From: d46.brown@student.qut.edu.au (Douglas Brown)
Date: Wed, 10 Apr 2013 19:25:31 +1000
Subject: [refpolicy] MCS Policy Constraints
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/2013, at 6:27 AM, Sven Vermeulen wrote:

> On Apr 9, 2013 10:11 PM, "Douglas Brown" wrote:
>>
>> Hi all,
>>
>> The MCS policy has only file, database and one network-related class
>> constraint. I'm sure this is deliberate by design, however I'd like to
>> know if there's any impediment to adding category domain separation for
>> all the classes in the MLS policy to the MCS policy and if I may submit
>> a patch to do so?
>
> Isn't this because categories need to be set by users and this is only
> possible on the (mainly) file classes?

I don't think so. A context, and therefore categories, can be
administratively assigned to processes, ports, or any other object.

Ideally on an opt-in basis, services could be run with a limited set of
categories assigned to them and, using the attribute
'mcs_constrained_type', could be (h1 dom h2) restricted, as is already the
case with some socket classes, introduced with Dominick's commit
c2f056b2f63ce37a84ac8f468d356108b1737d97 on 2012-11-27 to 'policy/mcs':

    mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
        (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

Cheers,
Doug
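To make the constraint quoted in the reply concrete, here is an added example (not code from the refpolicy project or from this thread): a small Python evaluator of the `node_bind` mlsconstrain over MCS contexts. The type name `svc_t` and the sample contexts are constructed for illustration; `CONSTRAINED_CLASSES` can be widened to model the proposal of covering more classes.

```python
# Added example, not refpolicy code: evaluate the quoted constraint
#   mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
#       (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# In MCS every level has sensitivity s0 and low == high, so "h1 dom h2"
# reduces to "the source's category set is a superset of the target's".
# Only the constraint is modelled; the TE allow rules that must also pass
# are assumed to exist.

CONSTRAINED_CLASSES = {"tcp_socket", "udp_socket", "rawip_socket"}
CONSTRAINED_PERMS = {"node_bind"}


def parse_categories(level: str) -> frozenset:
    """Category numbers of an MCS level such as 's0', 's0:c1,c3' or 's0:c2.c4'."""
    if ":" not in level:
        return frozenset()
    cats = set()
    for piece in level.split(":", 1)[1].split(","):
        if "." in piece:                      # c2.c4 is the inclusive range c2..c4
            lo, hi = (int(c[1:]) for c in piece.split("."))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(piece[1:]))
    return frozenset(cats)


def high_level(context: str) -> str:
    """High level of 'user:role:type:low-high' (or 'user:role:type:level')."""
    level = context.split(":", 3)[3]
    return level.split("-")[-1]


def constraint_allows(src_ctx: str, tgt_ctx: str, tclass: str, perm: str,
                      mcs_constrained_types: set) -> bool:
    """True if the quoted mlsconstrain does not block src -> tgt for (tclass, perm)."""
    if tclass not in CONSTRAINED_CLASSES or perm not in CONSTRAINED_PERMS:
        return True                           # constraint does not apply at all
    t1 = src_ctx.split(":")[2]
    h1 = parse_categories(high_level(src_ctx))
    h2 = parse_categories(high_level(tgt_ctx))
    return h1 >= h2 or t1 not in mcs_constrained_types


if __name__ == "__main__":
    # Constructed sample: a service confined to category c1 binding to a node
    # labelled with categories c1 and c2 (hypothetical type/context names).
    constrained = {"svc_t"}
    svc = "system_u:system_r:svc_t:s0:c1"
    node = "system_u:object_r:node_t:s0:c1,c2"
    print(constraint_allows(svc, node, "tcp_socket", "node_bind", constrained))  # False
    print(constraint_allows(svc, node, "tcp_socket", "node_bind", set()))        # True
```

With `svc_t` opted in via the attribute the bind is refused because c1 does not dominate {c1, c2}; leaving the type out of `mcs_constrained_type` makes the constraint vacuously true.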