2012-11-27 16:59:19

by dominick.grift

Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type


This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.

This is, I think, to make sure that specified processes cannot interact
with subjects or operate on objects regardless of their MCS range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <[email protected]>

diff --git a/policy/mcs b/policy/mcs
index f477c7f..216b3d1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@
# - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));

mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));

mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
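Review bot: The new `fifo_file { open }` rule accepts only `mcsreadall` as a bypass, yet `open` is checked for a write-open as well as a read-open, so a domain carrying only `mcswriteall` can no longer open a fifo for writing across categories while a `mcsreadall` domain can open it in either mode; if that asymmetry is not intended, `( t1 == mcswriteall )` presumably belongs in the same disjunction: `(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t1 == mcswriteall ) or`. The context comment at the top of the hunk, `# - /proc/pid operations are not constrained.`, is also no longer accurate once `mcs_constrained_type` types lose the `t2 == domain` exemption, assuming that clause is the /proc/pid exemption the comment describes; suggest `# - /proc/pid operations are not constrained, except for mcs_constrained_type.`. Minor style: the fifo_file rule spaces `( t2 == domain )` while every other new rule in the hunk writes `(t2 == domain)`.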
@@ -101,6 +117,12 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));

+mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
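Review bot: The new `process { signal }` constraint has no `mcskillall` clause, unlike the `sigkill sigstop` rule directly above it, so a `mcs_constrained_type` domain that also carries `mcskillall` may `sigkill` a process whose categories it does not dominate but cannot `signal` it; if the kill-all bypass is meant to cover the weaker permission too, the line would read `(( h1 dom h2 ) or ( t1 == mcskillall ) or ( t1 != mcs_constrained_type ));`. Only `signal` is listed, so `signull` and `sigchld` stay unconstrained for constrained types; if that is deliberate, a one-line comment such as `# signull and sigchld are intentionally left unconstrained` would spare the next reader the question. The `node_bind` rule would likewise benefit from a short comment on why binding is the only socket permission covered here.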
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..508e609 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,31 @@

typeattribute $1 mcssetcats;
')
+
+########################################
+## <summary>
+## Constrain by category access control (MCS).
+## </summary>
+## <desc>
+## <p>
+## Constrain the specified type by category based
+## access control (MCS) This prevents this domain from
+## interacting with subjects and operating on objects
+## that it otherwise would be able to interact
+## with or operate on respectively.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be constrained by MCS.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`mcs_constrained',`
+ gen_require(`
+ attribute mcs_constrained_type;
+ ')
+
+ typeattribute $1 mcs_constrained_type;
+')
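Review bot: The `<desc>` of `mcs_constrained` describes the effect only in general terms and is missing a period after `(MCS)`; it would help callers to state what concretely changes, namely that the type loses the `t2 == domain` exemption in the file, dir, fifo_file and special-file constraints and must dominate the target's categories for `process signal` and socket `node_bind`, while access permitted by `h1 dom h2` is unaffected. Suggest rewording the paragraph to say that the constrained type is no longer exempt from MCS category checks when operating on objects labeled with a domain type, and that its signal and node_bind operations require category dominance. The `mcsreadall` and `mcswriteall` bypasses still apply to a constrained type, which is worth saying explicitly so readers do not expect this attribute to override them.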
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..c608a8b 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@
attribute mcssetcats;
attribute mcswriteall;
attribute mcsreadall;
+attribute mcs_constrained_type;


2012-11-27 19:44:14

by Daniel Walsh

Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/27/2012 11:59 AM, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
>
> It is used by svirt and probably also by sandbox
>
> Signed-off-by: Dominick Grift <[email protected]>
>
> diff --git a/policy/mcs b/policy/mcs index f477c7f..216b3d1 100644 ---
> a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations
> are not constrained.
>
> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1
> == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or (
> t1 == mcswriteall ) or + (( t1 != mcs_constrained_type ) and (t2 ==
> domain)));
>
> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall )
> or + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
> mcs_constrained_type ) and (t2 == domain))); + +mlsconstrain fifo_file {
> open } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 !=
> mcs_constrained_type ) and ( t2 == domain ))); + +mlsconstrain { lnk_file
> chr_file blk_file sock_file } { getattr read ioctl } + (( h1 dom h2 ) or (
> t1 == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 ==
> domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write
> setattr } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
> mcs_constrained_type ) and (t2 == domain)));
>
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
>
> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 !=
> mcs_constrained_type )); + +mlsconstrain { tcp_socket udp_socket
> rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type
> )); + # # MCS policy for SELinux-enabled databases # diff --git
> a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index
> f52faaf..508e609 100644 --- a/policy/modules/kernel/mcs.if +++
> b/policy/modules/kernel/mcs.if @@ -102,3 +102,31 @@
>
> typeattribute $1 mcssetcats; ') +
> +######################################## +## <summary> +## Constrain by
> category access control (MCS). +## </summary> +## <desc> +## <p> +##
> Constrain the specified type by category based +## access control (MCS)
> This prevents this domain from +## interacting with subjects and operating
> on objects +## that it otherwise would be able to interact +## with or
> operate on respectively. +## </p> +## </desc> +## <param name="domain"> +##
> <summary> +## Type to be constrained by MCS. +## </summary> +## </param>
> +## <infoflow type="none"/> +# +interface(`mcs_constrained',` +
> gen_require(` + attribute mcs_constrained_type; + ') + + typeattribute $1
> mcs_constrained_type; +') diff --git a/policy/modules/kernel/mcs.te
> b/policy/modules/kernel/mcs.te index 0e5b661..c608a8b 100644 ---
> a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3
> +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute
> mcsreadall; +attribute mcs_constrained_type;
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
Looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC1GA0ACgkQrlYvE4MpobM2tQCfSgNuqcCilBEuofKNVMfe6n2S
UrQAoN5IPW3SGuD5qgNWTzNQ+BzGWbD/
=ylpr
-----END PGP SIGNATURE-----

2012-11-28 21:26:58

by cpebenito

Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type

On 11/27/12 11:59, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
>
> It is used by svirt and probably also by sandbox

Merged.

> Signed-off-by: Dominick Grift <[email protected]>
>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..216b3d1 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
> # - /proc/pid operations are not constrained.
>
> mlsconstrain file { read ioctl lock execute execute_no_trans }
> - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain file { write setattr append unlink link rename }
> - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain dir { search read ioctl lock }
> - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcs_constrained_type ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> + (( h1 dom h2 ) or ( t1 == mcsreadall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> + (( h1 dom h2 ) or ( t1 == mcswriteall ) or
> + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
> mlsconstrain process { sigkill sigstop }
> (( h1 dom h2 ) or ( t1 == mcskillall ));
>
> +mlsconstrain process { signal }
> + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> #
> # MCS policy for SELinux-enabled databases
> #
> diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
> index f52faaf..508e609 100644
> --- a/policy/modules/kernel/mcs.if
> +++ b/policy/modules/kernel/mcs.if
> @@ -102,3 +102,31 @@
>
> typeattribute $1 mcssetcats;
> ')
> +
> +########################################
> +## <summary>
> +## Constrain by category access control (MCS).
> +## </summary>
> +## <desc>
> +## <p>
> +## Constrain the specified type by category based
> +## access control (MCS) This prevents this domain from
> +## interacting with subjects and operating on objects
> +## that it otherwise would be able to interact
> +## with or operate on respectively.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Type to be constrained by MCS.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`mcs_constrained',`
> + gen_require(`
> + attribute mcs_constrained_type;
> + ')
> +
> + typeattribute $1 mcs_constrained_type;
> +')
> diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
> index 0e5b661..c608a8b 100644
> --- a/policy/modules/kernel/mcs.te
> +++ b/policy/modules/kernel/mcs.te
> @@ -10,3 +10,4 @@
> attribute mcssetcats;
> attribute mcswriteall;
> attribute mcsreadall;
> +attribute mcs_constrained_type;

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com