Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

[James Antill <jantill@redhat.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1084 bytes --]

On Tue, 2006-10-31 at 11:21 -0500, Stephen Smalley wrote:

> No.  The ability to make the security call is controlled by the
> compute_av permission on the security class, and isn't based on the
> individual contexts passed as arguments.  That would be:
> 	allow $1 security_t:security compute_av;
> which has an interface:
> 	selinux_compute_access_vector($1)
> which is already in authlogin.if.  No change required for allowing the
> call to happen.
> 
> What you are instead trying to do is to define the _result_ of that
> compute_av call based on its arguments, not whether it can be made by
> login.  So the TE rule would go into userdomain.if and be of the form:
> 	allow $1 self:context <permissionname>;

 Ok, I think I have it now. Both patches are at (with the renamed
permission):

 http://people.redhat.com/jantill/pam-config_role/upstream/


-- 
James Antill - <james.antill@redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);


[-- Attachment #1.2: policy-pam-range-checking.patch --]
[-- Type: text/x-patch, Size: 1095 bytes --]

Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors	(revision 2065)
+++ policy/flask/access_vectors	(working copy)
@@ -635,4 +635,5 @@
 class context
 {
 	translate
+	contains
 }
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if	(revision 2065)
+++ policy/modules/system/userdomain.if	(working copy)
@@ -51,6 +51,8 @@
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
 
+	allow $1_t self:context contains;
+
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 	term_create_pty($1_t,$1_devpts_t)
 
Index: policy/mls
===================================================================
--- policy/mls	(revision 2065)
+++ policy/mls	(working copy)
@@ -596,4 +596,7 @@
 mlsconstrain context translate
 	(( h1 dom h2 ) or ( t1 == mlstranslate ));
 
+mlsconstrain context contains
+	( h1 dom h2 );
+
 ') dnl end enable_mls

[-- Attachment #1.3: selinux-pam-range-checking.patch --]
[-- Type: text/x-patch, Size: 987 bytes --]

Index: libselinux/include/selinux/av_permissions.h
===================================================================
--- libselinux/include/selinux/av_permissions.h	(revision 2074)
+++ libselinux/include/selinux/av_permissions.h	(working copy)
@@ -896,3 +896,4 @@
 #define KEY__SETATTR                              0x00000020UL
 #define KEY__CREATE                               0x00000040UL
 #define CONTEXT__TRANSLATE                        0x00000001UL
+#define CONTEXT__CONTAINS                         0x00000002UL
Index: libselinux/src/av_perm_to_string.h
===================================================================
--- libselinux/src/av_perm_to_string.h	(revision 2074)
+++ libselinux/src/av_perm_to_string.h	(working copy)
@@ -266,3 +266,4 @@
     S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
     S_(SECCLASS_KEY, KEY__CREATE, "create")
     S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate")
+    S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains")

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]