[refpolicy] mls.patch

[refpolicy] mls.patch

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch

Joe this is the patch I have off of current reference policy.   Is this
correct or should I use reference policy mls?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjb3FEACgkQrlYvE4MpobN1xACgvaEBGk/voTESvAuYqyO2s+5g
DWYAoObTfnusOs+FcaJIc7PeZQl9W/KR
=y3BJ
-----END PGP SIGNATURE-----

[refpolicy] mls.patch

[Joe Nall]

On Sep 25, 2008, at 1:45 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
>
> Joe this is the patch I have off of current reference policy.   Is  
> this
> correct or should I use reference policy mls?

It was my transcription of Eamon's verbal how-to and it works so far.  
It may not be the final word on the topic as we are just starting to  
test X in mls enforcing. Eamon might be able to loosen it up some  
safely.

joe

[refpolicy] mls.patch

[Eamon Walsh]

Joe Nall wrote:
> On Sep 25, 2008, at 1:45 PM, Daniel J Walsh wrote:
>
>   
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
>>
>> Joe this is the patch I have off of current reference policy.   Is  
>> this
>> correct or should I use reference policy mls?
>>     
>
> It was my transcription of Eamon's verbal how-to and it works so far.  
> It may not be the final word on the topic as we are just starting to  
> test X in mls enforcing. Eamon might be able to loosen it up some  
> safely.
>
> joe
>
>   

Also, here is a combined version of the range transition patches I sent
earlier.  These were in response to the socket level and root window
level issued raised by Ted.

Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if	(revision 2819)
+++ policy/modules/services/xserver.if	(working copy)
@@ -77,6 +77,9 @@
 	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
 
 	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
+	')
 
 	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
 	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
@@ -95,6 +98,9 @@
 
 	# Labeling rules for default windows and colormaps
 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
+	ifdef(`enable_mls',`
+		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
+	')
 
 	kernel_read_system_state($1_xserver_t)
 	kernel_read_device_sysctls($1_xserver_t)


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency

[refpolicy] mls.patch

[Christopher J. PeBenito]

On Thu, 2008-09-25 at 14:45 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
> 
> Joe this is the patch I have off of current reference policy.   Is this
> correct or should I use reference policy mls?

This has a problem: It makes the xserver module required in the base
module.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] mls.patch

[Joe Nall]

On Oct 6, 2008, at 10:07 AM, Christopher J. PeBenito wrote:

> On Thu, 2008-09-25 at 14:45 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
>>
>> Joe this is the patch I have off of current reference policy.   Is  
>> this
>> correct or should I use reference policy mls?
>
> This has a problem: It makes the xserver module required in the base
> module.

Due to the use of rootwindow_type?

Should a new attribute be added to mls.te and used here?

joe

[refpolicy] mls.patch

[Christopher J. PeBenito]

On Fri, 2008-09-26 at 11:26 -0400, Eamon Walsh wrote:
> Joe Nall wrote:
> > On Sep 25, 2008, at 1:45 PM, Daniel J Walsh wrote:
> >
> >   
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
> >>
> >> Joe this is the patch I have off of current reference policy.   Is  
> >> this
> >> correct or should I use reference policy mls?
> >>     
> >
> > It was my transcription of Eamon's verbal how-to and it works so far.  
> > It may not be the final word on the topic as we are just starting to  
> > test X in mls enforcing. Eamon might be able to loosen it up some  
> > safely.
> >
> > joe
> >
> >   
> 
> Also, here is a combined version of the range transition patches I sent
> earlier.  These were in response to the socket level and root window
> level issued raised by Ted.

Merged.

> Index: policy/modules/services/xserver.if
> ===================================================================
> --- policy/modules/services/xserver.if	(revision 2819)
> +++ policy/modules/services/xserver.if	(working copy)
> @@ -77,6 +77,9 @@
>  	files_tmp_filetrans($1_xserver_t, $1_xserver_tmp_t, { file dir sock_file })
>  
>  	filetrans_pattern($1_xserver_t, xdm_xserver_tmp_t, $1_xserver_tmp_t, sock_file)
> +	ifdef(`enable_mls',`
> +		range_transition $1_xserver_t $1_xserver_tmp_t:sock_file s0 - mls_systemhigh;
> +	')
>  
>  	manage_dirs_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
>  	manage_files_pattern($1_xserver_t, $1_xserver_tmpfs_t, $1_xserver_tmpfs_t)
> @@ -95,6 +98,9 @@
>  
>  	# Labeling rules for default windows and colormaps
>  	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
> +	ifdef(`enable_mls',`
> +		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
> +	')
>  
>  	kernel_read_system_state($1_xserver_t)
>  	kernel_read_device_sysctls($1_xserver_t)
> 
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] mls.patch

[Daniel J Walsh]

Christopher J. PeBenito wrote:
> On Thu, 2008-09-25 at 14:45 -0400, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
>>
>> Joe this is the patch I have off of current reference policy.   Is this
>> correct or should I use reference policy mls?
> 
> This has a problem: It makes the xserver module required in the base
> module.
> 
Should this constraint be moved to xserver.te then?

[refpolicy] mls.patch

[Christopher J. PeBenito]

On Mon, 2008-10-06 at 13:32 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2008-09-25 at 14:45 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
> >>
> >> Joe this is the patch I have off of current reference policy.   Is this
> >> correct or should I use reference policy mls?
> > 
> > This has a problem: It makes the xserver module required in the base
> > module.
> > 
> Should this constraint be moved to xserver.te then?

Unfortunately that won't work as constraints don't work in modules.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] mls.patch

[Christopher J. PeBenito]

On Mon, 2008-10-06 at 10:19 -0500, Joe Nall wrote:
> On Oct 6, 2008, at 10:07 AM, Christopher J. PeBenito wrote:
> > On Thu, 2008-09-25 at 14:45 -0400, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/mls.patch
> >>
> >> Joe this is the patch I have off of current reference policy.   Is  
> >> this
> >> correct or should I use reference policy mls?
> >
> > This has a problem: It makes the xserver module required in the base
> > module.
> 
> Due to the use of rootwindow_type?
> 
> Should a new attribute be added to mls.te and used here?

I would make a mlsrootwindow attribute and apply it to types in the same
places that rootwindow_type are used, rather than trying to just have
one attribute.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150