trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
Add MLS constraints for several network-related access controls, including the new ingress/egress controls and the older Secmark controls. Based on the following post to the SELinux Reference Policy mailing list: * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
This commit is contained in:
parent
156204a385
commit
e1a70f1dde
@ -1,3 +1,4 @@
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
- Drop write permission from fs_read_rpc_sockets().
- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
- Remove unused udev_runtime_t type.
- Patch for RadSec port from Glen Turner.
- Patch for RadSec port from Glen Turner.
51
policy/mls
51
policy/mls
@ -298,6 +298,57 @@ mlsconstrain { netif node } { tcp_send udp_send rawip_send }
#
# MLS policy for the network ingress/egress controls
#
# the netif ingress/egress ops, the ingress permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network interface which is acting as the object
mlsconstrain { netif } { ingress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { netif } { egress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the forward ops, the forward_in permission is a "write" operation because the
# subject in this particular case is the remote domain which is writing data
# to the network with a secmark label, the object in this case
mlsconstrain { packet } { forward_in }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { packet } { forward_out }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ) or
( t1 == unlabeled_t ));
#
# MLS policy for the secmark and peer controls
#
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
#
#
# MLS policy for the process class
# MLS policy for the process class
#
#
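Review bot: The comment above the forward constraints stops mid-sentence at `# to the network with a secmark label, the object in this case`, so the reader never learns what the object is; finish it along the lines of `# to the network with a secmark label; the object in this case is the packet` / `# carrying that secmark label`. The same block should record why `forward_out` keeps the `( t1 == unlabeled_t )` exemption while the `egress` and `sendto` constraints in this hunk do not, since that asymmetry is the first thing a later maintainer will question. It is also worth a one-line comment above the `ingress` constraint stating that `unlabeled_t` as the subject covers peers that carry no security label at all, so the inbound MLS checks here only ever apply to labeled peers — presumably intentional, but it should be explicit in the policy rather than inferred.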
@ -330,6 +330,48 @@ interface(`mls_net_write_within_range',`
typeattribute $1 mlsnetwriteranged;
typeattribute $1 mlsnetwriteranged;
')
')
########################################
## <summary>
## Make specified domain trusted to
## write inbound packets regardless of the
## network's or node's MLS range.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_net_inbound_all_levels',`
gen_require(`
attribute mlsnetinbound;
')
typeattribute $1 mlsnetinbound;
')
########################################
## <summary>
## Make specified domain trusted to
## write outbound packets regardless of the
## network's or node's MLS range.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_net_outbound_all_levels',`
gen_require(`
attribute mlsnetoutbound;
')
typeattribute $1 mlsnetoutbound;
')
########################################
########################################
## <summary>
## <summary>
## Make specified domain MLS trusted
## Make specified domain MLS trusted
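Review bot: The `<summary>` of `mls_net_inbound_all_levels` describes the exemption as writing inbound packets "regardless of the network's or node's MLS range", but the `mlsnetinbound` attribute it assigns also satisfies the `packet forward_in` constraint this commit adds to policy/mls, and `mlsnetoutbound` likewise satisfies `packet forward_out`; the summaries should name the packet forward case so a policy author sees the full reach of the bypass before granting it. Suggested wording for the inbound interface: `## write inbound packets (netif ingress, node recvfrom and` / `## packet forward_in) regardless of the network's or node's MLS range.`, with the matching egress/sendto/forward_out wording on `mls_net_outbound_all_levels`. Both new interfaces are complete within the hunk; the interface that begins at the trailing `## Make specified domain MLS trusted` context continues outside it.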
@ -1,5 +1,5 @@
policy_module(mls, 1.7.0)
policy_module(mls, 1.7.1)
########################################
########################################
#
#
@ -22,6 +22,8 @@ attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;
attribute mlsnetrecvall;
attribute mlsnetinbound;
attribute mlsnetoutbound;
attribute mlsipcread;
attribute mlsipcread;
attribute mlsipcreadtoclr;
attribute mlsipcreadtoclr;