From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 27 Jul 2016 19:00:22 -0400 Subject: [refpolicy] [PATCH] Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. In-Reply-To: <1469633703-11252-1-git-send-email-lvrabec@redhat.com> References: <1469633703-11252-1-git-send-email-lvrabec@redhat.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/27/16 11:35, Lukas Vrabec wrote: > Example of denial: > type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for > pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147 > scontext=root:system_r:rpm_t:s0 > tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir The commit message is slightly misleading (the denial isn't a relabel to clearance situation; it's a complete exemption), but it's merged. > --- > policy/mls | 4 +++- > policy/modules/kernel/mls.if | 20 ++++++++++++++++++++ > policy/modules/kernel/mls.te | 1 + > 3 files changed, 24 insertions(+), 1 deletion(-) > > diff --git a/policy/mls b/policy/mls > index 3603de1..db3ed90 100644 > --- a/policy/mls > +++ b/policy/mls > @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } > > # new file labels must be dominated by the relabeling subjects clearance > mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto > - ( h1 dom h2 ); > + (( h1 dom h2 ) or > + (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or > + ( t1 == mlsfilewrite )); > > # the file "read" ops (note the check is dominance of the low level) > mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } > diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if > index 27d6401..829605b 100644 > --- a/policy/modules/kernel/mls.if > +++ b/policy/modules/kernel/mls.if 
> @@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',` > ######################################## > ## > ## Make specified domain MLS trusted > +## for relabelto to files up to its clearance. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`mls_file_relabel_to_clearance',` > + gen_require(` > + attribute mlsfilerelabeltoclr; > + ') > + > + typeattribute $1 mlsfilerelabeltoclr; > +') > + > +######################################## > +## > +## Make specified domain MLS trusted > ## for writing to files at all levels. (Deprecated) > ## > ## > diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te > index e508050..13b8625 100644 > --- a/policy/modules/kernel/mls.te > +++ b/policy/modules/kernel/mls.te > @@ -12,6 +12,7 @@ attribute mlsfilewritetoclr; > attribute mlsfilewriteinrange; > attribute mlsfileupgrade; > attribute mlsfiledowngrade; > +attribute mlsfilerelabeltoclr; > > attribute mlsnetread; > attribute mlsnetreadtoclr; > -- Chris PeBenito
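Review bot: in the policy/mls hunk, the comment directly above the changed mlsconstrain ("# new file labels must be dominated by the relabeling subjects clearance") is now wrong for two of the three branches and should be updated in the same change: the `mlsfilerelabeltoclr` branch only requires `h1 dom l2`, i.e. the subject's clearance must dominate the target's low level, so a target high of s15:c0.c1023 (as in the quoted denial) passes for a subject at s0; and the `( t1 == mlsfilewrite )` branch is a second, unconditional exemption that neither the commit message nor the cover text mentions and deserves its own justification (or its own commit). Suggest rewording the comment to something like "# new file labels must be dominated by the relabeling subject's clearance, unless the subject is exempted via mlsfilerelabeltoclr (low level only) or mlsfilewrite".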
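Review bot: in the mls.if hunk, the summary of `mls_file_relabel_to_clearance` ("Make specified domain MLS trusted for relabelto to files up to its clearance") overstates what the constraint enforces, since the matching clause in policy/mls checks `h1 dom l2` rather than `h1 dom h2`, so the high level of the new label is not bounded by the caller's clearance at all. Either make the constraint match the documented intent (`h1 dom h2`) or change the interface description to state that only the low level of the target range must be dominated by the domain's clearance, so that policy authors granting this attribute understand it is close to a full exemption for the high end of the range.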
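Review bot: in the mls.te hunk, `attribute mlsfilerelabeltoclr;` is declared but nothing in this series assigns a type to it; the diffstat touches only policy/mls, mls.if and mls.te, so the rpm_t denial quoted in the cover text is not actually resolved by this patch. A follow-up (or an additional hunk here) that calls `mls_file_relabel_to_clearance()` from the package-manager policy is needed, and it would be worth stating in the commit message which domains are expected to receive the attribute so the exemption stays narrow.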