trunk: add MLS constrains for ingress/egress permissions from Paul Moore.

Add MLS constraints for several network related access controls including
the new ingress/egress controls and the older Secmark controls.  Based on
the following post to the SELinux Reference Policy mailing list:

 * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
This commit is contained in:
Chris PeBenito 2009-03-02 15:16:49 +00:00
parent 156204a385
commit e1a70f1dde
4 changed files with 97 additions and 1 deletions

View File

@ -1,3 +1,4 @@
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
- Patch for RadSec port from Glen Turner.

View File

@ -298,6 +298,57 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
#
# MLS policy for the network ingress/egress controls
#
# the netif ingress/egress ops, the ingress permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network interface which is acting as the object
mlsconstrain { netif } { ingress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { netif } { egress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the forward ops, the forward_in permission is a "write" operation because the
# subject in this particular case is the remote domain which is writing data
# to the network with a secmark label, the object in this case
mlsconstrain { packet } { forward_in }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { packet } { forward_out }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ) or
( t1 == unlabeled_t ));
#
# MLS policy for the secmark and peer controls
#
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
#
# MLS policy for the process class
#

View File

@ -330,6 +330,48 @@ interface(`mls_net_write_within_range',`
typeattribute $1 mlsnetwriteranged;
')
########################################
## <summary>
## Make specified domain trusted to
## write inbound packets regardless of the
## network's or node's MLS range.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_net_inbound_all_levels',`
gen_require(`
attribute mlsnetinbound;
')
typeattribute $1 mlsnetinbound;
')
########################################
## <summary>
## Make specified domain trusted to
## write outbound packets regardless of the
## network's or node's MLS range.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_net_outbound_all_levels',`
gen_require(`
attribute mlsnetoutbound;
')
typeattribute $1 mlsnetoutbound;
')
########################################
## <summary>
## Make specified domain MLS trusted

View File

@ -1,5 +1,5 @@
policy_module(mls, 1.7.0)
policy_module(mls, 1.7.1)
########################################
#
@ -22,6 +22,8 @@ attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
attribute mlsnetinbound;
attribute mlsnetoutbound;
attribute mlsipcread;
attribute mlsipcreadtoclr;