From mboxrd@z Thu Jan  1 00:00:00 1970
From: jason@perfinion.com (Jason Zaman)
Date: Fri,  3 Nov 2017 01:30:45 +0800
Subject: [refpolicy] [PATCH 1/3] mls mcs: Add constraints for key class
Message-ID: <20171102173047.21952-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
 policy/mcs                   |  3 +++
 policy/mls                   |  8 ++++++++
 policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |  3 +++
 4 files changed, 55 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/mls b/policy/mls
index 69ca7263..2dadd205 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlskeywrite ));
 
 
 #
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc4..b09c0a5a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
 
 ########################################
 ## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+	gen_require(`
+		attribute mlskeywritetoclr;
+	')
+
+	typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+	gen_require(`
+		attribute mlskeywrite;
+	')
+
+	typeattribute $1 mlskeywrite;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to do a MLS
 ##	range transition that changes
 ##	the current level.
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a36..e879ddd3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;
-- 
2.13.6