From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 28 Nov 2012 16:26:58 -0500
Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type
In-Reply-To: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
References: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <50B681A2.8070303@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/27/12 11:59, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, I think, to make sure that specified processes cannot interact
> with subjects or operate on objects regardless of its MCS range.
>
> It is used by svirt and probably also by sandbox

Merged.

> Signed-off-by: Dominick Grift
>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..216b3d1 100644
> --- a/policy/mcs
> +++ b/policy/mcs 
> @@ -69,16 +69,32 @@ > # - /proc/pid operations are not constrained. > > mlsconstrain file { read ioctl lock execute execute_no_trans } > - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); > + (( h1 dom h2 ) or ( t1 == mcsreadall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > mlsconstrain file { write setattr append unlink link rename } > - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); > + (( h1 dom h2 ) or ( t1 == mcswriteall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > mlsconstrain dir { search read ioctl lock } > - (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); > + (( h1 dom h2 ) or ( t1 == mcsreadall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > mlsconstrain dir { write setattr append unlink link rename add_name remove_name } > - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); > + (( h1 dom h2 ) or ( t1 == mcswriteall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > + > +mlsconstrain fifo_file { open } > + (( h1 dom h2 ) or ( t1 == mcsreadall ) or > + (( t1 != mcs_constrained_type ) and ( t2 == domain ))); > + > +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } > + (( h1 dom h2 ) or ( t1 == mcsreadall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > + > +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } > + (( h1 dom h2 ) or ( t1 == mcswriteall ) or > + (( t1 != mcs_constrained_type ) and (t2 == domain))); > > # New filesystem object labels must be dominated by the relabeling subject > # clearance, also the objects are single-level. 
> @@ -101,6 +117,12 @@ > mlsconstrain process { sigkill sigstop } > (( h1 dom h2 ) or ( t1 == mcskillall )); > > +mlsconstrain process { signal } > + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); > + > +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind > + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); > + > # > # MCS policy for SELinux-enabled databases > # > diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if > index f52faaf..508e609 100644 > --- a/policy/modules/kernel/mcs.if > +++ b/policy/modules/kernel/mcs.if > @@ -102,3 +102,31 @@ > > typeattribute $1 mcssetcats; > ') > + > +######################################## > +## > +## Constrain by category access control (MCS). > +## > +## > +##

> +## Constrain the specified type by category based > +## access control (MCS) This prevents this domain from > +## interacting with subjects and operating on objects > +## that it otherwise would be able to interact > +## with or operate on respectively. > +##

> +##
> +## > +## > +## Type to be constrained by MCS. > +## > +## > +## > +# > +interface(`mcs_constrained',` > + gen_require(` > + attribute mcs_constrained_type; > + ') > + > + typeattribute $1 mcs_constrained_type; > +') > diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te > index 0e5b661..c608a8b 100644 > --- a/policy/modules/kernel/mcs.te > +++ b/policy/modules/kernel/mcs.te > @@ -10,3 +10,4 @@ > attribute mcssetcats; > attribute mcswriteall; > attribute mcsreadall; > +attribute mcs_constrained_type; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com