From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 4/7] mcs: constrain misc IPC objects
Date: Fri, 29 Oct 2021 17:04:40 -0400
Message-Id: <20211029210443.17461-5-me@concord.sh>
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>

Signed-off-by: Kenton Groombridge
--- policy/mcs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/mcs b/policy/mcs index 8db3838f5..6207b2734 100644 --- a/policy/mcs +++ b/policy/mcs @@ -123,6 +123,9 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind mlsconstrain key { create link read search setattr view write } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + # # MCS policy for SELinux-enabled databases # -- 2.33.1
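
Review bot: the added constraint on `{ ipc sem msgq shm }` lists only `create destroy setattr write unix_write`, so read-side access (`read`, `unix_read`, `associate`, `getattr`) to another category's semaphores, message queues and shared memory stays unconstrained for `mcs_constrained_type` domains, whereas the `key` constraint directly above it does cover `read`, `search` and `view`. If the omission is intentional, say why in the commit message, which currently has no body; otherwise add the read-side permissions (and consider the class-specific `enqueue` on `msgq` and `lock` on `shm`) to this constraint or to a second one. A short comment above the new rule, in the style of the `# MCS policy for SELinux-enabled databases` header that follows it, would also help readers of `policy/mcs`.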