authorChris PeBenito <cpebenito@tresys.com>2009-10-07 11:48:14 -0400
committerChris PeBenito <cpebenito@tresys.com>2009-10-07 11:48:14 -0400
commit808341bb9b21c349ae1538b6049a27bb43326a24 (patch)
treedd619ecf5dad68fda4e90d6670329eb0d9392cff
parent4be8dd10b9a273eef78e2221270826d6305b575b (diff)
revise MCS constraints to use only MCS-specific attributes.
-rw-r--r--policy/mcs25
-rw-r--r--policy/modules/kernel/mcs.if40
-rw-r--r--policy/modules/kernel/mcs.te4
3 files changed, 57 insertions, 12 deletions
diff --git a/policy/mcs b/policy/mcs
index b8dc0d69..af90ef2b 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -64,24 +64,27 @@ gen_levels(1,mcs_num_cats)
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
-# Note that getattr on files is always permitted.
-#
-mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
- ( h1 dom h2 );
+# Note:
+# - getattr on dirs/files is not constrained.
+# - /proc/pid operations are not constrained.
+
+mlsconstrain file { read ioctl lock execute execute_no_trans }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
-mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
+mlsconstrain file { write setattr append unlink link rename }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+
+mlsconstrain dir { search read ioctl lock }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+
+mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
-# At this time we do not restrict "ps" type operations via MCS. This
-# will probably change in future.
-mlsconstrain file { read }
- (( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
-
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
( h1 dom h2 );
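Review bot: The rewritten constraint set silently drops several permissions the removed lines constrained: `relabelfrom` on file (old file constraint, with no exemption at all) and `create`, `reparent` and `rmdir` on dir. Unless they are re-covered elsewhere in policy/mcs outside this hunk, a domain can now relabel a file away from a category set it does not dominate, and reparent or remove a directory it does not dominate, which is more than the commit message ("use only MCS-specific attributes") describes. The cheapest restoration is to add file to the trailing relabelfrom constraint, `mlsconstrain { file dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }`, and to extend the dir write set to `mlsconstrain dir { write setattr append unlink link rename add_name remove_name reparent rmdir }`. If the drop is intentional, the Note block at the top of the hunk should list it alongside getattr and /proc/pid so the next reader does not treat it as an oversight.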
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index a78c5519..f52faaf3 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -5,6 +5,46 @@
########################################
## <summary>
+## This domain is allowed to read files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_read_all',`
+ gen_require(`
+ attribute mcsreadall;
+ ')
+
+ typeattribute $1 mcsreadall;
+')
+
+########################################
+## <summary>
+## This domain is allowed to write files and directories
+## regardless of their MCS category set.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain target for user exemption.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mcs_file_write_all',`
+ gen_require(`
+ attribute mcswriteall;
+ ')
+
+ typeattribute $1 mcswriteall;
+')
+
+########################################
+## <summary>
## This domain is allowed to sigkill and sigstop
## all domains regardless of their MCS category set.
## </summary>
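Review bot: The `mcs_file_read_all` summary undersells what the attribute grants: in policy/mcs the `mcsreadall` exemption is attached to the file `{ read ioctl lock execute execute_no_trans }` constraint, so a domain given this interface may also execute files in any category set, which a caller of a "read all" interface will not expect. Suggest the summary read `## This domain is allowed to read and execute files, and read directories,` / `## regardless of their MCS category set.`; the write-all summary is accurate as written. Both `<param>` summaries say "Domain target for user exemption" for a parameter named domain; "Domain to exempt from the MCS read (or write) constraints." would match the parameter and say what is being exempted.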
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 52fa7f37..79622ec1 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,5 +1,5 @@
-policy_module(mcs, 1.1.0)
+policy_module(mcs, 1.1.1)
########################################
#
@@ -9,3 +9,5 @@ policy_module(mcs, 1.1.0)
attribute mcskillall;
attribute mcsptraceall;
attribute mcssetcats;
+attribute mcswriteall;
+attribute mcsreadall;
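Review bot: The two new attribute declarations break the alphabetical order the existing list keeps (mcskillall, mcsptraceall, mcssetcats): `mcswriteall` is declared before `mcsreadall`. Swapping them to `attribute mcsreadall;` followed by `attribute mcswriteall;` keeps the list sorted. A one-line comment above each naming the policy/mcs constraint it exempts (file/dir read vs. file/dir write) would also tell a reader where the attribute is consumed, since nothing in this hunk shows that.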