From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 27 Jul 2016 19:00:22 -0400
Subject: [refpolicy] [PATCH] Add new MLS attribute to allow relabeling
 objects higher than system low. This exception is needed for package
 managers when processing sensitive data.
In-Reply-To: <1469633703-11252-1-git-send-email-lvrabec@redhat.com>
References: <1469633703-11252-1-git-send-email-lvrabec@redhat.com>
Message-ID: <d2c7e5ed-ac2a-332b-71f1-95d88808edc2@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/27/16 11:35, Lukas Vrabec wrote:
> Example of denial:
> type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
> pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
> scontext=root:system_r:rpm_t:s0
> tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir


The commit message is slightly misleading (the denial isn't a relabel to 
clearance situation; it's a complete exemption), but it's merged.

> ---
>  policy/mls                   |  4 +++-
>  policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
>  policy/modules/kernel/mls.te |  1 +
>  3 files changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/policy/mls b/policy/mls
> index 3603de1..db3ed90 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
>
>  # new file labels must be dominated by the relabeling subjects clearance
>  mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
> -	( h1 dom h2 );
> +	(( h1 dom h2 ) or
> +	(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
> +	( t1 == mlsfilewrite ));
>
>  # the file "read" ops (note the check is dominance of the low level)
>  mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
> diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
> index 27d6401..829605b 100644
> --- a/policy/modules/kernel/mls.if
> +++ b/policy/modules/kernel/mls.if
> @@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
>  ########################################
>  ## <summary>
>  ##	Make specified domain MLS trusted
> +##	for relabelto to files up to its clearance.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_file_relabel_to_clearance',`
> +	gen_require(`
> +		attribute mlsfilerelabeltoclr;
> +	')
> +
> +	typeattribute $1 mlsfilerelabeltoclr;
> +')
> +
> +########################################
> +## <summary>
> +##	Make specified domain MLS trusted
>  ##	for writing to files at all levels.  (Deprecated)
>  ## </summary>
>  ## <desc>
> diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
> index e508050..13b8625 100644
> --- a/policy/modules/kernel/mls.te
> +++ b/policy/modules/kernel/mls.te
> @@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
>  attribute mlsfilewriteinrange;
>  attribute mlsfileupgrade;
>  attribute mlsfiledowngrade;
> +attribute mlsfilerelabeltoclr;
>
>  attribute mlsnetread;
>  attribute mlsnetreadtoclr;
>


-- 
Chris PeBenito