ifdef(`enable_mcs',`
+default_range dir_file_class_set target low;
+
#
# Define sensitivities
#
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain file { write setattr append unlink link rename }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain dir { search read ioctl lock }
- (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain fifo_file { open }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+
+mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
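Review bot: The new `fifo_file { open }` constraint is exempted by `mcsreadall` only, although a FIFO can also be opened for writing, so a read-all subject bypasses the category check on write opens; the neighbouring rules pair write-type permissions with `mcswriteall`. If constraining only `open` and using the read attribute is deliberate, say so in a comment above the rule, for example `# only open is checked on fifo_file; the read-all attribute is the sole override`. The `t1 != mcsuntrustedproc` guard is now repeated in seven constraints with no explanation, and the context comment `/proc/pid operations are not constrained` is no longer true for domains carrying that attribute. I would replace it with `# - /proc/pid operations are not constrained, except for mcsuntrustedproc domains.`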
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
(( h1 dom h2 ) and ( l2 eq h2 ));
# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
- ( h1 dom h2 );
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+ (( h1 dom h2 ) or ( t1 == mcswriteall ));
-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
+ ( l2 eq h2 );
+
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+ ( h1 dom h2 );
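Review bot: Splitting `create relabelto` drops the single-level requirement `( l2 eq h2 )` for `dir`, `chr_file`, `blk_file` and `sock_file`, which the removed rule enforced for every file class. After this change those classes can be created with, or relabeled to, a ranged label whenever `h1 dom h2` holds. That may be intended for directories given `default_range dir_file_class_set target low;`, but the hunk gives no reason for device nodes and sockets, so either keep them in the `( l2 eq h2 )` rule or add a comment stating why they are excluded. The `relabelfrom` rule also gains a `t1 == mcswriteall` override while the comment above it still says labels must be dominated by the subject clearance. I would extend it to `# new file labels must be dominated by the relabeling subject clearance, unless the subject has mcswriteall`.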
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
+# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mcsnetwrite ) or
+ ( t1 == unlabeled_t ));
+mlsconstrain { node } { sendto }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ ( t1 == mcsnetwrite ));
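Review bot: The `recvfrom` rule exempts `t1 == unlabeled_t`, so any peer that arrives without a label passes the node category check. It is also the only visible constraint that names a concrete type rather than an attribute. If that is required for unlabeled traffic to keep working, add a comment such as `# unlabeled peers carry no categories to compare; they are allowed here and must be restricted by TE rules`, so the bypass is a documented decision. Both node rules also test `( l1 dom l2 ) and ( l1 domby h2 )`, where every other constraint in view uses `h1 dom h2`. This looks carried over from the MLS policy, and it is worth confirming that comparing the subject's low level is what is wanted for MCS, where a process's categories may sit only in its high level.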
+
mlsconstrain packet { send recv }
(( h1 dom h2 ) or ( t1 == mcsnetwrite ));