[PATCH 0/7] mcs, various: pull in changes from Fedora policy
From: Kenton Groombridge
Date: 2021-10-29 21:04 UTC
To: selinux-refpolicy; +Cc: Kenton Groombridge

Pull in some changes from the Fedora policy's MCS constraints. Most notably, the MCS override attributes were deprecated in favor of mcs_constrained_type. This means that domains will have unchecked access to objects with categories UNLESS the domain is mcs_constrained_type. This alleviates confusion between the MCS overrides and mcs_constrained_type to imply that a domain must be MCS-constrained to have MCS checks at all.

Other changes include additional constraints to miscellaneous IPC objects, node "write" operations, and netif egress/ingress operations.

Kenton Groombridge (7):
  mcs: deprecate mcs overrides
  mcs: restrict create, relabelto on mcs files
  mcs: add additional constraints to databases
  mcs: constrain misc IPC objects
  mcs: combine single-level object creation constraints
  various: deprecate mcs override interfaces
  corenet: make netlabel_peer_t mcs constrained

 policy/mcs                              | 61 ++++++++++++++++---------
 policy/modules/admin/rpm.te             |  2 -
 policy/modules/admin/tmpreaper.te       |  2 -
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/kernel/mcs.if            | 24 ++--------
 policy/modules/services/policykit.te    |  2 -
 policy/modules/services/postfix.te      | 10 ----
 policy/modules/services/watchdog.te     |  2 -
 policy/modules/system/init.te           |  6 ---
 policy/modules/system/systemd.te        |  1 -
 policy/modules/system/udev.te           |  2 -
 policy/modules/system/unconfined.te     |  3 --
 12 files changed, 45 insertions(+), 71 deletions(-)

-- 
2.33.1
* [PATCH 1/7] mcs: deprecate mcs overrides 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 2/7] mcs: restrict create, relabelto on mcs files Kenton Groombridge ` (5 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Deprecate mcs overrides in favor of using mcs_constrained_type. Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 34 ++++++++++++++-------------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/policy/mcs b/policy/mcs index c0d424a97..44b57e594 100644 --- a/policy/mcs +++ b/policy/mcs 
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats) # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain file { write setattr append unlink link rename } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { search read ioctl lock } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { write setattr append unlink link rename add_name remove_name } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain fifo_file { open } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and ( t2 == domain ))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } - (( h1 dom h2 ) or ( t1 == mcsreadall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } - (( h1 dom h2 ) or ( t1 == mcswriteall ) or - (( t1 != mcs_constrained_type ) and (t2 == domain))); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. 
mlsconstrain file { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + ((( h1 dom h2 ) and ( l2 eq h2 )) or + ( t1 != mcs_constrained_type )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } - ( h1 dom h2 ); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { transition dyntransition } - (( h1 dom h2 ) or ( t1 == mcssetcats )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); + (( h1 dom h2) or ( t1 != mcs_constrained_type )); mlsconstrain process { sigkill sigstop } - (( h1 dom h2 ) or ( t1 == mcskillall )); + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
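Review bot: the commit message should spell out the semantic change this hunk makes, because it is larger than "deprecate the override attributes": the old file, dir and fifo_file rules only exempted a non-constrained domain when the object was itself a domain (`(( t1 != mcs_constrained_type ) and (t2 == domain))`, i.e. the /proc/pid case named in the comment at the top of the hunk), whereas `( t1 != mcs_constrained_type )` on its own now exempts every domain outside mcs_constrained_type from every MCS check on every file object, so the "/proc/pid operations are not constrained" comment no longer describes the only exemption and needs updating alongside the rules. Second point in the same hunk: the `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` rule goes from `(( h1 dom h2 ) and ( l2 eq h2 ))` to `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))`, dropping `( l2 eq h2 )`, so dir, chr_file, blk_file and sock_file are no longer forced to be single-level on create or relabelto even for constrained domains, while the comment "also the objects are single-level" still claims they are. Either keep the term, e.g. `((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ))`, or say in the commit message why the single-level requirement is being relaxed for those classes.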
* [PATCH 2/7] mcs: restrict create, relabelto on mcs files 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge 2021-10-29 21:04 ` [PATCH 1/7] mcs: deprecate mcs overrides Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 3/7] mcs: add additional constraints to databases Kenton Groombridge ` (4 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/mcs b/policy/mcs index 44b57e594..d4d984e47 100644 --- a/policy/mcs +++ b/policy/mcs @@ -99,6 +99,9 @@ mlsconstrain file { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain { file lnk_file fifo_file } { create relabelto } + (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
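Review bot: the three lines added here are deleted again by 5/7, which folds `( l2 eq h2 )` into the earlier `file { create relabelto }` rule; adding and then removing the same rule within one series is churn, so squash 2/7 into 5/7 (or into 1/7, which is where `( l2 eq h2 )` was dropped for these classes in the first place). The patch also has no commit body; a one-line note that this restores the single-level requirement for file, lnk_file and fifo_file, and that dir, chr_file, blk_file and sock_file are deliberately left out, would tell the log reader what the rule is for.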
* [PATCH 3/7] mcs: add additional constraints to databases 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge 2021-10-29 21:04 ` [PATCH 1/7] mcs: deprecate mcs overrides Kenton Groombridge 2021-10-29 21:04 ` [PATCH 2/7] mcs: restrict create, relabelto on mcs files Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 4/7] mcs: constrain misc IPC objects Kenton Groombridge ` (3 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/policy/mcs b/policy/mcs index d4d984e47..8db3838f5 100644 --- a/policy/mcs +++ b/policy/mcs @@ -135,6 +135,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); +mlsconstrain context contains + (( h1 dom h2 ) and ( l1 domby l2 )); + # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); 
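Review bot: the new `mlsconstrain context contains (( h1 dom h2 ) and ( l1 domby l2 ))` has no `( t1 != mcs_constrained_type )` escape, unlike every other rule the series touches, so it is enforced for all domains, including the ones the cover letter says now get unchecked access; if that is intended, say so in the commit message, otherwise add the escape for consistency. The rule is also placed between the db_tuple rule and the "Access control for any database objects" comment, inside the SELinux-enabled databases section, although the context class has nothing to do with databases; move it next to the process or key rules, and note that the subject line "add additional constraints to databases" does not describe either this rule or the node, packet, peer and netif rules in the second hunk.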
@@ -166,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute } mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); +mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + +# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network node which is acting as the object +mlsconstrain { node } { recvfrom sendto } + (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + +mlsconstrain { packet peer } { recv } + (( l1 dom l2 ) or + (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ))); + +# The netif ingress/egress ops, the ingress permission is a "write" operation +# because the subject in this particular case is the remote domain which is +# writing data out the network interface which is acting as the object +mlsconstrain { netif } { egress ingress } + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); + ') dnl end enable_mcs -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
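Review bot: `( t1 != msc_constrained_type )` in the `{ node } { recvfrom sendto }` rule is a typo for `mcs_constrained_type`; 6/7 corrects it, but that leaves this patch referencing a name that is defined nowhere in the policy, so the fix belongs here rather than three patches later, which also keeps the series bisectable. The `{ tcp_socket udp_socket rawip_socket } node_bind` rule added at the top of this hunk duplicates the existing `mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind` that is visible as the leading context line of the hunk in 4/7, and the existing rule already covers sctp_socket, so drop the new copy. The two explanatory comments about recvfrom and ingress being "write" operations are useful; the same reasoning should be reflected in the commit body, which is currently empty.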
* [PATCH 4/7] mcs: constrain misc IPC objects 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge ` (2 preceding siblings ...) 2021-10-29 21:04 ` [PATCH 3/7] mcs: add additional constraints to databases Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 5/7] mcs: combine single-level object creation constraints Kenton Groombridge ` (2 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/mcs b/policy/mcs index 8db3838f5..6207b2734 100644 --- a/policy/mcs +++ b/policy/mcs @@ -123,6 +123,9 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind mlsconstrain key { create link read search setattr view write } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); +mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } + (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); + # # MCS policy for SELinux-enabled databases # -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
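Review bot: the new `{ ipc sem msgq shm } { create destroy setattr write unix_write }` rule covers only the write-side permissions, while the file rules earlier in this file constrain both the read and the write side, so an mcs_constrained domain can still read or attach to a System V IPC object whose categories it does not dominate. Either add a matching read-side rule with the same `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))` expression for `{ read unix_read }`, or state in the commit message that only write-side operations are meant to be checked and why. The commit body is empty; a sentence on why these five permissions were chosen would help.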
* [PATCH 5/7] mcs: combine single-level object creation constraints 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge ` (3 preceding siblings ...) 2021-10-29 21:04 ` [PATCH 4/7] mcs: constrain misc IPC objects Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 6/7] various: deprecate mcs override interfaces Kenton Groombridge 2021-10-29 21:04 ` [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained Kenton Groombridge 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/policy/mcs b/policy/mcs index 6207b2734..54d06f292 100644 --- a/policy/mcs +++ b/policy/mcs @@ -91,7 +91,7 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. -mlsconstrain file { create relabelto } +mlsconstrain { file lnk_file fifo_file } { create relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); @@ -99,9 +99,6 @@ mlsconstrain file { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -mlsconstrain { file lnk_file fifo_file } { create relabelto } - (( l2 eq h2 ) or ( t1 != mcs_constrained_type )); - mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
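Review bot: after this merge the `file lnk_file fifo_file` entries in the remaining `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` rule are redundant, because the merged rule just above already requires `( h1 dom h2 )` (and `( l2 eq h2 )`) for those three classes; trim the second rule to `{ dir chr_file blk_file sock_file }` so each class has exactly one create/relabelto rule and the intent is visible without reading both. That remaining rule also makes it explicit that dir, chr_file, blk_file and sock_file keep the dominance check but not the single-level check, so the "also the objects are single-level" comment that now heads the merged rule is only true for file, lnk_file and fifo_file; either reword the comment or restore `( l2 eq h2 )` for the other classes.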
* [PATCH 6/7] various: deprecate mcs override interfaces 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge ` (4 preceding siblings ...) 2021-10-29 21:04 ` [PATCH 5/7] mcs: combine single-level object creation constraints Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 2021-10-29 21:04 ` [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained Kenton Groombridge 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/mcs | 2 +- policy/modules/admin/rpm.te | 2 -- policy/modules/admin/tmpreaper.te | 2 -- policy/modules/kernel/mcs.if | 24 ++++-------------------- policy/modules/services/policykit.te | 2 -- policy/modules/services/postfix.te | 10 ---------- policy/modules/services/watchdog.te | 2 -- policy/modules/system/init.te | 6 ------ policy/modules/system/systemd.te | 1 - policy/modules/system/udev.te | 2 -- policy/modules/system/unconfined.te | 3 --- 11 files changed, 5 insertions(+), 51 deletions(-) diff --git a/policy/mcs b/policy/mcs index 54d06f292..860c8fcc1 100644 --- a/policy/mcs +++ b/policy/mcs @@ -176,7 +176,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } - (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index f82fd21f2..274052958 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te 
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index f4ce8dba9..1acefd7fe 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) files_setattr_all_tmp_dirs(tmpreaper_t) -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index eb4bcfcbe..55b5a7fe1 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## <rolecap/> # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## <rolecap/> # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## <rolecap/> # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## 
@@ -104,11 +92,7 @@ interface(`mcs_killall',` ## </param> # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') ######################################## diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 721534a0b..7ba8dbb13 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -265,8 +265,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t) domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -mcs_ptrace_all(policykit_resolve_t) - auth_use_nsswitch(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t) diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 067d42f08..23c8c0ef1 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t) files_search_tmp(postfix_master_t) -mcs_file_read_all(postfix_master_t) - term_dontaudit_search_ptys(postfix_master_t) hostname_exec(postfix_master_t) @@ -564,9 +562,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -mcs_file_read_all(postfix_pickup_t) -mcs_file_write_all(postfix_pickup_t) - optional_policy(` dbus_system_bus_client(postfix_pickup_t) init_dbus_chat(postfix_pickup_t) 
@@ -635,9 +630,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write }; # for /var/spool/postfix/public/pickup stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t) -mcs_file_read_all(postfix_postdrop_t) -mcs_file_write_all(postfix_postdrop_t) - term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) @@ -743,8 +735,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; allow postfix_showq_t postfix_spool_t:file read_file_perms; -mcs_file_read_all(postfix_showq_t) - term_use_all_ptys(postfix_showq_t) term_use_all_ttys(postfix_showq_t) diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index 6ad408584..ab9d94585 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) -mcs_killall(watchdog_t) - miscfiles_read_localization(watchdog_t) sysnet_dns_name_resolve(watchdog_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 649f431dc..6093de7f5 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) -mcs_killall(init_t) mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) @@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t) fs_search_all(initrc_t) fs_getattr_nfsd_files(initrc_t) -# initrc_t needs to do a pidof which requires ptrace -mcs_ptrace_all(initrc_t) -mcs_file_read_all(initrc_t) -mcs_file_write_all(initrc_t) -mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 30d23c3fe..fe493277b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -193,7 +193,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) type systemd_nspawn_t; type systemd_nspawn_exec_t; init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t) -mcs_killall(systemd_nspawn_t) type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t; files_runtime_file(systemd_nspawn_runtime_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 4463f086b..81b0dd1fe 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -141,8 +141,6 @@ fs_read_cgroup_files(udev_t) fs_rw_anon_inodefs_files(udev_t) fs_search_tracefs(udev_t) -mcs_ptrace_all(udev_t) - mls_file_read_all_levels(udev_t) mls_file_write_all_levels(udev_t) mls_file_upgrade(udev_t) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 385c88695..9df73ac76 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t) files_create_boot_flag(unconfined_t) -mcs_killall(unconfined_t) -mcs_ptrace_all(unconfined_t) - libs_run_ldconfig(unconfined_t, unconfined_r) logging_send_syslog_msg(unconfined_t) -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
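Review bot: the refpolicywarn text in the four mcs.if hunks, "please remove mcs_constrained() instead", gives the wrong instruction: a caller of mcs_file_read_all() or mcs_killall() has nothing to remove, and removing mcs_constrained() from a domain that was deliberately constrained would widen its access. The message should state the new model, e.g. `refpolicywarn(`$0() has been deprecated; domains are no longer MCS-checked unless mcs_constrained() is applied.')`, and the interface documentation headers above each body (the `## <rolecap/>` lines are visible in the hunk context) should be marked deprecated too, since they still describe the old override behaviour. The policy/mcs hunk at the start of this patch only corrects the `msc_constrained_type` typo introduced in 3/7 and belongs in that patch.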
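Review bot: the .te hunks remove mcs_killall(), mcs_ptrace_all(), mcs_file_read_all() and mcs_file_write_all() from rpm_script_t, tmpreaper_t, policykit_resolve_t, postfix_master_t, postfix_pickup_t, postfix_postdrop_t, postfix_showq_t, watchdog_t, init_t, initrc_t, systemd_nspawn_t, udev_t and unconfined_t on the assumption that none of these domains is also mcs_constrained; under 1/7 a domain keeps unchecked MCS access only while it is outside mcs_constrained_type, so any of these types that does carry the attribute silently loses what the override granted. The commit message should say that this was checked (for example with `seinfo -a mcs_constrained_type -x` against the built policy). The removed comment "# initrc_t needs to do a pidof which requires ptrace" is fine to drop from init.te, but it is the only record in the series of why initrc_t had mcs_ptrace_all, so keep that rationale in the commit body.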
* [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained 2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge ` (5 preceding siblings ...) 2021-10-29 21:04 ` [PATCH 6/7] various: deprecate mcs override interfaces Kenton Groombridge @ 2021-10-29 21:04 ` Kenton Groombridge 6 siblings, 0 replies; 8+ messages in thread From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw) To: selinux-refpolicy; +Cc: Kenton Groombridge Signed-off-by: Kenton Groombridge <me@concord.sh> --- policy/modules/kernel/corenetwork.te.in | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 010fc808e..42bbfc8df 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -53,6 +53,7 @@ network_packet_simple(icmp) # type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +mcs_constrained(netlabel_peer_t) # # port_t is the default type of INET port numbers. -- 2.33.1 ^ permalink raw reply related [flat|nested] 8+ messages in thread
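Review bot: the commit message should explain how this one-line change interacts with the `{ packet peer } { recv }` rule added in 3/7: that rule only exempts a receiver when both `( t1 != mcs_constrained_type )` and `( t2 != mcs_constrained_type )` hold, so once netlabel_peer_t carries the attribute, every domain, constrained or not, must satisfy `( l1 dom l2 )` to receive from a netlabel_peer_t peer. That is presumably the purpose of the patch, but it is the one place in the series where a domain outside mcs_constrained_type is still subject to an MCS check, and a one-line body saying so, and that it mirrors the Fedora policy the cover letter cites, would stop the next reader from treating it as an oversight. Note also that netlabel_peer_t is given `mls_systemhigh` in the sid netmsg line directly above, so the level compared by `( l1 dom l2 )` is the one on the received peer label, and the message should make clear which traffic is expected to be denied as a result.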