Implement mcs_constrained_type

This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.

This is, i think, to make sure that specified processes cannot interact
with subject or operate on objects regardless of its mcs range.

It is used by svirt and probably also by sandbox

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

policy/mcs

@@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
 #  - /proc/pid operations are not constrained.
 
 mlsconstrain file { read ioctl lock execute execute_no_trans }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain file { write setattr append unlink link rename }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
+	(( t1 != mcs_constrained_type ) and (t2 == domain)));
 
 # New filesystem object labels must be dominated by the relabeling subject
 # clearance, also the objects are single-level.
@@ -101,6 +117,12 @@ mlsconstrain process { ptrace }
 mlsconstrain process { sigkill sigstop }
 	(( h1 dom h2 ) or ( t1 == mcskillall ));
 
+mlsconstrain process { signal }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #

policy/modules/kernel/mcs.if

@@ -102,3 +102,31 @@ interface(`mcs_process_set_categories',`
 
 	typeattribute $1 mcssetcats;
 ')
+
+########################################
+## <summary>
+##	Constrain by category access control (MCS).
+## </summary>
+## <desc>
+##	<p>
+##	Constrain the specified type by category based
+##	access control (MCS) This prevents this domain from
+##	interacting with subjects and operating on objects
+##	that it otherwise would be able to interact
+##	with or operate on respectively.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be constrained by MCS.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`mcs_constrained',`
+	gen_require(`
+		attribute mcs_constrained_type;
+	')
+
+	typeattribute $1 mcs_constrained_type;
+')

policy/modules/kernel/mcs.te

@@ -10,3 +10,4 @@ attribute mcsptraceall;
 attribute mcssetcats;
 attribute mcswriteall;
 attribute mcsreadall;
+attribute mcs_constrained_type;