[selinux-policy: 1310/3172] Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:58:33 UTC 2010


commit 9779f092842a6cb36c1272e30ff29b23a9d1008e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Mar 29 16:23:17 2006 +0000

    Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets.

 refpolicy/Changelog                       |    2 ++
 refpolicy/policy/mcs                      |    3 +++
 refpolicy/policy/modules/kernel/kernel.te |    4 +++-
 refpolicy/policy/modules/kernel/mcs.if    |   20 ++++++++++++++++++++
 refpolicy/policy/modules/kernel/mcs.te    |    3 ++-
 refpolicy/policy/modules/system/getty.te  |    4 +++-
 refpolicy/policy/modules/system/init.te   |    5 ++++-
 7 files changed, 37 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 465bf76..08d37f3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,5 @@
+- Constrain transitions in MCS so unconfined_t cannot have
+  arbitrary category sets.
 - Change reiserfs from xattr filesystem to genfscon as it's xattrs
   are currently nonfunctional.
 - Change files module to use its own interfaces to simplify the module.
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index f85736d..b61da4c 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -152,6 +152,9 @@ mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfro
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+mlsconstrain process { transition dyntransition }
+	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+
 mlsconstrain process { ptrace }
 	( h1 dom h2 );
 
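Review bot: The added `mlsconstrain process { transition dyntransition }` rule has no comment, and its second arm, `( t1 == mcssetcats )`, is an unconditional exemption: a source type carrying that attribute may transition to a range its own high level does not dominate. I would put a comment above the rule, for example `# the new process's high level must be dominated by the caller's, unless the caller is trusted to set categories (mcssetcats)`. Because the exemption is tested on `t1` alone, the list of types given the attribute is the whole trust boundary for this constraint, so that list should stay short and each entry should be justified where it is granted.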
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 5d9124f..7406037 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.1)
+policy_module(kernel,1.3.2)
 
 ########################################
 #
@@ -232,6 +232,8 @@ files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
+mcs_process_set_categories(kernel_t)
+
 mls_process_read_up(kernel_t)
 mls_process_write_down(kernel_t)
 
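Review bot: `mcs_process_set_categories(kernel_t)` is added with no stated reason, and the same is true of the calls for `getty_t` in getty.te and for `init_t` and `initrc_t` in the two init.te hunks. Each call lifts the new MCS transition constraint for every process the domain starts, so a one-line rationale above each would help later audits, for example `# must start processes at category sets outside its own range`. getty.te already uses this style (`# for error condition handling`). The `initrc_t` grant looks like the widest of the four, since that domain presumably runs the init scripts; it is worth confirming that it needs the exemption rather than a range that already dominates its children.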
diff --git a/refpolicy/policy/modules/kernel/mcs.if b/refpolicy/policy/modules/kernel/mcs.if
index 1ceab9f..3caa6f7 100644
--- a/refpolicy/policy/modules/kernel/mcs.if
+++ b/refpolicy/policy/modules/kernel/mcs.if
@@ -21,3 +21,23 @@ interface(`mcs_killall',`
 
 	typeattribute $1 mcskillall;
 ')
+
+########################################
+## <summary>
+##	Make specified domain MCS trusted
+##	for setting any category set for
+##	the processes it executes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain target for user exemption.
+##	</summary>
+## </param>
+#
+interface(`mcs_process_set_categories',`
+	gen_require(`
+		attribute mcssetcats;
+	')
+
+	typeattribute $1 mcssetcats;
+')
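Review bot: The parameter summary `Domain target for user exemption.` does not say what the domain is exempted from, and reads as if copied from another interface. Something like `Domain allowed to start processes with any category set.` would match the interface summary. The summary could also name what is bypassed: the `transition`/`dyntransition` constraint this commit adds to policy/mcs. A caller reading only the generated interface documentation would then see that this is a privilege grant, not a neutral labelling helper.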
diff --git a/refpolicy/policy/modules/kernel/mcs.te b/refpolicy/policy/modules/kernel/mcs.te
index 260d950..9134434 100644
--- a/refpolicy/policy/modules/kernel/mcs.te
+++ b/refpolicy/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
 
-policy_module(mcs,1.0.0)
+policy_module(mcs,1.0.1)
 
 ########################################
 #
@@ -7,6 +7,7 @@ policy_module(mcs,1.0.0)
 #
 
 attribute mcskillall;
+attribute mcssetcats;
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index cea7642..d8ede07 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.1.0)
+policy_module(getty,1.1.1)
 
 ########################################
 #
@@ -69,6 +69,8 @@ fs_search_auto_mountpoints(getty_t)
 # for error condition handling
 fs_getattr_xattr_fs(getty_t)
 
+mcs_process_set_categories(getty_t)
+
 mls_file_read_up(getty_t)
 mls_file_write_down(getty_t)
 
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 9b45dcf..ba73a3d 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.2)
+policy_module(init,1.3.3)
 
 gen_require(`
 	class passwd rootok;
@@ -123,6 +123,8 @@ kernel_share_state(init_t)
 
 dev_read_sysfs(init_t)
 
+mcs_process_set_categories(init_t)
+
 mls_process_write_down(init_t)
 
 selinux_set_boolean(init_t)
@@ -368,6 +370,7 @@ miscfiles_read_localization(initrc_t)
 miscfiles_read_certs(initrc_t)
 
 mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
 
 mls_file_read_up(initrc_t)
 mls_file_write_down(initrc_t)

