[selinux-policy: 1310/3172] Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:58:33 UTC 2010
commit 9779f092842a6cb36c1272e30ff29b23a9d1008e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Mar 29 16:23:17 2006 +0000
Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.
refpolicy/Changelog | 2 ++
refpolicy/policy/mcs | 3 +++
refpolicy/policy/modules/kernel/kernel.te | 4 +++-
refpolicy/policy/modules/kernel/mcs.if | 20 ++++++++++++++++++++
refpolicy/policy/modules/kernel/mcs.te | 3 ++-
refpolicy/policy/modules/system/getty.te | 4 +++-
refpolicy/policy/modules/system/init.te | 5 ++++-
7 files changed, 37 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 465bf76..08d37f3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Constrain transitions in MCS so unconfined_t cannot have
+ arbitrary category sets.
- Change reiserfs from xattr filesystem to genfscon as it's xattrs
are currently nonfunctional.
- Change files module to use its own interfaces to simplify the module.
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index f85736d..b61da4c 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -152,6 +152,9 @@ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfro
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
+mlsconstrain process { transition dyntransition }
+ (( h1 dom h2 ) or ( t1 == mcssetcats ));
+
mlsconstrain process { ptrace }
( h1 dom h2 );
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5d9124f..7406037 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.1)
+policy_module(kernel,1.3.2)
########################################
#
@@ -232,6 +232,8 @@ files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
+mcs_process_set_categories(kernel_t)
+
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
index 1ceab9f..3caa6f7 100644
--- a/refpolicy/policy/modules/kernel/mcs.if
+++ b/refpolicy/policy/modules/kernel/mcs.if
@@ -21,3 +21,23 @@ interface(`mcs_killall',`
typeattribute $1 mcskillall;
')
+
+########################################
+## <summary>
+## Make specified domain MCS trusted
+## for setting any category set for
+## the processes it executes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+#
+interface(`mcs_process_set_categories',`
+ gen_require(`
+ attribute mcssetcats;
+ ')
+
+ typeattribute $1 mcssetcats;
+')
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index 260d950..9134434 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs,1.0.0)
+policy_module(mcs,1.0.1)
########################################
#
@@ -7,6 +7,7 @@ policy_module(mcs,1.0.0)
#
attribute mcskillall;
+attribute mcssetcats;
########################################
#
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index cea7642..d8ede07 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
-policy_module(getty,1.1.0)
+policy_module(getty,1.1.1)
########################################
#
@@ -69,6 +69,8 @@ fs_search_auto_mountpoints(getty_t)
# for error condition handling
fs_getattr_xattr_fs(getty_t)
+mcs_process_set_categories(getty_t)
+
mls_file_read_up(getty_t)
mls_file_write_down(getty_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9b45dcf..ba73a3d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.2)
+policy_module(init,1.3.3)
gen_require(`
class passwd rootok;
@@ -123,6 +123,8 @@ kernel_share_state(init_t)
dev_read_sysfs(init_t)
+mcs_process_set_categories(init_t)
+
mls_process_write_down(init_t)
selinux_set_boolean(init_t)
@@ -368,6 +370,7 @@ miscfiles_read_localization(initrc_t)
miscfiles_read_certs(initrc_t)
mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
mls_file_read_up(initrc_t)
mls_file_write_down(initrc_t)
More information about the scm-commits
mailing list