mls mcs: Add constraints for key class

Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs

policy/mcs

@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #

policy/mls

@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlskeywrite ));
 
 
 #

policy/modules/kernel/mls.if

@@ -424,6 +424,47 @@ interface(`mls_sysvipc_write_all_levels',`
 	typeattribute $1 mlsipcwrite;
 ')
 
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+	gen_require(`
+		attribute mlskeywritetoclr;
+	')
+
+	typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+	gen_require(`
+		attribute mlskeywrite;
+	')
+
+	typeattribute $1 mlskeywrite;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to do a MLS

policy/modules/kernel/mls.te

@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;