From: dominick.grift@gmail.com (Dominick Grift) Date: Tue, 27 Nov 2012 17:59:19 +0100 Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type Message-ID: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This process is not allowed to interact with subjects or operate on objects that it would otherwise be able to interact with or operate on respectively. This is, i think, to make sure that specified processes cannot interact with subject or operate on objects regardless of its mcs range. It is used by svirt and probably also by sandbox Signed-off-by: Dominick Grift
diff --git a/policy/mcs b/policy/mcs
index f477c7f..216b3d1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@
 # - /proc/pid operations are not constrained.
 mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcs_constrained_type ) and (t2 == domain)));
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
@@ -101,6 +117,12 @@
 mlsconstrain process { sigkill sigstop }
 (( h1 dom h2 ) or ( t1 == mcskillall ));
+mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
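Review bot: The context comment `# - /proc/pid operations are not constrained.` at the top of the first hunk is no longer accurate once the `t2 == domain` escape, which is what exempts /proc/pid objects, is conditioned on `t1 != mcs_constrained_type`: constrained types must now satisfy `h1 dom h2` for those objects as well, so the comment should read `# - /proc/pid operations are not constrained, except for mcs_constrained_type.` The new fifo_file, lnk_file, chr_file, blk_file and sock_file rules also bind every domain, not only the constrained ones, because only the /proc/pid escape is tied to the attribute; unless an equivalent rule already exists outside the hunk, this extends MCS enforcement to classes it did not cover before and deserves a sentence in the description. Minor style point: the fifo_file rule writes `( t2 == domain )` where the neighbouring rules write `(t2 == domain)`.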
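Review bot: The added `process { signal }` rule, together with the existing `sigkill sigstop` rule above it, leaves the other process signalling permissions (signull, sigchld) unconstrained for mcs_constrained_type; if that is deliberate, a short comment above the rule saying so would save the next reader the question, otherwise `mlsconstrain process { signal signull }` would close the gap. Unlike the sigkill/sigstop rule this one has no `mcskillall` escape, which looks intentional since it only binds constrained types, but is worth stating in the same comment. The node_bind rule has the same shape and the same comment would cover it.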
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..508e609 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,31 @@
 typeattribute $1 mcssetcats;
 ')
+
+########################################
+##
+## Constrain by category access control (MCS).
+##
+##
+##

+## Constrain the specified type by category based
+## access control (MCS) This prevents this domain from
+## interacting with subjects and operating on objects
+## that it otherwise would be able to interact
+## with or operate on respectively.
+##

+##
+##
+##
+## Type to be constrained by MCS.
+##
+##
+##
+#
+interface(`mcs_constrained',`
+ gen_require(`
+ attribute mcs_constrained_type;
+ ')
+
+ typeattribute $1 mcs_constrained_type;
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..c608a8b 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcs_constrained_type;
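Review bot: The interface description in the mcs.if hunk runs two sentences together: `access control (MCS) This prevents this domain` should read `access control (MCS). This prevents this domain`. It would also help policy writers to say in the description which object classes and permissions the attribute affects, since the actual effect lives in policy/mcs rather than next to the interface; a sentence such as `The constrained type must dominate the target's MCS range for file, dir, fifo_file, lnk_file, chr_file, blk_file and sock_file access, process signal and node_bind, even where other domains are exempt (for example /proc/pid objects).` would do. The XML tags of the doc block appear to have been stripped in this rendering, so their structure could not be checked here.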