From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2] Implement mcs_constrained_type
Date: Tue, 27 Nov 2012 14:44:14 -0500 [thread overview]
Message-ID: <50B5180E.8060709@redhat.com> (raw)
In-Reply-To: <1354035559-13168-1-git-send-email-dominick.grift@gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/27/2012 11:59 AM, Dominick Grift wrote:
>
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on
> respectively.
>
> This is, I think, to make sure that specified processes cannot interact
> with subjects or operate on objects regardless of their MCS range.
>
> It is used by svirt and probably also by sandbox.
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>
> diff --git a/policy/mcs b/policy/mcs index f477c7f..216b3d1 100644 ---
> a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ # - /proc/pid operations
> are not constrained.
>
> mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1
> == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain file { write setattr append unlink link rename } - (( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); + (( h1 dom h2 ) or (
> t1 == mcswriteall ) or + (( t1 != mcs_constrained_type ) and (t2 ==
> domain)));
>
> mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); + (( h1 dom h2 ) or ( t1 == mcsreadall )
> or + (( t1 != mcs_constrained_type ) and (t2 == domain)));
>
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
> mcs_constrained_type ) and (t2 == domain))); + +mlsconstrain fifo_file {
> open } + (( h1 dom h2 ) or ( t1 == mcsreadall ) or + (( t1 !=
> mcs_constrained_type ) and ( t2 == domain ))); + +mlsconstrain { lnk_file
> chr_file blk_file sock_file } { getattr read ioctl } + (( h1 dom h2 ) or (
> t1 == mcsreadall ) or + (( t1 != mcs_constrained_type ) and (t2 ==
> domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write
> setattr } + (( h1 dom h2 ) or ( t1 == mcswriteall ) or + (( t1 !=
> mcs_constrained_type ) and (t2 == domain)));
>
> # New filesystem object labels must be dominated by the relabeling subject
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
>
> +mlsconstrain process { signal } + (( h1 dom h2 ) or ( t1 !=
> mcs_constrained_type )); + +mlsconstrain { tcp_socket udp_socket
> rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type
> )); + # # MCS policy for SELinux-enabled databases # diff --git
> a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index
> f52faaf..508e609 100644 --- a/policy/modules/kernel/mcs.if +++
> b/policy/modules/kernel/mcs.if @@ -102,3 +102,31 @@
>
> typeattribute $1 mcssetcats; ') +
> +######################################## +## <summary> +## Constrain by
> category access control (MCS). +## </summary> +## <desc> +## <p> +##
> Constrain the specified type by category based +## access control (MCS)
> This prevents this domain from +## interacting with subjects and operating
> on objects +## that it otherwise would be able to interact +## with or
> operate on respectively. +## </p> +## </desc> +## <param name="domain"> +##
> <summary> +## Type to be constrained by MCS. +## </summary> +## </param>
> +## <infoflow type="none"/> +# +interface(`mcs_constrained',` +
> gen_require(` + attribute mcs_constrained_type; + ') + + typeattribute $1
> mcs_constrained_type; +') diff --git a/policy/modules/kernel/mcs.te
> b/policy/modules/kernel/mcs.te index 0e5b661..c608a8b 100644 ---
> a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3
> +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute
> mcsreadall; +attribute mcs_constrained_type;
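Review bot: in the first policy/mcs hunk (@@ -69,16 +69,32 @@), the context comment "# - /proc/pid operations are not constrained." stops being true once `( t2 == domain )` becomes `(( t1 != mcs_constrained_type ) and (t2 == domain))`: a mcs_constrained_type subject now needs `h1 dom h2` (or mcsreadall/mcswriteall) for file and dir access to domain-typed objects such as /proc/<pid>, so that comment should say the exemption does not apply to constrained types. Separately, the new `fifo_file { open }`, `{ lnk_file chr_file blk_file sock_file } { getattr read ioctl }` and `{ write setattr }` rules are not limited to mcs_constrained_type: for an object type that lacks the domain attribute the third disjunct is false for every subject, so every domain now needs category dominance on those classes where there was no MCS rule before. If that widening is intended, say so in the commit message; if not, those rules need a `( t1 != mcs_constrained_type )` disjunct. Lastly, fifo_file gets only `open` while the other classes get read/write; a constrained domain that already holds a fifo open is unaffected, so either cover `{ read write getattr ioctl }` for fifo_file too or note why open alone suffices.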
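Review bot: in the second policy/mcs hunk (@@ -101,6 +117,12 @@), the new `mlsconstrain process { signal }` has no escape comparable to `( t1 == mcskillall )` in the adjacent sigkill/sigstop rule, so a mcs_constrained_type domain that also carries mcskillall still cannot deliver an ordinary signal across categories; add `or ( t1 == mcskillall )` or document the asymmetry. The rule also names only `signal`: signull and sigchld stay unconstrained, and signull is enough to probe whether a pid in another category set exists, so `{ signal signull sigchld }` would match the stated intent better. The `node_bind` rule covers tcp_socket, udp_socket and rawip_socket only; the commit message should state which socket interactions (unix sockets, name_bind, name_connect) are deliberately left out.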
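Review bot: in the mcs.if hunk, the `<desc>` text reads "access control (MCS) This prevents" with no full stop after "(MCS)", and the description only says the domain cannot interact with subjects or objects it "otherwise would be able to" reach, which does not tell a policy author what actually changes; say concretely that the `t2 == domain` exemption for file, dir and related classes no longer applies and that `signal` and `node_bind` now require the subject's categories to dominate the target's. Mentioning the attribute name `mcs_constrained_type` in the `<desc>` would also help, since the interface is named `mcs_constrained` and a reader grepping for the attribute will not otherwise find it.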
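Review bot: in the mcs.te hunk, `attribute mcs_constrained_type;` breaks the naming pattern of the neighbouring attributes (mcssetcats, mcswriteall, mcsreadall, and mcskillall used in policy/mcs); consider a name in the same style, or say why the `_type` suffix is wanted. A one-line comment above the attribute describing its effect would help, as none of these attributes is documented in the .te. No bump of the policy_module() version in mcs.te is visible in this diff although mcs.if gains a new interface; refpolicy normally increments it when an interface is added.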
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
Looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlC1GA0ACgkQrlYvE4MpobM2tQCfSgNuqcCilBEuofKNVMfe6n2S
UrQAoN5IPW3SGuD5qgNWTzNQ+BzGWbD/
=ylpr
-----END PGP SIGNATURE-----
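To make the effect of the quoted constraint change concrete, the following is an added example that evaluates the mlsconstrain expressions from the patch in Python. It is not code from the patch, from refpolicy or from libsepol; it re-implements the `dom` operator over parsed MCS levels and the before/after boolean logic of the file-read and process-signal rules. The type table (svirt_t, unconfined_t, virtd_t, svirt_image_t and their attributes) is an assumption chosen for the walkthrough, as are the constructed access checks.

```python
"""Model of the refpolicy MCS constraint expressions before and after the
mcs_constrained_type patch.  Added illustration: it evaluates the mlsconstrain
boolean logic in Python; it is not libsepol, and the type table below is an
assumption made for the walkthrough."""
from __future__ import annotations

from dataclasses import dataclass


def parse_level(level: str) -> tuple[str, frozenset[int]]:
    """Parse an MCS level: 's0:c1,c3.c5' -> ('s0', {1, 3, 4, 5}), 's0' -> ('s0', {})."""
    sens, _, cats = level.partition(":")
    out: set[int] = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")      # 'c3.c5' is a range, 'c1' a single category
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return sens, frozenset(out)


def high_level(context_range: str) -> str:
    """h1/h2 in a constraint is the high end of a range: 's0-s0:c1' -> 's0:c1'."""
    return context_range.split("-")[-1]


def dominates(h1: str, h2: str) -> bool:
    """The constraint operator 'dom': sensitivity >= and categories a superset.
    refpolicy MCS only defines s0, so this reduces to the category superset test."""
    s1, c1 = parse_level(h1)
    s2, c2 = parse_level(h2)
    return int(s1[1:]) >= int(s2[1:]) and c1 >= c2


# Assumed type -> attribute table.  'domain' is refpolicy's process-type attribute;
# the patch says svirt uses mcs_constrained_type.  All names here are illustrative.
TYPE_ATTRS = {
    "svirt_t": {"domain", "mcs_constrained_type"},  # a constrained guest domain
    "unconfined_t": {"domain"},                     # an ordinary, unconstrained domain
    "virtd_t": {"domain", "mcsreadall"},            # assumption: holds the read-all escape
    "svirt_image_t": set(),                         # a plain file type, not a domain
}


def has(type_name: str, attr: str) -> bool:
    return attr in TYPE_ATTRS.get(type_name, set())


@dataclass(frozen=True)
class Access:
    """One access check: subject type/range (t1, r1) and object type/range (t2, r2)."""
    t1: str
    r1: str
    t2: str
    r2: str


def file_read_before(a: Access) -> bool:
    """mlsconstrain file { read ... } as it stood before the patch:
    (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ))"""
    h1, h2 = high_level(a.r1), high_level(a.r2)
    return dominates(h1, h2) or has(a.t1, "mcsreadall") or has(a.t2, "domain")


def file_read_after(a: Access) -> bool:
    """Same rule after the patch: the t2 == domain exemption (what lets a process
    read /proc/<pid> of a process in another category set) is withheld from
    mcs_constrained_type subjects."""
    h1, h2 = high_level(a.r1), high_level(a.r2)
    return (dominates(h1, h2) or has(a.t1, "mcsreadall")
            or (not has(a.t1, "mcs_constrained_type") and has(a.t2, "domain")))


def process_signal_before(a: Access) -> bool:
    """Before the patch MCS constrained only sigkill/sigstop, so signal was unconstrained."""
    return True


def process_signal_after(a: Access) -> bool:
    """New rule: mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type ))."""
    return dominates(high_level(a.r1), high_level(a.r2)) or not has(a.t1, "mcs_constrained_type")


def run_scenarios() -> dict[str, tuple[bool, bool]]:
    """Evaluate constructed accesses; each value is (allowed before, allowed after)."""
    peer_proc = Access("svirt_t", "s0:c1", "svirt_t", "s0:c2")          # /proc/<pid> of another guest
    unconf_proc = Access("unconfined_t", "s0:c1", "svirt_t", "s0:c2")
    other_image = Access("svirt_t", "s0:c1", "svirt_image_t", "s0:c2")  # another guest's disk image
    own_image = Access("svirt_t", "s0-s0:c1,c2", "svirt_image_t", "s0:c2")
    readall = Access("virtd_t", "s0", "svirt_t", "s0:c2")
    return {
        "constrained guest reads peer /proc": (file_read_before(peer_proc), file_read_after(peer_proc)),
        "unconstrained domain reads guest /proc": (file_read_before(unconf_proc), file_read_after(unconf_proc)),
        "constrained guest reads other image": (file_read_before(other_image), file_read_after(other_image)),
        "constrained guest reads own image": (file_read_before(own_image), file_read_after(own_image)),
        "mcsreadall domain reads guest /proc": (file_read_before(readall), file_read_after(readall)),
        "constrained guest signals peer": (process_signal_before(peer_proc), process_signal_after(peer_proc)),
    }


if __name__ == "__main__":
    for name, (before, after) in run_scenarios().items():
        print(f"{name:42s} before={before!s:5s} after={after!s:5s}")
```

The only rows that change are the two where a constrained guest targets a domain-typed object in another category set: reading its /proc entries and sending it a signal. Access to non-domain objects (the disk images) is governed by category dominance both before and after, and an unconstrained domain or an mcsreadall domain keeps its exemption, which is what the `( t1 != mcs_constrained_type )` disjunct is for.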
Thread overview: 3+ messages
2012-11-27 16:59 [refpolicy] [PATCH v2] Implement mcs_constrained_type Dominick Grift
2012-11-27 19:44 ` Daniel J Walsh [this message]
2012-11-28 21:26 ` Christopher J. PeBenito