From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 26 Nov 2012 16:23:49 -0500 Subject: [refpolicy] [PATCH] Implement mcsuntrustedproc. In-Reply-To: <50B3931F.906@tresys.com> References: <1351881968-8686-1-git-send-email-dominick.grift@gmail.com> <50B3931F.906@tresys.com> Message-ID: <50B3DDE5.7090506@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote: > On 11/02/12 14:46, Dominick Grift wrote: >> >> This process is not allowed to interact with subjects or operate on >> objects that it would otherwise be able to interact with or operate on >> respectively. >> >> This is, i think, to make sure that specified processes cannot interact >> with subject or operate on objects regardless of its mcs range. >> >> It is used by svirt and probably also by sandbox >> >> Signed-off-by: Dominick Grift diff --git >> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs >> +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations are not >> constrained. >> >> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 >> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) >> or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc ) and (t2 == >> domain))); >> >> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom >> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( >> t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == >> domain))); >> >> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == >> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall >> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); >> >> mlsconstrain dir { write setattr append unlink link rename add_name >> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain >> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != >> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open >> } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != mcsuntrustedproc >> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file >> sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( t1 == mcsreadall >> ) or + (( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain >> { lnk_file chr_file blk_file sock_file } { write setattr } + (( h1 dom h2 >> ) or ( t1 == mcswriteall ) or + (( t1 != mcsuntrustedproc ) and (t2 == >> domain))); >> >> # New filesystem object labels must be dominated by the relabeling >> subject # clearance, also the objects are single-level. @@ -101,6 +117,12 >> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == >> mcskillall )); >> >> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != >> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket >> } node_bind + (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + > > This doesn't look right. It says that only untrusted processes are > MCS-constrained for these permissions. > Yes the idea we have moved to is to make MCS contraints opt in by the policy writer rather then optout. seinfo -amcsuntrustedproc -x mcsuntrustedproc svirt_lxc_net_t openshift_app_t openshift_min_t openshift_net_t openshift_min_app_t openshift_net_app_t svirt_nokvm_t sandbox_x_t svirt_t sandbox_min_t sandbox_net_t sandbox_web_t openshift_t sandbox_t That way we don't have to deal with lots of domains that might interact with a MCS constrained application. cupsd_t, httpd_t... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEARECAAYFAlCz3eUACgkQrlYvE4MpobP6QwCg4cG4qIaRbtpRSfAILfeMJD/N KyMAoOimApzFIMl970MycKusZMQCjP8r =uhgE -----END PGP SIGNATURE-----