From 808341bb9b21c349ae1538b6049a27bb43326a24 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 7 Oct 2009 11:48:14 -0400
Subject: [PATCH] revise MCS constraints to use only MCS-specific attributes.
---
 policy/mcs | 25 ++++++++++++----------
 policy/modules/kernel/mcs.if | 40 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mcs.te | 4 +++-
 3 files changed, 57 insertions(+), 12 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index b8dc0d69..af90ef2b 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -64,24 +64,27 @@ gen_levels(1,mcs_num_cats)
 # the high range of the file. We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Note that getattr on files is always permitted.
-#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
-	( h1 dom h2 );
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
 
-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
-	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain file { write setattr append unlink link rename }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
-# At this time we do not restrict "ps" type operations via MCS. This
-# will probably change in future.
-mlsconstrain file { read }
-	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
 	( h1 dom h2 );
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index a78c5519..f52faaf3 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
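Review bot: `file relabelfrom` loses its MCS dominance check in this hunk: the removed write constraint carried `relabelfrom`, the new `mlsconstrain file { write setattr append unlink link rename }` set does not, and the surviving `mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }` constraint does not list class `file`. A subject whose high level does not dominate a file's category set can therefore, where TE allows relabelfrom at all, relabel the file out of its categories, which is exactly the transition MCS separation is meant to gate. The smallest fix is to add the class to the existing multi-class constraint, `mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }`, so it keeps the plain `( h1 dom h2 )` check with no mcswriteall exemption. The `create reparent rmdir` permissions dropped from the dir constraint look to be covered indirectly by the `add_name remove_name` checks on the parent directory, but that reasoning belongs in the `# Note:` comment so the next reader does not re-add them.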
@@ -3,6 +3,46 @@
 ## Contains attributes used in MCS policy.
 ##
 
+########################################
+##
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_read_all',`
+	gen_require(`
+		attribute mcsreadall;
+	')
+
+	typeattribute $1 mcsreadall;
+')
+
+########################################
+##
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_write_all',`
+	gen_require(`
+		attribute mcswriteall;
+	')
+
+	typeattribute $1 mcswriteall;
+')
+
 ########################################
 ##
 ## This domain is allowed to sigkill and sigstop
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 52fa7f37..79622ec1 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs, 1.1.0)
+policy_module(mcs, 1.1.1)
 ########################################
 #
@@ -9,3 +9,5 @@ policy_module(mcs, 1.1.0)
 attribute mcskillall;
 attribute mcsptraceall;
 attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;
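Review bot: The summary on `mcs_file_read_all` undersells what the attribute grants: in policy/mcs the `mcsreadall` exemption is applied to `file { read ioctl lock execute execute_no_trans }` and `dir { search read ioctl lock }`, so a domain given this interface can also search directories and execute binaries from any category set, not merely read them. I would say so in the summary, e.g. `## This domain is allowed to read, search and execute files and directories regardless of their MCS category set. This bypasses MCS separation for the domain; grant it only to trusted backup or administrative domains.` Since `mcswriteall` is checked by separate constraints, `mcs_file_write_all` does not imply read access and a caller that needs both must call both interfaces, which is worth one sentence in each summary. The parameter text `Domain target for user exemption.` reads as a generic placeholder; `Domain to exempt from the MCS file read constraints.` (and the write counterpart) would tell a policy author what they are actually handing out.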