From: Kenton Groombridge
To: selinux-refpolicy@vger.kernel.org
Cc: Kenton Groombridge
Subject: [PATCH 0/7] mcs, various: pull in changes from Fedora policy
Date: Fri, 29 Oct 2021 17:04:36 -0400
Message-Id: <20211029210443.17461-1-me@concord.sh>

Pull in some changes from the Fedora policy's MCS constraints. Most notably, the MCS override attributes were deprecated in favor of mcs_constrained_type. This means that domains will have unchecked access to objects with categories UNLESS the domain is mcs_constrained_type. This alleviates confusion between the MCS overrides and mcs_constrained_type to imply that a domain must be MCS-constrained to have MCS checks at all.

Other changes include additional constraints to miscellaneous IPC objects, node "write" operations, and netif egress/ingress operations.
Kenton Groombridge (7):
  mcs: deprecate mcs overrides
  mcs: restrict create, relabelto on mcs files
  mcs: add additional constraints to databases
  mcs: constrain misc IPC objects
  mcs: combine single-level object creation constraints
  various: deprecate mcs override interfaces
  corenet: make netlabel_peer_t mcs constrained

 policy/mcs                              | 61 ++++++++++++++++---------
 policy/modules/admin/rpm.te             |  2 -
 policy/modules/admin/tmpreaper.te       |  2 -
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/kernel/mcs.if            | 24 ++--------
 policy/modules/services/policykit.te    |  2 -
 policy/modules/services/postfix.te      | 10 ----
 policy/modules/services/watchdog.te     |  2 -
 policy/modules/system/init.te           |  6 ---
 policy/modules/system/systemd.te        |  1 -
 policy/modules/system/udev.te           |  2 -
 policy/modules/system/unconfined.te     |  3 --
 12 files changed, 45 insertions(+), 71 deletions(-)

-- 
2.33.1
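The semantic shift described in the cover letter, from "every domain is category-checked unless it carries an override attribute" to "only mcs_constrained_type domains are category-checked at all", is easy to misread when reviewing the series. The following Python model is an added illustration and is not code from the patches or from refpolicy: it evaluates the single-sensitivity MCS dominance test (the `h1 dom h2` term of an mlsconstrain, which for MCS reduces to a category-set superset check) under both rule shapes over a few constructed domains, and lists which domains become unchecked after the change. The attribute name `mcs_override` is a constructed stand-in for the deprecated override attributes; `mcs_constrained_type` is the attribute named in the cover letter; all domain types, categories and the sample file are constructed.

```python
# Added illustration (not part of the patch series or refpolicy): model of the
# MCS constraint decision before and after replacing per-domain override
# attributes with the mcs_constrained_type opt-in. "mcs_override" is a
# constructed placeholder name; every domain and object below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Ctx:
    """A subject or object security context reduced to what MCS needs."""
    type_: str
    attributes: frozenset   # SELinux type attributes (meaningful for subjects)
    categories: frozenset   # MCS category set, e.g. {"c0", "c1"}


def dominates(high: frozenset, low: frozenset) -> bool:
    """'h1 dom h2' for single-sensitivity MCS: the subject's categories must
    be a superset of the object's categories."""
    return low <= high


def old_check(subject: Ctx, obj: Ctx) -> bool:
    """Pre-change semantics: every domain is checked, unless it carries a
    blanket override attribute (constructed name: mcs_override)."""
    return (dominates(subject.categories, obj.categories)
            or "mcs_override" in subject.attributes)


def new_check(subject: Ctx, obj: Ctx) -> bool:
    """Post-change semantics: only domains that opted in through
    mcs_constrained_type are subject to the category check at all."""
    if "mcs_constrained_type" not in subject.attributes:
        return True
    return dominates(subject.categories, obj.categories)


def ctx(type_: str, attributes=(), categories=()) -> Ctx:
    """Convenience constructor turning plain iterables into frozensets."""
    return Ctx(type_, frozenset(attributes), frozenset(categories))


# Constructed sample: a file carrying category c0, and four subject domains.
SECRET_FILE = ctx("user_home_t", categories={"c0"})

SAMPLES = {
    # Ordinary daemon: no categories, no override, never opted in.
    "plain_daemon": ctx("sshd_t"),
    # Admin domain that held a blanket override under the old scheme.
    "admin_override": ctx("sysadm_t", attributes={"mcs_override"}),
    # Opted-in container whose category does not match: must stay denied.
    "container_c1": ctx("container_t", {"mcs_constrained_type"}, {"c1"}),
    # Opted-in container whose categories dominate the file: allowed either way.
    "container_c0c1": ctx("container_t", {"mcs_constrained_type"}, {"c0", "c1"}),
}


def compare(obj: Ctx = SECRET_FILE) -> dict:
    """Return {domain_name: (old_decision, new_decision)} for each sample."""
    return {name: (old_check(d, obj), new_check(d, obj))
            for name, d in SAMPLES.items()}


def newly_unchecked(obj: Ctx = SECRET_FILE) -> list:
    """Domains denied by the old constraints but allowed by the new ones:
    exactly the domains that never opted in via mcs_constrained_type. This is
    the set to review when adopting the change on a system that relied on
    MCS separation for non-container domains."""
    return sorted(n for n, (old, new) in compare(obj).items() if new and not old)


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:16} old={'allow' if old else 'deny':5} "
              f"new={'allow' if new else 'deny'}")
    print("newly unchecked:", newly_unchecked())
```

The interesting row is the plain daemon: under the old rules it was denied access to a c0-labelled file because its empty category set does not dominate {c0}; under the new rules it is simply never checked. Opted-in domains behave identically under both schemes, which is the point of the change, but any domain that was implicitly relying on the category check now needs `mcs_constrained_type` to keep it.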