From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 3/7] mcs: add additional constraints to databases
Date: Fri, 29 Oct 2021 17:04:39 -0400
Message-Id: <20211029210443.17461-4-me@concord.sh>
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Signed-off-by: Kenton Groombridge
---
 policy/mcs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index d4d984e47..8db3838f5 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -135,6 +135,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); +mlsconstrain context contains + (( h1 dom h2 ) and ( l1 domby l2 )); + # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 );
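Review bot: the new `mlsconstrain context contains` rule in this hunk is not a database constraint, yet the subject line reads "mcs: add additional constraints to databases" and there is no commit body explaining why it is added; please either split it out or describe it in the message. The rule is also dropped in between the db_tuple constraint and the "# Access control for any database objects based on MCS rules." comment with no comment of its own, while every other block in this region of the file carries one; a one-line comment stating what the `contains` check governs and why the range must satisfy both `h1 dom h2` and `l1 domby l2` would keep the file consistent.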
@@ -166,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network node which is acting as the object +mlsconstrain { node } { recvfrom sendto } + (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + +mlsconstrain { packet peer } { recv } + (( l1 dom l2 ) or + (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ))); + +# The netif ingress/egress ops, the ingress permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network interface which is acting as the object +mlsconstrain { netif } { egress ingress } + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); + ') dnl end enable_mcs -- 2.33.1
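Review bot: the `{ node } { recvfrom sendto }` constraint compares `t1` against `msc_constrained_type`, a typo for the `mcs_constrained_type` attribute used by the other three new rules; no such attribute exists, so the policy will fail to compile, and even if it were declared the intended exemption would never apply. Change the line to `(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));`. The subject line also says "databases", but this hunk adds network constraints (node_bind, node recvfrom/sendto, packet/peer recv, netif ingress/egress); a commit body should say so and explain why the packet/peer rule exempts both `t1` and `t2` while the node and netif rules exempt only `t1`, since a reader comparing the four rules cannot tell whether that asymmetry is intentional.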