* [refpolicy] [PATCH v2] Implement mcs_constrained_type
@ 2012-11-27 16:59 Dominick Grift
  2012-11-27 19:44 ` Daniel J Walsh
  2012-11-28 21:26 ` Christopher J. PeBenito
  0 siblings, 2 replies; 3+ messages in thread
From: Dominick Grift @ 2012-11-27 16:59 UTC (permalink / raw)
  To: refpolicy


This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.

This is, I think, to make sure that the specified processes cannot interact
with subjects or operate on objects regardless of their MCS range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

diff --git a/policy/mcs b/policy/mcs
index f477c7f..216b3d1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
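Review bot: The context comment at the top of this hunk, `#  - /proc/pid operations are not constrained.`, is no longer accurate once the file and dir rules carry `(( t1 != mcs_constrained_type ) and (t2 == domain))`, because that clause withdraws the /proc/pid exemption for constrained domains; it should read `#  - /proc/pid operations are not constrained, except for mcs_constrained_type domains.` Note also that in the new fifo_file and `{ lnk_file chr_file blk_file sock_file }` rules the attribute test only gates that exemption, so the category check itself now applies to every domain and not just to constrained ones, unlike the process and node_bind rules in the next hunk where `( t1 != mcs_constrained_type )` is a full escape; if only constrained types were meant to be affected, those rules need the latter shape, and either way a short comment above them stating which domains they bind would prevent the two shapes being confused later. The fifo_file rule also covers only `open`, while its siblings cover getattr/read/ioctl and write/setattr; if that asymmetry is deliberate, say so in a comment. As a style point, the fifo_file rule writes `( t2 == domain )` while every other rule in the hunk writes `(t2 == domain)`.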
@@ -101,6 +117,12 @@
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
 
+mlsconstrain process { signal }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
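Review bot: The new `mlsconstrain process { signal }` rule has no `mcskillall` escape, unlike the `sigkill sigstop` rule directly above it, so a domain carrying both `mcskillall` and `mcs_constrained_type` could still kill across categories but not send an ordinary signal; if that is intended, a comment above the rule should say so, otherwise the rule should mirror its neighbour with `(( h1 dom h2 ) or ( t1 == mcskillall ) or ( t1 != mcs_constrained_type ));`. The remaining process signal permissions (`sigchld`, `signull`) are left unconstrained for constrained domains; a one-line comment recording that this is deliberate would help the next reader. The node_bind rule compares the constrained domain's range against the node's, which is fine, but the hunk gives no hint which node labels in the tree actually carry a category range, so a comment pointing at the intended use (the commit message mentions svirt) would document the contract.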
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..508e609 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,31 @@
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+## <summary>
+##	Constrain by category access control (MCS).
+## </summary>
+## <desc>
+##	<p>
+##	Constrain the specified type by category based
+##	access control (MCS) This prevents this domain from
+##	interacting with subjects and operating on objects
+##	that it otherwise would be able to interact
+##	with or operate on respectively.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be constrained by MCS.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`mcs_constrained',`
+	gen_require(`
+		attribute mcs_constrained_type;
+	')
+
+	typeattribute $1 mcs_constrained_type;
+')
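Review bot: The `<desc>` text of the new `mcs_constrained` interface is missing a sentence break, `access control (MCS) This prevents` should be `access control (MCS). This prevents`, and it only restates the commit message without saying what the attribute actually changes. The description should state that, for the type, the MCS category range is additionally enforced on file and dir access to /proc/pid objects labelled with a domain type, on `signal` delivery to other processes and on `node_bind`, and that the `mcsreadall` and `mcswriteall` exemptions on the file rules still apply to such a type; that is a few lines longer than the current paragraph, so it is best written as a second `<p>` block rather than squeezed into the first. The interface body itself, a `gen_require` of the attribute followed by `typeattribute $1 mcs_constrained_type;`, matches the pattern of the interfaces above it.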
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..c608a8b 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcs_constrained_type;


* [refpolicy] [PATCH v2] Implement mcs_constrained_type
  2012-11-27 16:59 [refpolicy] [PATCH v2] Implement mcs_constrained_type Dominick Grift
@ 2012-11-27 19:44 ` Daniel J Walsh
  2012-11-28 21:26 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel J Walsh @ 2012-11-27 19:44 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/27/2012 11:59 AM, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on objects
> that it would otherwise be able to interact with or operate on 
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact 
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> 
> diff --git a/policy/mcs b/policy/mcs index f477c7f..216b3d1 100644 ---
> a/policy/mcs +++ b/policy/mcs @@ -69,16 +69,32 @@ #  - /proc/pid operations
> are not constrained.
> 
> mlsconstrain file { read ioctl lock execute execute_no_trans } -	(( h1 dom
> h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1
> == mcsreadall ) or +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> 
> mlsconstrain file { write setattr append unlink link rename } -	(( h1 dom
> h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); +	(( h1 dom h2 ) or (
> t1 == mcswriteall ) or +	(( t1 != mcs_constrained_type ) and (t2 ==
> domain)));
> 
> mlsconstrain dir { search read ioctl lock } -	(( h1 dom h2 ) or ( t1 ==
> mcsreadall ) or ( t2 == domain )); +	(( h1 dom h2 ) or ( t1 == mcsreadall )
> or +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> 
> mlsconstrain dir { write setattr append unlink link rename add_name
> remove_name } -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain
> )); +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcs_constrained_type ) and (t2 == domain))); + +mlsconstrain fifo_file {
> open } +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or +	(( t1 !=
> mcs_constrained_type ) and ( t2 == domain ))); + +mlsconstrain { lnk_file
> chr_file blk_file sock_file } { getattr read ioctl } +	(( h1 dom h2 ) or (
> t1 == mcsreadall ) or +	(( t1 != mcs_constrained_type ) and (t2 ==
> domain))); + +mlsconstrain { lnk_file chr_file blk_file sock_file } { write
> setattr } +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or +	(( t1 !=
> mcs_constrained_type ) and (t2 == domain)));
> 
> # New filesystem object labels must be dominated by the relabeling subject 
> # clearance, also the objects are single-level. @@ -101,6 +117,12 @@ 
> mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 ==
> mcskillall ));
> 
> +mlsconstrain process { signal } +	(( h1 dom h2 ) or ( t1 !=
> mcs_constrained_type )); + +mlsconstrain { tcp_socket udp_socket
> rawip_socket } node_bind +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type
> )); + # # MCS policy for SELinux-enabled databases # diff --git
> a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index
> f52faaf..508e609 100644 --- a/policy/modules/kernel/mcs.if +++
> b/policy/modules/kernel/mcs.if @@ -102,3 +102,31 @@
> 
> typeattribute $1 mcssetcats; ') + 
> +######################################## +## <summary> +##	Constrain by
> category access control (MCS). +## </summary> +## <desc> +##	<p> +##
> Constrain the specified type by category based +##	access control (MCS)
> This prevents this domain from +##	interacting with subjects and operating
> on objects +##	that it otherwise would be able to interact +##	with or
> operate on respectively. +##	</p> +## </desc> +## <param name="domain"> +##
> <summary> +##	Type to be constrained by MCS. +##	</summary> +## </param> 
> +## <infoflow type="none"/> +# +interface(`mcs_constrained',` +
> gen_require(` +		attribute mcs_constrained_type; +	') + +	typeattribute $1
> mcs_constrained_type; +') diff --git a/policy/modules/kernel/mcs.te
> b/policy/modules/kernel/mcs.te index 0e5b661..c608a8b 100644 ---
> a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -10,3
> +10,4 @@ attribute mcssetcats; attribute mcswriteall; attribute
> mcsreadall; +attribute mcs_constrained_type; 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 
Looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC1GA0ACgkQrlYvE4MpobM2tQCfSgNuqcCilBEuofKNVMfe6n2S
UrQAoN5IPW3SGuD5qgNWTzNQ+BzGWbD/
=ylpr
-----END PGP SIGNATURE-----


* [refpolicy] [PATCH v2] Implement mcs_constrained_type
  2012-11-27 16:59 [refpolicy] [PATCH v2] Implement mcs_constrained_type Dominick Grift
  2012-11-27 19:44 ` Daniel J Walsh
@ 2012-11-28 21:26 ` Christopher J. PeBenito
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2012-11-28 21:26 UTC (permalink / raw)
  To: refpolicy

On 11/27/12 11:59, Dominick Grift wrote:
> 
> This process is not allowed to interact with subjects or operate on
> objects that it would otherwise be able to interact with or operate on
> respectively.
> 
> This is, i think, to make sure that specified processes cannot interact
> with subject or operate on objects regardless of its mcs range.
> 
> It is used by svirt and probably also by sandbox

Merged.
 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> 
> diff --git a/policy/mcs b/policy/mcs
> index f477c7f..216b3d1 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -69,16 +69,32 @@
>  #  - /proc/pid operations are not constrained.
>  
>  mlsconstrain file { read ioctl lock execute execute_no_trans }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain file { write setattr append unlink link rename }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain dir { search read ioctl lock }
> -	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
> -	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain fifo_file { open }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
> +	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
> +
> +mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
> +	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
> +	(( t1 != mcs_constrained_type ) and (t2 == domain)));
>  
>  # New filesystem object labels must be dominated by the relabeling subject
>  # clearance, also the objects are single-level.
> @@ -101,6 +117,12 @@
>  mlsconstrain process { sigkill sigstop }
>  	(( h1 dom h2 ) or ( t1 == mcskillall ));
>  
> +mlsconstrain process { signal }
> +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
> +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
> +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
>  #
>  # MCS policy for SELinux-enabled databases
>  #
> diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
> index f52faaf..508e609 100644
> --- a/policy/modules/kernel/mcs.if
> +++ b/policy/modules/kernel/mcs.if
> @@ -102,3 +102,31 @@
>  
>  	typeattribute $1 mcssetcats;
>  ')
> +
> +########################################
> +## <summary>
> +##	Constrain by category access control (MCS).
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Constrain the specified type by category based
> +##	access control (MCS) This prevents this domain from
> +##	interacting with subjects and operating on objects
> +##	that it otherwise would be able to interact
> +##	with or operate on respectively.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Type to be constrained by MCS.
> +##	</summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`mcs_constrained',`
> +	gen_require(`
> +		attribute mcs_constrained_type;
> +	')
> +
> +	typeattribute $1 mcs_constrained_type;
> +')
> diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
> index 0e5b661..c608a8b 100644
> --- a/policy/modules/kernel/mcs.te
> +++ b/policy/modules/kernel/mcs.te
> @@ -10,3 +10,4 @@
>  attribute mcssetcats;
>  attribute mcswriteall;
>  attribute mcsreadall;
> +attribute mcs_constrained_type;

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

