[selinux-policy: 1792/3172] Update MLS constraints from LSPP evaluated policy.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:39:52 UTC 2010


commit d62c0881e2f12d244396ec3c9b69bf6820be0d7c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Aug 24 14:14:29 2007 +0000

    Update MLS constraints from LSPP evaluated policy.

 Changelog                    |    1 +
 policy/mls                   |   30 +++++++++++++++++++++++-------
 policy/modules/kernel/mls.if |   22 ++++++++++++++++++++++
 policy/modules/kernel/mls.te |    3 ++-
 4 files changed, 48 insertions(+), 8 deletions(-)
---
diff --git a/Changelog b/Changelog
index fa8709a..8cb7b33 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Update MLS constraints from LSPP evaluated policy.
 - Allow initrc_t file descriptors to be inherited regardless of MLS level.
   Accordingly drop MLS permissions from daemons that inherit from any level.
 - Files and radvd updates from Stefan Schulze Frielinghaus.
diff --git a/policy/mls b/policy/mls
index 3ce227b..3dbbaaf 100644
--- a/policy/mls
+++ b/policy/mls
@@ -93,8 +93,10 @@ mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
 
+# Directory "write" ops
 mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
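Review bot: The new default on the `add_name remove_name reparent rmdir` rule is `( l1 eq l2 )`, so an unprivileged domain whose current level merely lies inside a ranged directory's range loses the entry-creation/removal access that the old `( l1 dom l2 ) and ( l1 domby h2 )` clause granted; that access now hinges on `mlsfilewriteinrange`, which this commit neither declares nor assigns (only `mlsnetwriteranged` is added in mls.te), so it presumably already exists upstream of this hunk and is worth confirming before a policy build. The comment added here only names the op class; I would extend it to state the rule: `# unprivileged subjects may only add/remove entries in directories at their own level; writes anywhere inside a ranged directory need mlsfilewriteinrange`. The file "write" constraint this rule mirrors starts above the hunk.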
@@ -165,6 +167,18 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
 	( h1 dom h2 );
 
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+	(( l1 eq l2 ) or
+	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	   ( t1 == mlsnetread )) and
+	  ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+	   (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	   ( t1 == mlsnetwrite ))));
+
+
 # the socket "read" ops (note the check is dominance of the low level)
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
 	(( l1 dom l2 ) or
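Review bot: `accept` in the new `{ accept connect }` rule also remains in the socket "read" set at the bottom of this hunk (and `connect` remains in the "write" set in the next hunk); because mlsconstrain rules are conjunctive and the new rule's `( l1 eq l2 )` default plus read-and-write overrides implies both single-direction rules, those older memberships are now redundant and make it harder to audit which rule actually gates `accept`. Either drop `accept` from the read set (and `connect` from the write set), or state the overlap in the new comment, e.g. `# accept/connect are also listed in the read/write sets below; this rule is the stricter one and governs`. The double blank line left before the read-ops comment is a small style nit.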
@@ -178,16 +192,16 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
 
 # the socket "write" ops
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or 
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));
 
-# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
+# used by netlabel to restrict normal domains to same level connections
 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ) or
-	 ( t2 == unlabeled_t ));
+	 ( t1 == mlsnetread ));
 
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
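Review bot: The rewritten comment above the `recvfrom` rule no longer says what happens to unlabeled peers, yet that is exactly what this hunk changes: the `( t2 == unlabeled_t )` escape is removed here while the association constraints further down the file keep it, so a reader will wonder whether the asymmetry is deliberate. I would put that information back into the comment, e.g. `# unlabeled peers are no longer exempt: they must satisfy the level check like any labeled peer (or the subject needs a read override)`, worded to whatever the LSPP policy actually relies on. Also, the new `(( l1 eq l2 ) or ` line in the socket "write" rule carries trailing whitespace, and `connect` in that rule is already gated by the stricter accept/connect rule in the previous hunk.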
@@ -275,7 +289,8 @@ mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
 
 # the netif/node "write" ops (implicit single level socket doing the write)
 mlsconstrain { netif node } { tcp_send udp_send rawip_send }
-	(( l1 dom l2 ) and ( l1 domby h2 ));
+	(( l1 eq l2 ) or
+	(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
 
 # these access vectors have no MLS restrictions
 # node enforce_dest
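Review bot: The rewritten `tcp_send udp_send rawip_send` rule lists only the `mlsnetwriteranged` override, while the socket "write" rule earlier in this commit also honours `mlsnetwritetoclr` and `mlsnetwrite`; a domain granted write-to-clearance or write-all-levels therefore passes the socket check but is then refused at the node/netif hop unless its level happens to equal the object's low level. Unless the omission is deliberate (the "implicit single level socket" comment does not say so), I would append `(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or` and `( t1 == mlsnetwrite )` before the closing parenthesis; if it is deliberate, the comment should say why the socket-level overrides do not apply here.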
@@ -582,7 +597,8 @@ mlsconstrain association { recvfrom }
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { sendto }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 ( t2 == unlabeled_t ));
 
 mlsconstrain association { polmatch }
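Review bot: The `association { sendto }` rule gets the same shape as the netif/node send rule — an `( l1 eq l2 )` default plus the `mlsnetwriteranged` clause — but again without the `mlsnetwritetoclr` and `mlsnetwrite` escapes that the socket "write" rule grants, so a send over an IPsec association from a domain trusted to write at other levels only succeeds when the association's low level equals the subject's; I would add `(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or ( t1 == mlsnetwrite ) or` ahead of the `unlabeled_t` line, or document why those overrides are intentionally excluded. Note also that the `( t2 == unlabeled_t )` exemption is kept here (and in the `recvfrom` rule whose head starts above this hunk) while the socket `recvfrom` rule in this same commit drops it; a one-line comment explaining what an unlabeled association means here (presumably "no labeled SA" rather than "unlabeled peer") would stop the two from being conflated.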
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 0b30904..eb1945e 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -310,6 +310,28 @@ interface(`mls_net_receive_all_levels',`
 
 ########################################
 ## <summary>
+##	Make specified domain trusted to
+##	write to network objects within its MLS range.
+##	The subject's MLS range must be a
+##	proper subset of the object's MLS range.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_net_write_within_range',`
+	gen_require(`
+		attribute mlsnetwriteranged;
+	')
+
+	typeattribute $1 mlsnetwriteranged;
+')
+
+########################################
+## <summary>
 ##	Make specified domain MLS trusted
 ##	for reading from System V IPC objects
 ##	up to its clearance.
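Review bot: The summary of `mls_net_write_within_range` says the subject's MLS range must be a proper subset of the object's range, but the clause the attribute enables is `( l1 dom l2 ) and ( l1 domby h2 )`: only the subject's current (low) level is tested, the subject's high level is not consulted, and equality at either boundary is accepted. I would rewrite the summary as `##	Make specified domain trusted to write to`, `##	network objects whose MLS range contains the`, `##	domain's current (low) level.` so the doc matches the constraint. It would also help to note in the summary that this attribute is the only override honoured by the netif/node send and association `sendto` rules in this commit, not just an extra clause for socket writes.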
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e10d38e..b1b8d80 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
 
-policy_module(mls,1.5.2)
+policy_module(mls,1.5.3)
 
 ########################################
 #
@@ -18,6 +18,7 @@ attribute mlsnetread;
 attribute mlsnetreadtoclr;
 attribute mlsnetwrite;
 attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;
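Review bot: `mlsnetwriteranged` is declared here but nothing in this commit attaches a domain to it — the diffstat lists only Changelog, policy/mls, mls.if and mls.te — while the same commit narrows the default for netif/node sends and association `sendto` to `( l1 eq l2 )`, so until some domain calls `mls_net_write_within_range` any sender whose level is not the object's low level is denied on those paths. If that is intended for the LSPP baseline, a short comment next to the attribute, e.g. `# granted via mls_net_write_within_range(); required for sends through ranged netif/node/association objects`, would tell the next maintainer where the gap is, and the Changelog entry should mention the follow-up that assigns it.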

