From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1513166365.414de294634f9a02b072c433c1aab4387f60925e.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/mls policy/modules/kernel/mls.if policy/modules/kernel/mls.te
X-VCS-Directories: policy/ policy/modules/kernel/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 414de294634f9a02b072c433c1aab4387f60925e
X-VCS-Branch: swift
Date: Thu, 18 Jan 2018 16:15:41 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 165c387d-b174-4326-93e6-db97c6fb58b9
X-Archives-Hash: f6ca5b1ef1485e31fd1b3ff4817a9807

commit:     414de294634f9a02b072c433c1aab4387f60925e
Author:     Chad Hanson gmail com>
AuthorDate: Mon Dec 11 04:02:15 2017 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Wed Dec 13 11:59:25 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=414de294

Fix implementation of MLS file relabel attributes

This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabeltoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege.

I concur with creating new attributes for this situation. I have created the patch below.

Signed-off-by: Chad Hanson gmail.com>

 policy/mls                   |  2 +-
 policy/modules/kernel/mls.if | 28 ++++++++++++++++++++++++----
 policy/modules/kernel/mls.te |  3 ++-
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/policy/mls b/policy/mls index 2dadd205..73ff301b 100644 --- a/policy/mls +++ b/policy/mls @@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto (( h1 dom h2 ) or (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfilewrite )); + ( t1 == mlsfilerelabel )); # the file "read" ops (note the check is dominance of the low level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index b09c0a5a..2e2bebc2 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -74,6 +74,26 @@ interface(`mls_file_write_to_clearance',` ######################################## ## ## Make specified domain MLS trusted +## for writing to files at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_file_write_all_levels',` + gen_require(` + attribute mlsfilewrite; + ') + + typeattribute $1 mlsfilewrite; +') + +######################################## +## +## Make specified domain MLS trusted ## for relabelto to files up to its clearance. ## ## @@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',` ######################################## ## ## Make specified domain MLS trusted -## for writing to files at all levels. +## for relabelto to files at all levels. ## ## ## @@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',` ## ## # -interface(`mls_file_write_all_levels',` +interface(`mls_file_relabel',` gen_require(` - attribute mlsfilewrite; + attribute mlsfilerelabel; ') - typeattribute $1 mlsfilewrite; + typeattribute $1 mlsfilerelabel; ') ######################################## diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index ad74e81f..7c50e75c 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te 
@@ -10,9 +10,10 @@ attribute mlsfilereadtoclr; attribute mlsfilewrite; attribute mlsfilewritetoclr; attribute mlsfilewriteinrange; +attribute mlsfilerelabel; +attribute mlsfilerelabeltoclr; attribute mlsfileupgrade; attribute mlsfiledowngrade; -attribute mlsfilerelabeltoclr; attribute mlsnetread; attribute mlsnetreadtoclr;
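Review bot: in the policy/mls hunk, switching the last disjunct of the `relabelto` constraint on `{ dir file lnk_file chr_file blk_file sock_file fifo_file }` from `( t1 == mlsfilewrite )` to `( t1 == mlsfilerelabel )` is a behaviour change, not just a cleanup: any domain that today gets cross-level relabelto through `mls_file_write_all_levels` loses it unless it is also granted `mlsfilerelabel`, and nothing in this patch calls the new `mls_file_relabel()`. Before merging, check the tree for callers of `mls_file_write_all_levels` that also relabel files and add `mls_file_relabel($1)` where needed; the separation of write from relabel is the right direction, but the commit message should state that existing callers may now hit MLS constraint denials that the TE allow rules alone will not explain.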
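Review bot: the first mls.if hunk (`@@ -74,6 +74,26 @@`) re-creates `mls_file_write_all_levels`, doc block and `typeattribute $1 mlsfilewrite;` included, above `mls_file_relabel_to_clearance`, while the later hunk deletes the original in place; the net effect is a move that inflates the diff and hides that the real change is one renamed interface. Simpler to leave `mls_file_write_all_levels` where it was and add the new `mls_file_relabel` interface after `mls_file_relabel_to_clearance`, so the .if change is a pure addition and `git blame` on the write interface stays intact.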
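Review bot: in the `@@ -94,7 +114,7 @@` hunk the summary line changes from "for writing to files at all levels" to "for relabelto to files at all levels", which correctly matches the body that the following hunk renames; style only, but "for relabeling files at all levels" reads more naturally and mirrors the "writing to files" phrasing used for the write interface.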
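Review bot: in the `@@ -103,12 +123,12 @@` hunk the renamed interface is `mls_file_relabel`, yet its write counterpart is `mls_file_write_all_levels` and its clearance-bounded sibling is `mls_file_relabel_to_clearance`; naming it `mls_file_relabel_all_levels` would keep the `_all_levels` / `_to_clearance` pairing consistent and make the scope obvious at the call site. The `gen_require(` attribute mlsfilerelabel; `)` is satisfied by the mls.te hunk in this same patch, so the interface resolves as written.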
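Review bot: besides adding `attribute mlsfilerelabel;`, the mls.te hunk deletes and re-adds `attribute mlsfilerelabeltoclr;` purely to move it next to the new declaration; attribute declaration order carries no meaning, so this is cosmetic churn that could be dropped to keep the hunk to the one new line. If the move stays, placing `mlsfilerelabel` before `mlsfilerelabeltoclr` does at least match the existing `mlsfilewrite` / `mlsfilewritetoclr` ordering visible in the context lines.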