[selinux-policy: 1785/3172] trunk: several MLS enhancements.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:39:16 UTC 2010


commit 2d0c9cecaf9ec6377b0a22633ae95f6b3b55542d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Aug 20 15:15:03 2007 +0000

    trunk: several MLS enhancements.

 Changelog                            |    6 +
 policy/modules/kernel/kernel.if      |    1 +
 policy/modules/kernel/kernel.te      |    2 +-
 policy/modules/kernel/mls.if         |  278 +++++++++++++++++++++++++++++++++-
 policy/modules/kernel/mls.te         |    2 +-
 policy/modules/services/cups.te      |    3 +-
 policy/modules/system/init.if        |    2 +
 policy/modules/system/init.te        |   29 ++--
 policy/modules/system/logging.te     |    3 +-
 policy/modules/system/selinuxutil.te |    6 +-
 policy/modules/system/setrans.te     |    3 +-
 policy/support/loadable_module.spt   |    8 +-
 12 files changed, 306 insertions(+), 37 deletions(-)
---
diff --git a/Changelog b/Changelog
index 549274c..6a50983 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,9 @@
+- Add make kernel and init ranged interfaces pass the range transition MLS
+  constraints.  Also remove calls to mls_rangetrans_target() in modules that use
+  the kernel and init interfaces, since its redundant.
+- Add interfaces for all MLS attributes except X object classes.
+- Require all sensitivities and categories for MLS and MCS policies, not just
+  the low and high sensitivity and category.
 - Database userspace object manager classes from KaiGai Kohei.
 - Add third-party interface for Apache CGI.
 - Add getserv and shmemserv nscd permissions.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index bb31b3d..4995f99 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -66,6 +66,7 @@ interface(`kernel_ranged_domtrans_to',`
 
 	ifdef(`enable_mls',`
 		range_transition kernel_t $2:process $3;
+		mls_rangetrans_target($1)
 	')
 ')
 
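Review bot: The added `mls_rangetrans_target($1)` makes every domain passed to `kernel_ranged_domtrans_to` an MLS range-transition target as a side effect, and the interface's doc comment (which starts outside this hunk) is not updated to say so. The same applies to the lines added to `init_ranged_domain` and `init_ranged_daemon_domain` in init.if. Because this commit also deletes the explicit `mls_rangetrans_target(...)` calls from cups.te, init.te, logging.te, selinuxutil.te and setrans.te, each of those domains keeps the attribute only if it is declared through one of these ranged interfaces, which the diff does not show; that is worth confirming, for `init_t` and `initrc_t` in particular. I would add a `<desc>` paragraph to each of the three interfaces stating that, on MLS policies, the domain is also made a range transition target.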
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5312cf0..b675a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.7.1)
+policy_module(kernel,1.7.2)
 
 ########################################
 #
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 6606745..e6250e2 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -14,7 +14,7 @@
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for reading from files at higher levels.
+##	for reading from files up to its clearance.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -23,7 +23,53 @@
 ## </param>
 ## <rolecap/>
 #
+interface(`mls_file_read_to_clearance',`
+	gen_require(`
+		attribute mlsfilereadtoclr;
+	')
+
+	typeattribute $1 mlsfilereadtoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from files at all levels.  (Deprecated)
+## </summary>
+## <desc>
+##	<p>
+##	Make specified domain MLS trusted
+##	for reading from files at all levels.
+##	</p>
+##	<p>
+##	This interface has been deprecated, please use
+##	mls_file_read_all_levels() instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`mls_file_read_up',`
+#	refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
+	mls_file_read_all_levels($1)
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from files at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_read_all_levels',`
 	gen_require(`
 		attribute mlsfileread;
 	')
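Review bot: The deprecation of `mls_file_read_up` is silent, because the `refpolicywarn(...)` line in its body is commented out and a policy build therefore gives callers no signal to migrate. The same holds for `mls_file_write_down`, `mls_process_read_up` and `mls_process_write_down` in the later hunks of this file. Other files in this commit still call the old names (for example `mls_file_read_up(init_t)` in init.te), which is presumably why the warning is disabled. I would record that above each disabled line, e.g. `# warning disabled until in-tree callers are converted to mls_file_read_all_levels()`, so that it is re-enabled once they are. The body of `mls_file_read_all_levels` continues outside this hunk.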
@@ -34,7 +80,7 @@ interface(`mls_file_read_up',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for writing to files at lower levels.
+##	for write to files up to its clearance.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
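Review bot: The rewritten summary line `for write to files up to its clearance.` is ungrammatical and does not match the sibling summaries added in this file, such as `for writing to sockets up to its clearance`. It should read `##	for writing to files up to its clearance.`, since this text is the interface summary for `mls_file_write_to_clearance`, whose definition is added in the next hunk.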
@@ -43,7 +89,53 @@ interface(`mls_file_read_up',`
 ## </param>
 ## <rolecap/>
 #
+interface(`mls_file_write_to_clearance',`
+	gen_require(`
+		attribute mlsfilewritetoclr;
+	')
+
+	typeattribute $1 mlsfilewritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to files at all levels.  (Deprecated)
+## </summary>
+## <desc>
+##	<p>
+##	Make specified domain MLS trusted
+##	for writing to files at all levels.
+##	</p>
+##	<p>
+##	This interface has been deprecated, please use
+##	mls_file_write_all_levels() instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
 interface(`mls_file_write_down',`
+#	refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
+	mls_file_write_all_levels($1)
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to files at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_all_levels',`
 	gen_require(`
 		attribute mlsfilewrite;
 	')
@@ -103,6 +195,7 @@ interface(`mls_file_downgrade',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_file_write_within_range',`
 	gen_require(`
@@ -122,6 +215,7 @@ interface(`mls_file_write_within_range',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_socket_read_all_levels',`
 	gen_require(`
@@ -142,6 +236,7 @@ interface(`mls_socket_read_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_socket_read_to_clearance',`
 	gen_require(`
@@ -154,6 +249,27 @@ interface(`mls_socket_read_to_clearance',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
+##	for writing to sockets up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_socket_write_to_clearance',`
+	gen_require(`
+		attribute mlsnetwritetoclr;
+	')
+
+	typeattribute $1 mlsnetwritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
 ##	for writing to sockets at any level.
 ## </summary>
 ## <param name="domain">
@@ -161,6 +277,7 @@ interface(`mls_socket_read_to_clearance',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_socket_write_all_levels',`
 	gen_require(`
@@ -181,6 +298,7 @@ interface(`mls_socket_write_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_net_receive_all_levels',`
 	gen_require(`
@@ -194,6 +312,27 @@ interface(`mls_net_receive_all_levels',`
 ## <summary>
 ##	Make specified domain MLS trusted
 ##	for reading from System V IPC objects
+##	up to its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_read_to_clearance',`
+	gen_require(`
+		attribute mlsipcreadtoclr;
+	')
+
+	typeattribute $1 mlsipcreadtoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from System V IPC objects
 ##	at any level.
 ## </summary>
 ## <param name="domain">
@@ -201,6 +340,7 @@ interface(`mls_net_receive_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_sysvipc_read_all_levels',`
 	gen_require(`
@@ -214,6 +354,27 @@ interface(`mls_sysvipc_read_all_levels',`
 ## <summary>
 ##	Make specified domain MLS trusted
 ##	for writing to System V IPC objects
+##	up to its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_sysvipc_write_to_clearance',`
+	gen_require(`
+		attribute mlsipcwritetoclr;
+	')
+
+	typeattribute $1 mlsipcwritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to System V IPC objects
 ##	at any level.
 ## </summary>
 ## <param name="domain">
@@ -221,6 +382,7 @@ interface(`mls_sysvipc_read_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_sysvipc_write_all_levels',`
 	gen_require(`
@@ -273,15 +435,63 @@ interface(`mls_rangetrans_target',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for reading from processes at higher levels.
+##	for reading from processes up to
+##	its clearance.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
+#
+interface(`mls_process_read_to_clearance',`
+	gen_require(`
+		attribute mlsprocreadtoclr;
+	')
+
+	typeattribute $1 mlsprocreadtoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from processes at all levels.  (Deprecated)
+## </summary>
+## <desc>
+##	<p>
+##	Make specified domain MLS trusted
+##	for reading from processes at all levels.
+##	</p>
+##	<p>
+##	This interface has been deprecated, please use
+##	mls_process_read_all_levels() instead.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
 #
 interface(`mls_process_read_up',`
+#	refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
+	mls_process_read_all_levels($1)
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from processes at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_read_all_levels',`
 	gen_require(`
 		attribute mlsprocread;
 	')
@@ -292,8 +502,39 @@ interface(`mls_process_read_up',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for writing to processes at lower levels.
+##	for writing to processes up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_write_to_clearance',`
+	gen_require(`
+		attribute mlsprocwritetoclr;
+	')
+
+	typeattribute $1 mlsprocwritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to processes at all levels.  (Deprecated)
 ## </summary>
+## <desc>
+##	<p>
+##	Make specified domain MLS trusted
+##	for writing to processes at all levels.
+##	</p>
+##	<p>
+##	This interface has been deprecated, please use
+##	mls_process_write_all_levels() instead.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@@ -301,6 +542,23 @@ interface(`mls_process_read_up',`
 ## </param>
 #
 interface(`mls_process_write_down',`
+#	refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.')
+	mls_process_write_all_levels($1)
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to processes at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_process_write_all_levels',`
 	gen_require(`
 		attribute mlsprocwrite;
 	')
@@ -319,6 +577,7 @@ interface(`mls_process_write_down',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_process_set_level',`
 	gen_require(`
@@ -338,6 +597,7 @@ interface(`mls_process_set_level',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_xwin_read_all_levels',`
 	gen_require(`
@@ -357,6 +617,7 @@ interface(`mls_xwin_read_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_xwin_write_all_levels',`
 	gen_require(`
@@ -376,6 +637,7 @@ interface(`mls_xwin_write_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_colormap_read_all_levels',`
 	gen_require(`
@@ -395,6 +657,7 @@ interface(`mls_colormap_read_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_colormap_write_all_levels',`
 	gen_require(`
@@ -444,6 +707,7 @@ interface(`mls_trusted_object',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_fd_use_all_levels',`
 	gen_require(`
@@ -464,6 +728,7 @@ interface(`mls_fd_use_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_fd_share_all_levels',`
 	gen_require(`
@@ -483,6 +748,7 @@ interface(`mls_fd_share_all_levels',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_context_translate_all_levels',`
 	gen_require(`
@@ -502,6 +768,7 @@ interface(`mls_context_translate_all_levels',`
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_db_read_all_levels',`
 	gen_require(`
@@ -521,6 +788,7 @@ interface(`mls_db_read_all_levels',`
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_db_write_all_levels',`
 	gen_require(`
@@ -540,6 +808,7 @@ interface(`mls_db_write_all_levels',`
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_db_upgrade',`
 	gen_require(`
@@ -559,6 +828,7 @@ interface(`mls_db_upgrade',`
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
+## <rolecap/>
 #
 interface(`mls_db_downgrade',`
 	gen_require(`
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index da0d2a0..e10d38e 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.5.1)
+policy_module(mls,1.5.2)
 
 ########################################
 #
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 36b64df..bf89435 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
 
-policy_module(cups,1.7.0)
+policy_module(cups,1.7.1)
 
 ########################################
 #
@@ -169,7 +169,6 @@ mls_fd_use_all_levels(cupsd_t)
 mls_file_downgrade(cupsd_t)
 mls_file_write_down(cupsd_t)
 mls_file_read_up(cupsd_t)
-mls_rangetrans_target(cupsd_t)
 mls_socket_write_all_levels(cupsd_t)
 
 term_use_unallocated_ttys(cupsd_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ac536fc..0c3e3ad 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -71,6 +71,7 @@ interface(`init_ranged_domain',`
 
 	ifdef(`enable_mls',`
 		range_transition init_t $2:process $3;
+		mls_rangetrans_target($1)
 	')
 ')
 
@@ -171,6 +172,7 @@ interface(`init_ranged_daemon_domain',`
 
 	ifdef(`enable_mls',`
 		range_transition initrc_t $2:process $3;
+		mls_rangetrans_target($1)
 	')
 ')
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 59926f8..92ef6ba 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
 
-policy_module(init,1.7.1)
+policy_module(init,1.7.2)
 
 gen_require(`
 	class passwd rootok;
@@ -138,7 +138,10 @@ files_dontaudit_rw_root_chr_files(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
+mcs_killall(init_t)
 
+mls_file_read_up(init_t)
+mls_file_write_down(init_t)
 mls_process_write_down(init_t)
 mls_fd_use_all_levels(init_t)
 
@@ -156,12 +159,6 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
-mcs_killall(init_t)
-
-mls_file_read_up(init_t)
-mls_file_write_down(init_t)
-mls_rangetrans_target(init_t)
-
 seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
@@ -287,6 +284,14 @@ fs_getattr_all_fs(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_killall(initrc_t)
+mcs_process_set_categories(initrc_t)
+
+mls_file_read_up(initrc_t)
+mls_file_write_down(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+mls_rangetrans_source(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -363,16 +368,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_certs(initrc_t)
 
-mcs_killall(initrc_t)
-mcs_process_set_categories(initrc_t)
-
-mls_file_read_up(initrc_t)
-mls_file_write_down(initrc_t)
-mls_process_read_up(initrc_t)
-mls_process_write_down(initrc_t)
-mls_rangetrans_source(initrc_t)
-mls_rangetrans_target(initrc_t)
-
 modutils_read_module_config(initrc_t)
 modutils_domtrans_insmod(initrc_t)
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a16d8c3..a4803b8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.7.0)
+policy_module(logging,1.7.1)
 
 ########################################
 #
@@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t)
 
 mls_file_read_up(auditd_t)
 mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
-mls_rangetrans_target(auditd_t)
 mls_fd_use_all_levels(auditd_t)
 
 seutil_dontaudit_read_config(auditd_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 8a3cf88..0906086 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
 
-policy_module(selinuxutil,1.6.1)
+policy_module(selinuxutil,1.6.2)
 
 ifdef(`strict_policy',`
 	gen_require(`
@@ -90,10 +90,9 @@ domain_system_change_exemption(run_init_t)
 role system_r types run_init_t;
 
 type semanage_t;
-domain_interactive_fd(semanage_t)
-
 type semanage_exec_t;
 application_domain(semanage_t,semanage_exec_t)
+domain_interactive_fd(semanage_t)
 role system_r types semanage_t;
 
 type semanage_store_t;
@@ -474,7 +473,6 @@ files_read_usr_files(semanage_t)
 files_list_pids(semanage_t)
 
 mls_file_write_down(semanage_t)
-mls_rangetrans_target(semanage_t)
 mls_file_read_up(semanage_t)
 
 selinux_validate_context(semanage_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 524bc69..d070f7d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,5 +1,5 @@
 
-policy_module(setrans,1.3.0)
+policy_module(setrans,1.3.1)
 
 ########################################
 #
@@ -55,7 +55,6 @@ files_read_etc_runtime_files(setrans_t)
 mls_file_read_up(setrans_t)
 mls_file_write_down(setrans_t)
 mls_net_receive_all_levels(setrans_t)
-mls_rangetrans_target(setrans_t)
 mls_socket_write_all_levels(setrans_t)
 mls_process_read_up(setrans_t)
 mls_socket_read_all_levels(setrans_t)
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 2d31e62..b28488e 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -17,13 +17,13 @@ define(`policy_module',`
 			all_kernel_class_perms
 
 			ifdef(`enable_mcs',`
-				sensitivity s0;
-				category c0, c`'decr(mcs_num_cats);
+				decl_sens(0,0)
+				decl_cats(0,decr(mcs_num_cats))
 			')
 
 			ifdef(`enable_mls',`
-				sensitivity s0, s`'decr(mls_num_sens);
-				category c0, c`'decr(mls_num_cats);
+				decl_sens(0,decr(mls_num_sens))
+				decl_cats(0,decr(mls_num_cats))
 			')
 		}
 	')
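Review bot: `decl_sens` and `decl_cats` are called in the require block here but are not defined anywhere in this commit, so the hunk depends on macros that presumably already exist in the support files. It is worth confirming that they expand to valid `sensitivity`/`category` require statements for the full range on both the MCS and MLS branches. A one-line comment above the two `ifdef` blocks would record the intent stated in the Changelog, e.g. `# require every sensitivity and category, not only the lowest and highest`. The enclosing `policy_module` definition starts before this hunk.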

