2016-07-27 15:35:03

by Lukas Vrabec

Subject: [refpolicy] [PATCH] Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.

Example of denial:
type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
---
policy/mls | 4 +++-
policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
policy/modules/kernel/mls.te | 1 +
3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/policy/mls b/policy/mls
index 3603de1..db3ed90 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }

# new file labels must be dominated by the relabeling subjects clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
- ( h1 dom h2 );
+ (( h1 dom h2 ) or
+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfilewrite ));

# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
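Review bot: the context line "# new file labels must be dominated by the relabeling subjects clearance" above this constraint no longer describes it once the two new `or` branches are added; please update the comment to cover all three cases. Two further points on the added lines: the branch `(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 ))` compares the subject's clearance with the target's low level, so the new label's high level may be well above the clearance (the quoted denial relabels from `s0` to `s0-s15:c0.c1023`), and the commit message should state that rather than "up to its clearance"; and the branch `( t1 == mlsfilewrite )` is a complete exemption on an existing attribute that the commit message does not mention at all, so either drop it or explain why the deprecated write-all-levels attribute should now also bypass the relabelto check.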
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 27d6401..829605b 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
########################################
## <summary>
## Make specified domain MLS trusted
+## for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+ gen_require(`
+ attribute mlsfilerelabeltoclr;
+ ')
+
+ typeattribute $1 mlsfilerelabeltoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
## for writing to files at all levels. (Deprecated)
## </summary>
## <desc>
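Review bot: the summary "Make specified domain MLS trusted for relabelto to files up to its clearance" does not match what the attribute gates in policy/mls, which tests the subject's clearance against the target's low level (`h1 dom l2`) and therefore permits a new range whose high level exceeds the clearance. Suggest wording along the lines of "for relabelto to files whose low level is within its clearance", and adding a `<desc>` block, as the neighbouring interfaces have, that states this explicitly so callers understand the check is on the low level only.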
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e508050..13b8625 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
attribute mlsfilewriteinrange;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;

attribute mlsnetread;
attribute mlsnetreadtoclr;
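Review bot: declaring `mlsfilerelabeltoclr` here matches the surrounding attribute declarations, but nothing in this patch assigns the attribute to any domain, so the `rpm_t` denial quoted in the commit message is not resolved by this change on its own; a corresponding `mls_file_relabel_to_clearance(rpm_t)` call in the rpm module (or a sentence in the commit message saying that such a call is expected to follow) would make the intended use explicit.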
--
2.5.5


2016-07-27 23:00:22

by Chris PeBenito

Subject: [refpolicy] [PATCH] Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.

On 07/27/16 11:35, Lukas Vrabec wrote:
> Example of denial:
> type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for
> pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
> scontext=root:system_r:rpm_t:s0
> tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir


The commit message is slightly misleading (the denial isn't a relabel to
clearance situation; it's a complete exemption), but it's merged.

> ---
> policy/mls | 4 +++-
> policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
> policy/modules/kernel/mls.te | 1 +
> 3 files changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/policy/mls b/policy/mls
> index 3603de1..db3ed90 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
>
> # new file labels must be dominated by the relabeling subjects clearance
> mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
> - ( h1 dom h2 );
> + (( h1 dom h2 ) or
> + (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsfilewrite ));
>
> # the file "read" ops (note the check is dominance of the low level)
> mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
> diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
> index 27d6401..829605b 100644
> --- a/policy/modules/kernel/mls.if
> +++ b/policy/modules/kernel/mls.if
> @@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
> ########################################
> ## <summary>
> ## Make specified domain MLS trusted
> +## for relabelto to files up to its clearance.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_file_relabel_to_clearance',`
> + gen_require(`
> + attribute mlsfilerelabeltoclr;
> + ')
> +
> + typeattribute $1 mlsfilerelabeltoclr;
> +')
> +
> +########################################
> +## <summary>
> +## Make specified domain MLS trusted
> ## for writing to files at all levels. (Deprecated)
> ## </summary>
> ## <desc>
> diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
> index e508050..13b8625 100644
> --- a/policy/modules/kernel/mls.te
> +++ b/policy/modules/kernel/mls.te
> @@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
> attribute mlsfilewriteinrange;
> attribute mlsfileupgrade;
> attribute mlsfiledowngrade;
> +attribute mlsfilerelabeltoclr;
>
> attribute mlsnetread;
> attribute mlsnetreadtoclr;
>


--
Chris PeBenito