From: dahchanson@gmail.com (Chad Hanson) Date: Sun, 10 Dec 2017 23:02:15 -0500 Subject: [refpolicy] [PATCH] Fix implementation of MLS file relabel attributes Message-ID: <20171211040215.53324-1-dahchanson@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below. Signed-off-by: Chad Hanson --- policy/mls | 2 +- policy/modules/kernel/mls.if | 28 ++++++++++++++++++++++++---- policy/modules/kernel/mls.te | 3 ++- 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/policy/mls b/policy/mls
index 2dadd205..73ff301b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
 (( h1 dom h2 ) or
 (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfilewrite ));
+ ( t1 == mlsfilerelabel ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index b09c0a5a..2e2bebc2 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
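Review bot: Replacing `( t1 == mlsfilewrite )` with `( t1 == mlsfilerelabel )` in the relabelto constraint revokes cross-level relabelto from every domain that currently holds mlsfilewrite through mls_file_write_all_levels(), and the diffstat shows no module .te change giving mls_file_relabel() to any of them, so no type ever receives the new attribute in this series and those domains will start seeing denials on MLS systems. Each caller of mls_file_write_all_levels that relabels across levels needs `mls_file_relabel(<domain>)` in the same series, or the split should keep accepting both attributes until callers are converted. The `{ create relabelto }` constraint for file/lnk_file/fifo_file visible in the hunk header is untouched, so if it still keys off mlsfilewrite, a domain holding only mlsfilerelabel would still fail relabelto on those classes — worth confirming before merging. A comment above the constraint would make the new contract explicit: `# relabelto at all levels requires mlsfilerelabel; mlsfilewrite no longer implies it`.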
@@ -71,6 +71,26 @@ interface(`mls_file_write_to_clearance',`
 typeattribute $1 mlsfilewritetoclr;
 ')
 
+########################################
+## 
+## Make specified domain MLS trusted
+## for writing to files at all levels.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`mls_file_write_all_levels',`
+ gen_require(`
+ attribute mlsfilewrite;
+ ')
+
+ typeattribute $1 mlsfilewrite;
+')
+
 ########################################
 ## 
 ## Make specified domain MLS trusted
@@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',`
 ########################################
 ## 
 ## Make specified domain MLS trusted
-## for writing to files at all levels.
+## for relabelto to files at all levels.
 ## 
 ## 
 ## 
@@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',`
 ## 
 ## 
 #
-interface(`mls_file_write_all_levels',`
+interface(`mls_file_relabel',`
 gen_require(`
- attribute mlsfilewrite;
+ attribute mlsfilerelabel;
 ')
 
- typeattribute $1 mlsfilewrite;
+ typeattribute $1 mlsfilerelabel;
 ')
 
 ########################################
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index ad74e81f..7c50e75c 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -10,9 +10,10 @@ attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
+attribute mlsfilerelabel;
+attribute mlsfilerelabeltoclr;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
-attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;
-- 
2.14.1
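Review bot: The new summary line `+## for relabelto to files at all levels.` reads awkwardly and does not say what trust is actually being waived; suggest `## for relabeling (relabelto) files to any MLS level, regardless of the domain's own range.` so the contrast with the to-clearance interface above it is clear to a policy author. The interface's body and the rest of its documentation are in the following hunk.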
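Review bot: The new name `mls_file_relabel` drops the scope suffix every sibling in this file carries (`mls_file_write_to_clearance`, `mls_file_write_all_levels`, `mls_file_relabel_to_clearance`), so a reader cannot tell the blanket form from the to-clearance form without opening the definition; `mls_file_relabel_all_levels` would keep the convention and pair naturally with the existing `mls_file_relabel_to_clearance`. Renaming now is cheap because this patch introduces no callers of either name. The interface's doc header begins in the preceding hunk.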