selinux-refpolicy.vger.kernel.org archive mirror
* [PATCH 0/7] mcs, various: pull in changes from Fedora policy
@ 2021-10-29 21:04 Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 1/7] mcs: deprecate mcs overrides Kenton Groombridge
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Pull in some changes from the Fedora policy's MCS constraints.

Most notably, the MCS override attributes were deprecated in favor of
mcs_constrained_type. This means that domains will have unchecked
access to objects with categories UNLESS the domain is
mcs_constrained_type. This alleviates confusion between the MCS
overrides and mcs_constrained_type to imply that a domain must be
MCS-constrained to have MCS checks at all.

Other changes include additional constraints to miscellaneous IPC
objects, node "write" operations, and netif egress/ingress operations.

Kenton Groombridge (7):
  mcs: deprecate mcs overrides
  mcs: restrict create, relabelto on mcs files
  mcs: add additional constraints to databases
  mcs: constrain misc IPC objects
  mcs: combine single-level object creation constraints
  various: deprecate mcs override interfaces
  corenet: make netlabel_peer_t mcs constrained

 policy/mcs                              | 61 ++++++++++++++++---------
 policy/modules/admin/rpm.te             |  2 -
 policy/modules/admin/tmpreaper.te       |  2 -
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/kernel/mcs.if            | 24 ++--------
 policy/modules/services/policykit.te    |  2 -
 policy/modules/services/postfix.te      | 10 ----
 policy/modules/services/watchdog.te     |  2 -
 policy/modules/system/init.te           |  6 ---
 policy/modules/system/systemd.te        |  1 -
 policy/modules/system/udev.te           |  2 -
 policy/modules/system/unconfined.te     |  3 --
 12 files changed, 45 insertions(+), 71 deletions(-)

-- 
2.33.1



* [PATCH 1/7] mcs: deprecate mcs overrides
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 2/7] mcs: restrict create, relabelto on mcs files Kenton Groombridge
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Deprecate mcs overrides in favor of using mcs_constrained_type.

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 34 ++++++++++++++--------------------
 1 file changed, 14 insertions(+), 20 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index c0d424a97..44b57e594 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -69,53 +69,47 @@ gen_levels(1,mcs_num_cats)
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain fifo_file { open }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
-	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	((( h1 dom h2 ) and ( l2 eq h2 )) or
+	 ( t1 != mcs_constrained_type ));
 
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-	( h1 dom h2 );
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-	(( h1 dom h2 ) and ( l2 eq h2 ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { transition dyntransition }
-	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { ptrace }
-	(( h1 dom h2) or ( t1 == mcsptraceall ));
+	(( h1 dom h2) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { sigkill sigstop }
-	(( h1 dom h2 ) or ( t1 == mcskillall ));
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain process { signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
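Review bot: the second `{ dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }` rule near the end of the hunk silently drops the `( l2 eq h2 )` single-level requirement for dir, chr_file, blk_file and sock_file, while the comment above it ("also the objects are single-level") is left unchanged and the commit message does not mention the relaxation; either keep `(( h1 dom h2 ) and ( l2 eq h2 ))` for the whole class list, as the `mlsconstrain file { create relabelto }` rule in this same hunk still does, or document why only files, symlinks and FIFOs must stay single-level. Separately, this hunk removes every reference to mcsreadall, mcswriteall, mcssetcats, mcsptraceall and mcskillall from these constraints, but no file in the cover-letter diffstat removes the attribute declarations, so they remain declared but unused until a follow-up cleans them up.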
-- 
2.33.1



* [PATCH 2/7] mcs: restrict create, relabelto on mcs files
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 1/7] mcs: deprecate mcs overrides Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 3/7] mcs: add additional constraints to databases Kenton Groombridge
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 44b57e594..d4d984e47 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -99,6 +99,9 @@ mlsconstrain file { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+	(( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
+
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
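Review bot: the new `{ file lnk_file fifo_file } { create relabelto }` rule is redundant for `file`, which already carries `( l2 eq h2 )` in the `mlsconstrain file { create relabelto }` rule shown in the hunk header three lines above, and 5/7 then rewrites both rules again; squash this into 1/7 or 5/7 so the single-level requirement changes once in the series, and give the commit a body explaining why dir, chr_file, blk_file and sock_file are exempt from `l2 eq h2`.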
-- 
2.33.1



* [PATCH 3/7] mcs: add additional constraints to databases
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 1/7] mcs: deprecate mcs overrides Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 2/7] mcs: restrict create, relabelto on mcs files Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 4/7] mcs: constrain misc IPC objects Kenton Groombridge
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index d4d984e47..8db3838f5 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -135,6 +135,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
 mlsconstrain { db_tuple } { insert relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+mlsconstrain context contains
+	(( h1 dom h2 ) and ( l1 domby l2 ));
+
 # Access control for any database objects based on MCS rules.
 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
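Review bot: the new `mlsconstrain context contains` rule is the only constraint in the series without a `( t1 != mcs_constrained_type )` escape, so it applies to every domain, and it is inserted under the "MCS policy for SELinux-enabled databases" block although `context` is not a database class. If it is meant to be unconditional (the expression `(( h1 dom h2 ) and ( l1 domby l2 ))` checks that the object's range lies within the subject's, not a subject/object access), say so in a comment and in the commit message, whose title mentions only databases, and place it next to the process constraints rather than between the db_* rules.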
@@ -166,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+	(( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+	(( l1 dom l2 ) or
+	 (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+	(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
 ') dnl end enable_mcs
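Review bot: `msc_constrained_type` in the `{ node } { recvfrom sendto }` rule is a typo for `mcs_constrained_type`; it names an attribute that is not declared anywhere, so the policy should fail to build at this point in the series, and the fix that 6/7 carries belongs here. The `{ tcp_socket udp_socket rawip_socket } node_bind` rule also duplicates an existing `{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind` constraint in this file (visible as the hunk header context in 4/7); two mlsconstrain rules on the same class and permission are both enforced, so the new one adds nothing and should be dropped. Finally, the commit title says databases but this hunk adds network constraints; the body should describe the node, netif and packet/peer rules and explain why `{ packet peer } { recv }` requires both t1 and t2 to be unconstrained while node and netif check only t1.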
-- 
2.33.1



* [PATCH 4/7] mcs: constrain misc IPC objects
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
                   ` (2 preceding siblings ...)
  2021-10-29 21:04 ` [PATCH 3/7] mcs: add additional constraints to databases Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 5/7] mcs: combine single-level object creation constraints Kenton Groombridge
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 8db3838f5..6207b2734 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 mlsconstrain key { create link read search setattr view write }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
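Review bot: the new `{ ipc sem msgq shm } { create destroy setattr write unix_write }` rule constrains only the write side of SysV IPC; `read`, `unix_read`, `getattr` and `associate` are left unconstrained, so an mcs_constrained_type domain can still read a shared memory segment or message queue labeled with categories it does not dominate, unlike the file classes earlier in this file where read is constrained as well. If matching the Fedora policy is the goal, state that and the deliberate omission in the commit body, which is currently empty.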
-- 
2.33.1



* [PATCH 5/7] mcs: combine single-level object creation constraints
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
                   ` (3 preceding siblings ...)
  2021-10-29 21:04 ` [PATCH 4/7] mcs: constrain misc IPC objects Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 6/7] various: deprecate mcs override interfaces Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained Kenton Groombridge
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index 6207b2734..54d06f292 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -91,7 +91,7 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
-mlsconstrain file { create relabelto }
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
 	((( h1 dom h2 ) and ( l2 eq h2 )) or
 	 ( t1 != mcs_constrained_type ));
 
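Review bot: this hunk and the next undo what 2/7 added three commits earlier, so the series changes the same two `{ create relabelto }` rules three times; squash 2/7 and 5/7 (or fold both into 1/7) so reviewers and `git bisect` see one coherent change. The resulting rule also still exempts dir, chr_file, blk_file and sock_file from `( l2 eq h2 )`, which the retained comment "also the objects are single-level" does not explain; either narrow the comment or widen the class list.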
@@ -99,9 +99,6 @@ mlsconstrain file { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { file lnk_file fifo_file } { create relabelto }
-	(( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
-
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-- 
2.33.1



* [PATCH 6/7] various: deprecate mcs override interfaces
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
                   ` (4 preceding siblings ...)
  2021-10-29 21:04 ` [PATCH 5/7] mcs: combine single-level object creation constraints Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  2021-10-29 21:04 ` [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained Kenton Groombridge
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/mcs                           |  2 +-
 policy/modules/admin/rpm.te          |  2 --
 policy/modules/admin/tmpreaper.te    |  2 --
 policy/modules/kernel/mcs.if         | 24 ++++--------------------
 policy/modules/services/policykit.te |  2 --
 policy/modules/services/postfix.te   | 10 ----------
 policy/modules/services/watchdog.te  |  2 --
 policy/modules/system/init.te        |  6 ------
 policy/modules/system/systemd.te     |  1 -
 policy/modules/system/udev.te        |  2 --
 policy/modules/system/unconfined.te  |  3 ---
 11 files changed, 5 insertions(+), 51 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index 54d06f292..860c8fcc1 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -176,7 +176,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 # because the subject in this particular case is the remote domain which is
 # writing data out the network node which is acting as the object
 mlsconstrain { node } { recvfrom sendto }
-	(( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+	(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { packet peer } { recv }
 	(( l1 dom l2 ) or
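Review bot: this typo fix belongs in 3/7, which introduced `msc_constrained_type` in the `{ node } { recvfrom sendto }` rule; as ordered, the tree at 3/7 references an undeclared attribute, and a commit titled "deprecate mcs override interfaces" is not where anyone would look for the fix.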
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index f82fd21f2..274052958 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
index f4ce8dba9..1acefd7fe 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 files_setattr_all_tmp_dirs(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcbe..55b5a7fe1 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## <rolecap/>
 #
 interface(`mcs_file_read_all',`
-	gen_require(`
-		attribute mcsreadall;
-	')
-
-	typeattribute $1 mcsreadall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
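Review bot: the deprecation message "please remove mcs_constrained() instead" is ambiguous: it reads as though mcs_constrained() itself is going away, when the intent per the cover letter is that a domain needing to bypass MCS should simply not be made mcs_constrained_type. Reword it along the lines of "MCS overrides no longer exist; do not call mcs_constrained() on domains that must bypass MCS", and apply the same wording to the three identical hunks below. The interface documentation above each of the four interfaces (the `## <summary>` block whose `## <rolecap/>` and `## </param>` lines appear as context) is left untouched, so the generated docs still advertise working overrides; mark each summary as deprecated and drop `<rolecap/>`, since the interfaces no longer grant anything.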
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## <rolecap/>
 #
 interface(`mcs_file_write_all',`
-	gen_require(`
-		attribute mcswriteall;
-	')
-
-	typeattribute $1 mcswriteall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## <rolecap/>
 #
 interface(`mcs_killall',`
-	gen_require(`
-		attribute mcskillall;
-	')
-
-	typeattribute $1 mcskillall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## </param>
 #
 interface(`mcs_ptrace_all',`
-	gen_require(`
-		attribute mcsptraceall;
-	')
-
-	typeattribute $1 mcsptraceall;
+	refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
 ')
 
 ########################################
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 721534a0b..7ba8dbb13 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -265,8 +265,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
 
 domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
 
-mcs_ptrace_all(policykit_resolve_t)
-
 auth_use_nsswitch(policykit_resolve_t)
 
 userdom_read_all_users_state(policykit_resolve_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 067d42f08..23c8c0ef1 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
 
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
-
 term_dontaudit_search_ptys(postfix_master_t)
 
 hostname_exec(postfix_master_t)
@@ -564,9 +562,6 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
-mcs_file_read_all(postfix_pickup_t)
-mcs_file_write_all(postfix_pickup_t)
-
 optional_policy(`
 	dbus_system_bus_client(postfix_pickup_t)
 	init_dbus_chat(postfix_pickup_t)
@@ -635,9 +630,6 @@ allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
 # for /var/spool/postfix/public/pickup
 stream_connect_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t, postfix_master_t)
 
-mcs_file_read_all(postfix_postdrop_t)
-mcs_file_write_all(postfix_postdrop_t)
-
 term_dontaudit_use_all_ptys(postfix_postdrop_t)
 term_dontaudit_use_all_ttys(postfix_postdrop_t)
 
@@ -743,8 +735,6 @@ allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
 
-mcs_file_read_all(postfix_showq_t)
-
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 6ad408584..ab9d94585 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,8 +76,6 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
-mcs_killall(watchdog_t)
-
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 649f431dc..6093de7f5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -212,7 +212,6 @@ fs_list_inotifyfs(init_t)
 fs_write_ramfs_sockets(init_t)
 
 mcs_process_set_categories(init_t)
-mcs_killall(init_t)
 
 mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
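Review bot: `mcs_process_set_categories(init_t)` is kept here (and for initrc_t in the next hunk) although 1/7 replaced `( t1 == mcssetcats )` with `( t1 != mcs_constrained_type )` in the `process { transition dyntransition }` constraint, the only consumer of that attribute visible in the series; if nothing else references mcssetcats, this interface is now a no-op and should be deprecated alongside mcs_killall and friends in this same commit rather than left in place.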
@@ -790,11 +789,6 @@ fs_getattr_all_fs(initrc_t)
 fs_search_all(initrc_t)
 fs_getattr_nfsd_files(initrc_t)
 
-# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-mcs_file_read_all(initrc_t)
-mcs_file_write_all(initrc_t)
-mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
 
 mls_file_read_all_levels(initrc_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 30d23c3fe..fe493277b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -193,7 +193,6 @@ init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
-mcs_killall(systemd_nspawn_t)
 
 type systemd_nspawn_runtime_t alias systemd_nspawn_var_run_t;
 files_runtime_file(systemd_nspawn_runtime_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4463f086b..81b0dd1fe 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -141,8 +141,6 @@ fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 fs_search_tracefs(udev_t)
 
-mcs_ptrace_all(udev_t)
-
 mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
 mls_file_upgrade(udev_t)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 385c88695..9df73ac76 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -30,9 +30,6 @@ domtrans_pattern(unconfined_t, unconfined_execmem_exec_t, unconfined_execmem_t)
 
 files_create_boot_flag(unconfined_t)
 
-mcs_killall(unconfined_t)
-mcs_ptrace_all(unconfined_t)
-
 libs_run_ldconfig(unconfined_t, unconfined_r)
 
 logging_send_syslog_msg(unconfined_t)
-- 
2.33.1



* [PATCH 7/7] corenet: make netlabel_peer_t mcs constrained
  2021-10-29 21:04 [PATCH 0/7] mcs, various: pull in changes from Fedora policy Kenton Groombridge
                   ` (5 preceding siblings ...)
  2021-10-29 21:04 ` [PATCH 6/7] various: deprecate mcs override interfaces Kenton Groombridge
@ 2021-10-29 21:04 ` Kenton Groombridge
  6 siblings, 0 replies; 8+ messages in thread
From: Kenton Groombridge @ 2021-10-29 21:04 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Kenton Groombridge

Signed-off-by: Kenton Groombridge <me@concord.sh>
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 010fc808e..42bbfc8df 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -53,6 +53,7 @@ network_packet_simple(icmp)
 #
 type netlabel_peer_t;
 sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+mcs_constrained(netlabel_peer_t)
 
 #
 # port_t is the default type of INET port numbers.
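Review bot: the commit has no body, and this one line changes the meaning of the `{ packet peer } { recv }` constraint from 3/7 for every domain, not just MCS-constrained ones: that rule skips the level check only when both t1 and t2 are outside mcs_constrained_type, so once netlabel_peer_t is constrained, any local domain receiving labeled traffic must satisfy `( l1 dom l2 )`. That is a deliberate choice worth explaining, since the cover letter says unconstrained domains have unchecked access to categorised objects; note also that the netmsg initial SID two lines above is assigned mls_systemhigh, so a peer that keeps that default level is receivable only by a domain whose low level dominates systemhigh.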
-- 
2.33.1


