Fix implementation of MLS file relabel attributes

This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below. Signed-off-by: Chad Hanson <dahchanson@gmail.com>
2025-03-25 04:26:37 +00:00 · 2017-12-10 23:02:15 -05:00 · 2017-12-10 23:02:15 -05:00 · 5a4f511ff4
commit 5a4f511ff4
parent 1461e89016
3 changed files with 27 additions and 6 deletions
--- a/policy/mls
+++ b/policy/mls
@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
 	(( h1 dom h2 ) or
 	(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
-	( t1 == mlsfilewrite ));
+	( t1 == mlsfilerelabel ));

 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@ -71,6 +71,26 @@ interface(`mls_file_write_to_clearance',`
 	typeattribute $1 mlsfilewritetoclr;
 ')

+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to files at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_file_write_all_levels',`
+	gen_require(`
+		attribute mlsfilewrite;
+	')
+
+	typeattribute $1 mlsfilewrite;
+')
+
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',`
 ########################################
 ## <summary>
 ##	Make specified domain MLS trusted
-##	for writing to files at all levels.
+##	for relabelto to files at all levels.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',`
 ## </param>
 ## <rolecap/>
 #
-interface(`mls_file_write_all_levels',`
+interface(`mls_file_relabel',`
 	gen_require(`
-		attribute mlsfilewrite;
+		attribute mlsfilerelabel;
 	')

-	typeattribute $1 mlsfilewrite;
+	typeattribute $1 mlsfilerelabel;
 ')

 ########################################
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@ -10,9 +10,10 @@ attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
+attribute mlsfilerelabel;
+attribute mlsfilerelabeltoclr;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
-attribute mlsfilerelabeltoclr;

 attribute mlsnetread;
 attribute mlsnetreadtoclr;