* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Sven Vermeulen @ 2012-06-23 13:40 UTC
To: gentoo-commits
commit: ba5aeec9c3071233c4980ccd923e3e46930923b5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 29 18:04:06 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 29 18:04:06 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba5aeec9
Remove execute priv for db_schema constraint
---
policy/mcs | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index 51797b2..9be762b 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -117,7 +117,7 @@ mlsconstrain { db_tuple } { insert relabelto }
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
( h1 dom h2 );
-mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
+mlsconstrain db_schema { drop getattr setattr relabelfrom }
( h1 dom h2 );
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock }
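Review bot: the commit message says what is dropped but not why; record the reason (presumably that `execute` is not a permission of the `db_schema` class, so the constraint would not compile) so the change can be checked against the access vector definitions. The later form of this rule elsewhere in this thread reads `db_schema { drop getattr setattr relabelfrom search }`, so if schema lookup is meant to be covered, adding `search` here in the same change would avoid leaving it unconstrained in the meantime.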
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Sven Vermeulen @ 2013-09-24 17:10 UTC
To: gentoo-commits
commit: ee70407f0b85b271714da5ecfe4f8546b14e2f89
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Aug 26 12:30:05 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:38:46 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee70407f
Add MLS constraints for x_pointer and x_keyboard.
---
policy/mls | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/policy/mls b/policy/mls
index d218387..f11e5e2 100644
--- a/policy/mls
+++ b/policy/mls
@@ -666,6 +666,42 @@ mlsconstrain x_application_data { paste_after_confirm }
( l1 dom l2 );
+#
+# MLS policy for the x_pointer class
+#
+
+# the x_pointer "read" ops
+mlsconstrain x_pointer { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_pointer "write" ops (implicit single level)
+mlsconstrain x_pointer { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
+#
+# MLS policy for the x_keyboard class
+#
+
+# the x_keyboard "read" ops
+mlsconstrain x_keyboard { getattr use read getfocus grab }
+ (( l1 dom l2 ) or
+ (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsxwinread ));
+
+# the x_keyboard "write" ops (implicit single level)
+mlsconstrain x_keyboard { setattr write setfocus bell force_cursor freeze manage }
+ (( l1 eq l2 ) or
+ (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsxwinwritexinput ) or
+ ( t1 == mlsxwinwrite ));
+
+
#
# MLS policy for the dbus class
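Review bot: the x_pointer block and the x_keyboard block are identical line for line, so they will drift apart on the next edit; write them once as `mlsconstrain { x_pointer x_keyboard } { getattr use read getfocus grab }` and `mlsconstrain { x_pointer x_keyboard } { setattr write setfocus bell force_cursor freeze manage }`, with the section comment naming both classes. If either class carries permissions outside these two lists, one line saying why they stay unconstrained would help the next reader.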
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Sven Vermeulen @ 2014-04-30 17:14 UTC
To: gentoo-commits
commit: b6f1627239205eba70ac3879a8e6d077db036062
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Apr 28 14:19:22 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Apr 30 17:13:00 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6f16272
Fix error in default_user example.
---
policy/context_defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/context_defaults b/policy/context_defaults
index aee96cd..a2c9a62 100644
--- a/policy/context_defaults
+++ b/policy/context_defaults
@@ -5,7 +5,7 @@
#
# Examples:
#
-#default_role process user;
+#default_user process source;
#default_role process source;
#default_type process source;
#default_range process source low;
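Review bot: the old example was wrong in two ways, a duplicated `default_role` statement and `user`, which is not a valid argument (the statements take `source` or `target`); the replacement `#default_user process source;` fixes both, but the commit message only says "fix error", so naming the actual error there would help anyone reading the history of these examples later.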
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Sven Vermeulen @ 2015-02-15 17:39 UTC
To: gentoo-commits
commit: 5b8d41a56f311e6238010a2b2d42480f904eefb6
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 27 22:25:36 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:36:25 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5b8d41a5
Add always_check_network policy capability.
Disabled by default, as most systems don't want/need this.
---
policy/policy_capabilities | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index db3cbca..70a4311 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -31,3 +31,13 @@ policycap network_peer_controls;
# blk_file: open
#
policycap open_perms;
+
+# Always enforce network access controls, even
+# if labeling is not configured for them.
+# Available in kernel 3.13+
+#
+# Checks enabled:
+# packet: send recv
+# peer: recv
+#
+# policycap always_check_network;
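Review bot: the new comment block should say what happens when this is uncommented: with `always_check_network` on and no SECMARK or NetLabel configuration, the `packet: send recv` and `peer: recv` checks listed here still run, against the unlabeled packet and peer types, so every networking domain then needs explicit unlabeled-packet access or its traffic is denied. As written, "even if labeling is not configured for them" reads as harmless. Since the line ships commented out, the commit message should also say that enabling it needs the 3.13+ kernel named in the comment.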
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2016-01-30 17:21 UTC
To: gentoo-commits
commit: 1f34c6dfe967939b8d7afa2ec9ed57c57de5c5f7
Author: Mike Palmiotto <mike.palmiotto <AT> crunchydata <DOT> com>
AuthorDate: Wed Jan 27 20:21:36 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34c6df
Add mls support for some db classes
Mirror file/dir approach.
db objects which do not contain other objects at multiple levels are analogous
to files:
db_sequence
db_view
db_procedure
db_language
db_tuple
db_blob
db objects which are capable of holding objects at multiple levels are
analogous to dirs:
db_database
db_schema
db_table
db_column
policy/mls | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/mls b/policy/mls
index 06e5106..70ed808 100644
--- a/policy/mls
+++ b/policy/mls
@@ -763,13 +763,14 @@ mlsconstrain context contains
#
# make sure these database classes are "single level"
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
( l2 eq h2 );
+
mlsconstrain { db_tuple } { insert relabelto }
( l2 eq h2 );
# new database labels must be dominated by the relabeling subjects clearance
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
+mlsconstrain { db_database db_schema db_table db_column } { relabelto }
( h1 dom h2 );
# the database "read" ops (note the check is dominance of the low level)
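Review bot: the second constraint loses the file-like classes, so after this hunk `relabelto` on `db_sequence`, `db_view`, `db_procedure`, `db_language`, `db_blob` and `db_tuple` only has to satisfy `( l2 eq h2 )`; nothing requires the new label to be dominated by the subject's clearance any more, which the pre-change rule did for every class. The file policy being mirrored applies both checks (single-level, plus `( h1 dom h2 )` on relabelto), so keep those classes in the `{ relabelto } ( h1 dom h2 )` constraint, or state why a subject may relabel a sequence or tuple above its own clearance.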
@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
-# the "single level" file "write" ops
+# the "single level" database "write" ops
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Sven Vermeulen @ 2018-01-18 16:37 UTC
To: gentoo-commits
commit: a8daf242da364dcdc2f3a678daca42160d579c67
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jan 16 23:52:39 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:50 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8daf242
Enable cgroup_seclabel and nnp_nosuid_transition.
policy/policy_capabilities | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index a6987a44..206cdda9 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -89,12 +89,12 @@ policycap extended_socket_class;
#
# Added checks:
# (none)
-#policycap cgroup_seclabel;
+policycap cgroup_seclabel;
# Enable NoNewPrivileges support. Requires libsepol 2.7+
-# and kernel 4.14 (estimated).
+# and kernel 4.14.
#
# Checks enabled;
# process2: nnp_transition, nosuid_transition
#
-#policycap nnp_nosuid_transition;
+policycap nnp_nosuid_transition;
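Review bot: turning both capabilities on makes the comment's "Requires libsepol 2.7+ and kernel 4.14" a hard build and boot requirement for everyone, but the commit message does not say so; state the new minimums in the message (and wherever the toolchain requirements are documented) so a policy build failure on an older libsepol is recognised as deliberate rather than reported as a regression.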
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: 7a1357306b6dd8d46b4b8ee2bc1c8cb3f70376b0
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:27:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a135730
mcs: restrict create, relabelto on mcs files
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index 44b57e59..d4d984e4 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -99,6 +99,9 @@ mlsconstrain file { create relabelto }
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+ (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
+
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
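Review bot: for `file`, the new rule duplicates the single-level check that the `file { create relabelto }` constraint named in the hunk header already imposes together with `( h1 dom h2 )`; rather than a second rule whose only new coverage is `lnk_file` and `fifo_file`, widen the existing rule to `{ file lnk_file fifo_file }` so both checks live in one place (the "combine single-level object creation constraints" commit later in this thread does exactly that, which suggests folding it in here).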
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: 88789af6ca837b3adf9af2dcf23857373f1c5be3
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:26:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88789af6
mcs: deprecate mcs overrides
Deprecate mcs overrides in favor of using mcs_constrained_type.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 34 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 20 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index c0d424a9..44b57e59 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain fifo_file { open }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
- (( t1 != mcs_constrained_type ) and (t2 == domain)));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or
+ ( t1 != mcs_constrained_type ));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 == mcsptraceall ));
+ (( h1 dom h2) or ( t1 != mcs_constrained_type ));
mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 == mcskillall ));
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
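Review bot: this is a behaviour change, not just a cleanup, and the commit message should say so. Before, the MCS category checks applied to every domain except those carrying `mcsreadall`, `mcswriteall`, `mcssetcats`, `mcsptraceall` or `mcskillall`, and the `( t1 != mcs_constrained_type )` escape was limited to `t2 == domain` targets (the `/proc/pid` case the comment at the top of the hunk mentions); after, every file, dir, process and relabel check is skipped for any subject that is not `mcs_constrained_type`, so a domain that relied on categories for separation is unconstrained until it is added to that attribute. Two follow-ups: the five attributes no longer appear in any constraint, so anything that still assigns them becomes a silent no-op and they should be removed or marked deprecated in the same change; and the comment "also the objects are single-level" now only holds for the `file { create relabelto }` rule, since `( l2 eq h2 )` was dropped from the seven-class rule below it.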
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: 240ae057dc8144fe1d97cdb21a37d12358c046b9
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Oct 14 14:21:48 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=240ae057
mcs: combine single-level object creation constraints
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index 1f24fd8a..cc922a02 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -91,7 +91,7 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
((( h1 dom h2 ) and ( l2 eq h2 )) or
( t1 != mcs_constrained_type ));
@@ -99,9 +99,6 @@ mlsconstrain file { create relabelto }
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
- (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
-
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
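Review bot: with `{ file lnk_file fifo_file } { create relabelto }` now requiring both `( h1 dom h2 )` and `( l2 eq h2 )`, the seven-class `{ create relabelto }` rule kept here re-checks `( h1 dom h2 )` for those same three classes; harmless, but either trim it to `{ dir chr_file blk_file sock_file }` or add a comment saying the overlap is intentional so nobody "fixes" one of the two later and changes the semantics.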
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: ce6b9741621671f51d8af101c01101a3fbb9c405
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:54:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ce6b9741
mcs: add additional constraints to databases
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index d4d984e4..9bd0166f 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -166,4 +166,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+ (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+ (( l1 dom l2 ) or
+ (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
') dnl end enable_mcs
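Review bot: `( t1 != msc_constrained_type )` in the `{ node } { recvfrom sendto }` rule is a typo for `mcs_constrained_type`; no attribute exists under that name, so this hunk does not build as posted (the `netif` rule two stanzas down spells it correctly). Two more points: the subject says "constraints to databases" but every rule added here is a network rule (`node_bind`, `node`, `packet`/`peer`, `netif`), so retitle it; and the `node_bind` class set lists `tcp_socket udp_socket rawip_socket` without `sctp_socket`, so an SCTP bind escapes a check that TCP, UDP and raw binds get.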
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: 6b92f35df5abb794f9d5fb51a09f259fa986465a
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:58:45 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b92f35d
mcs: constrain misc IPC objects
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index 9bd0166f..1f24fd8a 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
mlsconstrain key { create link read search setattr view write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
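Review bot: the new SysV IPC rule constrains only the mutating permissions (`create destroy setattr write unix_write`); `read` and `unix_read` are left out, so a subject with fewer categories can still read a shared-memory segment or message queue it is not allowed to write, the opposite of the file rules above, which constrain reads as well. Add the read-side permissions here (the later reorganisation in this thread shows the rule with `read unix_read` included), or comment why reads are exempt.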
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: e65914649a2dc3fae590c9df612c70b957a6ef5d
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 9 18:59:08 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6591464
mcs: only constrain mcs_constrained_type for db accesses
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index 023bd149..c9b7e83e 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -133,41 +133,41 @@ mlsconstrain context contains
# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
mlsconstrain { db_tuple } { insert relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_schema { drop getattr setattr relabelfrom search }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_column { drop getattr setattr relabelfrom select update insert }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_tuple { relabelfrom select update delete use }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_view { drop getattr setattr relabelfrom expand }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install entrypoint }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_language { drop getattr setattr relabelfrom execute }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
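Review bot: the two comments in this region, "Any database object must be dominated by the relabeling subject clearance, also the objects are single-level" and "Access control for any database objects based on MCS rules", are now inaccurate: every rule below them is bypassed for subjects that are not `mcs_constrained_type`, so "any" should read "any mcs_constrained_type subject". Updating them in the same hunk keeps the file self-describing, which matters here because the exemption clause is the only thing distinguishing this block from the MLS version.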
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2021-11-21 3:00 UTC
To: gentoo-commits
commit: 2f9ccaa200e55bf476c4c3e77ef548e8cedbf3b5
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 9 18:56:27 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f9ccaa2
mcs: constrain context contain access
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index c8c573e9..023bd149 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain key { create link read search setattr view write }
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain context contains
+ ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
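Review bot: the `( t1 != mcs_constrained_type )` escape here applies to the type of the containing context, so any non-constrained type satisfies `context contains` for any target range, categories included; that is presumably the intent for MCS, but a one-line comment above the rule saying so would save the next reader from asking why the containment check can be bypassed at all.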
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2022-02-07 2:14 UTC
To: gentoo-commits
commit: 906ec39d92b4e6cc11ff59c1d466c294be67b0b0
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Feb 1 13:50:41 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 7 02:07:41 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=906ec39d
Revert "users: remove MCS categories from default users"
This reverts commit 7d53784332b83ee264332d9c15fa0387a483ec89.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/users | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/users b/policy/users
index 3f9d0fae..ca203758 100644
--- a/policy/users
+++ b/policy/users
@@ -15,7 +15,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
+gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
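Review bot: a revert that restores `mcs_allcats` on `system_u` (and, in the hunks below, on every privileged user) needs a reason in the commit message: what broke when the categories were removed, or which constraint now requires them. Without it the next person will remove them again for the same reason the reverted commit did.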
@@ -25,14 +25,14 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh)
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
ifdef(`direct_sysadm_daemon',`
- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh)
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh)
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
')
#
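Review bot: `user_u` is the one identity left at `s0` with no categories while `staff_u`, `sysadm_u` and `unconfined_u` get `mcs_allcats` back; if that asymmetry is intentional (unprivileged users confined to their own categories), say so in the comment block above `gen_user(user_u, ...)`, because this hunk is the only place the difference is visible.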
@@ -43,7 +43,7 @@ ifdef(`direct_sysadm_daemon',`
# not in the sysadm_r.
#
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2022-03-31 3:31 UTC
To: gentoo-commits
commit: deb2d62e038340dcc03361b4fce83930d47f5bf7
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Tue Mar 22 16:55:16 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deb2d62e
policy_capabilities: add ioctl_skip_cloexec
Add new future policy capability ioctl_skip_cloexec.
Drop estimate comments from genfs_seclabel_symlinks.
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/policy_capabilities | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index 9e309fbf..b800997f 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -100,9 +100,17 @@ policycap cgroup_seclabel;
policycap nnp_nosuid_transition;
# Enable extended genfscon labeling for symlinks.
-# Requires libsepol 3.1 (estimated) and kernel 5.7 (estimated).
+# Requires libsepol 3.1 and kernel 5.7.
#
# Added checks:
# (none)
#
#policycap genfs_seclabel_symlinks;
+
+# Always allow FIOCLEX and FIONCLEX ioctl.
+# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+#
+# Removed checks:
+# common file/socket: ioctl { 0x5450 0x5451 }
+#
+#policycap ioctl_skip_cloexec;
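Review bot: the numbers in "common file/socket: ioctl { 0x5450 0x5451 }" are the asm-generic encodings of FIONCLEX and FIOCLEX; architectures with their own ioctl encodings (alpha, mips, powerpc and sparc, for example) use different values for the same requests, so the comment should say these are the asm-generic/x86 numbers. The "(estimated)" qualifiers should also be revisited once the capability lands, as this same commit does for `genfs_seclabel_symlinks`.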
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: 2de290b85e9d1c50e4e6f076a16fc803dfab4adc
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Jun 23 19:29:50 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2de290b8
mcs: Reorganize file.
Add more comments.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 53 ++++++++++++++++++++++++++++++++++++-----------------
1 file changed, 36 insertions(+), 17 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index c3d76d09..30129dcb 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -82,10 +82,15 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
((( h1 dom h2 ) and ( l2 eq h2 )) or
( t1 != mcs_constrained_type ));
-
+#
+# MCS policy for process classes
+#
mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal getsession getattr getsched setsched getrlimit setrlimit getpgid setpgid getcap setcap share setexec setfscreate setcurrent setsockcreate }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+#
+# MCS policy for socket classes
+#
mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
@@ -101,9 +106,16 @@ mlsconstrain unix_stream_socket connectto
mlsconstrain unix_dgram_socket sendto
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+#
+# MCS policy for key class
+#
mlsconstrain key { create link read search setattr view write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+#
+# MCS policy for SysV IPC
+#
mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
@@ -116,9 +128,32 @@ mlsconstrain msgq enqueue
mlsconstrain shm lock
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+#
+# MCS policy for context class
+#
mlsconstrain context contains
((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 != mcs_constrained_type ));
+#
+# MCS policy for network classes
+#
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+ (( l1 dom l2 ) or
+ (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
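Review bot: the four network rules moved into this new section compare `( l1 dom l2 )` while every other rule visible in the file compares `h1`/`h2`, and the `{ packet peer } { recv }` rule only waives the check when both `t1` and `t2` are non-constrained rather than `t1` alone; both differences look deliberate but are unexplained, and a reorganisation that adds comments is the right place to explain them, so put a sentence on each under the "MCS policy for network classes" header. If the file rules above the first hunk have no matching "MCS policy for file classes" header, adding one would complete the set started here.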
@@ -162,20 +197,4 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
-# because the subject in this particular case is the remote domain which is
-# writing data out the network node which is acting as the object
-mlsconstrain { node } { recvfrom sendto }
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { packet peer } { recv }
- (( l1 dom l2 ) or
- (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
-
-# The netif ingress/egress ops, the ingress permission is a "write" operation
-# because the subject in this particular case is the remote domain which is
-# writing data out the network interface which is acting as the object
-mlsconstrain { netif } { egress ingress }
- (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
-
') dnl end enable_mcs
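Review bot: pure relocation; the lines deleted here match the block added under "MCS policy for network classes" character for character (same class sets, permissions and expressions), so the move carries no behavioural change and only the file layout differs.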
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: b7a2d9d84420e7f4390bf8f71b475512e28e50ef
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Mon Jun 20 14:52:30 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7a2d9d8
mcs: Add additional SysV IPC constraints.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/mcs b/policy/mcs
index c9b7e83e..e8006b11 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,16 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
mlsconstrain key { create link read search setattr view write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain msg { send receive }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain msgq enqueue
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain shm lock
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain context contains
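Review bot: the SysV IPC coverage is now complete for the class-specific permissions (`msg send receive`, `msgq enqueue`, `shm lock`) and for the common read/write pairs, but `associate` from the ipc common is still absent, so a domain whose clearance does not dominate the object's categories can still resolve a key to an identifier (msgget/semget/shmget) even though the subsequent read or write is denied. If that is deliberate, as with the unconstrained getattr on files, a comment on the `{ ipc sem msgq shm }` rule saying so would be worth the one line.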
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: aa9b7bc301b4d7015743cdda1a29395588ed1200
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Jun 23 19:24:14 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa9b7bc3
mcs: Remove duplicate node_bind constraint.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 3 ---
1 file changed, 3 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index fa505d3d..c3d76d09 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -162,9 +162,6 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
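Review bot: the deleted copy lists only `{ tcp_socket udp_socket rawip_socket }`, while the node_bind rule retained near the top of the file (see the hunk header of the SysV IPC commit) also covers sctp_socket, so the surviving rule is the superset and the removal loses no coverage; worth saying in the commit message, since "duplicate" is only true up to that class-set difference.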
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: 1bc42bf81c5adfdbcc4c993e4d279b8e07e81094
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Mon Jun 20 14:54:46 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1bc42bf8
mcs: Collapse constraints.
Collapse file constraints as they are equivalent due to the same expressions.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 36 ++++--------------------------------
1 file changed, 4 insertions(+), 32 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index e8006b11..af880058 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -66,27 +66,14 @@ gen_levels(1,mcs_num_cats)
#
# Note:
# - getattr on dirs/files is not constrained.
-# - /proc/pid operations are not constrained.
-mlsconstrain file { read ioctl lock execute execute_no_trans }
+mlsconstrain dir_file_class_set { open read ioctl lock write setattr append create unlink link rename relabelfrom relabelto }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain file { write setattr append unlink link rename }
+mlsconstrain file { execute execute_no_trans }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain fifo_file { open }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+mlsconstrain dir { search add_name remove_name rmdir }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
# New filesystem object labels must be dominated by the relabeling subject
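Review bot: the commit message says the collapse is equivalent, but the permission sets in this hunk do change. The new dir_file_class_set rule constrains `open` on every file class (previously only fifo_file), applies the full write set (`append unlink link rename`) to lnk_file/chr_file/blk_file/sock_file where the old rule checked only `write setattr`, adds `rmdir` for dir, folds in `create relabelfrom relabelto` from the separate rules removed in the next hunk, and drops `getattr` for lnk_file/chr_file/blk_file/sock_file, which the old `{ getattr read ioctl }` rule did check. Some of these are welcome (the getattr change makes the note above it true for all classes), but the change tightens and loosens at once, so the message should list them or the behavioural parts should go in their own commit. The removed `/proc/pid` note should likewise be kept or explicitly retired in the message.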
@@ -95,23 +82,8 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
((( h1 dom h2 ) and ( l2 eq h2 )) or
( t1 != mcs_constrained_type ));
-# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { ptrace }
- (( h1 dom h2) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { sigkill sigstop }
- (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain process { signal }
+mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
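Review bot: with the generic `{ relabelfrom }` and `{ create relabelto }` rules removed, the only comment stating their intent ("new file labels must be dominated by the relabeling subject clearance") disappears with them even though the requirement survives in the collapsed dir_file_class_set rule in the previous hunk; keep that comment next to the surviving rule. The process collapse is a genuine no-op, since all five rules carried the same expression (the stray `h2)` spacing in the ptrace rule aside), and the stricter `( l2 eq h2 )` rule left in context still applies on top, because every mlsconstrain on a class/permission pair must be satisfied.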
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: 712733031648611660a45cf614edc3c5e1253c0a
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Mon Jun 20 18:50:20 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71273303
mcs: Add additional socket constraints.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index af880058..039ed224 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,9 +86,21 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain stream_socket_class_set { listen accept }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain unix_stream_socket connectto
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain unix_dgram_socket sendto
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
mlsconstrain key { create link read search setattr view write }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
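Review bot: a comment on why `unix_stream_socket connectto` and `unix_dgram_socket sendto` need their own rules would help future readers: the `connect`/`write` checks in the new socket_class_set rule are made against the subject's own socket, whereas connectto and sendto are checked against the peer's socket, which is the operation that actually crosses a category boundary. It would also be worth noting which common socket permissions are intentionally left out of the list (getattr, lock, relabelfrom/relabelto), as the file section already does for getattr.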
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: d0b423d30f512d496de5906810303f301fa8a241
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Jun 23 19:33:34 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d0b423d3
mls: Add setsockcreate constraint.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/mls b/policy/mls
index 8ba40c07..3cf4110d 100644
--- a/policy/mls
+++ b/policy/mls
@@ -377,7 +377,7 @@ mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setsockcreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
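Review bot: setsockcreate is a self-directed write like setfscreate/setexec/setcurrent, so the equality-on-low-level bucket is the right one; while touching this list, setkeycreate is the remaining set*create sibling still missing from it, and adding it in the same change would keep the mls and mcs process write sets aligned.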
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
To: gentoo-commits
commit: 40c53693a742b096caf7a3ad8c2e3e942a7be537
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Jun 23 19:06:27 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=40c53693
mcs: Add missing process permission constraints.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/mcs b/policy/mcs
index 039ed224..fa505d3d 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -83,7 +83,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
( t1 != mcs_constrained_type ));
-mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
+mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal getsession getattr getsched setsched getrlimit setrlimit getpgid setpgid getcap setcap share setexec setfscreate setcurrent setsockcreate }
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown }
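Review bot: the expanded list now covers the get*/set* pairs (sched, rlimit, pgid, cap) plus setexec/setfscreate/setcurrent/setsockcreate, but not setkeycreate, the one remaining set*create permission on the process class; add it for completeness so the list does not need a third pass.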
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC
To: gentoo-commits
commit: 28556c70623efdadf8cb93fd004bd8385638be65
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:28:11 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:37 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=28556c70
policy_capabilities: remove estimated from released versions
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/policy_capabilities | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index b800997f3..c6b84d8c7 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -108,7 +108,7 @@ policycap nnp_nosuid_transition;
#policycap genfs_seclabel_symlinks;
# Always allow FIOCLEX and FIONCLEX ioctl.
-# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+# Requires libsepol 3.4 and kernel 5.18.
#
# Removed checks:
# common file/socket: ioctl { 0x5450 0x5451 }