From mboxrd@z Thu Jan 1 00:00:00 1970
From: jason@perfinion.com (Jason Zaman)
Date: Fri, 3 Nov 2017 01:30:45 +0800
Subject: [refpolicy] [PATCH 1/3] mls mcs: Add constraints for key class
Message-ID: <20171102173047.21952-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
policy/mcs | 3 +++
policy/mls | 8 ++++++++
policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/mls.te | 3 +++
4 files changed, 55 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain key { create link read search setattr view write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
#
# MCS policy for SELinux-enabled databases
#
diff --git a/policy/mls b/policy/mls
index 69ca7263..2dadd205 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
# { ipc sem msgq shm } associate
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+ (( l1 eq l2 ) or
+ (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlskeywrite ));
#
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc4..b09c0a5a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
########################################
##
+## Make specified domain MLS trusted
+## for writing to keys up to
+## its clearance.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_key_write_to_clearance',`
+ gen_require(`
+ attribute mlskeywritetoclr;
+ ')
+
+ typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+##
+## Make specified domain MLS trusted
+## for writing to keys at all levels.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_key_write_all_levels',`
+ gen_require(`
+ attribute mlskeywrite;
+ ')
+
+ typeattribute $1 mlskeywrite;
+')
+
+########################################
+##
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a36..e879ddd3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
attribute mlsipcwrite;
attribute mlsipcwritetoclr;
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
attribute mlsprocread;
attribute mlsprocreadtoclr;
attribute mlsprocwrite;
--
2.13.6