diff --git a/Changelog b/Changelog
index fa8709a..8cb7b33 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Update MLS constraints from LSPP evaluated policy.
- Allow initrc_t file descriptors to be inherited regardless of MLS level.
Accordingly drop MLS permissions from daemons that inherit from any level.
- Files and radvd updates from Stefan Schulze Frielinghaus.
diff --git a/policy/mls b/policy/mls
index 3ce227b..3dbbaaf 100644
--- a/policy/mls
+++ b/policy/mls
@@ -93,8 +93,10 @@ mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
+# Directory "write" ops
mlsconstrain dir { add_name remove_name reparent rmdir }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
@@ -165,6 +167,18 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+ (( l1 eq l2 ) or
+ (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread )) and
+ ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsnetwrite ))));
+
+
# the socket "read" ops (note the check is dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or
@@ -178,16 +192,16 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
-# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
+# used by netlabel to restrict normal domains to same level connections
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ) or
- ( t2 == unlabeled_t ));
+ ( t1 == mlsnetread ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
@@ -275,7 +289,8 @@ mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
# the netif/node "write" ops (implicit single level socket doing the write)
mlsconstrain { netif node } { tcp_send udp_send rawip_send }
- (( l1 dom l2 ) and ( l1 domby h2 ));
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
# these access vectors have no MLS restrictions
# node enforce_dest
@@ -582,7 +597,8 @@ mlsconstrain association { recvfrom }
( t2 == unlabeled_t ));
mlsconstrain association { sendto }
- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 0b30904..eb1945e 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -310,6 +310,28 @@ interface(`mls_net_receive_all_levels',`
########################################
##
+## Make specified domain trusted to
+## write to network objects within its MLS range.
+## The subject's MLS range must be a
+## proper subset of the object's MLS range.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`mls_net_write_within_range',`
+ gen_require(`
+ attribute mlsnetwriteranged;
+ ')
+
+ typeattribute $1 mlsnetwriteranged;
+')
+
+########################################
+##
## Make specified domain MLS trusted
## for reading from System V IPC objects
## up to its clearance.
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e10d38e..b1b8d80 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,5 +1,5 @@
-policy_module(mls,1.5.2)
+policy_module(mls,1.5.3)
########################################
#
@@ -18,6 +18,7 @@ attribute mlsnetread;
attribute mlsnetreadtoclr;
attribute mlsnetwrite;
attribute mlsnetwritetoclr;
+attribute mlsnetwriteranged;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
attribute mlsnetrecvall;