* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/
@ 2012-12-03  9:35 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-03  9:35 UTC (permalink / raw
  To: gentoo-commits

commit:     92d0e0f2b23eba1abdab38c534dda12e39390cc3
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Nov 27 16:59:19 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec  3 09:34:17 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=92d0e0f2

Implement mcs_constrained_type

This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.

This is, I think, to make sure that the specified processes cannot interact
with subjects or operate on objects regardless of their MCS range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/mcs                   |   30 ++++++++++++++++++++++++++----
 policy/modules/kernel/mcs.if |   28 ++++++++++++++++++++++++++++
 policy/modules/kernel/mcs.te |    1 +
 3 files changed, 55 insertions(+), 4 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index f477c7f..216b3d1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
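Review bot: The `( t1 != mcs_constrained_type ) and (t2 == domain)` clause is now repeated in seven constraints of this hunk, but nothing in the file says what the attribute means, and the list of exemptions in the header comment above (`#  - /proc/pid operations are not constrained.`) is the natural place for it. Suggest adding an entry there such as `#  - Domains with the mcs_constrained_type attribute do not get the domain-target exemption; category dominance is enforced for them even when the target is another domain.` Spacing also varies between `( t2 == domain )` on the fifo_file rule and `(t2 == domain)` everywhere else; pick one form. Note that the new `{ lnk_file chr_file blk_file sock_file } { getattr read ioctl }` rule constrains getattr while the `file` read rule above does not; if that asymmetry is intentional, a one-line comment would keep a later reader from "fixing" it.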
@@ -101,6 +117,12 @@ mlsconstrain process { ptrace }
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
 
+mlsconstrain process { signal }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
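Review bot: The new `process { signal }` and `node_bind` rules apply only when `t1` is `mcs_constrained_type`, whereas the `{ sigkill sigstop }` rule just above binds every domain (with the mcskillall exemption), and the hunk gives no comment for the narrower scope. Suggest prefixing the two rules with `# Only MCS-constrained domains are category-restricted for plain signals and node binding; other domains keep the unconstrained default.` The signal rule also covers only `signal`, not `signull` or `sigchld`; if those are meant to stay unconstrained for constrained domains, say so in the same comment.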

diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index f52faaf..508e609 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -102,3 +102,31 @@ interface(`mcs_process_set_categories',`
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+## <summary>
+##	Constrain by category access control (MCS).
+## </summary>
+## <desc>
+##	<p>
+##	Constrain the specified type by category based
+##	access control (MCS) This prevents this domain from
+##	interacting with subjects and operating on objects
+##	that it otherwise would be able to interact
+##	with or operate on respectively.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be constrained by MCS.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`mcs_constrained',`
+	gen_require(`
+		attribute mcs_constrained_type;
+	')
+
+	typeattribute $1 mcs_constrained_type;
+')
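Review bot: The `<desc>` text for `mcs_constrained` has a missing sentence break (`(MCS) This prevents`) and describes the effect only abstractly, so a caller cannot tell what actually changes. Suggest `Constrain the specified type by category based access control (MCS). The domain loses the exemption that normally applies when the target is another domain, so category dominance is enforced for its file, directory, signal and node_bind accesses.` That wording matches the constraints added to policy/mcs in this commit; if further classes are constrained later the list should follow.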

diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 0e5b661..c608a8b 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -10,3 +10,4 @@ attribute mcsptraceall;
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcs_constrained_type;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/
@ 2016-07-31 10:40 Sven Vermeulen
From: Sven Vermeulen @ 2016-07-31 10:40 UTC (permalink / raw
  To: gentoo-commits

commit:     27f9f6206cc09e345feb25ca3a1a1905b48e769b
Author:     Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Wed Jul 27 15:35:03 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 31 10:39:59 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f9f620

Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.

Example of denial:
type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir

 policy/mls                   |  4 +++-
 policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
 policy/modules/kernel/mls.te |  1 +
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/policy/mls b/policy/mls
index 3603de1..db3ed90 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 
 # new file labels must be dominated by the relabeling subjects clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
-	( h1 dom h2 );
+	(( h1 dom h2 ) or
+	(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+	( t1 == mlsfilewrite ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
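Review bot: The new `mlsfilerelabeltoclr` branch checks `( h1 dom l2 )`, the target's low level, not its high level, so a subject whose clearance is below the target's high level can still relabel to that range; the denial quoted in the commit message (subject `rpm_t:s0`, target `s0-s15:c0.c1023`) is exactly such a case and would pass under the new branch, if I read the levels correctly. The interface summary in mls.if (`for relabelto to files up to its clearance`) therefore overstates the check; it should say the target's low level must be dominated by the subject's clearance, or the expression should become `( h1 dom h2 )` if a full-range check is really intended (which would still deny the quoted case). The `( t1 == mlsfilewrite )` branch is a second, broader exemption that the description does not mention; either document it in the commit message or drop it from this change. The mls.if hunk shares the wording problem; the mls.te hunk is only the declaration.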

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 27d6401..829605b 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
+##	for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+	gen_require(`
+		attribute mlsfilerelabeltoclr;
+	')
+
+	typeattribute $1 mlsfilerelabeltoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
 ##	for writing to files at all levels.  (Deprecated)
 ## </summary>
 ## <desc>
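Review bot: The summary of `mls_file_relabel_to_clearance` says `for relabelto to files`, but the constraint it feeds in policy/mls covers `{ dir file lnk_file chr_file blk_file sock_file fifo_file }`, so callers will under-estimate what the attribute grants. Suggest `Make specified domain MLS trusted for relabelto on filesystem objects (dirs, files, symlinks, device, socket and fifo files) whose low level is dominated by its clearance.` The neighbouring deprecated interface carries a `<desc>` block; adding one here that names the attribute (`mlsfilerelabeltoclr`) would keep the file consistent.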

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e508050..13b8625 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/, policy/modules/kernel/
@ 2017-11-05  8:01 Jason Zaman
From: Jason Zaman @ 2017-11-05  8:01 UTC (permalink / raw
  To: gentoo-commits

commit:     c12c719d9ac0789fa319eaf9aa06731bfdf47827
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov  2 17:30:45 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov  5 06:38:35 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12c719d

mls mcs: Add constraints for key class

Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs

 policy/mcs                   |  3 +++
 policy/mls                   |  8 ++++++++
 policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |  3 +++
 4 files changed, 55 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
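Review bot: The new key constraint lands without a section heading, while the matching addition to policy/mls in this same commit gets `# MLS policy for the key class`; add `# MCS policy for the key class` above it so the two files stay symmetric and the rule is findable. Since it reuses the `mcs_constrained_type` exemption rather than the mcsreadall/mcswriteall attributes used for files, a short comment saying that keys are constrained only for MCS-constrained domains would also help.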

diff --git a/policy/mls b/policy/mls
index 69ca7263..2dadd205 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlskeywrite ));
 
 
 #
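Review bot: The single constraint applies `( l1 eq l2 )` to `read`, `search` and `view` as well as to the write-type permissions, so a higher-level subject cannot read a lower-level key, and the `mlskeywritetoclr` exemption (`( h1 dom l2 ) and ( l1 domby l2 )`) admits read/search/view of keys above the subject's current level up to its clearance, which is read-up despite the attribute's name. If treating keys as read-write objects is intended (it matches the Fedora source cited in the description), document it: `# Keys are treated as read-write objects: access requires equal levels; the *writetoclr exemption also admits read/search/view of keys above l1, up to h1.` Otherwise split the permission set so that `{ read search view }` use `( l1 dom l2 )` and only `{ create link setattr write }` carry the write-up exemptions. The two interface summaries in mls.if (`for writing to keys`) inherit the same gap; the mls.te hunk is only the declarations.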

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc4..b09c0a5a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
 
 ########################################
 ## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+	gen_require(`
+		attribute mlskeywritetoclr;
+	')
+
+	typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+	gen_require(`
+		attribute mlskeywrite;
+	')
+
+	typeattribute $1 mlskeywrite;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to do a MLS
 ##	range transition that changes
 ##	the current level.

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a36..e879ddd3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;


