trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
Add MLS constraints for several network-related access controls, including the new ingress/egress controls and the older Secmark controls. Based on the following post to the SELinux Reference Policy mailing list: * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
This commit is contained in:
parent
156204a385
commit
e1a70f1dde
@ -1,3 +1,4 @@
|
||||
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
|
||||
- Drop write permission from fs_read_rpc_sockets().
|
||||
- Remove unused udev_runtime_t type.
|
||||
- Patch for RadSec port from Glen Turner.
|
||||
|
51
policy/mls
51
policy/mls
@ -298,6 +298,57 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
|
||||
|
||||
|
||||
|
||||
#
|
||||
# MLS policy for the network ingress/egress controls
|
||||
#
|
||||
|
||||
# the netif ingress/egress ops, the ingress permission is a "write" operation
|
||||
# because the subject in this particular case is the remote domain which is
|
||||
# writing data out the network interface which is acting as the object
|
||||
mlsconstrain { netif } { ingress }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetinbound ) or
|
||||
( t1 == unlabeled_t ));
|
||||
mlsconstrain { netif } { egress }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetoutbound ));
|
||||
|
||||
# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
|
||||
# because the subject in this particular case is the remote domain which is
|
||||
# writing data out the network node which is acting as the object
|
||||
mlsconstrain { node } { recvfrom }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetinbound ) or
|
||||
( t1 == unlabeled_t ));
|
||||
mlsconstrain { node } { sendto }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetoutbound ));
|
||||
|
||||
# the forward ops, the forward_in permission is a "write" operation because the
|
||||
# subject in this particular case is the remote domain which is writing data
|
||||
# to the network with a secmark label, the object in this case
|
||||
mlsconstrain { packet } { forward_in }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetinbound ) or
|
||||
( t1 == unlabeled_t ));
|
||||
mlsconstrain { packet } { forward_out }
|
||||
((( l1 dom l2 ) and ( l1 domby h2 )) or
|
||||
( t1 == mlsnetoutbound ) or
|
||||
( t1 == unlabeled_t ));
|
||||
|
||||
#
|
||||
# MLS policy for the secmark and peer controls
|
||||
#
|
||||
|
||||
# the peer/packet recv op
|
||||
mlsconstrain { peer packet } { recv }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsnetread ));
|
||||
|
||||
|
||||
|
||||
|
||||
#
|
||||
# MLS policy for the process class
|
||||
#
|
||||
|
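Review bot: The `mlsconstrain { netif } { egress }` and `mlsconstrain { node } { sendto }` rules are the only ones in this hunk without the `( t1 == unlabeled_t )` escape, while ingress, recvfrom, forward_in and even forward_out all carry it, and none of the comments say whether that asymmetry is deliberate. Because the escape lets an unlabeled source skip the range check entirely, the intent belongs next to the rules, e.g. `# no unlabeled_t exemption for egress/sendto: outbound traffic must carry a label within the netif/node range`; if the omission is an oversight, the escape should instead be added for symmetry with forward_out. The comment above the forward rules also trails off at `# to the network with a secmark label, the object in this case` without naming the object; finishing it as `# to the network; the packet with its secmark label is the object in this case` makes the source/target roles explicit. Which of the hunk's blank lines are context rather than additions is not recoverable from this rendering.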
@ -330,6 +330,48 @@ interface(`mls_net_write_within_range',`
|
||||
typeattribute $1 mlsnetwriteranged;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified domain trusted to
|
||||
## write inbound packets regardless of the
|
||||
## network's or node's MLS range.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`mls_net_inbound_all_levels',`
|
||||
gen_require(`
|
||||
attribute mlsnetinbound;
|
||||
')
|
||||
|
||||
typeattribute $1 mlsnetinbound;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified domain trusted to
|
||||
## write outbound packets regardless of the
|
||||
## network's or node's MLS range.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`mls_net_outbound_all_levels',`
|
||||
gen_require(`
|
||||
attribute mlsnetoutbound;
|
||||
')
|
||||
|
||||
typeattribute $1 mlsnetoutbound;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified domain MLS trusted
|
||||
|
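Review bot: The summaries of `mls_net_inbound_all_levels` and `mls_net_outbound_all_levels` describe making a "domain" trusted, but the attributes they grant are tested as `t1` in the netif ingress/egress, node recvfrom/sendto and packet forward constraints, where the source context appears to be the packet (secmark) or peer label rather than a process — confirm against the kernel's object-class definitions before relying on the wording. If so, the `<param name="domain">` text should say what type is expected, e.g. `## Packet (secmark) or peer type allowed access.`, and `## write inbound packets regardless of the` would read more accurately as `## be accepted inbound regardless of the`. The interface header at the end of the hunk continues outside it.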
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(mls, 1.7.0)
|
||||
policy_module(mls, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -22,6 +22,8 @@ attribute mlsnetwriteranged;
|
||||
attribute mlsnetupgrade;
|
||||
attribute mlsnetdowngrade;
|
||||
attribute mlsnetrecvall;
|
||||
attribute mlsnetinbound;
|
||||
attribute mlsnetoutbound;
|
||||
|
||||
attribute mlsipcread;
|
||||
attribute mlsipcreadtoclr;
|
||||
|
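Review bot: `attribute mlsnetinbound;` and `attribute mlsnetoutbound;` are declared without any comment tying them to the constraints they relax, so a reader has to go to the constraints file to learn that membership exempts a source label from the MLS range check on netif ingress/egress, node recvfrom/sendto and packet forward ops. A one-line comment on each, e.g. `# exempt from the netif/node range check on inbound ops (see constraints)`, would save that lookup. As far as this page shows, nothing in the module itself assigns the attributes; they are applied only through the new mls_net_*_all_levels interfaces, which the comment could also name.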