[selinux-policy: 1599/3172] add mls fd constraints

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:23:23 UTC 2010


commit cf7af137c07bbd2185f6c449d999cad67c3ec963
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Sep 15 19:05:03 2006 +0000

    add mls fd constraints

 policy/mls                   |   14 +++++++++-----
 policy/modules/kernel/mls.if |   40 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |    5 ++++-
 3 files changed, 53 insertions(+), 6 deletions(-)
---
diff --git a/policy/mls b/policy/mls
index ddd5812..a8e2a90 100644
--- a/policy/mls
+++ b/policy/mls
@@ -344,11 +344,15 @@ mlsconstrain msg send
 # MLS policy for the fd class
 #
 
-# these access vectors have no MLS restrictions
-# fd use
-
-
-
+# No sharing of open file descriptors between levels unless
+# the process type is authorized to use fds created by 
+# other levels (mlsfduse) or the fd type is authorized to
+# shared among levels (mlsfdshare). 
+mlsconstrain fd use (
+	l1 eq l2
+	or t1 == mlsfduse
+	or t2 == mlsfdshare
+);
 
 #
 # MLS policy for the network object classes
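Review bot: The comment added above `mlsconstrain fd use` has a grammar slip and trailing whitespace: "authorized to shared among levels" should read `# other levels (mlsfduse) or the fd type is authorized to be` / `# shared among levels (mlsfdshare).`, with the trailing spaces after "created by" and "(mlsfdshare)." dropped. The comment could also state that either attribute waives the `l1 eq l2` check outright, whichever side is higher, so every type given mlsfduse or mlsfdshare is an MLS exemption worth auditing. The constraint compares only the low levels l1 and l2; if ranged processes are expected to hold fds, it is worth confirming that leaving h1/h2 out is intended.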
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 8a1e89c..5ca509e 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -411,3 +411,43 @@ interface(`mls_trusted_object',`
 
 	typeattribute $1 mlstrustedobject;
 ')
+
+########################################
+## <summary>
+##	Make the specified domain trusted
+##	to inherit and use file descriptors
+##	from all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_fd_use_all_levels',`
+	gen_require(`
+		attribute mlsfduse;
+	')
+
+	typeattribute $1 mlsfduse;
+')
+
+########################################
+## <summary>
+##	Make the file descriptors from the
+##	specifed domain inheritable by
+##	all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mls_fd_share_all_levels',`
+	gen_require(`
+		attribute mlsfdshare;
+	')
+
+	typeattribute $1 mlsfdshare;
+')
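Review bot: The doc block for `mls_fd_share_all_levels` describes `$1` as `Domain allowed access.`, but this interface grants the domain nothing. Judging by the `t2 == mlsfdshare` term in the constraint, it marks the domain's own file descriptors as usable by processes at any level. A description such as `Domain whose file descriptors may be used by all levels.` would keep callers from confusing it with `mls_fd_use_all_levels`, which exempts the calling domain instead. The summary also misspells "specified" as "specifed".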
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 819a2df..971d38e 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.3.1)
+policy_module(mls,1.3.2)
 
 ########################################
 #
@@ -47,6 +47,9 @@ attribute mlstrustedobject;
 attribute privrangetrans;
 attribute mlsrangetrans;
 
+attribute mlsfduse; 
+attribute mlsfdshare;
+
 ########################################
 #
 # THIS IS A HACK
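Review bot: The two new attributes are declared without a comment, and `attribute mlsfduse; ` carries a trailing space. Both are exemptions from the fd use MLS constraint, so a short line above them such as `# exemptions from the MLS fd use constraint (see policy/mls)` would help anyone auditing which attributes weaken MLS enforcement. The surrounding attribute list continues outside the hunk.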

