On Tue, 2006-09-12 at 09:45 -0400, Stephen Smalley wrote:
> Yes, I pointed this out during the "Syscalls questions" discussion back
> in June. Not sure why no one bothered adding such a constraint to MLS
> policy at the time. It would be something like:
> policy/mls:
> # No sharing of open file descriptions between levels unless
> # the process type is authorized to use fds created by
> # other levels (mlsfduse) or the fd type is authorized to
> # be shared among levels (mlsfdshare).
> mlsconstrain fd use ( l1 eq l2 or t1 == mlsfduse or t2 == mlsfdshare);
>
> policy/modules/kernel/mls.te:
> attribute mlsfduse;
> attribute mlsfdshare;
>
> policy/modules/kernel/mls.if:
> interface(`mls_fd_use',`
>         gen_require(`
>                 attribute mlsfduse;
>         ')
>
>         typeattribute $1 mlsfduse;
> ')
>
> interface(`mls_fd_share',`
>         gen_require(`
>                 attribute mlsfdshare;
>         ')
>
>         typeattribute $1 mlsfdshare;
> ')
>
>
> And then one would add mls_fd_use() and mls_fd_share() as appropriate to
> types in the policy, e.g.
> policy/modules/system/selinuxtil.te:
> mls_fd_share(newrole_t)
>
> and likewise for login and friends.
>
> Naturally, one would need to exercise the system quite a bit to work out
> exactly what domains require such use/sharing.

BTW, the closest equivalent in the TE policy is the 'privfd' attribute
and the domain_interactive_fd() and domain_use_interactive_fd()
interfaces.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
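
The quoted message notes that the system has to be exercised to find which domains need `mls_fd_use()` or `mls_fd_share()`. The following is an added example, not part of the original thread or of the reference policy: it scans AVC denials for `fd use` where the source and target low levels differ (the `l1 eq l2` term of the proposed constraint) and lists the types involved. The log lines are constructed, and levels are assumed to be written in the same canonical form on both sides.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (illustrative, not from the thread).
SAMPLE_AVC = """\
avc:  denied  { use } for  pid=2101 comm="bash" scontext=user_u:user_r:user_t:s2 tcontext=system_u:system_r:newrole_t:s0-s15:c0.c255 tclass=fd
avc:  denied  { use } for  pid=2102 comm="bash" scontext=user_u:user_r:user_t:s2 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=fd
avc:  denied  { use } for  pid=2103 comm="cat" scontext=user_u:user_r:user_t:s2 tcontext=user_u:user_r:user_t:s2 tclass=fd
avc:  denied  { read } for  pid=2104 comm="cat" scontext=user_u:user_r:user_t:s2 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def split_context(ctx):
    """Return (type, low level) from a user:role:type:range context."""
    _user, _role, type_, mls = ctx.split(":", 3)
    # The range is low[-high]; the constraint's l1/l2 are the low levels.
    return type_, mls.split("-", 1)[0]

def cross_level_fd_uses(log_text):
    """Map (process type, fd type) -> set of (l1, l2) pairs with l1 != l2."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(4) != "fd" or "use" not in m.group(1).split():
            continue  # only the fd class and the use permission matter here
        t1, l1 = split_context(m.group(2))
        t2, l2 = split_context(m.group(3))
        if l1 != l2:  # same-level denials come from TE rules, not this constraint
            hits[(t1, t2)].add((l1, l2))
    return dict(hits)

def candidates(log_text):
    """Types to review for each interface; either side satisfies the constraint."""
    hits = cross_level_fd_uses(log_text)
    return {
        "mls_fd_use": sorted({t1 for t1, _ in hits}),
        "mls_fd_share": sorted({t2 for _, t2 in hits}),
    }

if __name__ == "__main__":
    for iface, types in candidates(SAMPLE_AVC).items():
        print(iface, types)
```

Each reported pair needs only one of the two attributes, so the output is a review list rather than a policy patch; the thread's own example grants `mls_fd_share` to `newrole_t`.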
