commit: ce6b9741621671f51d8af101c01101a3fbb9c405
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Oct 13 15:54:23 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ce6b9741
mcs: add additional constraints to databases
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index d4d984e4..9bd0166f 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -166,4 +166,23 @@ mlsconstrain db_language { drop getattr setattr
relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import
export }
( h1 dom h2 );
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+ (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+ (( l1 dom l2 ) or
+ (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+ (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
') dnl end enable_mcs
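Review bot: The added `mlsconstrain { node } { recvfrom sendto }` rule tests `t1 != msc_constrained_type`, which looks like a transposition of `mcs_constrained_type`, the attribute every other added rule uses. Unless an attribute with that spelling is declared elsewhere, I would expect the policy compiler to reject the unknown identifier; if it is accepted, the exemption would not cover the intended set of types. The line should read `(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));`. The first added rule also has no comment, unlike the node and netif rules; something like `# Network object constraints apply only to MCS-constrained source types` above the `node_bind` rule would make the scope clear. The enclosing `enable_mcs` block opens outside the hunk, so this covers only the visible lines.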