commit: 1bc42bf81c5adfdbcc4c993e4d279b8e07e81094
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Mon Jun 20 14:54:46 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1bc42bf8
mcs: Collapse constraints.
Collapse file constraints as they are equivalent due to the same expressions.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 36 ++++--------------------------------
1 file changed, 4 insertions(+), 32 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index e8006b11..af880058 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -66,27 +66,14 @@ gen_levels(1,mcs_num_cats)
#
# Note:
# - getattr on dirs/files is not constrained.
-# - /proc/pid operations are not constrained.
-mlsconstrain file { read ioctl lock execute execute_no_trans }
+mlsconstrain dir_file_class_set { open read ioctl lock write setattr append
create unlink link rename relabelfrom relabelto }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain file { write setattr append unlink link rename }
+mlsconstrain file { execute execute_no_trans }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain dir { write setattr append unlink link rename add_name
remove_name }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain fifo_file { open }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+mlsconstrain dir { search add_name remove_name rmdir }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
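Review bot: The collapsed `dir_file_class_set` rule is not a pure equivalence with the rules it replaces: `getattr` on lnk_file/chr_file/blk_file/sock_file was constrained by the removed `{ getattr read ioctl }` rule and is no longer, while `open` (previously fifo_file only), `rmdir` and the `h1 dom h2` form of `create relabelfrom relabelto` are now applied to every class in the set. Those are defensible choices, but the commit message presents the change as equivalent, so the getattr relaxation and the widened open/rmdir coverage should be stated there, and the `# Note:` header should be updated to match, e.g. `# - getattr on all filesystem objects is not constrained.` in place of the current "dirs/files" wording. This assumes `dir_file_class_set` expands to the same seven filesystem classes the removed rules enumerated (dir, file, lnk_file, chr_file, blk_file, sock_file, fifo_file); verify against the policy's object permission set definitions. The removed `/proc/pid` note also has no replacement, so if that statement still holds it would be worth keeping.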
@@ -95,23 +82,8 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
((( h1 dom h2 ) and ( l2 eq h2 )) or
( t1 != mcs_constrained_type ));
-# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } {
relabelfrom }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } {
create relabelto }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain process { signal }
+mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind