From: dwalsh@redhat.com (Daniel J Walsh)
Date: Sat, 03 Nov 2012 07:01:39 -0400
Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc.
In-Reply-To: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com>
References: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <5094F993.7010800@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes the idea is that MCS Trust is opt in versus opt out.  So if a policy
writer wants to separate his domains based on MCS policy he must add this
attribute.

We currently separate:

seinfo -amcsuntrustedproc -x
   mcsuntrustedproc
      svirt_lxc_net_t
      openshift_app_t
      openshift_min_t
      openshift_net_t
      openshift_min_app_t
      openshift_net_app_t
      sandbox_x_t
      svirt_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      svirt_prot_exec_t
      openshift_t
      sandbox_t

On 11/02/2012 02:46 PM, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on 
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact 
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs 
> +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations are not
> constrained.
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1
> == mcsreadall ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
> t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
> } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc )
> and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
> sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain {
> lnk_file chr_file blk_file sock_file } { write setattr } +	(( h1 dom h2 )
> or ( t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
> domain)));
> 
> # New filesystem object labels must be dominated by the relabeling subject 
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ 
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
> 
> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket }
> node_bind +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy
> for SELinux-enabled databases # diff --git a/policy/modules/kernel/mcs.if
> b/policy/modules/kernel/mcs.if index f52faaf..8cd6d57 100644 ---
> a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3
> +102,29 @@
> 
> typeattribute $1 mcssetcats; ') + 
> +######################################## +## <summary> +##	Make specified
> process type MCS untrusted. +## </summary> +## <desc> +##	<p> +##	This
> prevents this domain from interacting +##	with subjects and operating on
> objects +##	that it otherwise would be able to +##	interact with or operate
> on respectively. +##	</p> +## </desc> +## <param name="domain"> +##
> <summary> +##	The type of the process. +##	</summary> +## </param> +# 
> +interface(`mcs_untrusted_proc',` +	gen_require(` +		attribute
> mcsuntrustedproc; +	') + +	typeattribute $1 mcsuntrustedproc; +') diff
> --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index
> 0e5b661..1d16afc 100644 --- a/policy/modules/kernel/mcs.te +++
> b/policy/modules/kernel/mcs.te @@ -10,3 +10,4 @@ attribute mcssetcats; 
> attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc; 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCU+ZMACgkQrlYvE4MpobPk/wCdHhXWrFfi0EQ3Jv85dauOmxlD
0eIAoKb7vByxTcby+rK+6A6UgnRSkve1
=5aaK
-----END PGP SIGNATURE-----