aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2012-03-20 14:35:12 -0400
committerEric Paris <eparis@redhat.com>2012-04-09 12:22:47 -0400
commitaa893269de6277b44be88e25dcd5331c934c29c4 (patch)
treef994e023f787c1665b65725f2c009a9f5a021be7 /security/selinux/include
parent6ce74ec75ca690c4fb3a3c5f8b7767d094d93215 (diff)
SELinux: allow default source/target selectors for user/role/range
When new objects are created we have great and flexible rules to determine the type of the new object. We aren't quite as flexible or mature when it comes to determining the user, role, and range. This patch adds a new ability to specify the place a new objects user, role, and range should come from. For users and roles it can come from either the source or the target of the operation. aka for files the user can either come from the source (the running process and todays default) or it can come from the target (aka the parent directory of the new file) examples always are done with directory context: system_u:object_r:mnt_t:s0-s0:c0.c512 process context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [no rule] unconfined_u:object_r:mnt_t:s0 test_none [default user source] unconfined_u:object_r:mnt_t:s0 test_user_source [default user target] system_u:object_r:mnt_t:s0 test_user_target [default role source] unconfined_u:unconfined_r:mnt_t:s0 test_role_source [default role target] unconfined_u:object_r:mnt_t:s0 test_role_target [default range source low] unconfined_u:object_r:mnt_t:s0 test_range_source_low [default range source high] unconfined_u:object_r:mnt_t:s0:c0.c1023 test_range_source_high [default range source low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c1023 test_range_source_low-high [default range target low] unconfined_u:object_r:mnt_t:s0 test_range_target_low [default range target high] unconfined_u:object_r:mnt_t:s0:c0.c512 test_range_target_high [default range target low-high] unconfined_u:object_r:mnt_t:s0-s0:c0.c512 test_range_target_low-high Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/security.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index d871e8ad2103..ba53400195c0 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -31,13 +31,14 @@
31#define POLICYDB_VERSION_BOUNDARY 24 31#define POLICYDB_VERSION_BOUNDARY 24
32#define POLICYDB_VERSION_FILENAME_TRANS 25 32#define POLICYDB_VERSION_FILENAME_TRANS 25
33#define POLICYDB_VERSION_ROLETRANS 26 33#define POLICYDB_VERSION_ROLETRANS 26
34#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
34 35
35/* Range of policy versions we understand*/ 36/* Range of policy versions we understand*/
36#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE 37#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
37#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX 38#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
38#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE 39#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
39#else 40#else
40#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS 41#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
41#endif 42#endif
42 43
43/* Mask for just the mount related flags */ 44/* Mask for just the mount related flags */