refpolicy: add setrans.conf for mcs/mls policy

Add initial version for setrans.conf:
- setrans-mls.conf: copied from \
  policycoreutils/mcstrans/share/examples/default/setrans.conf
- setrans-mcs.conf: copied from radhat policy.

This fixes below issue:
  $ chcat -L
  IOError: No such file or directory: \
    '/etc/selinux/$POLICY_NAME/setrans.conf'

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

3 files changed, 77 insertions, 0 deletions

diff --git a/recipes-security/refpolicy/files/setrans-mcs.conf b/recipes-security/refpolicy/files/setrans-mcs.conf
new file mode 100644
index 0000000..0ac9c90
--- /dev/null
+++ b/recipes-security/refpolicy/files/setrans-mcs.conf
@@ -0,0 +1,17 @@
+#
+# Multi-Category Security translation table for SELinux
+# 
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023.  Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
diff --git a/recipes-security/refpolicy/files/setrans-mls.conf b/recipes-security/refpolicy/files/setrans-mls.conf
new file mode 100644
index 0000000..eb181d2
--- /dev/null
+++ b/recipes-security/refpolicy/files/setrans-mls.conf
@@ -0,0 +1,52 @@
+#
+# Multi-Level Security translation table for SELinux
+# 
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023 
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+#  SystemLow
+#  SystemHigh
+#  Unclassified 
+#  Secret with compartments A and B.
+# 
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=A
+s2:c1=B
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c1023=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c1023=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index fbf9441..76c3efb 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
 # Specific config files for Poky
 SRC_URI += "file://customizable_types \
+            file://setrans-mls.conf \
+            file://setrans-mcs.conf \
            "
 
 S = "${WORKDIR}/refpolicy"
@@ -109,6 +111,12 @@ EOF
         cat ${WORKDIR}/customizable_types >> \
                 ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
 
+        # install setrans.conf for mls/mcs policy
+        if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+                install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+                        ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+        fi
+
         # install policy headers
         oe_runmake install-headers DESTDIR=${D}