From Debian package 0.0.20080702-4
Prevent MCS write down
Stopped applying after upstream 808341bb (2009-10-07)
Was updated by Manoj in 0.2.20091013-1 so that it applied, but no longer restricts write down on files (probably the most important part!)
I am not sure if the rest still works correctly
One line appeared upstream in 515889b1 (2011-03-31). Unfortunately I have no idea what this does.
Index: policy/mcs
===================================================================
--- policy/mcs.orig
+++ policy/mcs
@@ -72,7 +72,11 @@
 	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
 
 mlsconstrain file { write setattr append unlink link rename }
+ifdef(`distro_debian', `
+	((( h1 dom h2 ) and (l1 domby l2)) or ( t1 == mcswriteall ) or (t2 == mcstrustedobject) or ( t2 == domain ));
+', `
 	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+')
 
 mlsconstrain dir { search read ioctl lock }
 	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
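Review bot: The Debian branch of the `file { write setattr append unlink link rename }` constraint exempts `t2 == mcstrustedobject` from the whole expression, including `h1 dom h2`, so a trusted object can be written from any level in either direction, not only downward; the hunk should say so, e.g. `# distro_debian: subject low level must be dominated by the object's low level (no write down); mcstrustedobject types are exempt in both directions`. The new expression is only selected when `distro_debian` is defined at m4 expansion time; otherwise the unchanged upstream expression silently applies, which would match the header's complaint that write down on files is no longer restricted. Only the `file` class is changed here; if policy/mcs carries matching write constraints for other classes outside this hunk, they keep the upstream form.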
@@ -83,20 +87,35 @@
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
+ifdef(`distro_debian', `
+	(( h1 dom h2 ) and (l2 eq h2 ) and
+	((l1 domby l2) or (t2 == mcstrustedobject)));
+', `
 	(( h1 dom h2 ) and ( l2 eq h2 ));
+')
 
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	( h1 dom h2 );
 
+# not mandatory at this time - can write down
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
 mlsconstrain process { transition dyntransition }
+ifdef(`distro_debian', `
+	(( ( h1 dom h2 ) and ((l1 domby l2) or (t1 == mcssetlow)) ) or ( t1 == mcssetcats ));
+', `
 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+')
+
 
 mlsconstrain process { ptrace }
-	(( h1 dom h2) or ( t1 == mcsptraceall ));
+ifdef(`distro_debian', `
+	( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) );
+', `
+	(( h1 dom h2) or (t1 == mcsptraceall) );
+')
 
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
Index: policy/modules/kernel/mcs.if
===================================================================
--- policy/modules/kernel/mcs.if.orig
+++ policy/modules/kernel/mcs.if
@@ -102,3 +102,53 @@
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+##
+## Make specified domain MCS trusted
+## for setting the low level of its range for the processes it executes,
+## IE MCS will not be mandatory for it.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+#
+interface(`mcs_process_set_low',`
+	gen_require(`
+		attribute mcssetlow;
+	')
+
+	typeattribute $1 mcssetlow;
+')
+
+########################################
+##
+## Make specified object MCS trusted.
+##
+##
+##
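Review bot: The Debian ptrace constraint changes what `mcsptraceall` grants: upstream the attribute bypasses the dominance check outright, whereas `( (h1 dom h2) and ((l1 domby l2) or ( t1 == mcsptraceall )) )` still requires the subject's high level to dominate the target, so a domain carrying it can no longer ptrace a process whose categories it lacks. That narrowing is not mentioned in the patch header and contradicts the `# process may ptrace at all levels` comment added in policy/modules/kernel/mcs.te; either move `t1 == mcsptraceall` back outside the `and`, or document it as `# distro_debian: mcsptraceall only waives the low-level check, h1 must still dominate h2`. The added `# not mandatory at this time - can write down` comment sits on the multi-class `{ create relabelto }` constraint, which unlike the `file` constraint above it gets no `l1 domby l2` term; naming the affected classes (`dir lnk_file chr_file blk_file sock_file fifo_file`) in that comment would keep the gap visible to whoever revisits it.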

+## Make specified object MCS trusted. This
+## allows all levels to read and write the
+## object.
+##

+##

+## This currently only applies to filesystem
+## objects, for example, files and directories.
+##

+##
+##
+##
+## The type of the object.
+##
+##
+#
+interface(`mcs_trusted_object',`
+	gen_require(`
+		attribute mcstrustedobject;
+	')
+
+	typeattribute $1 mcstrustedobject;
+')
+
Index: policy/modules/kernel/mcs.te
===================================================================
--- policy/modules/kernel/mcs.te.orig
+++ policy/modules/kernel/mcs.te
@@ -5,8 +5,16 @@
 # Declarations
 #
 
+# process may kill all processes (init)
 attribute mcskillall;
+# process may ptrace at all levels
 attribute mcsptraceall;
+# process may run a child in any level
 attribute mcssetcats;
+# process may set the low level for a child with no restriction
+attribute mcssetlow;
+# object may be accessed by any process at a higher level
+attribute mcstrustedobject;
+
 attribute mcswriteall;
 attribute mcsreadall;
Index: policy/modules/kernel/selinux.te
===================================================================
--- policy/modules/kernel/selinux.te.orig
+++ policy/modules/kernel/selinux.te
@@ -19,6 +19,7 @@
 type security_t, boolean_type;
 fs_type(security_t)
 mls_trusted_object(security_t)
+mcs_trusted_object(security_t)
 sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
 genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
 genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
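Review bot: The `mcs_trusted_object` description says the interface `allows all levels to read and write the object`, but the only constraints in policy/mcs that test `t2 == mcstrustedobject` are the `file` write constraint and `file { create relabelto }`; the read constraint visible as context there keeps only `mcsreadall` and `domain`, so reads stay subject to `h1 dom h2`. Rewording to `allows processes at any level to write, create and relabel the object; read access is still governed by level dominance` would match the policy. Likewise `mcs_process_set_low` says `MCS will not be mandatory for it`, while `mcssetlow` only waives the `l1 domby l2` term of the `process { transition dyntransition }` constraint and the summary should state that narrower effect. The XML summary/param markup of both interface headers appears to have been lost in this rendering of the hunk, so the exact line layout could not be checked.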
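Review bot: The comment `# object may be accessed by any process at a higher level` on `mcstrustedobject` states the opposite of what the Debian constraints in policy/mcs do with the attribute: it removes the level check on `file` writes entirely and is not consulted for reads at all. Suggest `# object exempt from the MCS write/create/relabel constraints: any process, at any level, may write it` instead. `mcswriteall` and `mcsreadall` are the only attributes left without a comment once this hunk is applied; one line each, e.g. `# process may write at any level` and `# process may read at any level`, would finish the job.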
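Review bot: `mcs_trusted_object(security_t)` is added without a comment, and the hunk gives no reason for it, which is presumably why the patch header says `no idea what this does`. From the context lines selinuxfs is labelled `s0` via `genfscon`, and under the Debian `file` write constraint in policy/mcs a subject running with categories fails `l1 domby l2` against an `s0` object, so without this exemption such processes would presumably be denied writes to selinuxfs once `distro_debian` is defined. Suggest `# selinuxfs is labelled s0; exempt it from the distro_debian MCS write-down constraint so processes running with categories can still write to it`.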