commit: 27f9f6206cc09e345feb25ca3a1a1905b48e769b
Author: Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Wed Jul 27 15:35:03 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 31 10:39:59 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27f9f620
Add a new MLS attribute (mlsfilerelabeltoclr) that lets a domain relabel file objects to a range whose low level is dominated by the domain's clearance, even when the range's high level is not. This exception is needed for package managers (e.g. rpm/yum) that relabel files carrying a SystemLow-SystemHigh range.
Example of denial:
type=AVC msg=audit(1461664028.583:784): avc: denied { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
policy/mls | 4 +++-
policy/modules/kernel/mls.if | 20 ++++++++++++++++++++
policy/modules/kernel/mls.te | 1 +
3 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/policy/mls b/policy/mls
index 3603de1..db3ed90 100644
--- a/policy/mls
+++ b/policy/mls
@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
# new file labels must be dominated by the relabeling subjects clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file }
relabelto
- ( h1 dom h2 );
+ (( h1 dom h2 ) or
+ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsfilewrite ));
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } {
read getattr execute }
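Review bot: The comment above the constraint, `# new file labels must be dominated by the relabeling subjects clearance`, is no longer accurate once the two `or` branches are added: for a `mlsfilerelabeltoclr` subject only the new label's low level is compared with the subject's clearance (`h1 dom l2`), so the high level of the new range is not bounded at all, and `mlsfilewrite` subjects are exempt entirely. For a single-level subject such as the `rpm_t:s0` in the commit message this means it can assign a SystemLow-SystemHigh range, which is considerably wider than the attribute's "to clearance" name implies. I would update the comment to `# new file labels must be dominated by the relabeling subject's clearance; mlsfilerelabeltoclr subjects only need to dominate the new low level (high level unchecked) and mlsfilewrite subjects are exempt`, and confirm that an unbounded high level (rather than, say, `h1 dom l2` plus a cap on `h2`) is the intended grant.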
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 27d6401..829605b 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',`
########################################
## <summary>
## Make specified domain MLS trusted
+## for relabelto to files up to its clearance.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_relabel_to_clearance',`
+ gen_require(`
+ attribute mlsfilerelabeltoclr;
+ ')
+
+ typeattribute $1 mlsfilerelabeltoclr;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
## for writing to files at all levels. (Deprecated)
## </summary>
## <desc>
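Review bot: The summary `## for relabelto to files up to its clearance.` overstates the restriction: the constraint this attribute feeds (in the policy/mls hunk of this commit) checks only that the new label's low level is dominated by the domain's clearance, so the relabeled range's high level may lie above the clearance. Since the adjacent deprecated interface carries a `<desc>` block, this one should too, stating that a member domain can assign a range up to SystemHigh and that it is meant for trusted package-manager domains; I would also reword the summary to `## for relabelto to files whose low level is dominated by its clearance (high level is not checked).` Note, hedged from the diffstat alone, that nothing in this commit calls `mls_file_relabel_to_clearance()`, so the `rpm_t` denial in the message is presumably addressed in a follow-up.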
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e508050..13b8625 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr;
attribute mlsfilewriteinrange;
attribute mlsfileupgrade;
attribute mlsfiledowngrade;
+attribute mlsfilerelabeltoclr;
attribute mlsnetread;
attribute mlsnetreadtoclr;