add mls privileges

refpolicy/Changelog

@@ -1,3 +1,5 @@
+- Add MLS module to handle MLS constraint exceptions,
+  such as reading up and writing down.
 - Fix errors uncovered by sediff.
 - Added policies:
 	anaconda

refpolicy/policy/mcs

@@ -211,5 +211,4 @@ mlsconstrain file { read write setattr append unlink link rename
 # or we get a build error.  Below is a dummy entry to do this.
 mlsconstrain xextension query ( t1 == mlsfileread );
 
-attribute mlsfileread;
 ') dnl end enable_mcs

refpolicy/policy/mls

@@ -733,42 +733,4 @@ mlsconstrain xextension use
 # these access vectors have no MLS restrictions
 # association { sendto recvfrom }
 
-attribute mlsfileread;
-attribute mlsfilereadtoclr;
-attribute mlsfilewrite;
-attribute mlsfilewritetoclr;
-attribute mlsfileupgrade;
-attribute mlsfiledowngrade;
-
-attribute mlsnetread;
-attribute mlsnetreadtoclr;
-attribute mlsnetwrite;
-attribute mlsnetwritetoclr;
-attribute mlsnetupgrade;
-attribute mlsnetdowngrade;
-attribute mlsnetrecvall;
-
-attribute mlsipcread;
-attribute mlsipcreadtoclr;
-attribute mlsipcwrite;
-attribute mlsipcwritetoclr;
-
-attribute mlsprocread;
-attribute mlsprocreadtoclr;
-attribute mlsprocwrite;
-attribute mlsprocwritetoclr;
-attribute mlsprocsetsl;
-
-attribute mlsxwinread;
-attribute mlsxwinreadtoclr;
-attribute mlsxwinwrite;
-attribute mlsxwinwritetoclr;
-attribute mlsxwinupgrade;
-attribute mlsxwindowngrade;
-
-attribute mlstrustedobject;
-
-attribute privrangetrans;
-attribute mlsrangetrans;
-
 ') dnl end enable_mls

refpolicy/policy/modules/admin/consoletype.te

@@ -6,9 +6,11 @@ policy_module(consoletype, 1.0)
 # Declarations
 #
 
-type consoletype_t; #, mlsfileread, mlsfilewrite
+type consoletype_t;
 type consoletype_exec_t;
 init_domain(consoletype_t,consoletype_exec_t)
+mls_file_read_up(consoletype_t)
+mls_file_write_down(consoletype_t)
 role system_r types consoletype_t;
 
 ifdef(`targeted_policy',`',`

refpolicy/policy/modules/admin/su.if

@@ -148,11 +148,12 @@ template(`su_per_userdomain_template',`
 		ifdef(`TODO',`
 
 		ifdef(`support_polyinstantiation', `
-		typeattribute $1_su_t mlsfileread;
+		mls_file_read_up($1_su_t)
-		typeattribute $1_su_t mlsfilewrite;
+		mls_file_write_down($1_su_t)
-		typeattribute $1_su_t mlsfileupgrade;
+		mls_file_upgrade($1_su_t)
-		typeattribute $1_su_t mlsfiledowngrade;
+		mls_file_downgrade($1_su_t)
-		typeattribute $1_su_t mlsprocsetsl;
+		mls_process_set_level($1_su_t)
+
 		# Su can polyinstantiate
 		polyinstantiater($1_su_t)
 		# Su has to unmount polyinstantiated directories (like home)

refpolicy/policy/modules/admin/sudo.if

@@ -38,7 +38,7 @@ template(`sudo_per_userdomain_template',`
 	# Declarations
 	#
 
-	type $1_sudo_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+	type $1_sudo_t; 
 	domain_type($1_sudo_t)
 	domain_entry_file($1_sudo_t,sudo_exec_t)
 	domain_wide_inherit_fd($1_sudo_t)
@@ -128,6 +128,12 @@ template(`sudo_per_userdomain_template',`
 
 	miscfiles_read_localization($1_sudo_t)
 
+	mls_file_read_up($1_sudo_t)
+	mls_file_write_down($1_sudo_t)
+	mls_file_upgrade($1_sudo_t)
+	mls_file_downgrade($1_sudo_t)
+	mls_process_set_level($1_sudo_t)
+
 	seutil_read_config($1_sudo_t)
 	seutil_read_default_contexts($1_sudo_t)
 

refpolicy/policy/modules/kernel/devices.te

@@ -122,6 +122,7 @@ genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
 type null_device_t, device_node;
 fs_associate(null_device_t)
 fs_associate_tmpfs(null_device_t)
+mls_trusted_object(null_device_t)
 sid devnull context_template(system_u:object_r:null_device_t,s0)
 
 #
@@ -191,3 +192,4 @@ fs_associate_tmpfs(xserver_misc_device_t)
 type zero_device_t, device_node;
 fs_associate(zero_device_t)
 fs_associate_tmpfs(zero_device_t)
+mls_trusted_object(zero_device_t)

refpolicy/policy/modules/kernel/kernel.te

@@ -25,9 +25,10 @@ attribute sysctl_type;
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
+type kernel_t, can_load_kernmodule;
-role system_r types kernel_t;
 domain_base_type(kernel_t)
+mls_rangetrans_source(kernel_t)
+role system_r types kernel_t;
 sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
 
 #
@@ -212,6 +213,9 @@ files_list_etc(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
+mls_process_read_up(kernel_t)
+mls_process_write_down(kernel_t)
+
 ifdef(`TODO',`
 ifdef(`targeted_policy', `
 unconfined_domain(kernel_t)

refpolicy/policy/modules/kernel/mls.fc

@@ -0,0 +1 @@
+# No MLS file contexts.

refpolicy/policy/modules/kernel/mls.if

@@ -0,0 +1,196 @@
+## <summary>Multilevel security policy</summary>
+## <desc>
+##	<p>
+##	This module contains interfaces for handling multilevel
+##	security.  The interfaces allow the specified subjects
+##	and objects to be allowed certain privileges in the
+##	MLS rules.
+##	</p>
+## </desc>
+## <required val="true">
+##	Contains attributes used in MLS policy.
+## </required>
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from files at higher levels.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_read_up',`
+	gen_require(`
+		attribute mlsfileread;
+	')
+
+	typeattribute $1 mlsfileread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to files at lower levels.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_write_down',`
+	gen_require(`
+		attribute mlsfilewrite;
+	')
+
+	typeattribute $1 mlsfilewrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for raising the level of files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_upgrade',`
+	gen_require(`
+		attribute mlsfileupgrade;
+	')
+
+	typeattribute $1 mlsfileupgrade;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for lowering the level of files.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_file_downgrade',`
+	gen_require(`
+		attribute mlsfiledowngrade;
+	')
+
+	typeattribute $1 mlsfiledowngrade;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to do a MLS
+##	range transition that changes
+##	the current level.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_rangetrans_source',`
+	gen_require(`
+		attribute privrangetrans;
+	')
+
+	typeattribute $1 privrangetrans;
+')
+
+########################################
+## <summary>
+##	Make specified domain a target domain
+##	for MLS range transitions that change
+##	the current level.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_rangetrans_target',`
+	gen_require(`
+		attribute mlsrangetrans;
+	')
+
+	typeattribute $1 mlsrangetrans;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for reading from processes at higher levels.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_read_up',`
+	gen_require(`
+		attribute mlsprocread;
+	')
+
+	typeattribute $1 mlsprocread;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to processes at lower levels.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_write_down',`
+	gen_require(`
+		attribute mlsprocwrite;
+	')
+
+	typeattribute $1 mlsprocwrite;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for setting the level of processes
+##	it executes.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`mls_process_set_level',`
+	gen_require(`
+		attribute mlsprocsetsl;
+	')
+
+	typeattribute $1 mlsprocsetsl;
+')
+
+
+########################################
+## <summary>
+##	Make specified object MLS trusted.
+## </summary>
+## <desc>
+##	<p>
+##	Make specified object MLS trusted.  This
+##	allows all levels to read and write the
+##	object.
+##	</p>
+##	<p>
+##	This currently only applies to filesystem
+##	objects, for example, files and directories.
+##	</p>
+## </desc>
+## <param name="domain">
+##	The type of the object.
+## </param>
+#
+interface(`mls_trusted_object',`
+	gen_require(`
+		attribute mlstrustedobject;
+	')
+
+	typeattribute $1 mlstrustedobject;
+')

refpolicy/policy/modules/kernel/mls.te

@@ -0,0 +1,45 @@
+
+policy_module(mls,1.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute mlsfileread;
+attribute mlsfilereadtoclr;
+attribute mlsfilewrite;
+attribute mlsfilewritetoclr;
+attribute mlsfileupgrade;
+attribute mlsfiledowngrade;
+
+attribute mlsnetread;
+attribute mlsnetreadtoclr;
+attribute mlsnetwrite;
+attribute mlsnetwritetoclr;
+attribute mlsnetupgrade;
+attribute mlsnetdowngrade;
+attribute mlsnetrecvall;
+
+attribute mlsipcread;
+attribute mlsipcreadtoclr;
+attribute mlsipcwrite;
+attribute mlsipcwritetoclr;
+
+attribute mlsprocread;
+attribute mlsprocreadtoclr;
+attribute mlsprocwrite;
+attribute mlsprocwritetoclr;
+attribute mlsprocsetsl;
+
+attribute mlsxwinread;
+attribute mlsxwinreadtoclr;
+attribute mlsxwinwrite;
+attribute mlsxwinwritetoclr;
+attribute mlsxwinupgrade;
+attribute mlsxwindowngrade;
+
+attribute mlstrustedobject;
+
+attribute privrangetrans;
+attribute mlsrangetrans;

refpolicy/policy/modules/kernel/selinux.te

@@ -15,8 +15,9 @@ attribute can_setsecparam;
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t; #, mlstrustedobject;
+type security_t;
 fs_type(security_t)
+mls_trusted_object(security_t)
 sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
 

refpolicy/policy/modules/kernel/terminal.te

@@ -34,12 +34,14 @@ fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
 #
 type devtty_t;
 dev_node(devtty_t)
+mls_trusted_object(devtty_t)
 
 #
 # ptmx_t is the type for /dev/ptmx.
 #
-type ptmx_t; #, mlstrustedobject;
+type ptmx_t;
 dev_node(ptmx_t)
+mls_trusted_object(ptmx_t)
 
 #
 # tty_device_t is the type of /dev/*tty*

refpolicy/policy/modules/services/remotelogin.te

@@ -6,7 +6,7 @@ policy_module(remotelogin,1.0)
 # Declarations
 #
 
-type remote_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
+type remote_login_t;
 domain_obj_id_change_exempt(remote_login_t)
 domain_subj_id_change_exempt(remote_login_t)
 domain_role_change_exempt(remote_login_t)
@@ -104,6 +104,11 @@ libs_use_shared_libs(remote_login_t)
 
 logging_send_syslog_msg(remote_login_t)
 
+mls_file_write_down(remote_login_t)
+mls_file_upgrade(remote_login_t)
+mls_file_downgrade(remote_login_t)
+mls_process_set_level(remote_login_t)
+
 seutil_read_config(remote_login_t)
 seutil_read_default_contexts(remote_login_t)
 

refpolicy/policy/modules/services/ssh.if

@@ -381,7 +381,8 @@ template(`ssh_per_userdomain_template',`
 ## </param>
 #
 template(`ssh_server_template', `
-	type $1_t, ssh_server; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+	type $1_t, ssh_server;
+
 	domain_type($1_t)
 	role system_r types $1_t;
 
@@ -463,6 +464,12 @@ template(`ssh_server_template', `
 
 	miscfiles_read_localization($1_t)
 
+	mls_file_read_up($1_t)
+	mls_file_write_down($1_t)
+	mls_file_upgrade($1_t)
+	mls_file_downgrade($1_t)
+	mls_process_set_level($1_t)
+
 	seutil_read_default_contexts($1_t)
 
 	sysnet_read_config($1_t)

refpolicy/policy/modules/system/authlogin.te

@@ -22,13 +22,11 @@ logging_log_file(lastlog_t)
 type login_exec_t;
 files_type(login_exec_t)
 
-type pam_console_t; #, mlsfileread
+type pam_console_t;
 type pam_console_exec_t;
 init_system_domain(pam_console_t,pam_console_exec_t)
 role system_r types pam_console_t;
 
-domain_entry_file(pam_console_t,pam_console_exec_t)
-
 type pam_t;
 domain_type(pam_t)
 role system_r types pam_t;
@@ -200,6 +198,8 @@ libs_use_shared_libs(pam_console_t)
 
 logging_send_syslog_msg(pam_console_t)
 
+mls_file_read_up(pam_console_t)
+
 seutil_read_file_contexts(pam_console_t)
 
 userdom_dontaudit_use_unpriv_user_fd(pam_console_t)

refpolicy/policy/modules/system/fstools.te

@@ -6,9 +6,10 @@ policy_module(fstools,1.0)
 # Declarations
 #
 
-type fsadm_t; #, mlsfileread;
+type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
+mls_file_read_up(fsadm_t)
 role system_r types fsadm_t;
 
 type fsadm_tmp_t;

refpolicy/policy/modules/system/init.te

@@ -15,7 +15,7 @@ attribute direct_init_entry;
 #
 # init_t is the domain of the init process.
 #
-type init_t; #, mlsrangetrans, mlsfileread, mlsfilewrite;
+type init_t;
 domain_type(init_t)
 role system_r types init_t;
 
@@ -37,10 +37,11 @@ files_pid_file(init_var_run_t)
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type initctl_t; #, mlstrustedobject;
+type initctl_t;
 files_type(initctl_t)
+mls_trusted_object(initctl_t)
 
-type initrc_t; #, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
+type initrc_t;
 domain_type(initrc_t)
 role system_r types initrc_t;
 
@@ -138,6 +139,10 @@ libs_rw_ld_so_cache(init_t)
 logging_send_syslog_msg(init_t)
 logging_rw_generic_logs(init_t)
 
+mls_file_read_up(init_t)
+mls_file_write_down(init_t)
+mls_rangetrans_target(init_t)
+
 seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
@@ -325,6 +330,11 @@ logging_read_auditd_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 
+mls_file_read_up(initrc_t)
+mls_file_write_down(initrc_t)
+mls_process_read_up(initrc_t)
+mls_process_write_down(initrc_t)
+
 modutils_read_module_conf(initrc_t)
 
 seutil_read_config(initrc_t)

refpolicy/policy/modules/system/locallogin.te

@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t; #, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
+type local_login_t;
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
@@ -150,6 +150,11 @@ logging_send_syslog_msg(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
+mls_file_write_down(local_login_t)
+mls_file_upgrade(local_login_t)
+mls_file_downgrade(local_login_t)
+mls_process_set_level(local_login_t)
+
 seutil_read_config(local_login_t)
 seutil_read_default_contexts(local_login_t)
 

refpolicy/policy/modules/system/logging.te

@@ -26,10 +26,11 @@ init_daemon_domain(auditd_t,auditd_exec_t)
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 
-type devlog_t; #, mlstrustedobject;
+type devlog_t;
 files_type(devlog_t)
+mls_trusted_object(devlog_t)
 
-type klogd_t; #, mlsfileread
+type klogd_t;
 type klogd_exec_t;
 init_daemon_domain(klogd_t,klogd_exec_t)
 
@@ -139,6 +140,8 @@ libs_use_shared_libs(auditd_t)
 
 miscfiles_read_localization(auditd_t)
 
+mls_file_read_up(klogd_t)
+
 userdom_dontaudit_use_unpriv_user_fd(auditd_t)
 userdom_dontaudit_search_sysadm_home_dir(auditd_t)
 # cjp: this is questionable

refpolicy/policy/modules/system/modutils.te

@@ -14,10 +14,11 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
-type insmod_t; #, mlsfilewrite
+type insmod_t;
 type insmod_exec_t;
 kernel_userland_entry(insmod_t,insmod_exec_t)
 init_system_domain(insmod_t,insmod_exec_t)
+mls_file_write_down(insmod_t)
 role system_r types insmod_t;
 
 type depmod_t;

refpolicy/policy/modules/system/mount.te

@@ -6,7 +6,7 @@ policy_module(mount,1.0)
 # Declarations
 #
 
-type mount_t; #, mlsfileread, mlsfilewrite
+type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
 role system_r types mount_t;
@@ -78,6 +78,9 @@ logging_send_syslog_msg(mount_t)
 
 miscfiles_read_localization(mount_t)
 
+mls_file_read_up(mount_t)
+mls_file_write_down(mount_t)
+
 sysnet_use_portmap(mount_t)
 
 userdom_use_all_user_fd(mount_t)

refpolicy/policy/modules/system/selinuxutil.te

@@ -37,7 +37,7 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_entry_file(load_policy_t,load_policy_exec_t)
 
-type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t;
 domain_role_change_exempt(newrole_t)
 domain_obj_id_change_exempt(newrole_t)
 domain_type(newrole_t)
@@ -65,7 +65,7 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
 type policy_src_t;
 files_type(policy_src_t)
 
-type restorecon_t, can_relabelto_binary_policy; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
+type restorecon_t, can_relabelto_binary_policy;
 type restorecon_exec_t;
 domain_obj_id_change_exempt(restorecon_t)
 init_system_domain(restorecon_t,restorecon_exec_t)
@@ -206,6 +206,12 @@ dev_read_urand(newrole_t)
 fs_getattr_xattr_fs(newrole_t)
 fs_search_auto_mountpoints(newrole_t)
 
+mls_file_read_up(newrole_t)
+mls_file_write_down(newrole_t)
+mls_file_upgrade(newrole_t)
+mls_file_downgrade(newrole_t)
+mls_process_set_level(newrole_t)
+
 selinux_get_fs_mount(newrole_t)
 selinux_validate_context(newrole_t)
 selinux_compute_access_vector(newrole_t)
@@ -305,6 +311,11 @@ libs_use_shared_libs(restorecon_t)
 
 logging_send_syslog_msg(restorecon_t)
 
+mls_file_read_up(restorecon_t)
+mls_file_write_down(restorecon_t)
+mls_file_upgrade(restorecon_t)
+mls_file_downgrade(restorecon_t)
+
 userdom_use_all_user_fd(restorecon_t)
 
 # relabeling rules

refpolicy/policy/modules/system/udev.te

@@ -6,7 +6,7 @@ policy_module(udev,1.0)
 # Declarations
 #
 
-type udev_t; #, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocwrite')
+type udev_t;
 type udev_exec_t;
 type udev_helper_exec_t;
 kernel_userland_entry(udev_t,udev_exec_t)
@@ -115,6 +115,12 @@ logging_send_syslog_msg(udev_t)
 
 miscfiles_read_localization(udev_t)
 
+mls_file_read_up(udev_t)
+mls_file_write_down(udev_t)
+mls_file_upgrade(udev_t)
+mls_file_downgrade(udev_t)
+mls_process_write_down(udev_t)
+
 modutils_domtrans_insmod(udev_t)
 
 seutil_read_config(udev_t)