commit: 414de294634f9a02b072c433c1aab4387f60925e Author: Chad Hanson <dahchanson <AT> gmail <DOT> com> AuthorDate: Mon Dec 11 04:02:15 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Wed Dec 13 11:59:25 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=414de294
Fix implementation of MLS file relabel attributes This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below. Signed-off-by: Chad Hanson <dahchanson <AT> gmail.com> policy/mls | 2 +- policy/modules/kernel/mls.if | 28 ++++++++++++++++++++++++---- policy/modules/kernel/mls.te | 3 ++- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/policy/mls b/policy/mls index 2dadd205..73ff301b 100644 --- a/policy/mls +++ b/policy/mls @@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto (( h1 dom h2 ) or (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfilewrite )); + ( t1 == mlsfilerelabel )); # the file "read" ops (note the check is dominance of the low level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index b09c0a5a..2e2bebc2 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -74,6 +74,26 @@ interface(`mls_file_write_to_clearance',` ######################################## ## <summary> ## Make specified domain MLS trusted +## for writing to files at all levels. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mls_file_write_all_levels',` + gen_require(` + attribute mlsfilewrite; + ') + + typeattribute $1 mlsfilewrite; +') + +######################################## +## <summary> +## Make specified domain MLS trusted ## for relabelto to files up to its clearance. ## </summary> ## <param name="domain"> @@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',` ######################################## ## <summary> ## Make specified domain MLS trusted -## for writing to files at all levels. +## for relabelto to files at all levels. ## </summary> ## <param name="domain"> ## <summary> @@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',` ## </param> ## <rolecap/> # -interface(`mls_file_write_all_levels',` +interface(`mls_file_relabel',` gen_require(` - attribute mlsfilewrite; + attribute mlsfilerelabel; ') - typeattribute $1 mlsfilewrite; + typeattribute $1 mlsfilerelabel; ') ######################################## diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index ad74e81f..7c50e75c 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -10,9 +10,10 @@ attribute mlsfilereadtoclr; attribute mlsfilewrite; attribute mlsfilewritetoclr; attribute mlsfilewriteinrange; +attribute mlsfilerelabel; +attribute mlsfilerelabeltoclr; attribute mlsfileupgrade; attribute mlsfiledowngrade; -attribute mlsfilerelabeltoclr; attribute mlsnetread; attribute mlsnetreadtoclr;
