[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/
Date:	Sun, 05 Nov 2017 08:01:46
Message-Id:	`1509863915.c12c719d9ac0789fa319eaf9aa06731bfdf47827.perfinion@gentoo`

1

commit:     c12c719d9ac0789fa319eaf9aa06731bfdf47827

2

Author:     Jason Zaman <jason <AT> perfinion <DOT> com>

3

AuthorDate: Thu Nov  2 17:30:45 2017 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Sun Nov  5 06:38:35 2017 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12c719d

7

8

mls mcs: Add constraints for key class

9

10

Taken from fedoras policy

11

https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls

12

https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs

13

14

 policy/mcs                   |  3 +++

15

 policy/mls                   |  8 ++++++++

16

 policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++

17

 policy/modules/kernel/mls.te |  3 +++

18

 4 files changed, 55 insertions(+)

19

20

diff --git a/policy/mcs b/policy/mcs

21

index 4d030112..94319570 100644

22

--- a/policy/mcs

23

+++ b/policy/mcs

24

@@ -123,6 +123,9 @@ mlsconstrain process { signal }

25

 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind

26

 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

27

28

+mlsconstrain key { create link read search setattr view write }

29

+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));

30

+

31

#

32

 # MCS policy for SELinux-enabled databases

33

#

34

35

diff --git a/policy/mls b/policy/mls

36

index 69ca7263..2dadd205 100644

37

--- a/policy/mls

38

+++ b/policy/mls

39

@@ -281,6 +281,14 @@ mlsconstrain msg send

40

 # { ipc sem msgq shm } associate

41

42

43

+#

44

+# MLS policy for the key class

45

+#

46

+

47

+mlsconstrain key { create link read search setattr view write }

48

+	(( l1 eq l2 ) or

49

+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or

50

+	 ( t1 == mlskeywrite ));

51

52

53

#

54

55

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if

56

index 3929ffc4..b09c0a5a 100644

57

--- a/policy/modules/kernel/mls.if

58

+++ b/policy/modules/kernel/mls.if

59

@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`

60

61

 ########################################

62

 ## <summary>

63

+##	Make specified domain MLS trusted

64

+##	for writing to keys up to

65

+##	its clearance.

66

+## </summary>

67

+## <param name="domain">

68

+##	<summary>

69

+##	Domain allowed access.

70

+##	</summary>

71

+## </param>

72

+## <rolecap/>

73

+#

74

+interface(`mls_key_write_to_clearance',`

75

+	gen_require(`

76

+		attribute mlskeywritetoclr;

77

+	')

78

+

79

+	typeattribute $1 mlskeywritetoclr;

80

+')

81

+

82

+########################################

83

+## <summary>

84

+##	Make specified domain MLS trusted

85

+##	for writing to keys at all levels.

86

+## </summary>

87

+## <param name="domain">

88

+##	<summary>

89

+##	Domain allowed access.

90

+##	</summary>

91

+## </param>

92

+## <rolecap/>

93

+#

94

+interface(`mls_key_write_all_levels',`

95

+	gen_require(`

96

+		attribute mlskeywrite;

97

+	')

98

+

99

+	typeattribute $1 mlskeywrite;

100

+')

101

+

102

+########################################

103

+## <summary>

104

 ##	Allow the specified domain to do a MLS

105

 ##	range transition that changes

106

 ##	the current level.

107

108

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te

109

index 15e50a36..e879ddd3 100644

110

--- a/policy/modules/kernel/mls.te

111

+++ b/policy/modules/kernel/mls.te

112

@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;

113

 attribute mlsipcwrite;

114

 attribute mlsipcwritetoclr;

115

116

+attribute mlskeywrite;

117

+attribute mlskeywritetoclr;

118

+

119

 attribute mlsprocread;

120

 attribute mlsprocreadtoclr;

121

 attribute mlsprocwrite;

1	commit: c12c719d9ac0789fa319eaf9aa06731bfdf47827
2	Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3	AuthorDate: Thu Nov 2 17:30:45 2017 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Sun Nov 5 06:38:35 2017 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12c719d
7
8	mls mcs: Add constraints for key class
9
10	Taken from fedoras policy
11	https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
12	https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
13
14	policy/mcs \| 3 +++
15	policy/mls \| 8 ++++++++
16	policy/modules/kernel/mls.if \| 41 +++++++++++++++++++++++++++++++++++++++++
17	policy/modules/kernel/mls.te \| 3 +++
18	4 files changed, 55 insertions(+)
19
20	diff --git a/policy/mcs b/policy/mcs
21	index 4d030112..94319570 100644
22	--- a/policy/mcs
23	+++ b/policy/mcs
24	@@ -123,6 +123,9 @@ mlsconstrain process { signal }
25	mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
26	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
27
28	+mlsconstrain key { create link read search setattr view write }
29	+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
30	+
31	#
32	# MCS policy for SELinux-enabled databases
33	#
34
35	diff --git a/policy/mls b/policy/mls
36	index 69ca7263..2dadd205 100644
37	--- a/policy/mls
38	+++ b/policy/mls
39	@@ -281,6 +281,14 @@ mlsconstrain msg send
40	# { ipc sem msgq shm } associate
41
42
43	+#
44	+# MLS policy for the key class
45	+#
46	+
47	+mlsconstrain key { create link read search setattr view write }
48	+ (( l1 eq l2 ) or
49	+ (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
50	+ ( t1 == mlskeywrite ));
51
52
53	#
54
55	diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
56	index 3929ffc4..b09c0a5a 100644
57	--- a/policy/modules/kernel/mls.if
58	+++ b/policy/modules/kernel/mls.if
59	@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
60
61	########################################
62	## <summary>
63	+## Make specified domain MLS trusted
64	+## for writing to keys up to
65	+## its clearance.
66	+## </summary>
67	+## <param name="domain">
68	+## <summary>
69	+## Domain allowed access.
70	+## </summary>
71	+## </param>
72	+## <rolecap/>
73	+#
74	+interface(`mls_key_write_to_clearance',`
75	+ gen_require(`
76	+ attribute mlskeywritetoclr;
77	+ ')
78	+
79	+ typeattribute $1 mlskeywritetoclr;
80	+')
81	+
82	+########################################
83	+## <summary>
84	+## Make specified domain MLS trusted
85	+## for writing to keys at all levels.
86	+## </summary>
87	+## <param name="domain">
88	+## <summary>
89	+## Domain allowed access.
90	+## </summary>
91	+## </param>
92	+## <rolecap/>
93	+#
94	+interface(`mls_key_write_all_levels',`
95	+ gen_require(`
96	+ attribute mlskeywrite;
97	+ ')
98	+
99	+ typeattribute $1 mlskeywrite;
100	+')
101	+
102	+########################################
103	+## <summary>
104	## Allow the specified domain to do a MLS
105	## range transition that changes
106	## the current level.
107
108	diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
109	index 15e50a36..e879ddd3 100644
110	--- a/policy/modules/kernel/mls.te
111	+++ b/policy/modules/kernel/mls.te
112	@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
113	attribute mlsipcwrite;
114	attribute mlsipcwritetoclr;
115
116	+attribute mlskeywrite;
117	+attribute mlskeywritetoclr;
118	+
119	attribute mlsprocread;
120	attribute mlsprocreadtoclr;
121	attribute mlsprocwrite;

Gentoo Archives: gentoo-commits