From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 27 Nov 2012 14:44:14 -0500
Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type
In-Reply-To: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
References: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <50B5180E.8060709@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/27/2012 11:59 AM, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, I think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
>
> It is used by svirt and probably also by sandbox
>
> Signed-off-by: Dominick Grift
>
> diff --git a/policy/mcs b/policy/mcs index f477c7f..216b3d1 100644 --- > a/policy/mcs +++ b/policy/mcs 
@@ -69,16 +69,32 @@ # - /proc/pid operations > are not constrained. > > mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom > h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 > == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > mlsconstrain file { write setattr append unlink link rename } - (( h1 dom > h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( > t1 == mcswriteall ) or + (( t1 != mcs_constrained_type ) and (t2 == > domain))); > > mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == > mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall ) > or + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > mlsconstrain dir { write setattr append unlink link rename add_name > remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain > )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != > mcs_constrained_type ) and (t2 == domain))); + +mlsconstrain fifo_file { > open } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 != > mcs_constrained_type ) and ( t2 == domain ))); + +mlsconstrain { lnk_file > chr_file blk_file sock_file } { getattr read ioctl } + (( h1 dom h2 ) or ( > t1 == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == > domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write > setattr } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 != > mcs_constrained_type ) and (t2 == domain))); > > # New filesystem object labels must be dominated by the relabeling subject > # clearance, also the objects are single-level. 
@@ -101,6 +117,12 @@ > mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == > mcskillall )); > > +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 != > mcs_constrained_type )); + +mlsconstrain { tcp_socket udp_socket > rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type > )); + # # MCS policy for SELinux-enabled databases # diff --git > a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index > f52faaf..508e609 100644 --- a/policy/modules/kernel/mcs.if +++ > b/policy/modules/kernel/mcs.if @@ -102,3 +102,31 @@ > > typeattribute $1 mcssetcats; ') + > +######################################## +## +## Constrain by > category access control (MCS). +## +## +##

+## > Constrain the specified type by category based +## access control (MCS) > This prevents this domain from +## interacting with subjects and operating > on objects +## that it otherwise would be able to interact +## with or > operate on respectively. +##

+##
+## +## > +## Type to be constrained by MCS. +## +## > +## +# +interface(`mcs_constrained',` + > gen_require(` + attribute mcs_constrained_type; + ') + + typeattribute $1 > mcs_constrained_type; +') diff --git a/policy/modules/kernel/mcs.te > b/policy/modules/kernel/mcs.te index 0e5b661..c608a8b 100644 --- > a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3 > +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute > mcsreadall; +attribute mcs_constrained_type;

Looks good to me.
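Review bot: in the first policy/mcs hunk (@@ -69,16 +69,32 @@), the three newly added mlsconstrain statements (fifo_file { open }, { lnk_file chr_file blk_file sock_file } { getattr read ioctl } and { lnk_file chr_file blk_file sock_file } { write setattr }) are not limited to mcs_constrained_type: the `( t1 != mcs_constrained_type ) and (t2 == domain)` term only narrows the domain-object exemption, so for ordinary (non-domain) objects every domain now has category dominance enforced on fifo opens and on symlink, device and socket file reads and writes, which the commit message does not mention. Two scope inconsistencies are worth a second look as well: `getattr` is constrained for lnk_file/chr_file/blk_file/sock_file but not for the file and dir classes above, and `fifo_file { open }` exempts only `mcsreadall` although a fifo may be opened for writing, where `mcswriteall` would be the expected exemption. Suggest either stating the widened enforcement in the description or, if only the constrained domain is meant to be affected, gating the new statements like the later hunk does, e.g. `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))`.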
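Review bot: in the second policy/mcs hunk (@@ -101,6 +117,12 @@), the new `process { signal }` constraint carries no `mcskillall` exemption, unlike the `sigkill sigstop` constraint directly above it, so a type that is both mcs_constrained_type and mcskillall could still sigkill across categories but not deliver a plain signal; if that asymmetry is intended it deserves a comment, otherwise add `or ( t1 == mcskillall )` for consistency. For the `node_bind` constraint, it only denies a bind when the node object's range is not dominated by the process high level, i.e. when nodes are labelled with categories; since the commit message says this exists for svirt, it should say how nodes are expected to be labelled for the constraint to have any effect.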
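Review bot: in the mcs.if hunk (@@ -102,3 +102,31 @@), the interface description restates the commit message rather than the concrete effect, so a reader of mcs_constrained() cannot tell from "interacting with subjects and operating on objects" which permissions change. Suggest listing them: the domain loses the `t2 == domain` exemption on file and dir access, so category dominance is checked even against domain-labelled objects, and additionally gets category dominance enforced for `process { signal }` and socket `node_bind`. Also a full stop is missing after "(MCS)" in the first sentence of the description ("...access control (MCS) This prevents...").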
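Review bot: in the mcs.te hunk (@@ -10,3 +10,4 @@), naming style: the existing attributes in this file are `mcssetcats`, `mcswriteall` and `mcsreadall` (no underscores), so `mcs_constrained_type` breaks the pattern; consider `mcsconstrained` for consistency, or if the underscored name is kept, say so in the commit message so later additions follow one convention.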