Diffstat (limited to 'policy/mls')
-rw-r--r-- | policy/mls | 14 |
1 files changed, 9 insertions, 5 deletions
@@ -344,11 +344,15 @@ mlsconstrain msg send # MLS policy for the fd class # -# these access vectors have no MLS restrictions -# fd use - - - +# No sharing of open file descriptors between levels unless +# the process type is authorized to use fds created by +# other levels (mlsfduse) or the fd type is authorized to +# shared among levels (mlsfdshare). +mlsconstrain fd use ( + l1 eq l2 + or t1 == mlsfduse + or t2 == mlsfdshare +); # # MLS policy for the network object classes |
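Review bot: The new comment above `mlsconstrain fd use` does not say that `t1 == mlsfduse` and `t2 == mlsfdshare` each bypass the `l1 eq l2` check entirely. Any type carrying either attribute can therefore pass descriptors across levels with no further MLS check in this constraint. I would state that in the comment, for example `# Both attributes are MLS overrides: assign them only to trusted types.`. The same comment has a dropped word; it should read `# other levels (mlsfduse) or the fd type is authorized to be` followed by `# shared among levels (mlsfdshare).`. The diffstat is limited to policy/mls, so I cannot see where the two attributes are declared or which types receive them. Since `fd use` was unconstrained before, domains that inherit descriptors across levels will presumably start failing until they are reviewed and, where justified, given an attribute.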