From 09ae441706850d63e657dbbd0c28e695a762f492 Mon Sep 17 00:00:00 2001
From: Jason Zaman <jason@perfinion.com>
Date: Fri, 3 Nov 2017 01:30:45 +0800
Subject: [PATCH] mls mcs: Add constraints for key class

Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
 policy/mcs                   |  3 +++
 policy/mls                   |  8 +++++++
 policy/modules/kernel/mls.if | 41 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |  3 +++
 4 files changed, 55 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d0301125..94319570d 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/mls b/policy/mls
index 69ca7263a..2dadd2059 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlskeywrite ));
 
 
 #
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc46..b09c0a5a9 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -424,6 +424,47 @@ interface(`mls_sysvipc_write_all_levels',`
 	typeattribute $1 mlsipcwrite;
 ')
 
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+	gen_require(`
+		attribute mlskeywritetoclr;
+	')
+
+	typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+	gen_require(`
+		attribute mlskeywrite;
+	')
+
+	typeattribute $1 mlskeywrite;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to do a MLS
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a361..e879ddd36 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;