From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 28 Nov 2012 16:26:58 -0500
Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type
In-Reply-To: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
References: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <50B681A2.8070303@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/27/12 11:59, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox

Merged.
 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> 
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..216b3d1 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
>  #  - /proc/pid operations are not constrained.
>  
>  mlsconstrain file { read ioctl lock execute execute_no_trans }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain file { write setattr append unlink link rename }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain dir { search read ioctl lock }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  # New filesystem object labels must be dominated by the relabeling subject
>  # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
>  mlsconstrain process { sigkill sigstop }
>  	(( h1 dom h2 ) or ( t1 == mcskillall ));
>  
> +mlsconstrain process { signal }
> +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
>  #
>  # MCS policy for SELinux-enabled databases
>  #
> diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
> index f52faaf..508e609 100644
> --- a/policy/modules/kernel/mcs.if
> +++ b/policy/modules/kernel/mcs.if
> @@ -102,3 +102,31 @@
>  
>  	typeattribute $1 mcssetcats;
>  ')
> +
> +########################################
> +## <summary>
> +##	Constrain by category access control (MCS).
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Constrain the specified type by category based
> +##	access control (MCS) This prevents this domain from
> +##	interacting with subjects and operating on objects
> +##	that it otherwise would be able to interact
> +##	with or operate on respectively.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be constrained by MCS.
> +##	</summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`mcs_constrained',`
> +	gen_require(`
> +		attribute mcs_constrained_type;
> +	')
> +
> +	typeattribute $1 mcs_constrained_type;
> +')
> diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
> index 0e5b661..c608a8b 100644
> --- a/policy/modules/kernel/mcs.te
> +++ b/policy/modules/kernel/mcs.te
> @@ -10,3 +10,4 @@
>  attribute mcssetcats;
>  attribute mcswriteall;
>  attribute mcsreadall;
> +attribute mcs_constrained_type;

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com