commit: fcac712fc021f879207385feb4f55aea5c8bd3b8 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Fri Feb 10 16:26:10 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun May 7 17:40:30 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fcac712f
mls mcs: Add constraints for key class Taken from fedoras policy https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs policy/mcs | 3 +++ policy/mls | 8 ++++++++ 2 files changed, 11 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+mlsconstrain key { create link read search setattr view write }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/mls b/policy/mls
index 69ca7263..c9be3125 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+ (( l1 eq l2 ) or
+ (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsprocwrite ));
 #
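Review bot: In the policy/mls hunk the read-type permissions `view`, `read` and `search` sit under the same write-style expression as `create`, `link`, `setattr` and `write`, so the only exemptions are `mlsprocwritetoclr` and `mlsprocwrite`. A subject carrying `mlsprocwrite` therefore passes the MLS check when reading a key labelled above its own level, while a subject trusted only with `mlsprocread` is refused any key that is not at exactly its level. Whether any domain holding these attributes actually handles keys is not visible from this hunk, so this may be harmless in practice. If the single rule is deliberate (it mirrors the Fedora source), a comment above it saying so would help. Otherwise the statement could be split along the read/write line as sketched below, with the attribute choice to be confirmed against the rest of the policy.

```selinux
# … unchanged: "MLS policy for the key class" header …

# read-type key access: subject must dominate the key, or hold a read exemption
mlsconstrain key { read search view }
	(( l1 dom l2 ) or
	 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsprocread ));

# write-type key access: equal levels, or a write exemption
mlsconstrain key { create link setattr write }
	(( l1 eq l2 ) or
	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
	 ( t1 == mlsprocwrite ));
```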