
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/
Date: Sun, 31 Jul 2016 10:40:56
Message-Id: 1469961599.27f9f6206cc09e345feb25ca3a1a1905b48e769b.swift@gentoo
1 commit: 27f9f6206cc09e345feb25ca3a1a1905b48e769b
2 Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
3 AuthorDate: Wed Jul 27 15:35:03 2016 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sun Jul 31 10:39:59 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f9f620
7
8 Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
9
10 Example of denial:
11 type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for
12 pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
13 scontext=root:system_r:rpm_t:s0
14 tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
15
16 policy/mls | 4 +++-
17 policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
18 policy/modules/kernel/mls.te | 1 +
19 3 files changed, 24 insertions(+), 1 deletion(-)
20
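--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
- ( h1 dom h2 );
+ (( h1 dom h2 ) or
+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfilewrite ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }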
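Review bot: The third alternative, `( t1 == mlsfilewrite )`, exempts every domain carrying that attribute from this relabelto clearance check outright, yet the commit message describes only the new `mlsfilerelabeltoclr` attribute. The unchanged comment above the constraint still says new labels must be dominated by the subject's clearance, which no longer holds for either added branch. I would reword it along the lines of `# new file labels must be dominated by the relabeling subject's clearance, unless the subject is mlsfilerelabeltoclr (clearance must dominate the new low level) or mlsfilewrite (exempt)`. It is also worth checking which domains already hold `mlsfilewrite`, since as far as this constraint is concerned they can now relabel objects to any level.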
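--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
 ########################################
 ## <summary>
 ## Make specified domain MLS trusted
+## for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+ gen_require(`
+ attribute mlsfilerelabeltoclr;
+ ')
+
+ typeattribute $1 mlsfilerelabeltoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
 ## for writing to files at all levels. (Deprecated)
 ## </summary>
 ## <desc>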
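Review bot: The summary of `mls_file_relabel_to_clearance` says the domain is trusted to relabel "up to its clearance", but the constraint this attribute feeds in policy/mls tests `h1 dom l2`, which compares the subject's clearance only with the low level of the new label. A ranged label whose high level exceeds that clearance is therefore accepted, which matches the denial quoted in the commit message (subject at s0, target s0-s15:c0.c1023). The summary should state this, e.g. `## for relabelto to files whose low level is dominated by its clearance.`. A `<desc>` block saying the interface is meant for package-manager-style domains would also help whoever reviews future callers. The deprecated interface that follows continues outside the hunk.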
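--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;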