From: jason@perfinion.com (Jason Zaman) Date: Thu, 2 Nov 2017 19:11:26 +0800 Subject: [refpolicy] [PATCH 1/5] mls mcs: Add constraints for key class In-Reply-To: <60124e71-3d3b-d832-426d-83b38026c74f@ieee.org> References: <20171031053707.6893-1-jason@perfinion.com> <60124e71-3d3b-d832-426d-83b38026c74f@ieee.org> Message-ID: <20171102111126.GB8319@meriadoc.perfinion.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, Nov 01, 2017 at 06:49:23PM -0400, Chris PeBenito wrote: > On 10/31/2017 01:37 AM, Jason Zaman wrote: > > Taken from fedoras policy > > https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls > > https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs > > --- > > policy/mcs | 3 +++ > > policy/mls | 8 ++++++++ > > 2 files changed, 11 insertions(+) > > > > diff --git a/policy/mcs b/policy/mcs > > index 4d030112..94319570 100644 > > --- a/policy/mcs > > +++ b/policy/mcs > > @@ -123,6 +123,9 @@ mlsconstrain process { signal } > > mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind > > (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); > > > > +mlsconstrain key { create link read search setattr view write } > > + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); > > + > > # > > # MCS policy for SELinux-enabled databases > > # > > diff --git a/policy/mls b/policy/mls > > index 69ca7263..c9be3125 100644 > > --- a/policy/mls > > +++ b/policy/mls > > @@ -281,6 +281,14 @@ mlsconstrain msg send > > # { ipc sem msgq shm } associate > > > > > > +# > > +# MLS policy for the key class > > +# > > + > > +mlsconstrain key { create link read search setattr view write } > > + (( l1 eq l2 ) or > > + (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or > > + ( t1 == mlsprocwrite )); > > Why doesn't this have a new set of attributes for exemption, e.g. > mlskeywritetoclr? Oops. I'll fix that and add the interfaces for it. > > -- > Chris PeBenito
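Review bot: in the policy/mcs hunk the new `mlsconstrain key { ... }` is dropped in with no comment header, directly under the socket `node_bind` rule and just above the `# MCS policy for SELinux-enabled databases` block, so it reads as a stray addition to the socket section. Suggest giving it the same kind of header the policy/mls hunk already uses (`#` / `# MCS policy for the key class` / `#`) so the two files stay in step and the constraint is easy to find later. The permission set and the `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))` form match the neighbouring MCS rules, so no change needed there.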
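Review bot: in the policy/mls hunk the read-type permissions `read search view` sit under the same `( l1 eq l2 )` test as the write-type ones `create link setattr write`, so a process gets no read-down on keys at all: it can neither read nor search a key labelled below its own level, while writes can still go up to clearance through the `mlsprocwritetoclr` branch. If that asymmetry is not intended, split it into two constraints, `mlsconstrain key { read search view }` with a `( l1 dom l2 )` test and `mlsconstrain key { create link setattr write }` keeping the `l1 eq l2` / write-to-clearance form. Either way, as Chris already points out, reusing `mlsprocwritetoclr` and `mlsprocwrite` here hands key access to every domain that was exempted for process writes; key-specific attributes (Chris's `mlskeywritetoclr`, plus something like `mlskeyread` and `mlskeywrite` as suggested names) with their own interfaces keep the exemptions scoped to keys.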