* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/, policy/modules/kernel/
@ 2018-01-18 16:15 Sven Vermeulen
From: Sven Vermeulen @ 2018-01-18 16:15 UTC
To: gentoo-commits
commit: 414de294634f9a02b072c433c1aab4387f60925e
Author: Chad Hanson <dahchanson <AT> gmail <DOT> com>
AuthorDate: Mon Dec 11 04:02:15 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 11:59:25 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=414de294
Fix implementation of MLS file relabel attributes
This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabeltoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below.
Signed-off-by: Chad Hanson <dahchanson <AT> gmail.com>
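The point of the split is visible in the relabelto constraint in policy/mls: before the patch a domain carrying mlsfilewrite passed that constraint for any target level, afterwards only a domain carrying mlsfilerelabel does. The following is an added example, not code from this commit or from refpolicy: a small Python model of that constraint, evaluating the pre-patch and post-patch expressions against constructed contexts. The attribute names mlsfilewrite, mlsfilerelabel and mlsfilerelabeltoclr are the ones in the patch; the level strings, the helper names and the `patched` switch are assumptions made for the illustration. `t1 == attr` is modelled as set membership, which is how a type-vs-attribute comparison behaves in an SELinux constraint.

```python
"""Added example (not part of the refpolicy commit): a Python model of the
MLS 'relabelto' file constraint from policy/mls, before and after the
mlsfilewrite -> mlsfilerelabel split, so the effect of the change on a
trusted domain can be checked without building a policy.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity index plus a set of category indices."""
    sens: int
    cats: frozenset

    def dom(self, other):
        # 'dom' as in the policy language: sensitivity is higher or equal
        # and the category set is a superset.
        return self.sens >= other.sens and self.cats >= other.cats


_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_level(text):
    """Parse 's2:c0.c3,c7' into a Level (c0.c3 is a category range)."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad level: {text!r}")
    cats = set()
    if m.group(2):
        for part in m.group(2).split(","):
            if "." in part:
                lo, hi = (int(p[1:]) for p in part.split("."))
                cats.update(range(lo, hi + 1))
            else:
                cats.add(int(part[1:]))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text):
    """Parse 'low-high'; a single level means low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, parse_level(high) if high else lo


@dataclass(frozen=True)
class Context:
    """The parts of a security context the constraint looks at: the
    attributes of the type (t1 == attr is set membership) and the MLS range."""
    attrs: frozenset
    low: Level
    high: Level


def ctx(attrs, mls_range):
    lo, hi = parse_range(mls_range)
    return Context(frozenset(attrs), lo, hi)


def relabelto_permitted(src, tgt, patched):
    """Evaluate the mlsconstrain on 'relabelto' for the file-like classes.

    patched=False models the pre-commit expression, whose third disjunct is
    (t1 == mlsfilewrite); patched=True models the committed expression, whose
    third disjunct is (t1 == mlsfilerelabel). h1/h2 are the high levels of
    source and target, l2 is the target's low level.
    """
    h1, h2, l2 = src.high, tgt.high, tgt.low
    if h1.dom(h2):
        return True
    if "mlsfilerelabeltoclr" in src.attrs and h1.dom(l2):
        return True
    trusted = "mlsfilerelabel" if patched else "mlsfilewrite"
    return trusted in src.attrs


def demo():
    # Constructed sample contexts for the illustration (not from the page).
    new_label = ctx(set(), "s3:c0.c5")                       # label being applied
    writer = ctx({"mlsfilewrite"}, "s0-s1:c0.c5")            # write-trusted only
    relabeler = ctx({"mlsfilerelabel"}, "s0-s1:c0.c5")       # relabel-trusted only
    to_clr = ctx({"mlsfilerelabeltoclr"}, "s0-s3:c0.c5")     # trusted up to clearance
    high_range = ctx(set(), "s1-s4:c0.c5")                   # low within, high above clearance
    return {
        "writer_before": relabelto_permitted(writer, new_label, patched=False),
        "writer_after": relabelto_permitted(writer, new_label, patched=True),
        "relabeler_after": relabelto_permitted(relabeler, new_label, patched=True),
        "toclr_high_range": relabelto_permitted(to_clr, high_range, patched=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'permitted' if ok else 'denied'}")
```

Running it shows the behaviour change the commit message describes: the write-trusted domain is permitted to relabel to s3 before the patch and denied after it, while only a domain explicitly given mlsfilerelabel passes the patched constraint; the mlsfilerelabeltoclr case is unchanged by the patch and still only needs the target's low level to be dominated by the source's clearance.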
policy/mls | 2 +-
policy/modules/kernel/mls.if | 28 ++++++++++++++++++++++++----
policy/modules/kernel/mls.te | 3 ++-
3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/policy/mls b/policy/mls
index 2dadd205..73ff301b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
(( h1 dom h2 ) or
(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsfilewrite ));
+ ( t1 == mlsfilerelabel ));
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
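Review bot: swapping the third disjunct from mlsfilewrite to mlsfilerelabel is a silent capability change for every domain that currently receives mlsfilewrite through mls_file_write_all_levels() and relies on it to relabel files across levels, and the diffstat shows only policy/mls, mls.if and mls.te changing, so no caller is migrated in this patch. Either confirm that no module depends on the old behaviour or add a matching mls_file_relabel() call beside each affected mls_file_write_all_levels() call in the same commit. Also check the neighbouring `{ create relabelto }` constraint on `{ file lnk_file fifo_file }` visible in the hunk header: if its trusted case is still expressed via mlsfilewrite, the split remains incomplete for those classes.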
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index b09c0a5a..2e2bebc2 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -74,6 +74,26 @@ interface(`mls_file_write_to_clearance',`
########################################
## <summary>
## Make specified domain MLS trusted
+## for writing to files at all levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_all_levels',`
+ gen_require(`
+ attribute mlsfilewrite;
+ ')
+
+ typeattribute $1 mlsfilewrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
## for relabelto to files up to its clearance.
## </summary>
## <param name="domain">
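Review bot: the re-inserted mls_file_write_all_levels() block is the natural place to document the new semantics, and its summary does not mention them. After this patch mlsfilewrite satisfies only the write constraints and no longer satisfies the relabelto constraint, so a caller that relabels files must also call mls_file_relabel(); suggest adding a line such as `## This does not permit relabelto across levels; see mls_file_relabel().` under the summary so the capability split is discoverable from the interface documentation rather than only from policy/mls.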
@@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',`
########################################
## <summary>
## Make specified domain MLS trusted
-## for writing to files at all levels.
+## for relabelto to files at all levels.
## </summary>
## <param name="domain">
## <summary>
@@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',`
## </param>
## <rolecap/>
#
-interface(`mls_file_write_all_levels',`
+interface(`mls_file_relabel',`
gen_require(`
- attribute mlsfilewrite;
+ attribute mlsfilerelabel;
')
- typeattribute $1 mlsfilewrite;
+ typeattribute $1 mlsfilerelabel;
')
########################################
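Review bot: naming. mls_file_relabel() breaks the pattern of its siblings mls_file_write_all_levels() and mls_file_relabel_to_clearance(): the name alone does not say which levels it covers and reads like a plain TE relabel interface rather than an MLS override. Suggest mls_file_relabel_all_levels(), mirroring the _to_clearance/_all_levels pairs already used for read and write, with the attribute name left as is.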
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index ad74e81f..7c50e75c 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -10,9 +10,10 @@ attribute mlsfilereadtoclr;
attribute mlsfilewrite;
attribute mlsfilewritetoclr;
attribute mlsfilewriteinrange;
+attribute mlsfilerelabel;
+attribute mlsfilerelabeltoclr;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
-attribute mlsfilerelabeltoclr;
attribute mlsnetread;
attribute mlsnetreadtoclr;
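Review bot: declaring mlsfilerelabel here is required, since the relabelto constraint in policy/mls now names it and a constraint referencing an undeclared attribute fails at policy build time; that part is fine. Moving mlsfilerelabeltoclr from after mlsfiledowngrade to sit next to mlsfilerelabel is a pure reorder that the commit message does not mention; either note it (grouping the relabel attributes with the read and write pairs) or drop it so the diff stays minimal.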