[refpolicy] [PATCH] Implement mcsuntrustedproc.

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 11:04 AM, Christopher J. PeBenito wrote:
> On 11/02/12 14:46, Dominick Grift wrote:
>> 
>> This process is not allowed to interact with subjects or operate on
>> objects that it would otherwise be able to interact with or operate on 
>> respectively.
>> 
>> This is, i think, to make sure that specified processes cannot interact 
>> with subject or operate on objects regardless of its mcs range.
>> 
>> It is used by svirt and probably also by sandbox
>> 
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> diff --git
>> a/policy/mcs b/policy/mcs index f477c7f..c366f56 100644 --- a/policy/mcs 
>> +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations are not
>> constrained.
>> 
>> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1
>> dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 )
>> or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
>> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
>> t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
>> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
>> 
>> mlsconstrain dir { write setattr append unlink link rename add_name
>> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
>> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
>> mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain fifo_file { open
>> } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 != mcsuntrustedproc
>> ) and ( t2 == domain ))); + +mlsconstrain { lnk_file chr_file blk_file
>> sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or ( t1 == mcsreadall
>> ) or +	(( t1 != mcsuntrustedproc ) and (t2 == domain))); + +mlsconstrain
>> { lnk_file chr_file blk_file sock_file } { write setattr } +	(( h1 dom h2
>> ) or ( t1 == mcswriteall ) or +	(( t1 != mcsuntrustedproc ) and (t2 ==
>> domain)));
>> 
>> # New filesystem object labels must be dominated by the relabeling
>> subject # clearance, also the objects are single-level. @@ -101,6 +117,12
>> @@ mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
>> mcskillall ));
>> 
>> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
>> mcsuntrustedproc )); + +mlsconstrain { tcp_socket udp_socket rawip_socket
>> } node_bind +	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); +
> 
> This doesn't look right.  It says that only untrusted processes are
> MCS-constrained for these permissions.
> 

Yes the idea we have moved to is to make MCS contraints opt in by the policy
writer rather then optout.

seinfo  -amcsuntrustedproc -x
   mcsuntrustedproc
      svirt_lxc_net_t
      openshift_app_t
      openshift_min_t
      openshift_net_t
      openshift_min_app_t
      openshift_net_app_t
      svirt_nokvm_t
      sandbox_x_t
      svirt_t
      sandbox_min_t
      sandbox_net_t
      sandbox_web_t
      openshift_t
      sandbox_t


That way we don't have to deal with lots of domains that might interact with a
MCS constrained application.  cupsd_t, httpd_t...


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlCz3eUACgkQrlYvE4MpobP6QwCg4cG4qIaRbtpRSfAILfeMJD/N
KyMAoOimApzFIMl970MycKusZMQCjP8r
=uhgE
-----END PGP SIGNATURE-----