From: lvrabec@redhat.com (Lukas Vrabec)
Date: Wed, 27 Jul 2016 17:35:03 +0200
Subject: [refpolicy] [PATCH] Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
Message-ID: <1469633703-11252-1-git-send-email-lvrabec@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Example of denial:
type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147 scontext=root:system_r:rpm_t:s0 tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
---
 policy/mls | 4 +++-
 policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
 policy/modules/kernel/mls.te | 1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/policy/mls b/policy/mls
index 3603de1..db3ed90 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
+	(( h1 dom h2 ) or
+	 (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsfilewrite ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 27d6401..829605b 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
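Review bot: The new `(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 ))` clause in the relabelto constraint only requires the subject's clearance to dominate the new context's low level; the new high level h2 is no longer bounded at all for such domains, so an rpm_t:s0 subject can set a range reaching s15:c0.c1023 as the example in the description needs, but the comment above the constraint, "new file labels must be dominated by the relabeling subjects clearance", is now wrong for those domains and should be updated, e.g. `# new file labels must be dominated by the relabeling subjects clearance; mlsfilerelabeltoclr domains only need to dominate the new low level, mlsfilewrite domains are unconstrained`. Separately, the added `( t1 == mlsfilewrite )` exemption is not mentioned in the commit description: it drops the clearance check entirely for every existing domain that carries the deprecated write-all-levels attribute, which is a wider change than the package-manager case and deserves its own justification in the message. The hunk header counts 7 and 9 lines but only 6 and 8 are visible here, so a trailing context line may have been lost in this listing.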
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
 ########################################
 ##
 ## Make specified domain MLS trusted
+## for relabelto to files up to its clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_file_relabel_to_clearance',`
+	gen_require(`
+		attribute mlsfilerelabeltoclr;
+	')
+
+	typeattribute $1 mlsfilerelabeltoclr;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
 ## for writing to files at all levels. (Deprecated)
 ##
 ##
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e508050..13b8625 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 attribute mlsnetread;
 attribute mlsnetreadtoclr;
-- 
2.5.5
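Review bot: The summary of `mls_file_relabel_to_clearance` says the domain may "relabelto to files up to its clearance", but the constraint this attribute enables in the policy/mls hunk (`( h1 dom l2 )`) only requires the caller's clearance to dominate the new context's low level and puts no bound on the new high level, so "up to its clearance" reads as a cap that does not exist. Suggest `## for relabelto to files whose new low level is dominated by its clearance (the new high level is not bounded).` so policy authors granting this interface understand what they are handing out. The interface body itself follows the file's gen_require/typeattribute pattern, and the attribute is declared in the mls.te hunk of the same patch. The XML tags of the summary and param blocks did not survive in this listing, so their exact form cannot be checked here.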