commit 025b7df2987cb086fa0f67383569414961679260
author Stephen Smalley <sds@tycho.nsa.gov> Fri Mar 13 17:07:39 2015 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Fri Mar 13 17:07:39 2015 -0400
tree 92c01e9598eae52cd5896f0b6c09883eca7a6832
parent eaece936f297e1c77939c0ff0ad4d741de6990b4

sepolicy:  Clean up mls constraints.

Require equivalence for all write operations.  We were already
doing this for app_data_file as a result of restricting open
rather than read/write, so this makes the model consistent across
all objects and operations.  It also addresses the scenario where
we have mixed usage of levelFrom=all and levelFrom=user for
different apps on the same device where the dominated-by (domby)
relation may not be sufficiently restrictive.

Drop the System V IPC constraints since System V IPC is never allowed
by TE and thus these constraints are dead policy.

Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

mls

diff --git a/mls b/mls
index 474bd72..5589b4b 100644
--- a/mls
+++ b/mls
@@ -26,9 +26,9 @@
 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
 	     (l1 dom l2 or t1 == mlstrustedsubject);
 
-# Process write operations:  No write down unless trusted.
+# Process write operations:  Require equivalence unless trusted.
 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
-	     (l1 domby l2 or t1 == mlstrustedsubject);
+	     (l1 eq l2 or t1 == mlstrustedsubject);
 
 #
 # Socket constraints
@@ -39,10 +39,10 @@
 mlsconstrain socket_class_set { create relabelfrom relabelto }
 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
 
-# Datagram send: Sender must be dominated by receiver unless one of them is
-# trusted.
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
 mlsconstrain unix_dgram_socket { sendto }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
 
 # Stream connect:  Client must be equivalent to server unless one of them
 # is trusted.
@@ -83,13 +83,13 @@
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
 	     (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
-# Write operations: Subject must be dominated by the object unless the
+# Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
-	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
-	     (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+	     (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
@@ -100,23 +100,7 @@
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
 
 mlsconstrain fifo_file { write setattr append unlink link rename }
-	     (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# IPC constraints
-#
-
-# Create/destroy: equivalence or trusted.
-mlsconstrain ipc_class_set { create destroy }
-	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-# Read ops: No read up unless trusted.
-mlsconstrain ipc_class_set r_ipc_perms
-	     (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Write ops: No write down unless trusted.
-mlsconstrain ipc_class_set w_ipc_perms
-	     (l1 domby l2 or t1 == mlstrustedsubject);
+	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
 
 #
 # Binder IPC constraints