From 2d5d3d861cf0468c05f45727ab16a9c626847e85 Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Thu, 24 Apr 2014 03:02:52 -0400
Subject: refpolicy: add setrans.conf for mcs/mls policy
Add initial version for setrans.conf: - setrans-mls.conf: copied from \ policycoreutils/mcstrans/share/examples/default/setrans.conf - setrans-mcs.conf: copied from radhat policy. This fixes below issue: $ chcat -L IOError: No such file or directory: \ '/etc/selinux/$POLICY_NAME/setrans.conf'
Signed-off-by: Wenzong Fan
Signed-off-by: Joe MacDonald
---
recipes-security/refpolicy/files/setrans-mcs.conf | 17 ++++++++
recipes-security/refpolicy/files/setrans-mls.conf | 52 +++++++++++++++++++++++
recipes-security/refpolicy/refpolicy_common.inc | 8 ++++
3 files changed, 77 insertions(+)
create mode 100644 recipes-security/refpolicy/files/setrans-mcs.conf
create mode 100644 recipes-security/refpolicy/files/setrans-mls.conf
diff --git a/recipes-security/refpolicy/files/setrans-mcs.conf b/recipes-security/refpolicy/files/setrans-mcs.conf
new file mode 100644
index 0000000..0ac9c90
--- /dev/null
+++ b/recipes-security/refpolicy/files/setrans-mcs.conf
@@ -0,0 +1,17 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+#
+# Objects can be categorized with 0-1023 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c1023. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=SystemLow
+s0-s0:c0.c1023=SystemLow-SystemHigh
+s0:c0.c1023=SystemHigh
diff --git a/recipes-security/refpolicy/files/setrans-mls.conf b/recipes-security/refpolicy/files/setrans-mls.conf
new file mode 100644
index 0000000..eb181d2
--- /dev/null
+++ b/recipes-security/refpolicy/files/setrans-mls.conf
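Review bot: The three active mappings in setrans-mcs.conf hard-code `c0.c1023` as the top of the category range, which is only correct while the policy is built with 1024 categories; nothing in this file or in the visible part of the recipe ties it to refpolicy's `MCS_CATS` build setting. If that value is ever changed, `SystemHigh` stops naming the real upper bound and tools such as chcat will display a misleading label. setrans-mls.conf has the same coupling through `s15` and `c0.c1023` (`MLS_SENS` / `MLS_CATS`). A header comment stating the assumption would be enough, e.g. `# Assumes the policy is built with MCS_CATS = 1024 (categories c0-c1023).`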
@@ -0,0 +1,52 @@
+#
+# Multi-Level Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be labeled with one of 16 levels and be categorized with 0-1023
+# categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Users can modify this table to translate the MLS labels for different purpose.
+#
+# Assumptions: using below MLS labels.
+# SystemLow
+# SystemHigh
+# Unclassified
+# Secret with compartments A and B.
+#
+# SystemLow and SystemHigh
+s0=SystemLow
+s15:c0.c1023=SystemHigh
+s0-s15:c0.c1023=SystemLow-SystemHigh
+
+# Unclassified level
+s1=Unclassified
+
+# Secret level with compartments
+s2=Secret
+s2:c0=A
+s2:c1=B
+
+# ranges for Unclassified
+s0-s1=SystemLow-Unclassified
+s1-s2=Unclassified-Secret
+s1-s15:c0.c1023=Unclassified-SystemHigh
+
+# ranges for Secret with compartments
+s0-s2=SystemLow-Secret
+s0-s2:c0=SystemLow-Secret:A
+s0-s2:c1=SystemLow-Secret:B
+s0-s2:c0,c1=SystemLow-Secret:AB
+s1-s2:c0=Unclassified-Secret:A
+s1-s2:c1=Unclassified-Secret:B
+s1-s2:c0,c1=Unclassified-Secret:AB
+s2-s2:c0=Secret-Secret:A
+s2-s2:c1=Secret-Secret:B
+s2-s2:c0,c1=Secret-Secret:AB
+s2-s15:c0.c1023=Secret-SystemHigh
+s2:c0-s2:c0,c1=Secret:A-Secret:AB
+s2:c0-s15:c0.c1023=Secret:A-SystemHigh
+s2:c1-s2:c0,c1=Secret:B-Secret:AB
+s2:c1-s15:c0.c1023=Secret:B-SystemHigh
+s2:c0,c1-s15:c0.c1023=Secret:AB-SystemHigh
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index fbf9441..76c3efb 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833" # Specific config files for Poky SRC_URI += "file://customizable_types \
+ file://setrans-mls.conf \
+ file://setrans-mcs.conf \
" S = "${WORKDIR}/refpolicy"
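Review bot: The `Unclassified`, `Secret`, `A` and `B` entries in setrans-mls.conf are installed as live translations rather than commented examples, so every mls image will render s1/s2 and c0/c1 with these classification names whether or not the site uses them. Display names that do not match the site's real classification scheme invite mislabelled objects and misread audit output. Since the commit message says the table was copied from the mcstrans examples directory, I would either comment those entries out, keeping only the SystemLow/SystemHigh lines as setrans-mcs.conf does, or state in the header that they are placeholders to be replaced per deployment. Separately, `libary` in the header comment should read `library`.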
@@ -109,6 +111,12 @@ EOF cat ${WORKDIR}/customizable_types >> \ ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+ # install setrans.conf for mls/mcs policy
+ if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+ install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+ fi
+ # install policy headers oe_runmake install-headers DESTDIR=${D}
-- cgit v1.2.3-54-g00ecf
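Review bot: The `[ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]` test makes a missing translation table a silent no-op, and it hides the intent: both files are listed in SRC_URI, so the test presumably exists only to skip policy types that ship no table. Testing the type states that directly and lets a genuinely missing file fail the install step instead of producing an image that hits the same chcat error: `if [ "${POLICY_TYPE}" = "mls" ] || [ "${POLICY_TYPE}" = "mcs" ]; then`. I would also double-quote the two path arguments passed to `install`. The enclosing install task starts and ends outside this hunk, so this is based only on the lines shown.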