From e1a70f1dde1f2a08e3070f6f7a7e373e3fe89606 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 2 Mar 2009 15:16:49 +0000
Subject: [PATCH] trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
Add MLS constraints for several network related access controls including the new ingress/egress controls and the older Secmark controls. Based on the following post to the SELinux Reference Policy mailing list:
* http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
---
 Changelog | 1 +
 policy/mls | 51 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.if | 42 +++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te | 4 ++-
 4 files changed, 97 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 6c85f15b..b2cfb6c7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add MLS constrains for ingress/egress and secmark from Paul Moore.
 - Drop write permission from fs_read_rpc_sockets().
 - Remove unused udev_runtime_t type.
 - Patch for RadSec port from Glen Turner.
diff --git a/policy/mls b/policy/mls
index 80b3a431..d8a3c3cd 100644
--- a/policy/mls
+++ b/policy/mls
@@ -298,6 +298,57 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
+#
+# MLS policy for the network ingress/egress controls
+#
+
+# the netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { ingress }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetinbound ) or
+	( t1 == unlabeled_t ));
+mlsconstrain { netif } { egress }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetoutbound ));
+
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetinbound ) or
+	( t1 == unlabeled_t ));
+mlsconstrain { node } { sendto }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetoutbound ));
+
+# the forward ops, the forward_in permission is a "write" operation because the
+# subject in this particular case is the remote domain which is writing data
+# to the network with a secmark label, the object in this case
+mlsconstrain { packet } { forward_in }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetinbound ) or
+	( t1 == unlabeled_t ));
+mlsconstrain { packet } { forward_out }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	( t1 == mlsnetoutbound ) or
+	( t1 == unlabeled_t ));
+
+#
+# MLS policy for the secmark and peer controls
+#
+
+# the peer/packet recv op
+mlsconstrain { peer packet } { recv }
+	(( l1 dom l2 ) or
+	(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	( t1 == mlsnetread ));
+
+
+
+
 #
 # MLS policy for the process class
 #
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index c2706def..af86516d 100644
--- a/policy/modules/kernel/mls.if
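Review bot: The `( t1 == unlabeled_t )` disjunct is present on `packet forward_out` but absent from `netif egress` and `node sendto`, and a forwarded packet whose peer label is unlabeled_t would, as far as I can tell, be evaluated against all three outbound rules with the same subject, so the exemption on one of them is only effective if the other two carry it too; either the asymmetry is intentional and deserves a comment on the `forward_out` rule, or `egress` and `sendto` need the same disjunct. That disjunct is also the security-relevant choice in this hunk — a subject of type unlabeled_t satisfies the constraint regardless of levels and so skips the MLS range check entirely — and none of the comment blocks say so; I would add above the first `ingress` rule `# peers with no label (unlabeled_t) are exempted from the range check here and in the rules below`. The comment above `forward_in` trails off (`... the object in this case`); `# to the network with a secmark label, which is the object in this case` reads as intended.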
+++ b/policy/modules/kernel/mls.if
@@ -330,6 +330,48 @@ interface(`mls_net_write_within_range',`
 	typeattribute $1 mlsnetwriteranged;
 ')
+########################################
+##
+## Make specified domain trusted to
+## write inbound packets regardless of the
+## network's or node's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_net_inbound_all_levels',`
+	gen_require(`
+		attribute mlsnetinbound;
+	')
+
+	typeattribute $1 mlsnetinbound;
+')
+
+########################################
+##
+## Make specified domain trusted to
+## write outbound packets regardless of the
+## network's or node's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_net_outbound_all_levels',`
+	gen_require(`
+		attribute mlsnetoutbound;
+	')
+
+	typeattribute $1 mlsnetoutbound;
+')
+
 ########################################
 ##
 ## Make specified domain MLS trusted
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 10b5e5a0..252deef1 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls, 1.7.0)
+policy_module(mls, 1.7.1)
 ########################################
 #
@@ -22,6 +22,8 @@ attribute mlsnetwriteranged;
 attribute mlsnetupgrade;
 attribute mlsnetdowngrade;
 attribute mlsnetrecvall;
+attribute mlsnetinbound;
+attribute mlsnetoutbound;
 attribute mlsipcread;
 attribute mlsipcreadtoclr;
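Review bot: The `## Make specified domain trusted to write inbound packets regardless of the network's or node's MLS range.` summary of `mls_net_inbound_all_levels` understates what the interface grants: the `mlsnetinbound` attribute it assigns also satisfies the `packet forward_in` constraint added to policy/mls in this same commit, and the same gap applies to `mls_net_outbound_all_levels` and `forward_out`. I would phrase the summary as `## Make specified domain trusted to bypass the MLS range check on inbound traffic (netif ingress, node recvfrom and packet forward_in).` and the outbound counterpart accordingly. It is also worth saying in the summary that the grant is unconditional — in the policy/mls rules `t1 == mlsnetinbound` alone satisfies the constraint — since the neighbouring `mls_net_write_within_range` interface visible at the top of the hunk implies, by its name, a range-bounded grant.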