From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 27 Nov 2012 14:44:14 -0500
Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type
In-Reply-To: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
References: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <50B5180E.8060709@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/27/2012 11:59 AM, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on 
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact 
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> 
> diff --git a/policy/mcs b/policy/mcs index f477c7f..216b3d1 100644 ---
> a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations
> are not constrained.
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1
> == mcsreadall ) or +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> 
> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
> t1 == mcswriteall ) or +	(( t1 != mcs_constrained_type ) and (t2 ==
> domain)));
> 
> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> 
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcs_constrained_type ) and (t2 == domain))); + +mlsconstrain fifo_file {
> open } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 !=
> mcs_constrained_type ) and ( t2 == domain ))); + +mlsconstrain { lnk_file
> chr_file blk_file sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or (
> t1 == mcsreadall ) or +	(( t1 != mcs_constrained_type ) and (t2 ==
> domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write
> setattr } +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcs_constrained_type ) and (t2 == domain)));
> 
> # New filesystem object labels must be dominated by the relabeling subject 
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ 
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
> 
> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
> mcs_constrained_type )); + +mlsconstrain { tcp_socket udp_socket
> rawip_socket } node_bind +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type
> )); + # # MCS policy for SELinux-enabled databases # diff --git
> a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index
> f52faaf..508e609 100644 --- a/policy/modules/kernel/mcs.if +++
> b/policy/modules/kernel/mcs.if @@ -102,3 +102,31 @@
> 
> typeattribute $1 mcssetcats; ') + 
> +######################################## +## <summary> +##	Constrain by
> category access control (MCS). +## </summary> +## <desc> +##	<p> +##
> Constrain the specified type by category based +##	access control (MCS)
> This prevents this domain from +##	interacting with subjects and operating
> on objects +##	that it otherwise would be able to interact +##	with or
> operate on respectively. +##	</p> +## </desc> +## <param name="domain"> +##
> <summary> +##	Type to be constrained by MCS. +##	</summary> +## </param> 
> +## <infoflow type="none"/> +# +interface(`mcs_constrained',` +
> gen_require(` +		attribute mcs_constrained_type; +	') + +	typeattribute $1
> mcs_constrained_type; +') diff --git a/policy/modules/kernel/mcs.te
> b/policy/modules/kernel/mcs.te index 0e5b661..c608a8b 100644 ---
> a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3
> +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute
> mcsreadall; +attribute mcs_constrained_type; 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 
Looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC1GA0ACgkQrlYvE4MpobM2tQCfSgNuqcCilBEuofKNVMfe6n2S
UrQAoN5IPW3SGuD5qgNWTzNQ+BzGWbD/
=ylpr
-----END PGP SIGNATURE-----