commit: c12c719d9ac0789fa319eaf9aa06731bfdf47827 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Thu Nov 2 17:30:45 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Nov 5 06:38:35 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12c719d
mls mcs: Add constraints for key class Taken from fedoras policy https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs policy/mcs | 3 +++ policy/mls | 8 ++++++++ policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++ policy/modules/kernel/mls.te | 3 +++ 4 files changed, 55 insertions(+) diff --git a/policy/mcs b/policy/mcs index 4d030112..94319570 100644 --- a/policy/mcs +++ b/policy/mcs @@ -123,6 +123,9 @@ mlsconstrain process { signal } mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain key { create link read search setattr view write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + # # MCS policy for SELinux-enabled databases # diff --git a/policy/mls b/policy/mls index 69ca7263..2dadd205 100644 --- a/policy/mls +++ b/policy/mls @@ -281,6 +281,14 @@ mlsconstrain msg send # { ipc sem msgq shm } associate +# +# MLS policy for the key class +# + +mlsconstrain key { create link read search setattr view write } + (( l1 eq l2 ) or + (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + ( t1 == mlskeywrite )); # diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index 3929ffc4..b09c0a5a 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',` ######################################## ## <summary> +## Make specified domain MLS trusted +## for writing to keys up to +## its clearance. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_key_write_to_clearance',` + gen_require(` + attribute mlskeywritetoclr; + ') + + typeattribute $1 mlskeywritetoclr; +') + +######################################## +## <summary> +## Make specified domain MLS trusted +## for writing to keys at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_key_write_all_levels',` + gen_require(` + attribute mlskeywrite; + ') + + typeattribute $1 mlskeywrite; +') + +######################################## +## <summary> ## Allow the specified domain to do a MLS ## range transition that changes ## the current level. diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index 15e50a36..e879ddd3 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -30,6 +30,9 @@ attribute mlsipcreadtoclr; attribute mlsipcwrite; attribute mlsipcwritetoclr; +attribute mlskeywrite; +attribute mlskeywritetoclr; + attribute mlsprocread; attribute mlsprocreadtoclr; attribute mlsprocwrite;
