2012-11-02 18:46:08

by dominick.grift

Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.


This process is not allowed to interact with subjects or operate on objects
that it would otherwise be able to interact with or operate on
respectively.

This is, I think, to make sure that the specified processes cannot interact
with subjects or operate on objects regardless of their MCS range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <[email protected]>
diff --git a/policy/mcs b/policy/mcs
index f477c7f..c366f56 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@
# - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
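Review bot: Every constraint in this hunk still admits `h1 dom h2` as a sufficient condition, so a subject carrying mcsuntrustedproc only loses the `t2 == domain` exemption; it can still read or write domain-typed objects whose level it dominates, which is narrower than the "regardless of its mcs range" wording in the commit message. The explanatory comment block that this hunk begins inside (its earlier lines, ending with `# - /proc/pid operations are not constrained.`, lie above the hunk) should record the actual rule, e.g. `# - subjects with the mcsuntrustedproc attribute do not get the domain exemption; dominance (h1 dom h2) still applies.` Also, the new `fifo_file { open }` constraint writes `( t2 == domain )` while the other new constraints write `(t2 == domain)`; one spacing should be used throughout.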
@@ -101,6 +117,12 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));

+mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
+
#
# MCS policy for SELinux-enabled databases
#
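Review bot: The new `process { signal }` and `node_bind` constraints have no bypass attribute, whereas the adjacent `sigkill sigstop` rule admits `t1 == mcskillall`, and the section's comment block does not mention these two permissions at all; the asymmetry between neighbouring rules is undocumented. A short comment before the `signal` rule would make the intent explicit, e.g. `# signal and node_bind are constrained only for mcsuntrustedproc subjects; there is no mcskillall-style bypass.` Whether the node_bind comparison against the node's level behaves as intended depends on how nodes are labelled, which is not visible in this diff.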
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..8cd6d57 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,29 @@

typeattribute $1 mcssetcats;
')
+
+########################################
+## <summary>
+## Make specified process type MCS untrusted.
+## </summary>
+## <desc>
+## <p>
+## This prevents this domain from interacting
+## with subjects and operating on objects
+## that it otherwise would be able to
+## interact with or operate on respectively.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## The type of the process.
+## </summary>
+## </param>
+#
+interface(`mcs_untrusted_proc',`
+ gen_require(`
+ attribute mcsuntrustedproc;
+ ')
+
+ typeattribute $1 mcsuntrustedproc;
+')
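Review bot: The `<desc>` of mcs_untrusted_proc describes an effect ("prevents this domain from interacting with subjects and operating on objects") that the interface itself does not implement; it only attaches the attribute, and the actual restriction is whatever constraints in policy/mcs reference mcsuntrustedproc. The description should point there so a policy writer knows where the behaviour is defined, e.g. replace the `<p>` body with `## Adds the mcsuntrustedproc attribute; the MCS constraints in policy/mcs that reference this attribute define which accesses are restricted.` The body itself (gen_require plus typeattribute) follows the same shape as the interface ending at the top of this hunk.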
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..1d16afc 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@
attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
+attribute mcsuntrustedproc;


2012-11-03 11:01:39

by Daniel Walsh

Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, the idea is that MCS trust is opt-in rather than opt-out. So if a policy
writer wants to separate his domains based on MCS policy, he must add this
attribute.

We currently separate:

seinfo -amcsuntrustedproc -x
mcsuntrustedproc
svirt_lxc_net_t
openshift_app_t
openshift_min_t
openshift_net_t
openshift_min_app_t
openshift_net_app_t
sandbox_x_t
svirt_t
sandbox_min_t
sandbox_net_t
sandbox_web_t
svirt_prot_exec_t
openshift_t
sandbox_t

On 11/02/2012 02:46 PM, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
>
> It is used by svirt and probably also by sandbox
>
> Signed-off-by: Dominick Grift <[email protected]> diff --git
> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs
> +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations are not
> constrained.
>
> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1
> == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or (
> t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall )
> or + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
> } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc )
> and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
> sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall )
> or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain {
> lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2 )
> or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
> domain)));
>
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
>
> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 !=
> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket }
> node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy
> for SELinux-enabled databases # diff --git a/policy/modules/kernel/mcs.if
> b/policy/modules/kernel/mcs.if index f52faaf..8cd6d57 100644 ---
> a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3
> +102,29 @@
>
> typeattribute $1 mcssetcats; ') +
> +######################################## +## <summary> +## Make specified
> process type MCS untrusted. +## </summary> +## <desc> +## <p> +## This
> prevents this domain from interacting +## with subjects and operating on
> objects +## that it otherwise would be able to +## interact with or operate
> on respectively. +## </p> +## </desc> +## <param name="domain"> +##
> <summary> +## The type of the process. +## </summary> +## </param> +#
> +interface(`mcs_untrusted_proc',` + gen_require(` + attribute
> mcsuntrustedproc; + ') + + typeattribute $1 mcsuntrustedproc; +') diff
> --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index
> 0e5b661..1d16afc 100644 --- a/policy/modules/kernel/mcs.te +++
> b/policy/modules/kernel/mcs.te @@ -10,3 +10,4 @@ attribute mcssetcats;
> attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc;
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCU+ZMACgkQrlYvE4MpobPk/wCdHhXWrFfi0EQ3Jv85dauOmxlD
0eIAoKb7vByxTcby+rK+6A6UgnRSkve1
=5aaK
-----END PGP SIGNATURE-----

2012-11-26 16:04:47

by cpebenito

Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.

On 11/02/12 14:46, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
>
> It is used by svirt and probably also by sandbox
>
> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..c366f56 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
> # - /proc/pid operations are not constrained.
>
> mlsconstrain file { read ioctl lock execute execute_no_trans }
> - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain file { write setattr append unlink link rename }
> - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain dir { search read ioctl lock }
> - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
> mlsconstrain process { sigkill sigstop }
> (( h1 dom h2 ) or ( t1 == mcskillall ));
>
> +mlsconstrain process { signal }
> + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +

This doesn't look right. It says that only untrusted processes are MCS-constrained for these permissions.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-11-26 21:23:49

by Daniel Walsh

Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote:
> On 11/02/12 14:46, Dominick Grift wrote:
>>
>> This process is not allowed to interact with subjects or operate on
>> objects that it would otherwise be able to interact with or operate on
>> respectively.
>>
>> This is, i think, to make sure that specified processes cannot interact
>> with subject or operate on objects regardless of its mcs range.
>>
>> It is used by svirt and probably also by sandbox
>>
>> Signed-off-by: Dominick Grift <[email protected]> diff --git
>> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs
>> +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations are not
>> constrained.
>>
>> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1
>> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 )
>> or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>>
>> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom
>> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or (
>> t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>>
>> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 ==
>> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>>
>> mlsconstrain dir { write setattr append unlink link rename add_name
>> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
>> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
>> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
>> } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc
>> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
>> sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain
>> { lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2
>> ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>>
>> # New filesystem object labels must be dominated by the relabeling
>> subject # clearance, also the objects are single-level. @@ -101,6 +117,12
>> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
>> mcskillall ));
>>
>> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 !=
>> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket
>> } node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); +
>
> This doesn't look right. It says that only untrusted processes are
> MCS-constrained for these permissions.
>

Yes, the idea we have moved to is to make MCS constraints opt-in by the policy
writer rather than opt-out.

seinfo -amcsuntrustedproc -x
mcsuntrustedproc
svirt_lxc_net_t
openshift_app_t
openshift_min_t
openshift_net_t
openshift_min_app_t
openshift_net_app_t
svirt_nokvm_t
sandbox_x_t
svirt_t
sandbox_min_t
sandbox_net_t
sandbox_web_t
openshift_t
sandbox_t


That way we don't have to deal with lots of domains that might interact with a
MCS constrained application. cupsd_t, httpd_t...


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCz3eUACgkQrlYvE4MpobP6QwCg4cG4qIaRbtpRSfAILfeMJD/N
KyMAoOimApzFIMl970MycKusZMQCjP8r
=uhgE
-----END PGP SIGNATURE-----

2012-11-27 15:12:35

by cpebenito

Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.

On 11/26/12 16:23, Daniel J Walsh wrote:
> On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote:
>> On 11/02/12 14:46, Dominick Grift wrote:
>>>
>>> This process is not allowed to interact with subjects or operate on
>>> objects that it would otherwise be able to interact with or operate on
>>> respectively.
>>>
>>> This is, i think, to make sure that specified processes cannot interact
>>> with subject or operate on objects regardless of its mcs range.
>>>
>>> It is used by svirt and probably also by sandbox
>>>
>>> Signed-off-by: Dominick Grift <[email protected]> diff --git
>>> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs
>>> +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations are not
>>> constrained.
>>>
>>> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1
>>> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 )
>>> or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom
>>> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or (
>>> t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 ==
>>> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall
>>> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain)));
>>>
>>> mlsconstrain dir { write setattr append unlink link rename add_name
>>> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
>>> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
>>> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
>>> } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc
>>> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
>>> sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall
>>> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain
>>> { lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2
>>> ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> # New filesystem object labels must be dominated by the relabeling
>>> subject # clearance, also the objects are single-level. @@ -101,6 +117,12
>>> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
>>> mcskillall ));
>>>
>>> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 !=
>>> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket
>>> } node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); +
>
>> This doesn't look right. It says that only untrusted processes are
>> MCS-constrained for these permissions.
>
>
> Yes the idea we have moved to is to make MCS contraints opt in by the policy
> writer rather then optout.

Ok, then in that case, my preference would be to have it like ubac and have an attribute called mcsconstrained or mcs_constrained_type, and the interface name changed accordingly. Then it would be clearer that it's an opt-in mechanism.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com