subject's clearance
437 # and sensitivity level changes require privilege: ( h1 dom h2 ) is required on every path, so the exemptions only permit a change of the low level
438 mlsconstrain process transition
439 (( h1 dom h2 ) and
440 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
441 (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
442 mlsconstrain process dyntransition # same rule as transition, minus the privrangetrans/mlsrangetrans pair
443 (( h1 dom h2 ) and
444 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
445
446 # all the process "read" ops: no read-up unless the subject has mlsprocreadtoclr or mlsprocread
447 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
448 (( l1 dom l2 ) or
449 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
450 ( t1 == mlsprocread ));
451 # ptrace and share are listed in both the read set above and the write set below, so they must satisfy both constraints
452 # all the process "write" ops (note the check is equality on the low level)
453 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
454 (( l1 eq l2 ) or
455 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
456 ( t1 == mlsprocwrite ));
457
458 # these access vectors have no MLS restrictions
459 # process { fork sigchld signull noatsecure siginh setrlimit rlimitinh}
460
461
462
463
464 #
465 # MLS policy for the security class
466 #
467
468 # these access vectors have no MLS restrictions
469 # security *
470
471
472
473
474 #
475 # MLS policy for the system class
476 #
477
478 # these access vectors have no MLS restrictions
479 # system *
480
481
482
483
484 #
485 # MLS policy for the capability class
486 #
487
488 # these access vectors have no MLS restrictions
489 # capability *
490
491
492
493
494 #
495 # MLS policy for the passwd class
496 #
497
498 # these access vectors have no MLS restrictions
499 # passwd *
500
501
502
503
504 #
505 # MLS policy for the drawable class
506 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the drawable.
507 # copy is listed in both sets below, so it must pass the read and the write check
508 # the drawable "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
509 mlsconstrain drawable { getattr copy }
510 (( l1 dom l2 ) or
511 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
512 ( t1 == mlsxwinread ));
513
514 # the drawable "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
515 mlsconstrain drawable { create destroy draw copy }
516 (( l1 eq l2 ) or
517 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
518 ( t1 == mlsxwinwrite ));
519
520
521
522
523 #
524 # MLS policy for the gc class
525 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the gc object.
526
527 # the gc "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
528 mlsconstrain gc getattr
529 (( l1 dom l2 ) or
530 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
531 ( t1 == mlsxwinread ));
532
533 # the gc "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
534 mlsconstrain gc { create free setattr }
535 (( l1 eq l2 ) or
536 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
537 ( t1 == mlsxwinwrite ));
538
539
540
541
542 #
543 # MLS policy for the window class
544 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the window.
545 # Event delivery permissions (mousemotion, inputevent, drawevent, ...) are placed in the read set; setfocus and chselection are in the write set.
546 # the window "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
547 mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
548 (( l1 dom l2 ) or
549 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
550 ( t1 == mlsxwinread ));
551
552 # the window "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
553 mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
554 (( l1 eq l2 ) or
555 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
556 ( t1 == mlsxwinwrite ));
557
558 # these access vectors have no MLS restrictions
559 # window { map unmap }
560
561
562
563
564 #
565 # MLS policy for the font class
566 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the font.
567
568 # the font "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
569 mlsconstrain font { load getattr }
570 (( l1 dom l2 ) or
571 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
572 ( t1 == mlsxwinread ));
573
574 # the font "write" ops (implicit single level): free is the only font permission treated as a write
575 mlsconstrain font free
576 (( l1 eq l2 ) or
577 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
578 ( t1 == mlsxwinwrite ));
579
580 # these access vectors have no MLS restrictions
581 # font use
582
583
584
585
586 #
587 # MLS policy for the colormap class
588 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the colormap.
589
590 # the colormap "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
591 mlsconstrain colormap { list read getattr }
592 (( l1 dom l2 ) or
593 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
594 ( t1 == mlsxwinread ));
595
596 # the colormap "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
597 mlsconstrain colormap { create free install uninstall store setattr }
598 (( l1 eq l2 ) or
599 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
600 ( t1 == mlsxwinwrite ));
601
602
603
604
605 #
606 # MLS policy for the property class
607 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the property.
608
609 # the property "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
610 mlsconstrain property { read }
611 (( l1 dom l2 ) or
612 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
613 ( t1 == mlsxwinread ));
614
615 # the property "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
616 mlsconstrain property { create free write }
617 (( l1 eq l2 ) or
618 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
619 ( t1 == mlsxwinwrite ));
620
621
622
623
624 #
625 # MLS policy for the cursor class
626 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the cursor.
627 # Only a write rule is defined for this class; this section contains no cursor "read" constraint.
628 # the cursor "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
629 mlsconstrain cursor { create createglyph free assign setattr }
630 (( l1 eq l2 ) or
631 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
632 ( t1 == mlsxwinwrite ));
633
634
635
636
637 #
638 # MLS policy for the xclient class
639 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the X client.
640 # kill is the only xclient permission constrained in this section.
641 # the xclient "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
642 mlsconstrain xclient kill
643 (( l1 eq l2 ) or
644 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
645 ( t1 == mlsxwinwrite ));
646
647
648
649
650 #
651 # MLS policy for the xinput class
652 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the input object.
653 # Input grabs (activegrab, passivegrab) and warppointer are in the write set, so they require equal low levels unless a write exemption applies.
654 # the xinput "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
655 mlsconstrain xinput { lookup getattr mousemotion }
656 (( l1 dom l2 ) or
657 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
658 ( t1 == mlsxwinread ));
659
660 # the xinput "write" ops (implicit single level)
661 mlsconstrain xinput { setattr setfocus warppointer activegrab passivegrab ungrab bell relabelinput }
662 (( l1 eq l2 ) or
663 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
664 ( t1 == mlsxwinwrite ));
665
666
667
668
669 #
670 # MLS policy for the xserver class
671 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the X server object.
672 # screensaver is listed in both sets below, so it must pass the read and the write check
673 # the xserver "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
674 mlsconstrain xserver { gethostlist getfontpath getattr screensaver }
675 (( l1 dom l2 ) or
676 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
677 ( t1 == mlsxwinread ));
678
679 # the xserver "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
680 mlsconstrain xserver { sethostlist setfontpath grab ungrab screensaver }
681 (( l1 eq l2 ) or
682 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
683 ( t1 == mlsxwinwrite ));
684
685
686
687
688 #
689 # MLS policy for the xextension class
690 # Notation: l1/h1/t1 are the low level, high level and type of the subject; l2 is the low level of the extension object.
691 # query is treated as the read permission and use as the write permission.
692 # the xextension "read" ops (implicit single level): no read-up unless the subject has mlsxwinreadtoclr or mlsxwinread
693 mlsconstrain xextension query
694 (( l1 dom l2 ) or
695 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
696 ( t1 == mlsxwinread ));
697
698 # the xextension "write" ops (implicit single level): low levels must be equal unless the subject has mlsxwinwritetoclr or mlsxwinwrite
699 mlsconstrain xextension use
700 (( l1 eq l2 ) or
701 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
702 ( t1 == mlsxwinwrite ));
703
704
705 #
706 # MLS policy for the pax class
707 #
708
709 # these access vectors have no MLS restrictions
710 # pax { pageexec emutramp mprotect randmmap randexec segmexec }
711
712
713
714
715 #
716 # MLS policy for the dbus class
717 #
718
719 # these access vectors have no MLS restrictions
720 # dbus { acquire_svc send_msg }
721
722
723
724
725 #
726 # MLS policy for the nscd class
727 #
728
729 # these access vectors have no MLS restrictions
730 # nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
731
732
733
734
735 #
736 # MLS policy for the association class
737 #
738
739 # these access vectors have no MLS restrictions
740 # association { sendto recvfrom }
