commit: 27f9f6206cc09e345feb25ca3a1a1905b48e769b |
Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com> |
AuthorDate: Wed Jul 27 15:35:03 2016 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Sun Jul 31 10:39:59 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f9f620 |
|
Add a new MLS attribute that allows relabeling objects to a level higher than system low. This exception is needed for package managers when processing sensitive data. |
|
Example of denial: |
type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for |
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147 |
scontext=root:system_r:rpm_t:s0 |
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir |
|
policy/mls | 4 +++- |
policy/modules/kernel/mls.if | 20 ++++++++++++++++++++ |
policy/modules/kernel/mls.te | 1 + |
3 files changed, 24 insertions(+), 1 deletion(-) |
|
diff --git a/policy/mls b/policy/mls |
22 |
index 3603de1..db3ed90 100644 |
23 |
--- a/policy/mls |
24 |
+++ b/policy/mls |
25 |
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } |
26 |
|
27 |
# new file labels must be dominated by the relabeling subjects clearance |
28 |
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto |
29 |
- ( h1 dom h2 ); |
30 |
+ (( h1 dom h2 ) or |
31 |
+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or |
32 |
+ ( t1 == mlsfilewrite )); |
33 |
|
34 |
# the file "read" ops (note the check is dominance of the low level) |
35 |
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } |
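Review bot: The new mlsfilerelabeltoclr alternative on the second added line checks only `h1 dom l2`, so a domain carrying the attribute may assign a target range whose high level exceeds its own clearance (in the commit's own example, rpm_t at s0 relabels a directory to s0-s15:c0.c1023), yet the comment directly above the constraint still says new file labels "must be dominated by the relabeling subjects clearance" and no longer describes the rule. I would change it to `# new file labels must be dominated by the relabeling subject's clearance, unless the subject is MLS-trusted to relabel to its clearance (only the target's low level is checked) or to write at all levels`. The third alternative, `t1 == mlsfilewrite`, is not mentioned in the commit message at all and is a separate, broader exemption (the mls.if context in this commit shows the corresponding all-levels write interface marked Deprecated); it deserves a sentence in the message or a line comment of its own. Because h2 is unconstrained under the new attribute, it is effectively an upgrade capability for the high bound of a file's range and should be granted to as few domains as possible.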
36 |
|
37 |
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if |
38 |
index 27d6401..829605b 100644 |
39 |
--- a/policy/modules/kernel/mls.if |
40 |
+++ b/policy/modules/kernel/mls.if |
41 |
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',` |
42 |
######################################## |
43 |
## <summary> |
44 |
## Make specified domain MLS trusted |
45 |
+## for relabelto to files up to its clearance. |
46 |
+## </summary> |
47 |
+## <param name="domain"> |
48 |
+## <summary> |
49 |
+## Domain allowed access. |
50 |
+## </summary> |
51 |
+## </param> |
52 |
+## <rolecap/> |
53 |
+# |
54 |
+interface(`mls_file_relabel_to_clearance',` |
55 |
+ gen_require(` |
56 |
+ attribute mlsfilerelabeltoclr; |
57 |
+ ') |
58 |
+ |
59 |
+ typeattribute $1 mlsfilerelabeltoclr; |
60 |
+') |
61 |
+ |
62 |
+######################################## |
63 |
+## <summary> |
64 |
+## Make specified domain MLS trusted |
65 |
## for writing to files at all levels. (Deprecated) |
66 |
## </summary> |
67 |
## <desc> |
68 |
|
69 |
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te |
70 |
index e508050..13b8625 100644 |
71 |
--- a/policy/modules/kernel/mls.te |
72 |
+++ b/policy/modules/kernel/mls.te |
73 |
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr; |
74 |
attribute mlsfilewriteinrange; |
75 |
attribute mlsfileupgrade; |
76 |
attribute mlsfiledowngrade; |
77 |
+attribute mlsfilerelabeltoclr; |
78 |
|
79 |
attribute mlsnetread; |
80 |
attribute mlsnetreadtoclr; |