commit: 2de290b85e9d1c50e4e6f076a16fc803dfab4adc |
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com> |
AuthorDate: Thu Jun 23 19:29:50 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 18:41:55 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2de290b8 |
|
mcs: Reorganize file. |
|
Add more comments. |
|
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/mcs | 53 ++++++++++++++++++++++++++++++++++++----------------- |
1 file changed, 36 insertions(+), 17 deletions(-) |
|
diff --git a/policy/mcs b/policy/mcs |
19 |
index c3d76d09..30129dcb 100644 |
20 |
--- a/policy/mcs |
21 |
+++ b/policy/mcs |
22 |
@@ -82,10 +82,15 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } |
23 |
((( h1 dom h2 ) and ( l2 eq h2 )) or |
24 |
( t1 != mcs_constrained_type )); |
25 |
|
26 |
- |
27 |
+# |
28 |
+# MCS policy for process classes |
29 |
+# |
30 |
mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal getsession getattr getsched setsched getrlimit setrlimit getpgid setpgid getcap setcap share setexec setfscreate setcurrent setsockcreate } |
31 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
32 |
|
33 |
+# |
34 |
+# MCS policy for socket classes |
35 |
+# |
36 |
mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown } |
37 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
38 |
|
39 |
@@ -101,9 +106,16 @@ mlsconstrain unix_stream_socket connectto |
40 |
mlsconstrain unix_dgram_socket sendto |
41 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
42 |
|
43 |
+ |
44 |
+# |
45 |
+# MCS policy for key class |
46 |
+# |
47 |
mlsconstrain key { create link read search setattr view write } |
48 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
49 |
|
50 |
+# |
51 |
+# MCS policy for SysV IPC |
52 |
+# |
53 |
mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write } |
54 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
55 |
|
56 |
@@ -116,9 +128,32 @@ mlsconstrain msgq enqueue |
57 |
mlsconstrain shm lock |
58 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
59 |
|
60 |
+# |
61 |
+# MCS policy for context class |
62 |
+# |
63 |
mlsconstrain context contains |
64 |
((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 != mcs_constrained_type )); |
65 |
|
66 |
+# |
67 |
+# MCS policy for network classes |
68 |
+# |
69 |
+ |
70 |
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation |
71 |
+# because the subject in this particular case is the remote domain which is |
72 |
+# writing data out the network node which is acting as the object |
73 |
+mlsconstrain { node } { recvfrom sendto } |
74 |
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); |
75 |
+ |
76 |
+mlsconstrain { packet peer } { recv } |
77 |
+ (( l1 dom l2 ) or |
78 |
+ (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ))); |
79 |
+ |
80 |
+# The netif ingress/egress ops, the ingress permission is a "write" operation |
81 |
+# because the subject in this particular case is the remote domain which is |
82 |
+# writing data out the network interface which is acting as the object |
83 |
+mlsconstrain { netif } { egress ingress } |
84 |
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); |
85 |
+ |
86 |
# |
87 |
# MCS policy for SELinux-enabled databases |
88 |
# |
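Review bot: The relocated network rules under the new "MCS policy for network classes" header are the only constraints in this file that compare the low level (`( l1 dom l2 )`) rather than the high level (`( h1 dom h2 )`) used by every other rule in the hunks above, and the `{ packet peer } { recv }` rule is the only one that additionally exempts the object side with `( t2 != mcs_constrained_type )`; since this commit is adding section comments, those two deliberate-looking asymmetries are exactly what the new header should explain so a later cleanup does not "normalize" them. I would extend the header with `# NOTE: unlike the rest of this file these compare l1 dom l2 (not h1 dom h2), and the packet/peer recv rule also exempts an unconstrained t2 -- document the rationale before changing either.` The existing node/netif comments only explain the subject/object inversion for recvfrom/ingress, not the level choice, so the reason is presumably in the original design rather than visible here and should be confirmed with the author before being stated as fact.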
89 |
@@ -162,20 +197,4 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } |
90 |
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } |
91 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
92 |
|
93 |
-# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation |
94 |
-# because the subject in this particular case is the remote domain which is |
95 |
-# writing data out the network node which is acting as the object |
96 |
-mlsconstrain { node } { recvfrom sendto } |
97 |
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); |
98 |
- |
99 |
-mlsconstrain { packet peer } { recv } |
100 |
- (( l1 dom l2 ) or |
101 |
- (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ))); |
102 |
- |
103 |
-# The netif ingress/egress ops, the ingress permission is a "write" operation |
104 |
-# because the subject in this particular case is the remote domain which is |
105 |
-# writing data out the network interface which is acting as the object |
106 |
-mlsconstrain { netif } { egress ingress } |
107 |
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); |
108 |
- |
109 |
') dnl end enable_mcs |