[selinux-policy: 1583/3172] This patch adds a polmatch avperm to arbitrate flow/state's access to a xfrm policy. It also defines

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:22:02 UTC 2010


commit 9b45c603081f858278482fd56a2894876db35fe1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 1 17:06:53 2006 +0000

    This patch adds a polmatch avperm to arbitrate flow/state's access to
    a xfrm policy. It also defines MLS policy for association { sendto,
    recvfrom, polmatch }.
    
    NOTE: When an inbound packet is not using an IPSec SA, a check is performed
    between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
    MLS purposes however, the target of the check should be the MLS label taken
    from the node sid (or secmark in the new secmark world). This would present
    a severe performance overhead (to make a new sid based on the unlabeled sid
    with the MLS taken from the node sid or secmark and then using this sid as
    the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
    I have chosen to currently make an exception for unlabeled_t SAs if TE policy
    allowed it. A similar problem exists for the outbound case and it has been similarly
    handled in the policy below (by making an exception for unlabeled_t).
    
    I am submitting the below limited patch pending a comprehensive patch from
    Joy Latten at IBM (latten at austin.ibm.com).
    
    I am not sure if I needed to manually do a "make tolib" in the flask subdir
    and submit the results as well. Please let me know if I needed to.
    
    Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>

 policy/flask/access_vectors |    1 +
 policy/mls                  |   15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
---
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6a847d1..0ad632b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -603,6 +603,7 @@ class association
 	sendto
 	recvfrom
 	setcontext
+	polmatch
 }
 
 # Updated Netlink class for KOBJECT_UEVENT family.
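Review bot: adding `polmatch` to the `association` class changes the generated flask headers, and the commit message is unsure whether `make tolib` in the flask subdir was run; please regenerate those headers (or confirm the build does it automatically) and make sure the kernel side actually performs a `polmatch` check, otherwise the new permission is declared but never enforced and the `mlsconstrain association { polmatch }` rule in policy/mls has nothing to constrain.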
diff --git a/policy/mls b/policy/mls
index f9cd671..ddd5812 100644
--- a/policy/mls
+++ b/policy/mls
@@ -661,7 +661,18 @@ mlsconstrain xinput { setattr relabelinput }
 # MLS policy for the association class
 #
 
-# these access vectors have no MLS restrictions
-# association *
+mlsconstrain association { recvfrom }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+	((( l1 dom l2 ) and ( h1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
 
 ') dnl end enable_mls
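Review bot: the `( t2 == unlabeled_t )` disjunct in all three constraints means MLS enforcement on `association` is skipped entirely for unlabeled SAs and policies, leaving only TE to arbitrate them; the commit message explains this as a temporary exception pending reconciliation of the netlabel, ipsec and iptables contexts, but the policy file says nothing, so add a comment above the constraints stating that the `unlabeled_t` clause is a deliberate, temporary bypass to be removed once the node sid or secmark label can be used as the target. Two smaller points: the deleted `# association *` comment documented that every permission in the class was unconstrained, and after this change `setcontext` is still unconstrained but no longer documented as such, so keep a line like `# setcontext has no MLS restrictions`; and `recvfrom` gets `mlsnetread`/`mlsnetreadtoclr` overrides while `sendto` gets none, so please confirm that asymmetry is intended rather than a missing write-side attribute.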

