[refpolicy] [PATCH] Implement mcsuntrustedproc.

[refpolicy] [PATCH] Implement mcsuntrustedproc.

[Dominick Grift]

This process is not allowed to interact with subjects or operate on objects
that it would otherwise be able to interact with or operate on
respectively.

This is, i think, to make sure that specified processes cannot interact
with subject or operate on objects regardless of its mcs range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/mcs b/policy/mcs
index f477c7f..c366f56 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
@@ -101,6 +117,12 @@
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
 
+mlsconstrain process { signal }
+	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..8cd6d57 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,29 @@
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+## <summary>
+##	Make specified process type MCS untrusted.
+## </summary>
+## <desc>
+##	<p>
+##	This prevents this domain from interacting
+##	with subjects and operating on objects
+##	that it otherwise would be able to
+##	interact with or operate on respectively.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	The type of the process.
+##	</summary>
+## </param>
+#
+interface(`mcs_untrusted_proc',`
+	gen_require(`
+		attribute mcsuntrustedproc;
+	')
+
+	typeattribute $1 mcsuntrustedproc;
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..1d16afc 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcsuntrustedproc;

[refpolicy] [PATCH] Implement mcsuntrustedproc.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes the idea is that MCS Trust is opt in versus opt out.  So if a policy
writer wants to separate his domains based on MCS policy he must add this
attribute.

We currently separate:

seinfo -amcsuntrustedproc -x
   mcsuntrustedproc
      svirt_lxc_net_t
      openshift_app_t
      openshift_min_t
      openshift_net_t
      openshift_min_app_t
      openshift_net_app_t
      sandbox_x_t
      svirt_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      svirt_prot_exec_t
      openshift_t
      sandbox_t

On 11/02/2012 02:46 PM, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on 
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact 
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs 
> +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations are not
> constrained.
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1
> == mcsreadall ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
> t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> 
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
> } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc )
> and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
> sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain {
> lnk_file chr_file blk_file sock_file } { write setattr } +	(( h1 dom h2 )
> or ( t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
> domain)));
> 
> # New filesystem object labels must be dominated by the relabeling subject 
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ 
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
> 
> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket }
> node_bind +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); + # # MCS policy
> for SELinux-enabled databases # diff --git a/policy/modules/kernel/mcs.if
> b/policy/modules/kernel/mcs.if index f52faaf..8cd6d57 100644 ---
> a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -102,3
> +102,29 @@
> 
> typeattribute $1 mcssetcats; ') + 
> +######################################## +## <summary> +##	Make specified
> process type MCS untrusted. +## </summary> +## <desc> +##	<p> +##	This
> prevents this domain from interacting +##	with subjects and operating on
> objects +##	that it otherwise would be able to +##	interact with or operate
> on respectively. +##	</p> +## </desc> +## <param name="domain"> +##
> <summary> +##	The type of the process. +##	</summary> +## </param> +# 
> +interface(`mcs_untrusted_proc',` +	gen_require(` +		attribute
> mcsuntrustedproc; +	') + +	typeattribute $1 mcsuntrustedproc; +') diff
> --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index
> 0e5b661..1d16afc 100644 --- a/policy/modules/kernel/mcs.te +++
> b/policy/modules/kernel/mcs.te @@ -10,3 +10,4 @@ attribute mcssetcats; 
> attribute mcswriteall; attribute mcsreadall; +attribute mcsuntrustedproc; 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCU+ZMACgkQrlYvE4MpobPk/wCdHhXWrFfi0EQ3Jv85dauOmxlD
0eIAoKb7vByxTcby+rK+6A6UgnRSkve1
=5aaK
-----END PGP SIGNATURE-----

[refpolicy] [PATCH] Implement mcsuntrustedproc.

[Christopher J. PeBenito]

On 11/02/12 14:46, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..c366f56 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
>  #  - /proc/pid operations are not constrained.
>  
>  mlsconstrain file { read ioctl lock execute execute_no_trans }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain file { write setattr append unlink link rename }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain dir { search read ioctl lock }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>  
>  # New filesystem object labels must be dominated by the relabeling subject
>  # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
>  mlsconstrain process { sigkill sigstop }
>  	(( h1 dom h2 ) or ( t1 == mcskillall ));
>  
> +mlsconstrain process { signal }
> +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
> +

This doesn't look right.  It says that only untrusted processes are MCS-constrained for these permissions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH] Implement mcsuntrustedproc.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote:
> On 11/02/12 14:46, Dominick Grift wrote:
>> 
>> This process is not allowed to interact with subjects or operate on
>> objects that it would otherwise be able to interact with or operate on 
>> respectively.
>> 
>> This is, i think, to make sure that specified processes cannot interact 
>> with subject or operate on objects regardless of its mcs range.
>> 
>> It is used by svirt and probably also by sandbox
>> 
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
>> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs 
>> +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations are not
>> constrained.
>> 
>> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1
>> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 )
>> or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
>> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
>> t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
>> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>> 
>> mlsconstrain dir { write setattr append unlink link rename add_name
>> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
>> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
>> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
>> } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc
>> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
>> sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain
>> { lnk_file chr_file blk_file sock_file } { write setattr } +	(( h1 dom h2
>> ) or ( t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> # New filesystem object labels must be dominated by the relabeling
>> subject # clearance, also the objects are single-level. @@ -101,6 +117,12
>> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
>> mcskillall ));
>> 
>> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
>> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket
>> } node_bind +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); +
> 
> This doesn't look right.  It says that only untrusted processes are
> MCS-constrained for these permissions.
> 

Yes the idea we have moved to is to make MCS contraints opt in by the policy
writer rather then optout.

seinfo  -amcsuntrustedproc -x
   mcsuntrustedproc
      svirt_lxc_net_t
      openshift_app_t
      openshift_min_t
      openshift_net_t
      openshift_min_app_t
      openshift_net_app_t
      svirt_nokvm_t
      sandbox_x_t
      svirt_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      openshift_t
      sandbox_t


That way we don't have to deal with lots of domains that might interact with a
MCS constrained application.  cupsd_t, httpd_t...


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCz3eUACgkQrlYvE4MpobP6QwCg4cG4qIaRbtpRSfAILfeMJD/N
KyMAoOimApzFIMl970MycKusZMQCjP8r
=uhgE
-----END PGP SIGNATURE-----

[refpolicy] [PATCH] Implement mcsuntrustedproc.

[Christopher J. PeBenito]

On 11/26/12 16:23, Daniel J Walsh wrote:
> On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote:
>> On 11/02/12 14:46, Dominick Grift wrote:
>>>
>>> This process is not allowed to interact with subjects or operate on
>>> objects that it would otherwise be able to interact with or operate on 
>>> respectively.
>>>
>>> This is, i think, to make sure that specified processes cannot interact 
>>> with subject or operate on objects regardless of its mcs range.
>>>
>>> It is used by svirt and probably also by sandbox
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
>>> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs 
>>> +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations are not
>>> constrained.
>>>
>>> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1
>>> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 )
>>> or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
>>> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
>>> t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
>>> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall
>>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>>>
>>> mlsconstrain dir { write setattr append unlink link rename add_name
>>> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
>>> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
>>> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
>>> } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc
>>> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
>>> sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or ( t1 == mcsreadall
>>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain
>>> { lnk_file chr_file blk_file sock_file } { write setattr } +	(( h1 dom h2
>>> ) or ( t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>>> domain)));
>>>
>>> # New filesystem object labels must be dominated by the relabeling
>>> subject # clearance, also the objects are single-level. @@ -101,6 +117,12
>>> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
>>> mcskillall ));
>>>
>>> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
>>> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket
>>> } node_bind +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); +
> 
>> This doesn't look right.  It says that only untrusted processes are
>> MCS-constrained for these permissions.
> 
> 
> Yes the idea we have moved to is to make MCS contraints opt in by the policy
> writer rather then optout.

Ok, then in that case, my preference would be to have it like ubac and have an attribute called mcsconstrained or mcs_constrained_type and the interface name changed accordingly.  Then it would be clearer that its an opt-in mechanism.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com