diff --git a/policy/mcs b/policy/mcs
index b8dc0d6..af90ef2 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -64,24 +64,27 @@ gen_levels(1,mcs_num_cats)
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
-# Note that getattr on files is always permitted.
-#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
- ( h1 dom h2 );
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
+
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain file { write setattr append unlink link rename }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
-# At this time we do not restrict "ps" type operations via MCS. This
-# will probably change in future.
-mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
( h1 dom h2 );
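Review bot: `relabelfrom` on `file` is dropped from the old write constraint (removed line `mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }`) and is not reinstated in either new file constraint, and the unchanged constraint at the end of the hunk covers `dir lnk_file chr_file blk_file sock_file fifo_file` but not `file`; after this change a domain can relabel a plain file out of a category set it does not dominate, while `relabelto` still only checks the new label, so the old read/write protection on that file is lost. The smallest fix is to keep it in the write set: `mlsconstrain file { write setattr append unlink link rename relabelfrom }`, or add `file` to the class list of the trailing `relabelfrom` constraint. The rewritten `dir` constraints also no longer mention `create`, `rmdir` and `reparent`, which the removed line did constrain; if that is intentional the comment block at the top of the hunk should say so alongside the getattr and /proc/pid notes. The `( t2 == domain )` term appears to be what implements the "/proc/pid operations are not constrained" note, so a short comment tying the two together, such as `# t2 == domain exempts per-process /proc entries`, would help future readers.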
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index a78c551..f52faaf 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -5,6 +5,46 @@
########################################
##
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_read_all',`
+ gen_require(`
+ attribute mcsreadall;
+ ')
+
+ typeattribute $1 mcsreadall;
+')
+
+########################################
+##
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+##
+##
+##
+## Domain target for user exemption.
+##
+##
+##
+#
+interface(`mcs_file_write_all',`
+ gen_require(`
+ attribute mcswriteall;
+ ')
+
+ typeattribute $1 mcswriteall;
+')
+
+########################################
+##
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
##
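Review bot: The summaries of `mcs_file_read_all` and `mcs_file_write_all` understate what the matching constraints in policy/mcs exempt: `mcsreadall` also bypasses the MCS check for `ioctl`, `lock`, `execute` and `execute_no_trans` on files and `search`/`ioctl`/`lock` on dirs, and `mcswriteall` also covers `setattr`, `unlink`, `link`, `rename` and `add_name`/`remove_name`. Since these interfaces grant a category-wide bypass, the docs should list that scope, e.g. `## This domain is allowed to read, execute, ioctl and lock files and directories regardless of their MCS category set.` and the analogous wording for the write interface. The parameter description `Domain target for user exemption.` is copied from the existing interfaces; it reads better as `Domain to exempt from MCS file read constraints.` (and the write counterpart). The summary/param markup for these blocks appears to have been lost on this page, so I cannot tell whether the XML tags are present in the actual commit.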
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 52fa7f3..79622ec 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs, 1.1.0)
+policy_module(mcs, 1.1.1)
########################################
#
@@ -9,3 +9,5 @@ policy_module(mcs, 1.1.0)
attribute mcskillall;
attribute mcsptraceall;
attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;