From f497b8df50e903a88fd42deb18784ee82eb3728d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 1 Nov 2006 15:42:22 +0000
Subject: [PATCH] Christopher J. PeBenito wrote:
> We could add another 'or' on the above constraint:
>
> or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
>
> I believe that would be the constraint you were looking for. I don't
> like the name of that attribute, but I couldn't come up with a better
> one off the top of my head. :)
>
Attached is a patch which I've tested against selinux-policy-2.4.2-1 that implements this additional constraint. The name is still a bit forced, but it works.
-matt
---
 Changelog | 3 +++
 policy/mls | 1 +
 policy/modules/kernel/devices.te | 3 ++-
 policy/modules/kernel/mls.if | 21 +++++++++++++++++++++
 policy/modules/kernel/mls.te | 3 ++-
 5 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/Changelog b/Changelog
index 9552a2a1..d363eac5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,6 @@
+- Patch from Matt Anderson for a MLS constraint exemption on a
+ file that can be written to from a subject whose range is
+ within the object's range.
 - Enhanced setransd support from Darrel Goeddel.
 - Patches from Dan Walsh:
 Tue, 24 Oct 2006
diff --git a/policy/mls b/policy/mls
index 021a4ff3..8ab1332f 100644
--- a/policy/mls
+++ b/policy/mls
@@ -89,6 +89,7 @@ mlsconstrain dir search
 mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
 (( l1 eq l2 ) or
 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 ( t1 == mlsfilewrite ) or
 ( t2 == mlstrustedobject ));
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 693ae0eb..d6695771 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te 
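Review bot: The new `(( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))` clause sits inside the one mlsconstrain that covers `{ write create setattr relabelfrom append unlink link rename mounton }`, so a type carrying the attribute is exempt from the `l1 eq l2` check for all of those operations, not only the data-carrying write and append; if the exemption is only meant for data flowing into a range-labelled device, that is worth confirming before more types receive the attribute. Unlike the `mlsfilewritetoclr` clause beside it, nothing is required of t1, so the clause is effectively a bounded form of `mlstrustedobject`: any subject whose range [l1,h1] lies within the object's range [l2,h2] qualifies, and because dom/domby are non-strict that includes a subject whose range equals the object's. The constraint carries no comment for the new line; a short one above the added line, such as `# mlsfilewriteinrange: object accepts writes from any subject whose range lies within the object's range`, would let a reader map the clause back to the attribute without opening mls.if.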
@@ -1,5 +1,5 @@
-policy_module(devices,1.2.1)
+policy_module(devices,1.2.2)
 ########################################
 #
@@ -119,6 +119,7 @@ dev_node(power_device_t)
 type printer_device_t;
 dev_node(printer_device_t)
+mls_file_write_within_range(printer_device_t)
 #
 # random_device_t is the type of /dev/random
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index d8de57eb..769ef1fa 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -91,6 +91,27 @@ interface(`mls_file_downgrade',`
 typeattribute $1 mlsfiledowngrade;
 ')
+########################################
+##
+## Make specified domain trusted to
+## be written to within its MLS range.
+## The subject's MLS range must be a
+## proper subset of the object's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mls_file_write_within_range',`
+ gen_require(`
+ attribute mlsfilewriteinrange;
+ ')
+
+ typeattribute $1 mlsfilewriteinrange;
+')
+
 ########################################
 ##
 ## Make specified domain MLS trusted
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 5254f325..01c67405 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.4.1)
+policy_module(mls,1.4.2)
 ########################################
 #
@@ -10,6 +10,7 @@ attribute mlsfileread;
 attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
+attribute mlsfilewriteinrange;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
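Review bot: `mls_file_write_within_range(printer_device_t)` is added next to the type's declaration without a comment, and neither the commit message nor the Changelog says why the printer node in particular gets the in-range write exemption. A one-line comment above the call, e.g. `# print device is range-labelled; accept data from subjects whose range lies within it`, with the wording adjusted to the actual reason, would record the rationale for the next reader and make it easier to judge future requests for the same attribute.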
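Review bot: The documentation of the new interface does not match its effect: `typeattribute $1 mlsfilewriteinrange` tags an object type, the attribute being tested as t2 in policy/mls, yet the summary says "Make specified domain trusted to be written to" and the parameter text reads `Domain allowed access.`; the summary also says the subject's range "must be a proper subset", while the constraint uses dom/domby, which also accept a subject range equal to the object's. Suggest `## Allow the specified object type to be written to by subjects whose MLS range lies within the object's range; the subject's range may equal the object's range.` for the summary and `## Object type that may be written to within its range.` for the parameter. On naming, the neighbouring interface maps `mls_file_downgrade` to `mlsfiledowngrade` by dropping the underscores, so `mls_file_write_in_range` would match `mlsfilewriteinrange` the same way, though renaming also means changing the devices.te call.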