[refpolicy] [PATCH 1/5] mls mcs: Add constraints for key class

Jason Zaman jason at perfinion.com
Tue Oct 31 05:37:03 UTC 2017


Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
 policy/mcs | 3 +++
 policy/mls | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/mls b/policy/mls
index 69ca7263..c9be3125 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlsprocwrite ));
 
 
 #
-- 
2.13.6



More information about the refpolicy mailing list