From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 1/7] mcs: deprecate mcs overrides
Date: Fri, 29 Oct 2021 17:04:37 -0400
Message-Id: <20211029210443.17461-2-me@concord.sh>
In-Reply-To: <20211029210443.17461-1-me@concord.sh>
References: <20211029210443.17461-1-me@concord.sh>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Deprecate mcs overrides in favor of using mcs_constrained_type.

Signed-off-by: Kenton Groombridge
---
 policy/mcs | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index c0d424a97..44b57e594 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain fifo_file { open } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and ( t2 == domain ))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. 
mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or + ( t1 != mcs_constrained_type )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); + (( h1 dom h2) or ( t1 != mcs_constrained_type )); mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -- 2.33.1
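Review bot: In the second `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` constraint, the new expression `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))` drops the `( l2 eq h2 )` single-level check that the removed line had and that the `file { create relabelto }` constraint a few lines above still keeps; unless dropping it is deliberate, it should read `((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ))` so directories, links, sockets and device nodes stay single-level as the "objects are single-level" comment says. Two smaller points: the `# - /proc/pid operations are not constrained.` comment at the top of the hunk is now stale, because the `( t2 == domain )` clause that implemented it is gone and unconstrained subjects are now exempt for every object class, not only domain-labelled ones; and since the file and dir constraints change from applying to every domain except the `mcsreadall`/`mcswriteall` overrides to applying only to `mcs_constrained_type`, the commit message should state that behavioural change and say what happens to types still assigned the `mcsreadall`, `mcswriteall`, `mcssetcats`, `mcsptraceall` and `mcskillall` attributes, which nothing in this hunk removes or marks deprecated.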