
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
Date: Sat, 03 Sep 2022 19:54:09
Message-Id: 1662230515.2de290b85e9d1c50e4e6f076a16fc803dfab4adc.perfinion@gentoo
1 commit: 2de290b85e9d1c50e4e6f076a16fc803dfab4adc
2 Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
3 AuthorDate: Thu Jun 23 19:29:50 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 3 18:41:55 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2de290b8
7
8 mcs: Reorganize file.
9
10 Add more comments.
11
12 Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/mcs | 53 ++++++++++++++++++++++++++++++++++++-----------------
16 1 file changed, 36 insertions(+), 17 deletions(-)
17
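--- a/policy/mcs
+++ b/policy/mcs
@@ -82,10 +82,15 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 ((( h1 dom h2 ) and ( l2 eq h2 )) or
 ( t1 != mcs_constrained_type ));
 
-
+#
+# MCS policy for process classes
+#
 mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal getsession getattr getsched setsched getrlimit setrlimit getpgid setpgid getcap setcap share setexec setfscreate setcurrent setsockcreate }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+#
+# MCS policy for socket classes
+#
 mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
@@ -101,9 +106,16 @@ mlsconstrain unix_stream_socket connectto
 mlsconstrain unix_dgram_socket sendto
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+
+#
+# MCS policy for key class
+#
 mlsconstrain key { create link read search setattr view write }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+#
+# MCS policy for SysV IPC
+#
 mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
@@ -116,9 +128,32 @@ mlsconstrain msgq enqueue
 mlsconstrain shm lock
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+#
+# MCS policy for context class
+#
 mlsconstrain context contains
 ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 != mcs_constrained_type ));
 
+#
+# MCS policy for network classes
+#
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+ (( l1 dom l2 ) or
+ (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
@@ -162,20 +197,4 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
-# because the subject in this particular case is the remote domain which is
-# writing data out the network node which is acting as the object
-mlsconstrain { node } { recvfrom sendto }
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { packet peer } { recv }
- (( l1 dom l2 ) or
- (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
-
-# The netif ingress/egress ops, the ingress permission is a "write" operation
-# because the subject in this particular case is the remote domain which is
-# writing data out the network interface which is acting as the object
-mlsconstrain { netif } { egress ingress }
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
-
 ') dnl end enable_mcs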
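Review bot: The relocated `mlsconstrain { packet peer } { recv }` rule in the third hunk is the only network constraint left without a comment, and it is also the only rule shown whose exemption tests both `t1` and `t2` against `mcs_constrained_type`. Since the commit's purpose is to add comments, I would put a line above it such as `# Exempt only when neither the subject type nor the object type is mcs_constrained_type`. The new "MCS policy for network classes" header could also state that these three rules compare low levels (`l1 dom l2`) where the other sections in this diff use `h1 dom h2`. The reason for that difference is not visible here, so the wording should be confirmed by someone who knows the intent. The rules themselves appear to be moved unchanged from the end of the file.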