Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp506009pxb;
        Fri, 29 Oct 2021 14:13:29 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyN/1Xeg9sIZjx9JaSJa1htJAfYpFGgy4mn9mYwfsfUxxCMYyvRKakR0ypk3j8rOJeGR8G9
X-Received: by 2002:a05:6402:348d:: with SMTP id v13mr18738103edc.279.1635542008998;
        Fri, 29 Oct 2021 14:13:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1635542008; cv=none;
        d=google.com; s=arc-20160816;
        b=wgcKP9eBFdTJkClSZL33wznbzxmvUUwsSZP/7ydiFKBPl3w58JbWl6/etZo6ySHzAJ
         8V+hETy2YN8msh/Bn5FqtprX24YSOtDYtP9avO8WiDZFjVs/EjYx1Ep406dqD0ogiQIB
         ZK5BCTyFN2E8bKe7ssGJ1Hb1P/yGwbuINOloacCBfQp/wnNIPcRYaZ8h2Nsg5xZOE/fT
         c26cWlIE17i0pfHvk/apM4gPgStCJnp4OVMTpl3hfvLe8NnwEEMwc5ZPAzW2GE2ANRzK
         s2GnEuj16pdNnxI8thcsIbBX6+l48PaBxQKn9P7p4mvjpXOWS16bsEx9Ry08iEO7gvAg
         m91A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=K2wCHTiiJnUVP/nglaMU6vGJzJ7QEswCq1CMSSH9q7Q=;
        b=y6L7vvQaiduSPcyNmwwXHlmK48dEJRPToMbx9g4yT9fx4klxaDtwBFGaSzioYAOqYB
         R5UAXUwYjO8kF9f+TtSJ3Ux7kRYKChrefGUyVfeLHYyutaDpqgky++Y2A9FWomeOVca8
         wouFEscDBAQhd92BlkMXjbE4I9ATFJF4yoEAwiy2whhm/sS1hz5Kc9gwU4oR4w380BTT
         ybDC3sKwf8CWVtW/Q7I9Wc/j5hCo+n7lyZZAUOKpG5Vu4KhTDATwyXZ+L9ly6GM+P1Ly
         4UhdN5M2wieiLvXOtSBgcaCpMzsD5Dua0ZpURixIsl0w9SLDxmW3kcVKn8kzNt5TYt9D
         g88A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=loe2SzF2;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r5si10085258edb.130.2021.10.29.14.13.23;
        Fri, 29 Oct 2021 14:13:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@concord.sh header.s=dkim header.b=loe2SzF2;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=concord.sh
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231584AbhJ2VPm (ORCPT <rfc822;apot1624@gmail.com> + 20 others);
        Fri, 29 Oct 2021 17:15:42 -0400
Received: from yunyun.fuwafuwatime.moe ([107.191.99.165]:33202 "EHLO
        yunyun.fuwafuwatime.moe" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231599AbhJ2VPk (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 29 Oct 2021 17:15:40 -0400
Received: from megumin.fuwafuwatime.moe (c-174-50-100-124.hsd1.ga.comcast.net [174.50.100.124])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by yunyun.fuwafuwatime.moe (Postfix) with ESMTPSA id B0072C150C
        for <selinux-refpolicy@vger.kernel.org>; Fri, 29 Oct 2021 17:04:55 -0400 (EDT)
Received: from bubbles.localdomain (bubbles.localdomain [192.168.1.122])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        by megumin.fuwafuwatime.moe (Postfix) with ESMTPSA id 97F758EF41;
        Fri, 29 Oct 2021 17:04:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=concord.sh; s=dkim;
        t=1635541494;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=K2wCHTiiJnUVP/nglaMU6vGJzJ7QEswCq1CMSSH9q7Q=;
        b=loe2SzF2MVgR3MV7ebHC4wohauP3zeuYp2mlpcZZ3QgGsE2MfIbveX/y3lppf99mGoS5cG
        2KG5xEr6Li7QQIutDkvL93cxl3ptD+PzXgmsqp4oue6Agi9yMu04qJp6wOiF4aE3cNKhyd
        bJ7AtSOiY5fTUScUsJ9L2SRBpfXPMKGaugTUCYFr2RUDqLl0QOP7GPGYD93RSkPpNkjWZN
        Odv5RntFFTMTipJMq+hR4wTsXoOO3eqS0UtYVW/ew3BuFnVD5ma2S2X7JmhbK5xv2aqdyo
        MKJwdkMlGqBCJJJl948PVsOnZEYGCnWwzylv4v9UyNpq0MKfubaZ6w2ydf8HMw==
From:   Kenton Groombridge <me@concord.sh>
To:     selinux-refpolicy@vger.kernel.org
Cc:     Kenton Groombridge <me@concord.sh>
Subject: [PATCH 3/7] mcs: add additional constraints to databases
Date:   Fri, 29 Oct 2021 17:04:39 -0400
Message-Id: <20211029210443.17461-4-me@concord.sh>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Authentication-Results: ORIGINATING;
        auth=pass smtp.auth=me@concord.sh smtp.mailfrom=me@concord.sh
X-Spam-Status: No, score=-2.60
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index d4d984e47..8db3838f5 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -135,6 +135,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
 mlsconstrain { db_tuple } { insert relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+mlsconstrain context contains
+	(( h1 dom h2 ) and ( l1 domby l2 ));
+
 # Access control for any database objects based on MCS rules.
 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
@@ -166,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+	(( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+	(( l1 dom l2 ) or
+	 (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+	(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
 ') dnl end enable_mcs
-- 
2.33.1