[selinux-policy: 703/3172] add mls privileges
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:05:40 UTC 2010
commit f0574fa9aa2237013109fab5caea02797e4e00a0
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Sep 26 20:26:32 2005 +0000
add mls privileges
refpolicy/Changelog | 2 +
refpolicy/policy/mcs | 1 -
refpolicy/policy/mls | 38 ----
refpolicy/policy/modules/admin/consoletype.te | 4 +-
refpolicy/policy/modules/admin/su.if | 11 +-
refpolicy/policy/modules/admin/sudo.if | 8 +-
refpolicy/policy/modules/kernel/devices.te | 2 +
refpolicy/policy/modules/kernel/kernel.te | 8 +-
refpolicy/policy/modules/kernel/mls.fc | 1 +
refpolicy/policy/modules/kernel/mls.if | 196 ++++++++++++++++++++++
refpolicy/policy/modules/kernel/mls.te | 45 +++++
refpolicy/policy/modules/kernel/selinux.te | 3 +-
refpolicy/policy/modules/kernel/terminal.te | 4 +-
refpolicy/policy/modules/services/remotelogin.te | 7 +-
refpolicy/policy/modules/services/ssh.if | 9 +-
refpolicy/policy/modules/system/authlogin.te | 6 +-
refpolicy/policy/modules/system/fstools.te | 3 +-
refpolicy/policy/modules/system/init.te | 16 ++-
refpolicy/policy/modules/system/locallogin.te | 7 +-
refpolicy/policy/modules/system/logging.te | 7 +-
refpolicy/policy/modules/system/modutils.te | 3 +-
refpolicy/policy/modules/system/mount.te | 5 +-
refpolicy/policy/modules/system/selinuxutil.te | 15 ++-
refpolicy/policy/modules/system/udev.te | 8 +-
24 files changed, 342 insertions(+), 67 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index a4b8ec9..4855de5 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Add MLS module to handle MLS constraint exceptions,
+ such as reading up and writing down.
- Fix errors uncovered by sediff.
- Added policies:
anaconda
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index 754753b..c23f172 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -211,5 +211,4 @@ mlsconstrain file { read write setattr append unlink link rename
# or we get a build error. Below is a dummy entry to do this.
mlsconstrain xextension query ( t1 == mlsfileread );
-attribute mlsfileread;
') dnl end enable_mcs
diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
index cd8f5fd..45b15f0 100644
--- a/refpolicy/policy/mls
+++ b/refpolicy/policy/mls
@@ -733,42 +733,4 @@ mlsconstrain xextension use
# these access vectors have no MLS restrictions
# association { sendto recvfrom }
-attribute mlsfileread;
-attribute mlsfilereadtoclr;
-attribute mlsfilewrite;
-attribute mlsfilewritetoclr;
-attribute mlsfileupgrade;
-attribute mlsfiledowngrade;
-
-attribute mlsnetread;
-attribute mlsnetreadtoclr;
-attribute mlsnetwrite;
-attribute mlsnetwritetoclr;
-attribute mlsnetupgrade;
-attribute mlsnetdowngrade;
-attribute mlsnetrecvall;
-
-attribute mlsipcread;
-attribute mlsipcreadtoclr;
-attribute mlsipcwrite;
-attribute mlsipcwritetoclr;
-
-attribute mlsprocread;
-attribute mlsprocreadtoclr;
-attribute mlsprocwrite;
-attribute mlsprocwritetoclr;
-attribute mlsprocsetsl;
-
-attribute mlsxwinread;
-attribute mlsxwinreadtoclr;
-attribute mlsxwinwrite;
-attribute mlsxwinwritetoclr;
-attribute mlsxwinupgrade;
-attribute mlsxwindowngrade;
-
-attribute mlstrustedobject;
-
-attribute privrangetrans;
-attribute mlsrangetrans;
-
') dnl end enable_mls
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 209d29c..8668d80 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -6,9 +6,11 @@ policy_module(consoletype, 1.0)
# Declarations
#
-type consoletype_t; #, mlsfileread, mlsfilewrite
+type consoletype_t;
type consoletype_exec_t;
init_domain(consoletype_t,consoletype_exec_t)
+mls_file_read_up(consoletype_t)
+mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
ifdef(`targeted_policy',`',`
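Review bot: The new `mls_file_read_up(consoletype_t)` and `mls_file_write_down(consoletype_t)` calls sit in the declarations block between `init_domain` and the `role` statement, whereas every other converted domain in this commit (init.te, mount.te, udev.te, selinuxutil.te and others) places its `mls_*` calls in the policy section alphabetically among the other module interface calls. fstools.te (`mls_file_read_up(fsadm_t)`), modutils.te (`mls_file_write_down(insmod_t)`) and the `mls_rangetrans_source(kernel_t)` line in kernel.te have the same placement. Moving these into the policy sections keeps the MLS privileges of a domain findable in one place when auditing who may read up or write down. The rest of consoletype.te is outside the hunk.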
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index 0ae4071..816feae 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -148,11 +148,12 @@ template(`su_per_userdomain_template',`
ifdef(`TODO',`
ifdef(`support_polyinstantiation', `
- typeattribute $1_su_t mlsfileread;
- typeattribute $1_su_t mlsfilewrite;
- typeattribute $1_su_t mlsfileupgrade;
- typeattribute $1_su_t mlsfiledowngrade;
- typeattribute $1_su_t mlsprocsetsl;
+ mls_file_read_up($1_su_t)
+ mls_file_write_down($1_su_t)
+ mls_file_upgrade($1_su_t)
+ mls_file_downgrade($1_su_t)
+ mls_process_set_level($1_su_t)
+
# Su can polyinstantiate
polyinstantiater($1_su_t)
# Su has to unmount polyinstantiated directories (like home)
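Review bot: The converted `mls_file_read_up($1_su_t)` through `mls_process_set_level($1_su_t)` calls remain nested under ``ifdef(`TODO',`` and ``ifdef(`support_polyinstantiation',`` (the `ifdef(`TODO'` line is the first context line of the hunk), so unlike the identical set that sudo.if now applies unconditionally to `$1_sudo_t`, they appear to have no effect on `$1_su_t`. If su is meant to get the same privileges as sudo, the calls should move out of the TODO block; if not, a comment such as `# MLS privileges for su are deferred with the rest of the polyinstantiation work` would stop readers from taking the calls as active. The enclosing template starts and ends outside the hunk.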
diff --git a/refpolicy/policy/modules/admin/sudo.if b/refpolicy/policy/modules/admin/sudo.if
index 84e11c4..0509092 100644
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@@ -38,7 +38,7 @@ template(`sudo_per_userdomain_template',`
# Declarations
#
- type $1_sudo_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+ type $1_sudo_t;
domain_type($1_sudo_t)
domain_entry_file($1_sudo_t,sudo_exec_t)
domain_wide_inherit_fd($1_sudo_t)
@@ -128,6 +128,12 @@ template(`sudo_per_userdomain_template',`
miscfiles_read_localization($1_sudo_t)
+ mls_file_read_up($1_sudo_t)
+ mls_file_write_down($1_sudo_t)
+ mls_file_upgrade($1_sudo_t)
+ mls_file_downgrade($1_sudo_t)
+ mls_process_set_level($1_sudo_t)
+
seutil_read_config($1_sudo_t)
seutil_read_default_contexts($1_sudo_t)
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index d7f7e7f..7bfc328 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -122,6 +122,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
type null_device_t, device_node;
fs_associate(null_device_t)
fs_associate_tmpfs(null_device_t)
+mls_trusted_object(null_device_t)
sid devnull context_template(system_u:object_r:null_device_t,s0)
#
@@ -191,3 +192,4 @@ fs_associate_tmpfs(xserver_misc_device_t)
type zero_device_t, device_node;
fs_associate(zero_device_t)
fs_associate_tmpfs(zero_device_t)
+mls_trusted_object(zero_device_t)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 987a40a..8dfb298 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -25,9 +25,10 @@ attribute sysctl_type;
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
-role system_r types kernel_t;
+type kernel_t, can_load_kernmodule;
domain_base_type(kernel_t)
+mls_rangetrans_source(kernel_t)
+role system_r types kernel_t;
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
#
@@ -212,6 +213,9 @@ files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+mls_process_read_up(kernel_t)
+mls_process_write_down(kernel_t)
+
ifdef(`TODO',`
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
diff --git a/refpolicy/policy/modules/kernel/mls.fc b/refpolicy/policy/modules/kernel/mls.fc
new file mode 100644
index 0000000..13df19e
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mls.fc
@@ -0,0 +1 @@
+# No MLS file contexts.
diff --git a/refpolicy/policy/modules/kernel/mls.if b/refpolicy/policy/modules/kernel/mls.if
new file mode 100644
index 0000000..d875dde
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mls.if
@@ -0,0 +1,196 @@
+## <summary>Multilevel security policy</summary>
+## <desc>
+## <p>
+## This module contains interfaces for handling multilevel
+## security. The interfaces allow the specified subjects
+## and objects to be allowed certain privileges in the
+## MLS rules.
+## </p>
+## </desc>
+## <required val="true">
+## Contains attributes used in MLS policy.
+## </required>
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from files at higher levels.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_read_up',`
+ gen_require(`
+ attribute mlsfileread;
+ ')
+
+ typeattribute $1 mlsfileread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to files at lower levels.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_write_down',`
+ gen_require(`
+ attribute mlsfilewrite;
+ ')
+
+ typeattribute $1 mlsfilewrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_upgrade',`
+ gen_require(`
+ attribute mlsfileupgrade;
+ ')
+
+ typeattribute $1 mlsfileupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of files.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_downgrade',`
+ gen_require(`
+ attribute mlsfiledowngrade;
+ ')
+
+ typeattribute $1 mlsfiledowngrade;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to do a MLS
+## range transition that changes
+## the current level.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_rangetrans_source',`
+ gen_require(`
+ attribute privrangetrans;
+ ')
+
+ typeattribute $1 privrangetrans;
+')
+
+########################################
+## <summary>
+## Make specified domain a target domain
+## for MLS range transitions that change
+## the current level.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_rangetrans_target',`
+ gen_require(`
+ attribute mlsrangetrans;
+ ')
+
+ typeattribute $1 mlsrangetrans;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for reading from processes at higher levels.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_read_up',`
+ gen_require(`
+ attribute mlsprocread;
+ ')
+
+ typeattribute $1 mlsprocread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to processes at lower levels.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_write_down',`
+ gen_require(`
+ attribute mlsprocwrite;
+ ')
+
+ typeattribute $1 mlsprocwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for setting the level of processes
+## it executes.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_set_level',`
+ gen_require(`
+ attribute mlsprocsetsl;
+ ')
+
+ typeattribute $1 mlsprocsetsl;
+')
+
+
+########################################
+## <summary>
+## Make specified object MLS trusted.
+## </summary>
+## <desc>
+## <p>
+## Make specified object MLS trusted. This
+## allows all levels to read and write the
+## object.
+## </p>
+## <p>
+## This currently only applies to filesystem
+## objects, for example, files and directories.
+## </p>
+## </desc>
+## <param name="domain">
+## The type of the object.
+## </param>
+#
+interface(`mls_trusted_object',`
+ gen_require(`
+ attribute mlstrustedobject;
+ ')
+
+ typeattribute $1 mlstrustedobject;
+')
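Review bot: The `mls_trusted_object` interface documents its parameter as `<param name="domain">` with the description "The type of the object."; the name is copied from the subject-side interfaces above and does not match what the parameter is, so the generated interface documentation will label an object type as a domain. Suggested change: `## <param name="object">`. The same XML block's `<desc>` says the privilege "allows all levels to read and write the object", which is the key fact for anyone auditing trusted objects, so that sentence should also go in the one-line `<summary>` rather than only in the longer description.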
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
new file mode 100644
index 0000000..4f29a66
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -0,0 +1,45 @@
+
+policy_module(mls,1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinupgrade;
+attribute mlsxwindowngrade;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;
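Review bot: Of the attributes declared here, only ten are reachable through an interface in mls.if; the `*toclr`, `mlsnet*`, `mlsipc*` and `mlsxwin*` families have no interface, so a module that needs them would have to `gen_require` the attribute directly and bypass the module API. A short comment on each group stating which interface (or "no interface yet") exposes it would make the intended surface explicit. Also, the `policy/mcs` and `policy/mls` constraint files now depend on this module for every attribute they reference (the dummy `mlsconstrain xextension query ( t1 == mlsfileread );` in policy/mcs among them), so a header comment such as `# These attributes are referenced by the MLS/MCS constraints; this module must stay in the base policy.` would document why mls.if carries `<required val="true">`.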
diff --git a/refpolicy/policy/modules/kernel/selinux.te b/refpolicy/policy/modules/kernel/selinux.te
index 0c091b8..cfc9cbf 100644
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@@ -15,8 +15,9 @@ attribute can_setsecparam;
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t; #, mlstrustedobject;
+type security_t;
fs_type(security_t)
+mls_trusted_object(security_t)
sid security context_template(system_u:object_r:security_t,s0)
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 90f51a0..dd2318f 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -34,12 +34,14 @@ fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
#
type devtty_t;
dev_node(devtty_t)
+mls_trusted_object(devtty_t)
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t; #, mlstrustedobject;
+type ptmx_t;
dev_node(ptmx_t)
+mls_trusted_object(ptmx_t)
#
# tty_device_t is the type of /dev/*tty*
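Review bot: `mls_trusted_object(devtty_t)` is a new privilege rather than a conversion: the removed comment on the `ptmx_t` line only listed `mlstrustedobject` for ptmx_t, and nothing on the devtty_t declaration indicated it was planned. Since marking an object MLS trusted lets every level read and write it, a one-line justification next to the call, for example `# /dev/tty is opened by processes at every level`, would record why devtty_t is exempt from the constraints, and the Changelog entry could mention the addition.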
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 1256da6..0aa6e98 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -6,7 +6,7 @@ policy_module(remotelogin,1.0)
# Declarations
#
-type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
+type remote_login_t;
domain_obj_id_change_exempt(remote_login_t)
domain_subj_id_change_exempt(remote_login_t)
domain_role_change_exempt(remote_login_t)
@@ -104,6 +104,11 @@ libs_use_shared_libs(remote_login_t)
logging_send_syslog_msg(remote_login_t)
+mls_file_write_down(remote_login_t)
+mls_file_upgrade(remote_login_t)
+mls_file_downgrade(remote_login_t)
+mls_process_set_level(remote_login_t)
+
seutil_read_config(remote_login_t)
seutil_read_default_contexts(remote_login_t)
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index d7287e8..09c19c6 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -381,7 +381,8 @@ template(`ssh_per_userdomain_template',`
## </param>
#
template(`ssh_server_template', `
- type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+ type $1_t, ssh_server;
+
domain_type($1_t)
role system_r types $1_t;
@@ -463,6 +464,12 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
+ mls_file_read_up($1_t)
+ mls_file_write_down($1_t)
+ mls_file_upgrade($1_t)
+ mls_file_downgrade($1_t)
+ mls_process_set_level($1_t)
+
seutil_read_default_contexts($1_t)
sysnet_read_config($1_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index e1fb21d..88401cf 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -22,13 +22,11 @@ logging_log_file(lastlog_t)
type login_exec_t;
files_type(login_exec_t)
-type pam_console_t; #, mlsfileread
+type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t;
-domain_entry_file(pam_console_t,pam_console_exec_t)
-
type pam_t;
domain_type(pam_t)
role system_r types pam_t;
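Review bot: The removal of `domain_entry_file(pam_console_t,pam_console_exec_t)` is not an MLS change and is not mentioned in the commit message or the Changelog entry. It is presumably a de-duplication with `init_system_domain(pam_console_t,pam_console_exec_t)` two lines above, but that cannot be confirmed from this hunk; if `init_system_domain` does not itself declare the entry point, pam_console_exec_t loses its entrypoint. A sentence in the commit message noting the redundancy would settle it.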
@@ -200,6 +198,8 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t)
+mls_file_read_up(pam_console_t)
+
seutil_read_file_contexts(pam_console_t)
userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
diff --git a/refpolicy/policy/modules/system/fstools.te b/refpolicy/policy/modules/system/fstools.te
index 8dd1fe8..635e6c5 100644
--- a/refpolicy/policy/modules/system/fstools.te
+++ b/refpolicy/policy/modules/system/fstools.te
@@ -6,9 +6,10 @@ policy_module(fstools,1.0)
# Declarations
#
-type fsadm_t; #, mlsfileread;
+type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
+mls_file_read_up(fsadm_t)
role system_r types fsadm_t;
type fsadm_tmp_t;
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index cb29bc3..4d86805 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -15,7 +15,7 @@ attribute direct_init_entry;
#
# init_t is the domain of the init process.
#
-type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;
+type init_t;
domain_type(init_t)
role system_r types init_t;
@@ -37,10 +37,11 @@ files_pid_file(init_var_run_t)
# by init during initialization. This pipe is used
# to communicate with init.
#
-type initctl_t; #, mlstrustedobject;
+type initctl_t;
files_type(initctl_t)
+mls_trusted_object(initctl_t)
-type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
+type initrc_t;
domain_type(initrc_t)
role system_r types initrc_t;
@@ -138,6 +139,10 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t)
+mls_file_read_up(init_t)
+mls_file_write_down(init_t)
+mls_rangetrans_target(init_t)
+
seutil_read_config(init_t)
miscfiles_read_localization(init_t)
@@ -325,6 +330,11 @@ logging_read_auditd_config(initrc_t)
miscfiles_read_localization(initrc_t)
+mls_file_read_up(initrc_t)
+mls_file_write_down(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+
modutils_read_module_conf(initrc_t)
seutil_read_config(initrc_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 00da42c..554404c 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
# Declarations
#
-type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
+type local_login_t;
auth_login_entry_type(local_login_t)
domain_type(local_login_t)
domain_obj_id_change_exempt(local_login_t)
@@ -150,6 +150,11 @@ logging_send_syslog_msg(local_login_t)
miscfiles_read_localization(local_login_t)
+mls_file_write_down(local_login_t)
+mls_file_upgrade(local_login_t)
+mls_file_downgrade(local_login_t)
+mls_process_set_level(local_login_t)
+
seutil_read_config(local_login_t)
seutil_read_default_contexts(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 4302a1c..cdc5495 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -26,10 +26,11 @@ init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
-type devlog_t; #, mlstrustedobject;
+type devlog_t;
files_type(devlog_t)
+mls_trusted_object(devlog_t)
-type klogd_t; #, mlsfileread
+type klogd_t;
type klogd_exec_t;
init_daemon_domain(klogd_t,klogd_exec_t)
@@ -139,6 +140,8 @@ libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t)
+mls_file_read_up(klogd_t)
+
userdom_dontaudit_use_unpriv_user_fd(auditd_t)
userdom_dontaudit_search_sysadm_home_dir(auditd_t)
# cjp: this is questionable
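Review bot: `mls_file_read_up(klogd_t)` is inserted between `miscfiles_read_localization(auditd_t)` and `userdom_dontaudit_use_unpriv_user_fd(auditd_t)`, and the hunk header places it under `libs_use_shared_libs(auditd_t)`, so it appears to sit inside the auditd_t policy block rather than klogd_t's. The rule still takes effect, but anyone reviewing klogd's privileges by section will miss it; it should move to the klogd_t section, which is outside this hunk.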
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index cb1c083..f8652d9 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -14,10 +14,11 @@ files_type(modules_conf_t)
type modules_dep_t;
files_type(modules_dep_t)
-type insmod_t; #, mlsfilewrite
+type insmod_t;
type insmod_exec_t;
kernel_userland_entry(insmod_t,insmod_exec_t)
init_system_domain(insmod_t,insmod_exec_t)
+mls_file_write_down(insmod_t)
role system_r types insmod_t;
type depmod_t;
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 09570be..0a8770e 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -6,7 +6,7 @@ policy_module(mount,1.0)
# Declarations
#
-type mount_t; #, mlsfileread, mlsfilewrite
+type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -78,6 +78,9 @@ logging_send_syslog_msg(mount_t)
miscfiles_read_localization(mount_t)
+mls_file_read_up(mount_t)
+mls_file_write_down(mount_t)
+
sysnet_use_portmap(mount_t)
userdom_use_all_user_fd(mount_t)
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 2ef6a3c..9ed52dd 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -37,7 +37,7 @@ role system_r types load_policy_t;
type load_policy_exec_t;
domain_entry_file(load_policy_t,load_policy_exec_t)
-type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t;
domain_role_change_exempt(newrole_t)
domain_obj_id_change_exempt(newrole_t)
domain_type(newrole_t)
@@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
type policy_src_t;
files_type(policy_src_t)
-type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
+type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t;
domain_obj_id_change_exempt(restorecon_t)
init_system_domain(restorecon_t,restorecon_exec_t)
@@ -206,6 +206,12 @@ dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
fs_search_auto_mountpoints(newrole_t)
+mls_file_read_up(newrole_t)
+mls_file_write_down(newrole_t)
+mls_file_upgrade(newrole_t)
+mls_file_downgrade(newrole_t)
+mls_process_set_level(newrole_t)
+
selinux_get_fs_mount(newrole_t)
selinux_validate_context(newrole_t)
selinux_compute_access_vector(newrole_t)
@@ -305,6 +311,11 @@ libs_use_shared_libs(restorecon_t)
logging_send_syslog_msg(restorecon_t)
+mls_file_read_up(restorecon_t)
+mls_file_write_down(restorecon_t)
+mls_file_upgrade(restorecon_t)
+mls_file_downgrade(restorecon_t)
+
userdom_use_all_user_fd(restorecon_t)
# relabeling rules
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 8e7a311..4247dd3 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -6,7 +6,7 @@ policy_module(udev,1.0)
# Declarations
#
-type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
+type udev_t;
type udev_exec_t;
type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t)
@@ -115,6 +115,12 @@ logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t)
+mls_file_read_up(udev_t)
+mls_file_write_down(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
modutils_domtrans_insmod(udev_t)
seutil_read_config(udev_t)