diff --git a/policy/mcs b/policy/mcs
index b8dc0d6..af90ef2 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -64,24 +64,27 @@ gen_levels(1,mcs_num_cats)
 # the high range of the file. We use the high range of the process so
 # that processes can always simply run at s0.
 #
-# Note that getattr on files is always permitted.
-#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
- ( h1 dom h2 );
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
+
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
 
-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain file { write setattr append unlink link rename }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
 mlsconstrain file { create relabelto }
  (( h1 dom h2 ) and ( l2 eq h2 ));
 
-# At this time we do not restrict "ps" type operations via MCS. This
-# will probably change in future.
-mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
 # new file labels must be dominated by the relabeling subject clearance
 mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
  ( h1 dom h2 );
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index a78c551..f52faaf 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
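Review bot: `relabelfrom` on `file` is dropped from the rewritten write constraint but not re-added by any rule in this hunk, so a domain could relabel away a file carrying categories it does not dominate; the surviving context rule `mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ( h1 dom h2 );` lists every class except `file`. The removed `dir` rule also constrained `create`, `reparent` and `rmdir`, none of which appear in the new `dir { write setattr append unlink link rename add_name remove_name }` rule. Unless these are covered elsewhere in policy/mcs (outside this hunk), add `file` to the relabelfrom class list, `mlsconstrain { file dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }`, and extend the dir write rule to `mlsconstrain dir { write setattr append unlink link rename add_name remove_name reparent rmdir }`. The `( t2 == domain )` exemption is new for the file write set and is only indirectly explained by the "/proc/pid" note; a comment next to the first rule such as `# t2 == domain: /proc/<pid> entries carry the process domain type, so they are exempt here` would make the intent reviewable.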
@@ -5,6 +5,46 @@
 ########################################
 ##
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+#
+interface(`mcs_file_read_all',`
+ gen_require(`
+ attribute mcsreadall;
+ ')
+
+ typeattribute $1 mcsreadall;
+')
+
+########################################
+##
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+#
+interface(`mcs_file_write_all',`
+ gen_require(`
+ attribute mcswriteall;
+ ')
+
+ typeattribute $1 mcswriteall;
+')
+
+########################################
+##
 ## This domain is allowed to sigkill and sigstop
 ## all domains regardless of their MCS category set.
 ##
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 52fa7f3..79622ec 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs, 1.1.0)
+policy_module(mcs, 1.1.1)
 
 ########################################
 #
@@ -9,3 +9,5 @@ policy_module(mcs, 1.1.0)
 attribute mcskillall;
 attribute mcsptraceall;
 attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;
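Review bot: The summary of `mcs_file_read_all` understates what the attribute grants: per the constraints this commit adds to policy/mcs, `mcsreadall` also bypasses the category check for `ioctl`, `lock`, `execute` and `execute_no_trans` on files and for `search`/`ioctl`/`lock` on directories, and `mcswriteall` likewise covers `setattr`, `append`, `unlink`, `link`, `rename`, `add_name` and `remove_name`. Because these are blanket MCS exemptions, the interface documentation should spell out the full permission set so callers can judge the scope, e.g. `## This domain may read, lock, ioctl and execute files and search/read directories regardless of their MCS category set; intended only for trusted system domains.` with the analogous wording for `mcs_file_write_all`. The two `## </summary>`/`## <param>` blocks appear to have lost their XML tags in this rendering; verify the committed file still carries them, since the interface documentation generator depends on them.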