From: dwalsh@redhat.com (Daniel J Walsh)
Date: Sat, 03 Nov 2012 07:01:39 -0400
Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.
In-Reply-To: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com>
References: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <5094F993.7010800@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, the idea is that MCS trust is opt-in versus opt-out. So if a policy
writer wants to separate his domains based on MCS policy, he must add this
attribute. We currently separate:

seinfo -amcsuntrustedproc -x
   mcsuntrustedproc
      svirt_lxc_net_t
      openshift_app_t
      openshift_min_t
      openshift_net_t
      openshift_min_app_t
      openshift_net_app_t
      sandbox_x_t
      svirt_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      svirt_prot_exec_t
      openshift_t
      sandbox_t

On 11/02/2012 02:46 PM, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, I think, to make sure that specified processes cannot interact
> with subjects or operate on objects regardless of its MCS range.
>
> It is used by svirt and probably also by sandbox.
>
> Signed-off-by: Dominick Grift
>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..c366f56 100644
> --- a/policy/mcs
> +++ b/policy/mcs
@@ -69,16 +69,32 @@ # - /proc/pid operations are not > constrained. > > mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom > h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 > == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); > > mlsconstrain file { write setattr append unlink link rename } - (( h1 dom > h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( > t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); > > mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == > mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall ) > or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); > > mlsconstrain dir { write setattr append unlink link rename add_name > remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain > )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != > mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open > } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) > and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file > sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall ) > or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain { > lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2 ) > or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == > domain))); > > # New filesystem object labels must be dominated by the relabeling subject > # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ > mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == > mcskillall )); > > +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != > mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket } > node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy > for SELinux-enabled databases # 
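Review bot: the context line at the top of the first hunk, "# - /proc/pid operations are not constrained.", stops being true once the `( t2 == domain )` escape is gated on `( t1 != mcsuntrustedproc )`: for an mcsuntrustedproc domain, reading or writing another process's /proc/pid entries (whose type carries the domain attribute) now falls back to `h1 dom h2`, which is the point of the change, so the comment should say the exemption holds only for trusted domains. Three consistency questions on the new constraints further down the same hunk: `fifo_file` is constrained only on `open`, so a pipe end handed over already open is unconstrained on `read`/`write`; the `fifo_file { open }` override is `mcsreadall` alone, so a domain holding only `mcswriteall` cannot open a higher-level fifo for writing; and `getattr` is constrained for `{ lnk_file chr_file blk_file sock_file }` while the `file` and `dir` constraints above leave `getattr` out. If these asymmetries are intended, a one-line comment above each new constraint would save the next reader the question.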
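Review bot: the new `process { signal }` constraint in the second hunk has no override attribute, unlike `process { sigkill sigstop }` directly above it, which is escaped by `mcskillall`; an untrusted domain that also carries mcskillall could therefore `sigkill` a peer at a different category set but not `signal` it. Either add `( t1 == mcskillall )` for symmetry or state that the omission is deliberate. For `{ tcp_socket udp_socket rawip_socket } node_bind`, `h1 dom h2` compares the binding domain's high level with the node's, and the hunk says nothing about how the nodes these sandboxes bind to are labeled; if the default node context's high level lies above the untrusted domain's, every bind is denied, so the commit message or a comment above the constraint should state the expected node labeling. The other constraints in this file carry an explanatory comment ("# New filesystem object labels must be dominated by the relabeling subject clearance ..."); these two have none.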
diff --git a/policy/modules/kernel/mcs.if > b/policy/modules/kernel/mcs.if index f52faaf..8cd6d57 100644 --- > a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3 > +102,29 @@ > > typeattribute $1 mcssetcats; ') + > +######################################## +## +## Make specified > process type MCS untrusted. +## +## +##

+## This > prevents this domain from interacting +## with subjects and operating on > objects +## that it otherwise would be able to +## interact with or operate > on respectively. +##

+##
+## +## > +## The type of the process. +## +## +# > +interface(`mcs_untrusted_proc',` + gen_require(` + attribute > mcsuntrustedproc; + ') + + typeattribute $1 mcsuntrustedproc; +') diff > --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index > 0e5b661..1d16afc 100644 --- a/policy/modules/kernel/mcs.te +++ > b/policy/modules/kernel/mcs.te @@ -10,3 +10,4 @@ attribute mcssetcats; > attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc;
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCU+ZMACgkQrlYvE4MpobPk/wCdHhXWrFfi0EQ3Jv85dauOmxlD
0eIAoKb7vByxTcby+rK+6A6UgnRSkve1
=5aaK
-----END PGP SIGNATURE-----
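Review bot: the interface description for `mcs_untrusted_proc` in the mcs.if hunk restates the effect in the abstract ("prevents this domain from interacting with subjects and operating on objects that it otherwise would be able to ...") without saying which permissions change, so a reader of mcs.if cannot tell what calling it does. Spell out the concrete effect from the policy/mcs hunks: the domain loses the `t2 == domain` escape in the file, dir, fifo_file, lnk_file, chr_file, blk_file and sock_file constraints (the mcsreadall/mcswriteall overrides still apply), and its `process signal` and socket `node_bind` become subject to `h1 dom h2` with no override. It is also worth recording in the description that trust is the default and this interface is the opt-in, as the reply above explains, since nothing in the interface text or the mcs.te attribute declaration says so.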
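To see what the quoted constraint expressions decide for concrete contexts, here is a small model, added by the editor and not refpolicy or kernel code, that evaluates the pre-patch and post-patch forms of the file/dir constraints and the two new `signal`/`node_bind` constraints. It assumes a single sensitivity s0 (so `h1 dom h2` is a category-superset test), a constructed attribute table (svirt_t and sandbox_t being mcsuntrustedproc follows the seinfo output above; `backup_t` and the object types are assumptions), and models only the MCS constraint layer, not the TE allow rules a real decision also needs.

```python
"""Model of the MCS constraint evaluation for the expressions in the patch.

Added illustration, not refpolicy or kernel code.  Assumptions:
  - a single sensitivity s0, so `h1 dom h2` is a superset test on categories;
  - attribute membership comes from the constructed ATTRS table below;
  - only the constraint layer is modelled; a real decision also needs a
    matching TE allow rule, which is not represented here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Constructed attribute table.  svirt_t/sandbox_t as mcsuntrustedproc follows
# the seinfo output in the reply; the other types are assumptions.
ATTRS: Dict[str, Set[str]] = {
    "svirt_t": {"domain", "mcsuntrustedproc"},
    "sandbox_t": {"domain", "mcsuntrustedproc"},
    "unconfined_t": {"domain"},
    "backup_t": {"domain", "mcsreadall"},  # hypothetical mcsreadall holder
    "svirt_image_t": set(),
    "node_t": set(),
}


def parse_cats(level: str) -> FrozenSet[int]:
    """'s0:c1,c3.c5' -> {1, 3, 4, 5}; a bare 's0' carries no categories."""
    if ":" not in level:
        return frozenset()
    cats: Set[int] = set()
    for part in level.split(":", 1)[1].split(","):
        if "." in part:  # range such as c3.c5
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: str
    high: str

    @classmethod
    def parse(cls, text: str) -> "Context":
        """Accepts 'u:r:t:s0:c1,c2' (single level) or 'u:r:t:s0-s0:c0.c1023'."""
        user, role, type_, rng = text.split(":", 3)
        low, _, high = rng.partition("-")
        return cls(user, role, type_, low, high or low)


def dom(h1: str, h2: str) -> bool:
    """MCS dominance within one sensitivity: subject categories are a superset."""
    return parse_cats(h1) >= parse_cats(h2)


def has(type_: str, attr: str) -> bool:
    return attr in ATTRS.get(type_, set())


Expr = Callable[[Context, Context], bool]


def _file_expr(override: str, patched: bool) -> Expr:
    """file/dir shape: dom, or the override attribute, or the 'domain' escape."""
    def expr(s: Context, o: Context) -> bool:
        escape = has(o.type, "domain")
        if patched:  # '+' lines: the escape is only for trusted subjects
            escape = escape and not has(s.type, "mcsuntrustedproc")
        return dom(s.high, o.high) or has(s.type, override) or escape
    return expr


def _untrusted_only(s: Context, o: Context) -> bool:
    """process signal / socket node_bind: dom, or t1 is not untrusted."""
    return dom(s.high, o.high) or not has(s.type, "mcsuntrustedproc")


def constraints(patched: bool) -> Dict[Tuple[str, str], Expr]:
    table: Dict[Tuple[str, str], Expr] = {
        ("file", "read"): _file_expr("mcsreadall", patched),
        ("file", "write"): _file_expr("mcswriteall", patched),
        ("dir", "search"): _file_expr("mcsreadall", patched),
    }
    if patched:  # these two constraints did not exist before the patch
        table[("process", "signal")] = _untrusted_only
        table[("tcp_socket", "node_bind")] = _untrusted_only
    return table


def permitted(subject: str, obj: str, cls: str, perm: str, patched: bool = True) -> bool:
    """True if the MCS constraint (if any) for cls/perm permits subject on obj."""
    expr = constraints(patched).get((cls, perm))
    if expr is None:
        return True  # class/permission not constrained by MCS
    return expr(Context.parse(subject), Context.parse(obj))


if __name__ == "__main__":
    vm1 = "system_u:system_r:svirt_t:s0:c12,c34"
    vm2_proc = "system_u:system_r:svirt_t:s0:c56,c78"  # /proc/<pid> of another VM
    for patched in (False, True):
        print("patched" if patched else "before ",
              "svirt_t reads another VM's /proc/pid:",
              permitted(vm1, vm2_proc, "file", "read", patched))
```

The interesting rows are the ones that flip: before the patch a svirt_t instance could read a sibling instance's /proc/pid entries through the `t2 == domain` escape regardless of categories, and after it the read, like a `signal` to that sibling, is decided purely by category dominance. The `node_bind` case with a node labeled `s0-s0:c0.c1023` shows why the node labeling matters: the sandbox's high level does not dominate the node's and the bind is refused.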