commit: c12c719d9ac0789fa319eaf9aa06731bfdf47827 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Nov 2 17:30:45 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 5 06:38:35 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12c719d |
|
mls mcs: Add constraints for key class |
|
Taken from Fedora's policy |
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls |
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs |
|
policy/mcs | 3 +++ |
policy/mls | 8 ++++++++ |
policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++ |
policy/modules/kernel/mls.te | 3 +++ |
4 files changed, 55 insertions(+) |
|
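--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #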
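--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+ (( l1 eq l2 ) or
+ (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlskeywrite ));
 
 
 #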
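Review bot: The new constraint at `mlsconstrain key { create link read search setattr view write }` gates the read-side permissions (read, search, view) with the same equality rule and the same write-trust attributes as the write-side ones, so a domain that only needs to search or view keys at a lower level has to be granted mlskeywrite, which also lets it write keys at every level. The other classes in this file pair a read constraint with a write constraint backed by separate attributes (the mls.te hunk in this same commit shows mlsipcread/mlsipcreadtoclr next to mlsipcwrite/mlsipcwritetoclr), so keys become the one class where read access is tied to write trust. If the equality rule for reads is deliberate (it is what the Fedora source shows), a comment under `# MLS policy for the key class` saying so would stop the next reader from "fixing" it; otherwise split it into a read-down constraint with its own read attributes (mlskeyread and mlskeyreadtoclr are proposed names and would need declaring in mls.te plus interfaces in mls.if) and keep the equality constraint for the write permissions only.
```selinux
# … unchanged: "MLS policy for the key class" comment header …
mlsconstrain key { read search view }
	(( l1 dom l2 ) or
	 (( t1 == mlskeyreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlskeyread ));

mlsconstrain key { create link setattr write }
	(( l1 eq l2 ) or
	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlskeywrite ));
```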
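--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
 
 ########################################
 ## <summary>
+## Make specified domain MLS trusted
+## for writing to keys up to
+## its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+ gen_require(`
+ attribute mlskeywritetoclr;
+ ')
+
+ typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+ gen_require(`
+ attribute mlskeywrite;
+ ')
+
+ typeattribute $1 mlskeywrite;
+')
+
+########################################
+## <summary>
 ## Allow the specified domain to do a MLS
 ## range transition that changes
 ## the current level.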
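Review bot: The summaries of `mls_key_write_to_clearance` and `mls_key_write_all_levels` describe the attributes as trusting the domain "for writing to keys", but the constraint this commit adds to policy/mls applies mlskeywritetoclr and mlskeywrite to read, search and view as well, so a caller also gains read access to keys above its current level (up to its clearance for the first interface, at every level for the second). The interface documentation should say so, e.g. `## for reading and writing keys up to` / `## its clearance.` and `## for reading and writing keys at all levels.`, so that whoever calls these from a user or admin template knows they are granting read-up and not only write-up. Both interfaces otherwise follow the existing mls_sysvipc_write_all_levels pattern visible in the hunk header.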
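--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;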