diff --git a/Changelog b/Changelog index 549274cbb..6a509835f 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,9 @@ +- Add make kernel and init ranged interfaces pass the range transition MLS + constraints. Also remove calls to mls_rangetrans_target() in modules that use + the kernel and init interfaces, since its redundant. +- Add interfaces for all MLS attributes except X object classes. +- Require all sensitivities and categories for MLS and MCS policies, not just + the low and high sensitivity and category. - Database userspace object manager classes from KaiGai Kohei. - Add third-party interface for Apache CGI. - Add getserv and shmemserv nscd permissions. diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index bb31b3dc8..4995f99df 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -66,6 +66,7 @@ interface(`kernel_ranged_domtrans_to',` ifdef(`enable_mls',` range_transition kernel_t $2:process $3; + mls_rangetrans_target($1) ') ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5312cf077..b675a7b6f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,5 +1,5 @@ -policy_module(kernel,1.7.1) +policy_module(kernel,1.7.2) ######################################## # diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index 6606745ce..e6250e233 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -14,7 +14,7 @@ ######################################## ## ## Make specified domain MLS trusted -## for reading from files at higher levels. +## for reading from files up to its clearance. ## ## ## 
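Review bot: `kernel_ranged_domtrans_to` now confers the MLS range-transition-target exemption on `$1` as a side effect, and nothing in this hunk documents that. The interface's doc header lies outside the hunk, so it is not visible whether it was updated. Anyone auditing which domains hold the exemption by searching callers of `mls_rangetrans_target` will miss domains that receive it through this interface. Add a sentence to the interface description, for example `## Under MLS this also makes the domain a range transition target.` The same applies to `init_ranged_domain` and `init_ranged_daemon_domain` in init.if.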
@@ -23,7 +23,53 @@ ## ## # +interface(`mls_file_read_to_clearance',` + gen_require(` + attribute mlsfilereadtoclr; + ') + + typeattribute $1 mlsfilereadtoclr; +') + +######################################## +## +## Make specified domain MLS trusted +## for reading from files at all levels. (Deprecated) +## +## +##

+## Make specified domain MLS trusted +## for reading from files at all levels. +##

+##

+## This interface has been deprecated, please use +## mls_file_read_all_levels() instead. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`mls_file_read_up',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.') + mls_file_read_all_levels($1) +') + +######################################## +## +## Make specified domain MLS trusted +## for reading from files at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_file_read_all_levels',` gen_require(` attribute mlsfileread; ') @@ -34,7 +80,7 @@ interface(`mls_file_read_up',` ######################################## ## ## Make specified domain MLS trusted -## for writing to files at lower levels. +## for write to files up to its clearance. ## ## ## @@ -43,7 +89,53 @@ interface(`mls_file_read_up',` ## ## # +interface(`mls_file_write_to_clearance',` + gen_require(` + attribute mlsfilewritetoclr; + ') + + typeattribute $1 mlsfilewritetoclr; +') + +######################################## +## +## Make specified domain MLS trusted +## for writing to files at all levels. (Deprecated) +## +## +##
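Review bot: The `refpolicywarn` line in the deprecated `mls_file_read_up` wrapper is added already commented out, so callers get no build-time notice that the name is deprecated. That matters here because the old `_up` name reads as directional while the wrapper forwards to `mls_file_read_all_levels`, and a narrower `mls_file_read_to_clearance` now exists that silent callers will never be pointed to. Either drop the leading `#` so the warning fires, or add a comment saying when it will be enabled. The wrappers `mls_file_write_down`, `mls_process_read_up` and `mls_process_write_down` in the later hunks have the same commented-out warning.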
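Review bot: The new summary line `for write to files up to its clearance.` is ungrammatical and does not match its siblings. It should read `## for writing to files up to its clearance.`, parallel to the read variant's `for reading from files up to its clearance.` This text is the documentation for `mls_file_write_to_clearance`, so the wording is what policy authors will see when choosing between it and the all-levels variant.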

+## Make specified domain MLS trusted +## for writing to files at all levels. +##

+##

+## This interface has been deprecated, please use +## mls_file_write_all_levels() instead. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`mls_file_write_down',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.') + mls_file_write_all_levels($1) +') + +######################################## +## +## Make specified domain MLS trusted +## for writing to files at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_file_write_all_levels',` gen_require(` attribute mlsfilewrite; ') @@ -103,6 +195,7 @@ interface(`mls_file_downgrade',` ## Domain allowed access. ##
## +## # interface(`mls_file_write_within_range',` gen_require(` @@ -122,6 +215,7 @@ interface(`mls_file_write_within_range',` ## Domain allowed access. ##
## +## # interface(`mls_socket_read_all_levels',` gen_require(` @@ -142,6 +236,7 @@ interface(`mls_socket_read_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_socket_read_to_clearance',` gen_require(` @@ -151,6 +246,27 @@ interface(`mls_socket_read_to_clearance',` typeattribute $1 mlsnetreadtoclr; ') +######################################## +## +## Make specified domain MLS trusted +## for writing to sockets up to +## its clearance. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_socket_write_to_clearance',` + gen_require(` + attribute mlsnetwritetoclr; + ') + + typeattribute $1 mlsnetwritetoclr; +') + ######################################## ## ## Make specified domain MLS trusted @@ -161,6 +277,7 @@ interface(`mls_socket_read_to_clearance',` ## Domain allowed access. ## ## +## # interface(`mls_socket_write_all_levels',` gen_require(` @@ -181,6 +298,7 @@ interface(`mls_socket_write_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_net_receive_all_levels',` gen_require(` @@ -190,6 +308,27 @@ interface(`mls_net_receive_all_levels',` typeattribute $1 mlsnetrecvall; ') +######################################## +## +## Make specified domain MLS trusted +## for reading from System V IPC objects +## up to its clearance. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_sysvipc_read_to_clearance',` + gen_require(` + attribute mlsipcreadtoclr; + ') + + typeattribute $1 mlsipcreadtoclr; +') + ######################################## ## ## Make specified domain MLS trusted @@ -201,6 +340,7 @@ interface(`mls_net_receive_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_sysvipc_read_all_levels',` gen_require(` 
@@ -210,6 +350,27 @@ interface(`mls_sysvipc_read_all_levels',` typeattribute $1 mlsipcread; ') +######################################## +## +## Make specified domain MLS trusted +## for writing to System V IPC objects +## up to its clearance. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_sysvipc_write_to_clearance',` + gen_require(` + attribute mlsipcwritetoclr; + ') + + typeattribute $1 mlsipcwritetoclr; +') + ######################################## ## ## Make specified domain MLS trusted @@ -221,6 +382,7 @@ interface(`mls_sysvipc_read_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_sysvipc_write_all_levels',` gen_require(` @@ -273,15 +435,63 @@ interface(`mls_rangetrans_target',` ######################################## ## ## Make specified domain MLS trusted -## for reading from processes at higher levels. +## for reading from processes up to +## its clearance. ## ## ## ## Domain allowed access. ## ## +## +# +interface(`mls_process_read_to_clearance',` + gen_require(` + attribute mlsprocreadtoclr; + ') + + typeattribute $1 mlsprocreadtoclr; +') + +######################################## +## +## Make specified domain MLS trusted +## for reading from processes at all levels. (Deprecated) +## +## +##

+## Make specified domain MLS trusted +## for reading from processes at all levels. +##

+##

+## This interface has been deprecated, please use +## mls_process_read_all_levels() instead. +##

+##
+## +## +## Domain allowed access. +## +## # interface(`mls_process_read_up',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.') + mls_process_read_all_levels($1) +') + +######################################## +## +## Make specified domain MLS trusted +## for reading from processes at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_process_read_all_levels',` gen_require(` attribute mlsprocread; ') @@ -292,15 +502,63 @@ interface(`mls_process_read_up',` ######################################## ## ## Make specified domain MLS trusted -## for writing to processes at lower levels. +## for writing to processes up to +## its clearance. ## ## ## ## Domain allowed access. ## ## +## +# +interface(`mls_process_write_to_clearance',` + gen_require(` + attribute mlsprocwritetoclr; + ') + + typeattribute $1 mlsprocwritetoclr; +') + +######################################## +## +## Make specified domain MLS trusted +## for writing to processes at all levels. (Deprecated) +## +## +##

+## Make specified domain MLS trusted +## for writing to processes at all levels. +##

+##

+## This interface has been deprecated, please use +## mls_process_write_all_levels() instead. +##

+##
+## +## +## Domain allowed access. +## +## # interface(`mls_process_write_down',` +# refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.') + mls_process_write_all_levels($1) +') + +######################################## +## +## Make specified domain MLS trusted +## for writing to processes at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_process_write_all_levels',` gen_require(` attribute mlsprocwrite; ') @@ -319,6 +577,7 @@ interface(`mls_process_write_down',` ## Domain allowed access. ## ## +## # interface(`mls_process_set_level',` gen_require(` @@ -338,6 +597,7 @@ interface(`mls_process_set_level',` ## Domain allowed access. ## ## +## # interface(`mls_xwin_read_all_levels',` gen_require(` @@ -357,6 +617,7 @@ interface(`mls_xwin_read_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_xwin_write_all_levels',` gen_require(` @@ -376,6 +637,7 @@ interface(`mls_xwin_write_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_colormap_read_all_levels',` gen_require(` @@ -395,6 +657,7 @@ interface(`mls_colormap_read_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_colormap_write_all_levels',` gen_require(` @@ -444,6 +707,7 @@ interface(`mls_trusted_object',` ## Domain allowed access. ## ## +## # interface(`mls_fd_use_all_levels',` gen_require(` @@ -464,6 +728,7 @@ interface(`mls_fd_use_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_fd_share_all_levels',` gen_require(` @@ -483,6 +748,7 @@ interface(`mls_fd_share_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_context_translate_all_levels',` gen_require(` @@ -502,6 +768,7 @@ interface(`mls_context_translate_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_db_read_all_levels',` gen_require(` @@ -521,6 +788,7 @@ interface(`mls_db_read_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_db_write_all_levels',` gen_require(` 
@@ -540,6 +808,7 @@ interface(`mls_db_write_all_levels',` ## Domain allowed access. ## ## +## # interface(`mls_db_upgrade',` gen_require(` @@ -559,6 +828,7 @@ interface(`mls_db_upgrade',` ## Domain allowed access. ## ## +## # interface(`mls_db_downgrade',` gen_require(` diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index da0d2a0ff..e10d38ea9 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.5.1) +policy_module(mls,1.5.2) ######################################## # diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index 36b64dfce..bf894350a 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,5 +1,5 @@ -policy_module(cups,1.7.0) +policy_module(cups,1.7.1) ######################################## # @@ -169,7 +169,6 @@ mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) mls_file_write_down(cupsd_t) mls_file_read_up(cupsd_t) -mls_rangetrans_target(cupsd_t) mls_socket_write_all_levels(cupsd_t) term_use_unallocated_ttys(cupsd_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index ac536fc58..0c3e3ad03 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -71,6 +71,7 @@ interface(`init_ranged_domain',` ifdef(`enable_mls',` range_transition init_t $2:process $3; + mls_rangetrans_target($1) ') ') @@ -171,6 +172,7 @@ interface(`init_ranged_daemon_domain',` ifdef(`enable_mls',` range_transition initrc_t $2:process $3; + mls_rangetrans_target($1) ') ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 59926f8cb..92ef6ba3f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.7.1) +policy_module(init,1.7.2) gen_require(` class passwd rootok; 
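Review bot: Only the target side of the transition is covered by the added `mls_rangetrans_target($1)` in `init_ranged_domain`. The source of `range_transition init_t $2:process $3;` is `init_t`, and the init.te lines visible in this commit give `mls_rangetrans_source` to `initrc_t` but show nothing comparable for `init_t`. If the range-transition constraint also checks the source domain, transitions set up through `init_ranged_domain` could still be denied under MLS. Confirm this against the full init.te; if it is missing, add `mls_rangetrans_source(init_t)` next to the other init_t MLS calls. The interface body starts outside this hunk.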
@@ -138,7 +138,10 @@ files_dontaudit_rw_root_chr_files(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) +mcs_killall(init_t) +mls_file_read_up(init_t) +mls_file_write_down(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -156,12 +159,6 @@ libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) logging_rw_generic_logs(init_t) -mcs_killall(init_t) - -mls_file_read_up(init_t) -mls_file_write_down(init_t) -mls_rangetrans_target(init_t) - seutil_read_config(init_t) miscfiles_read_localization(init_t) @@ -287,6 +284,14 @@ fs_getattr_all_fs(initrc_t) # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) +mcs_killall(initrc_t) +mcs_process_set_categories(initrc_t) + +mls_file_read_up(initrc_t) +mls_file_write_down(initrc_t) +mls_process_read_up(initrc_t) +mls_process_write_down(initrc_t) +mls_rangetrans_source(initrc_t) selinux_get_enforce_mode(initrc_t) @@ -363,16 +368,6 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript miscfiles_read_certs(initrc_t) -mcs_killall(initrc_t) -mcs_process_set_categories(initrc_t) - -mls_file_read_up(initrc_t) -mls_file_write_down(initrc_t) -mls_process_read_up(initrc_t) -mls_process_write_down(initrc_t) -mls_rangetrans_source(initrc_t) -mls_rangetrans_target(initrc_t) - modutils_read_module_config(initrc_t) modutils_domtrans_insmod(initrc_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index a16d8c31a..a4803b8bf 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.7.0) +policy_module(logging,1.7.1) ######################################## # @@ -155,7 +155,6 @@ miscfiles_read_localization(auditd_t) mls_file_read_up(auditd_t) mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory -mls_rangetrans_target(auditd_t) mls_fd_use_all_levels(auditd_t) seutil_dontaudit_read_config(auditd_t) 
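Review bot: `mls_rangetrans_target(init_t)` is not carried over into the regrouped init_t block after `mls_file_write_down(init_t)`, and the next hunk deletes it, which looks like a behaviour change rather than a de-duplication. The Changelog justifies the removal only for modules that use the kernel and init ranged interfaces, but in init.if `init_t` and `initrc_t` are the source of the `range_transition` rules, not domains passed as `$1`. The same question applies to `mls_rangetrans_target(initrc_t)` in the last init.te hunk and to `semanage_t` in selinuxutil.te, which this diff shows declared through `application_domain(semanage_t,semanage_exec_t)`. Unless these domains get the attribute through a ranged interface call not shown here, keep the explicit line, e.g. `mls_rangetrans_target(init_t)`, or record in the Changelog that the exemption is intentionally withdrawn.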
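Review bot: The re-added initrc_t lines call `mls_file_read_up`, `mls_file_write_down`, `mls_process_read_up` and `mls_process_write_down`, all of which this same commit marks deprecated in mls.if. Since the lines are being moved anyway, use the replacements, e.g. `mls_file_read_all_levels(initrc_t)` and `mls_process_write_all_levels(initrc_t)`; the wrappers forward to them, so the resulting policy is unchanged. The init_t lines added in the first init.te hunk have the same issue. Where a domain does not need access beyond its clearance, the new `_to_clearance` variants would be the narrower grant, though that cannot be judged from these hunks.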
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 8a3cf8879..090608641 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,5 +1,5 @@ -policy_module(selinuxutil,1.6.1) +policy_module(selinuxutil,1.6.2) ifdef(`strict_policy',` gen_require(` @@ -90,10 +90,9 @@ domain_system_change_exemption(run_init_t) role system_r types run_init_t; type semanage_t; -domain_interactive_fd(semanage_t) - type semanage_exec_t; application_domain(semanage_t,semanage_exec_t) +domain_interactive_fd(semanage_t) role system_r types semanage_t; type semanage_store_t; @@ -474,7 +473,6 @@ files_read_usr_files(semanage_t) files_list_pids(semanage_t) mls_file_write_down(semanage_t) -mls_rangetrans_target(semanage_t) mls_file_read_up(semanage_t) selinux_validate_context(semanage_t) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 524bc695c..d070f7dd9 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -1,5 +1,5 @@ -policy_module(setrans,1.3.0) +policy_module(setrans,1.3.1) ######################################## # @@ -55,7 +55,6 @@ files_read_etc_runtime_files(setrans_t) mls_file_read_up(setrans_t) mls_file_write_down(setrans_t) mls_net_receive_all_levels(setrans_t) -mls_rangetrans_target(setrans_t) mls_socket_write_all_levels(setrans_t) mls_process_read_up(setrans_t) mls_socket_read_all_levels(setrans_t) diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt index 2d31e6275..b28488e04 100644 --- a/policy/support/loadable_module.spt +++ b/policy/support/loadable_module.spt 
@@ -17,13 +17,13 @@ define(`policy_module',` all_kernel_class_perms ifdef(`enable_mcs',` - sensitivity s0; - category c0, c`'decr(mcs_num_cats); + decl_sens(0,0) + decl_cats(0,decr(mcs_num_cats)) ') ifdef(`enable_mls',` - sensitivity s0, s`'decr(mls_num_sens); - category c0, c`'decr(mls_num_cats); + decl_sens(0,decr(mls_num_sens)) + decl_cats(0,decr(mls_num_cats)) ') } ')
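Review bot: Nothing in `policy_module` explains why the require block now expands to every sensitivity and category instead of the two endpoints, and `decl_sens` and `decl_cats` are not defined anywhere in this diff. A one-line comment above each pair, such as `# require all sensitivities and categories`, would record the intent stated in the Changelog. It is also worth confirming that the file defining these two macros is among the support macros available when modules are built outside the source tree, since an undefined m4 name would pass through unexpanded into the require block. The `policy_module` definition starts before this hunk.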