From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 4 Nov 2017 14:09:34 -0400 Subject: [refpolicy] [PATCH 1/3] mls mcs: Add constraints for key class In-Reply-To: <20171102173047.21952-1-jason@perfinion.com> References: <20171102173047.21952-1-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com
On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Taken from fedoras policy
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
> ---
> policy/mcs | 3 +++
> policy/mls | 8 ++++++++
> policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
> policy/modules/kernel/mls.te | 3 +++
> 4 files changed, 55 insertions(+)
>
> diff --git a/policy/mcs b/policy/mcs
> index 4d030112..94319570 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -123,6 +123,9 @@ mlsconstrain process { signal }
> mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>
> +mlsconstrain key { create link read search setattr view write }
> + (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> #
> # MCS policy for SELinux-enabled databases
> #
> diff --git a/policy/mls b/policy/mls
> index 69ca7263..2dadd205 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -281,6 +281,14 @@ mlsconstrain msg send
> # { ipc sem msgq shm } associate
>
>
> +#
> +# MLS policy for the key class
> +#
> +
> +mlsconstrain key { create link read search setattr view write }
> + (( l1 eq l2 ) or
> + (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> + ( t1 == mlskeywrite ));
>
>
> #
> diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
> index 3929ffc4..b09c0a5a 100644
> --- a/policy/modules/kernel/mls.if
> +++ b/policy/modules/kernel/mls.if
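Review bot: In the new `mlsconstrain key` rule in policy/mls, `read`, `search` and `view` share one vector with the write permissions, so a type with `mlskeywritetoclr` can read keys above its current level up to its clearance (the `( h1 dom l2 ) and ( l1 domby l2 )` clause) and a type with `mlskeywrite` can read keys at any level — a read-up that neither attribute name nor the "trusted for writing" summaries in the mls.if hunk convey; note the rule also gives no ordinary read-down, since without one of those attributes only `l1 eq l2` passes. The IPC rules this sits next to keep the two directions apart (`mlsipcread`/`mlsipcreadtoclr` beside `mlsipcwrite`/`mlsipcwritetoclr` in the mls.te context), so the consistent shape would be a second `mlsconstrain key { read search view }` rule with the usual `l1 dom l2` read-down test and its own read attributes, leaving `{ create link setattr write }` on the write attributes. Since the rule is copied from Fedora this may be deliberate (keys treated as strictly same-level objects), in which case the intent should be stated above the constraint, e.g. `# keys are same-level objects: no read-down; the key write attributes also grant read/search/view across levels`.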
> @@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
>
> ########################################
> ##
> +## Make specified domain MLS trusted
> +## for writing to keys up to
> +## its clearance.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mls_key_write_to_clearance',`
> + gen_require(`
> + attribute mlskeywritetoclr;
> + ')
> +
> + typeattribute $1 mlskeywritetoclr;
> +')
> +
> +########################################
> +##
> +## Make specified domain MLS trusted
> +## for writing to keys at all levels.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mls_key_write_all_levels',`
> + gen_require(`
> + attribute mlskeywrite;
> + ')
> +
> + typeattribute $1 mlskeywrite;
> +')
> +
> +########################################
> +##
> ## Allow the specified domain to do a MLS
> ## range transition that changes
> ## the current level.
> diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
> index 15e50a36..e879ddd3 100644
> --- a/policy/modules/kernel/mls.te
> +++ b/policy/modules/kernel/mls.te
> @@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
> attribute mlsipcwrite;
> attribute mlsipcwritetoclr;
>
> +attribute mlskeywrite;
> +attribute mlskeywritetoclr;
> +
> attribute mlsprocread;
> attribute mlsprocreadtoclr;
> attribute mlsprocwrite;
Merged. -- Chris PeBenito
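Review bot: The summaries of `mls_key_write_to_clearance` and `mls_key_write_all_levels` describe the attributes as trusting the domain "for writing to keys", but the `mlsconstrain key` rule in policy/mls that consumes `mlskeywritetoclr` and `mlskeywrite` covers `read search view` in the same vector as `create link setattr write`, so a policy author reading only the interface documentation will underestimate what a call grants. The summaries should state the full effect, e.g. `## Make specified domain MLS trusted for reading and writing keys from its current level up to its clearance.` for the first interface and `## Make specified domain MLS trusted for reading and writing keys at all levels.` for the second. Both interface bodies are complete within this hunk, so the wording change is confined to their summary lines.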