From aedd5c314dc50dcae91b6708aa99ec8423663661 Mon Sep 17 00:00:00 2001
From: qqo
Date: Thu, 7 Apr 2016 00:53:20 +0300
Subject: [PATCH] Adds attribute mlstrustedsocket, along with the interface.

Sample AVC:
type=AVC msg=audit(1459979143.990:219): avc: denied { sendto } for pid=1935 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010:
http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
---
 policy/mls | 6 ++++--
 policy/modules/kernel/mls.if | 27 +++++++++++++++++++++++++++
 policy/modules/kernel/mls.te | 1 +
 policy/modules/system/logging.te | 1 +
 4 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/policy/mls b/policy/mls
index 70ed8087d..3603de11b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -209,14 +209,16 @@ mlsconstrain unix_stream_socket connectto
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 ( t1 == mlsnetwrite ) or
- ( t2 == mlstrustedobject ));
+ ( t2 == mlstrustedobject ) or
+ ( t2 == mlstrustedsocket ));
 mlsconstrain unix_dgram_socket sendto
 (( l1 eq l2 ) or
 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 ( t1 == mlsnetwrite ) or
- ( t2 == mlstrustedobject ));
+ ( t2 == mlstrustedobject ) or
+ ( t2 == mlstrustedsocket ));
 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
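Review bot: The new `( t2 == mlstrustedsocket )` clause tests t2, the type of the target socket object, and the AVC quoted in the commit message shows that a daemon's unix socket carries the daemon's own domain type (path="/dev/log" with tcontext syslogd_t), so the exemption applies to every unix_stream_socket and unix_dgram_socket of any type given the attribute, not to one named socket. That is the same shape as the neighbouring `mlstrustedobject` clause, but the intended scope is narrower, so it is worth recording beside the two constraints, e.g. `# mlstrustedsocket: domain types whose unix sockets may be connected to / sent to from any level (e.g. the system log receiver)`. The same caveat applies to `mls_trusted_socket(syslogd_t)` in the logging.te hunk, which exempts all of syslogd_t's unix sockets rather than only /dev/log; a one-line comment there stating that intent would help the next reader.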
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index d178478da..27d64010a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -800,6 +800,33 @@ interface(`mls_trusted_object',`
 typeattribute $1 mlstrustedobject;
 ')
+########################################
+##
+## Make specified socket MLS trusted.
+##
+##
+##

+## Make specified socket MLS trusted. For sockets
+## marked as such, this allows all levels to:
+## * sendto to unix_dgram_sockets
+## * connectto to unix_stream_sockets
+## respectively.
+##

+##
+##
+##
+## The type of the object.
+##
+##
+#
+interface(`mls_trusted_socket',`
+ gen_require(`
+ attribute mlstrustedsocket;
+ ')
+
+ typeattribute $1 mlstrustedsocket;
+')
+
 ########################################
 ##
 ## Make the specified domain trusted
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 8c7bd90d2..832f83f84 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -56,6 +56,7 @@ attribute mlsdbupgrade;
 attribute mlsdbdowngrade;
 attribute mlstrustedobject;
+attribute mlstrustedsocket;
 attribute privrangetrans;
 attribute mlsrangetrans;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1d26a4f97..822114b64 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -68,6 +68,7 @@ type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
 init_named_socket_activation(syslogd_t, syslogd_var_run_t)
+mls_trusted_socket(syslogd_t)
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
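Review bot: The interface description of `mls_trusted_socket` does not tell the caller what trust it is extending: the argument is a domain type (logging.te applies it to `syslogd_t`), and every unix stream and dgram socket created by that domain becomes reachable through connectto/sendto from all MLS levels, so the domain has to be trusted to receive data of every level without passing it back down. The parameter text `The type of the object.` should say so, e.g. `## Domain whose unix sockets accept connectto/sendto from all MLS levels; the domain must be trusted to handle data of every level.`, and the summary could read `Make the unix sockets of the specified domain MLS trusted.` rather than naming a socket that is not what the typeattribute labels. The XML tags of the doc comment appear stripped in this rendering, so I cannot confirm that the param name and the summary/desc markup are well formed.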