* [PATCH 3/4] reference policy support for setransd enhancement
@ 2006-10-17 16:00 Darrel Goeddel
From: Darrel Goeddel @ 2006-10-17 16:00 UTC (permalink / raw)
To: SELinux List
Cc: Stephen Smalley, Joshua Brindle, Karl MacMillan, Linda Knippers,
Daniel Walsh
This patch is for the fedora policy. I can "translate" (pun?) this to the
current CVS policy if necessary.
Add the flask definitions for the new context class (and add the setsockcreate
to the process class so the generated headers do not miss things) and the
corresponding mlsconstraint.
Add an interface that will allow a domain the ability to override the MLS
check when translating contexts (mls_context_translate_all_levels).
Make the setrans daemon run at the highest MLS label and protect the config
file at the same label (and make this work by adding mls_socket_write_all_levels
to the setransd policy).
Allow the translating domain TE access to translate contexts with the setrans_t
type. This is the type that the daemon will use when doing the check. The
type is from the running setransd process.
---
policy/flask/access_vectors | 6 ++++++
policy/flask/security_classes | 2 ++
policy/mls | 10 ++++++++++
policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
policy/modules/kernel/mls.te | 4 +++-
policy/modules/system/selinuxutil.fc | 1 +
policy/modules/system/setrans.if | 1 +
policy/modules/system/setrans.te | 1 +
8 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 5d4f36a..6770ff1 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -253,6 +253,7 @@ class process
execstack
execheap
setkeycreate
+ setsockcreate
}
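Review bot: The `+ setsockcreate` line in the `process` class is unrelated to the new context class and is bundled only so the generated flask headers stay in step with the kernel; say so in a comment or split it into its own patch so the header sync and the setransd change can be bisected separately.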
@@ -632,3 +633,8 @@ class key
setattr
create
}
+
+class context
+{
+ translate
+}
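Review bot: The new `context` class carries a single `translate` permission and, per the `# userspace` marker in security_classes, is never enforced by the kernel; a short comment above `+class context` stating that the check is made by the translation daemon through the userspace AVC would stop future readers from hunting for a kernel hook.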
diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 57f49bc..53c0cf1 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -93,4 +93,6 @@ class packet
# Kernel access key retention
class key
+class context # userspace
+
# FLASK
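Review bot: Appending `+class context # userspace` after `class key` is the right placement, since userspace classes must follow all kernel classes so existing class indices are unchanged; keep any future userspace classes below this line as well.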
diff --git a/policy/mls b/policy/mls
index 06085c5..fb70a32 100644
--- a/policy/mls
+++ b/policy/mls
@@ -617,4 +617,14 @@ mlsconstrain association { polmatch }
((( l1 dom l2 ) and ( h1 domby h2 )) or
( t2 == unlabeled_t ));
+
+
+
+#
+# MLS policy for the context class
+#
+
+mlsconstrain context translate
+ (( h1 dom h2 ) or ( t1 == mlstranslate ));
+
') dnl end enable_mls
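Review bot: The constraint `(( h1 dom h2 ) or ( t1 == mlstranslate ))` compares only the high levels, so a client whose clearance (h1) dominates the high level of the context being translated (h2) may translate it whatever its low level; if that is intended, a one-line comment beside the constraint should say so, and it should also note that this constraint is only ever evaluated by the userspace enforcer since the kernel has no `context` class. Separately, the three empty `+` lines ahead of the `# MLS policy for the context class` comment are more than the surrounding blocks use; one is enough.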
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 5ca509e..8946213 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -451,3 +451,23 @@ interface(`mls_fd_share_all_levels',`
typeattribute $1 mlsfdshare;
')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for translating contexts at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_context_translate_all_levels',`
+ gen_require(`
+ attribute mlstranslate;
+ ')
+
+ typeattribute $1 mlstranslate;
+')
+
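Review bot: The hunk ends with an empty `+` line after the closing `')`, which leaves a trailing blank line at the end of mls.if; drop it. The body itself is consistent with the other `mls_*_all_levels` interfaces (one `typeattribute` on the new attribute) and the doc block is complete.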
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 6e5cb9f..3dce831 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -50,6 +50,8 @@ attribute mlsrangetrans;
attribute mlsfduse;
attribute mlsfdshare;
+attribute mlstranslate;
+
########################################
#
# THIS IS A HACK
@@ -67,6 +69,6 @@ ifdef(`enable_mls',`
range_transition initrc_t auditd_exec_t s15:c0.c1023;
range_transition kernel_t init_exec_t s0 - s15:c0.c1023;
range_transition kernel_t lvm_exec_t s0 - s15:c0.c1023;
-#range_transition initrc_t setrans_exec_t s15:c0.c1023;
+range_transition initrc_t setrans_exec_t s15:c0.c1023;
range_transition run_init_t initrc_exec_t s0 - s15:c0.c1023;
')
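Review bot: Turning `-#range_transition initrc_t setrans_exec_t s15:c0.c1023;` into a live rule is what makes the daemon start at the top of the range and so able to read the setrans.conf that selinuxutil.fc now labels `s15:c0.c1023`; since this lives in the block marked `THIS IS A HACK` rather than in setrans.te, add a comment on the line saying why it is now required, so nobody re-comments it when cleaning up the hack section.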
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 78d5e51..4641575 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -7,6 +7,7 @@ #
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?policy(/.*)? gen_context(system_u:object_r:policy_config_t,s15:c0.c1023)
+/etc/selinux/([^/]*/)?setrans\.conf -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c1023)
/etc/selinux/([^/]*/)?seusers -- gen_context(system_u:object_r:selinux_config_t,s15:c0.c1023)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
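Review bot: Labeling `setrans.conf` at `s15:c0.c1023` means only domains running at that level, or with MLS read-up, can read or edit it, so any administrative tool that maintains the translation table must run at that level as well; confirm that path still works before relying on the daemon alone. The `\.` escape and the `--` regular-file qualifier are correct, and the entry is ordered correctly between the `policy` and `seusers` lines.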
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 9547503..94f2c53 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -22,4 +22,5 @@ interface(`setrans_translate_context',`
allow $1 setrans_var_run_t:sock_file rw_file_perms;
allow $1 setrans_var_run_t:dir search_dir_perms;
files_list_pids($1)
+ allow $1 setrans_t:context translate;
')
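Review bot: `+ allow $1 setrans_t:context translate;` references `setrans_t`, but the interface's `gen_require` block is outside this hunk's context and the visible rules only use `setrans_var_run_t`; check that it already declares `type setrans_t;`, otherwise the module fails to link. Refpolicy style also groups allow rules ahead of interface calls, so the new rule belongs with the two `allow` lines above `files_list_pids($1)` rather than after it.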
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2d54d0a..dd68201 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -53,6 +53,7 @@ mls_file_read_up(setrans_t)
mls_file_write_down(setrans_t)
mls_net_receive_all_levels(setrans_t)
mls_socket_read_all_levels(setrans_t)
+mls_socket_write_all_levels(setrans_t)
mls_rangetrans_target(setrans_t)
mls_fd_use_all_levels(setrans_t)
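Review bot: Adding `mls_socket_write_all_levels(setrans_t)` beside the existing `mls_socket_read_all_levels(setrans_t)` makes the daemon trusted to move data across the whole range over its socket; that is needed once it runs at `s15:c0.c1023` and replies to clients at lower levels, but it is a write-down, so put a comment on this line tying it to the range_transition in mls.te, or a later reader may remove it as over-broad.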
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [PATCH 3/4] reference policy support for setransd enhancement
@ 2006-10-24 14:15 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2006-10-24 14:15 UTC (permalink / raw)
To: Darrel Goeddel
Cc: SELinux List, Stephen Smalley, Joshua Brindle, Karl MacMillan,
Linda Knippers, Daniel Walsh
On Tue, 2006-10-17 at 11:00 -0500, Darrel Goeddel wrote:
> This patch is for the fedora policy. I can "translate" (pun?) this to the
> current CVS policy if necessary.
>
> Add the flask definitions for the new context class (and add the setsockcreate
> to the process class so the generated headers do not miss things) and the
> corresponding mlsconstraint.
>
> Add an interface that will allow a domain the ability to override the MLS
> check when translating contexts (mls_context_translate_all_levels).
>
> Make the setrans daemon run at the highest MLS label and protect the config
> file at the same label (and make this work by adding mls_socket_write_all_levels
> to the setransd policy).
>
> Allow the translating domain TE access to translate contexts with the setrans_t
> type. This is the type that the daemon will use when doing the check. The
> type is from the running setransd process.
This was merged last Friday (Oct 20).
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--