Hello,

On Fri, Jun 30, 2006 at 06:46:27PM -0500, Klaus Weidner wrote:
> currently the MLS policy supports multilevel objects (using a range where
> the upper level is not equal to the lower level), for example
> directories, sockets, and character devices.
> 
> In a LSPP system, untrusted processes should not be able to write such
> objects since it's a data flow that bypasses the MLS restrictions, and
> access should be limited to trusted processes with an appropriate
> override attribute. For example, you can currently easily use filenames
> in /tmp to exchange information, or automatically declassify information
> using multilevel ptys.

In the discussion, I don't recall anybody making a strong case why
multilevel objects should still be necessary - should we proceed to
disable them?

I tested the patch below, which treats ranged objects as single-level
objects (using the lower level) for unprivileged processes.

The system still boots and permits login in enforcing mode afterwards, so
this doesn't appear to have too drastic effects on first glance. Note
that it'll break write access to /tmp and your home directory if you
don't have polyinstantiation configured.

-Klaus

--- serefpolicy-2.3.3/policy/mls.shipped        2006-07-18 10:29:12.000000000 
-0500
+++ serefpolicy-2.3.3/policy/mls        2006-07-18 11:43:32.000000000 -0500
@@ -183,20 +183,16 @@
         ( t1 == mlsfileread ) or
         ( t2 == mlstrustedobject ));
 
-# the "single level" file "write" ops
-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom 
append unlink link rename mounton }
+# file "write" ops
+mlsconstrain {
+       file lnk_file fifo_file
+       dir chr_file blk_file sock_file 
+} { write create setattr relabelfrom append unlink link rename mounton }
        (( l1 eq l2 ) or
         (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
         ( t1 == mlsfilewrite ) or
         ( t2 == mlstrustedobject ));
 
-# the "ranged" file "write" ops
-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr 
relabelfrom append unlink link rename mounton }
-       ((( l1 dom l2 ) and ( l1 domby h2 )) or
-        (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-        ( t1 == mlsfilewrite ) or
-        ( t2 == mlstrustedobject ));
-
 mlsconstrain dir { add_name remove_name reparent rmdir }
        ((( l1 dom l2 ) and ( l1 domby h2 )) or
         (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or

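Review bot: the hunk drops the ranged test `(( l1 dom l2 ) and ( l1 domby h2 ))` for the write-type ops on dir/chr_file/blk_file/sock_file, but the immediately following `mlsconstrain dir { add_name remove_name reparent rmdir }` (left as unchanged context) still uses that same ranged test as its first alternative, so an unprivileged process whose level lies within the range can still add and remove names in a ranged directory. Creating and unlinking files in /tmp is checked as `dir { add_name remove_name }` rather than `dir { write }`, so the filename channel the message describes is not closed by this hunk alone; either apply the `( l1 eq l2 )` form to that constraint as well, or state in the comment why the name ops are deliberately left ranged. The new `# file "write" ops` comment would also benefit from saying that ranged objects are now treated as single-level (lower level) for subjects without an override attribute, since that intent is currently only recorded in the mail.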
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
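To make the effect of the change concrete, the following is an added example (not code from the post or from the reference policy) that evaluates the old ranged write rule and the new single-level write rule from the patch over constructed SELinux MLS contexts. The `dom`, `domby` and `eq` operators, the two write constraints and the override attributes `mlsfilewrite`, `mlsfilewritetoclr` and `mlstrustedobject` come from the hunk; the `read_allowed` check is a simplified no-read-up rule assumed here for the sake of showing the data-flow bypass, not a rule taken from the patch. The contexts (`s3:c0.c3`, `s0`, `s0-s15:c0.c1023`) are constructed sample values.

```python
"""Old ("ranged") vs. new ("single-level") MLS file-write constraints, evaluated
over constructed contexts.  Added illustration, not policy code from the post."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sens: int
    cats: frozenset

    def dom(self, other):
        # "dom": same or higher sensitivity and a superset of the categories
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        # "domby": the mirror image of dom
        return other.dom(self)

    def eq(self, other):
        # "eq": identical sensitivity and identical category set
        return self.sens == other.sens and self.cats == other.cats


def parse_level(text):
    """Parse 's3', 's3:c0,c2' or 's3:c0.c5' (dotted spans expand to every category)."""
    sens, _, catpart = text.partition(":")
    cats = set()
    for item in filter(None, catpart.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not m:
            raise ValueError(f"bad category spec {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        cats.update(range(lo, hi + 1))
    return Level(int(sens[1:]), frozenset(cats))


def parse_range(text):
    """Parse 's0-s15:c0.c1023' into (low, high); a single level has low == high."""
    parts = text.split("-")
    low = parse_level(parts[0])
    high = parse_level(parts[1]) if len(parts) > 1 else low
    return low, high


def ctx(range_text, *attrs):
    """A subject or object: (low level, high level, set of MLS override attributes)."""
    low, high = parse_range(range_text)
    return (low, high, frozenset(attrs))


def ranged_write_allowed(subj, obj):
    """The rule the patch removes for dir/chr_file/blk_file/sock_file write ops."""
    l1, h1, a1 = subj
    l2, h2, a2 = obj
    return ((l1.dom(l2) and l1.domby(h2))
            or ("mlsfilewritetoclr" in a1 and h1.dom(l2) and l1.domby(l2))
            or "mlsfilewrite" in a1
            or "mlstrustedobject" in a2)


def single_level_write_allowed(subj, obj):
    """The rule the patch now applies to every file class in the hunk."""
    l1, h1, a1 = subj
    l2, h2, a2 = obj
    return (l1.eq(l2)
            or ("mlsfilewritetoclr" in a1 and h1.dom(l2) and l1.domby(l2))
            or "mlsfilewrite" in a1
            or "mlstrustedobject" in a2)


def read_allowed(subj, obj):
    """Simplified no-read-up check (an assumption for this example, not from the patch)."""
    l1, _, a1 = subj
    l2, _, a2 = obj
    return l1.dom(l2) or "mlsfileread" in a1 or "mlstrustedobject" in a2


def declassification_channel(write_rule):
    """Can an s3 writer hand data to an s0 reader via a multilevel object labelled
    s0-s15:c0.c1023?  True when both the write and the subsequent read pass."""
    high_writer = ctx("s3:c0.c3")
    low_reader = ctx("s0")
    multilevel_obj = ctx("s0-s15:c0.c1023")
    return write_rule(high_writer, multilevel_obj) and read_allowed(low_reader, multilevel_obj)


if __name__ == "__main__":
    for name, rule in (("ranged", ranged_write_allowed),
                       ("single-level", single_level_write_allowed)):
        print(f"{name:13} rule: s3 -> s0 via s0-s15 object possible:",
              declassification_channel(rule))
    print("unprivileged s2 subject writing to s0-s15 dir under new rule:",
          single_level_write_allowed(ctx("s2"), ctx("s0-s15")))
    print("mlsfilewrite subject writing to s0-s15 dir under new rule:",
          single_level_write_allowed(ctx("s2", "mlsfilewrite"), ctx("s0-s15")))
```

Under the removed ranged rule the s3 subject may write the multilevel object and the s0 subject may read it, which is the bypass the message describes; under the new rule the unprivileged s3 subject fails `l1 eq l2` and only a subject carrying `mlsfilewrite` (or writing an object with `mlstrustedobject`) gets through. The `mlsfilewritetoclr` clause is the same in both rules, so a subject with a clearance range that spans the object's low level still passes either way.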