scripts/selinux: add basic mls support to mdp

Message ID	20190214191417.1469-1-sds@tycho.nsa.gov (mailing list archive)
State	Superseded
Headers	show Return-Path: <selinux-owner@kernel.org> IronPort-PHdr: 9a23:NNUU5BM5svUDlSAFeHAl6mtUPXoX/o7sNwtQ0KIMzox0LfT8rarrMEGX3/hxlliBBdydt6oUzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxlLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr86QzSi67pgRgHuhikJKjU19HjbhtJsgK5eph+quh5xzJPOYIyNNPRwYL7Tc90ZS2RGUclfWDdMDp+/YoYVE+YMJ/pUo5X7qlATrRW+Hw6sBOb3xzFVmn/5w7U60+Q/HgHAwQcuAtcOv27QrNXxKqgTUf2+wa7TzTredPNbwiv96YjUfRAhpvGAR7RwcdHLxkU1GAPFiUuQpJXjMjiI1eoNq3CW4/dvWO+gkWIqqxx9riKxysojlIXFnJ8Zx1bZ/itj2ok1P8e3SEtjbN6hF5tfqj+VOpNtQsMnX2FooCE6yqAauZKjfCgF1pAnxxnHZvybaYeI+BPjVPuKITtimHJkeK6whxa18US6zO3zStK030pQoipAk9nMsmgB1x3V6seZVvtw5lqt1DmA2gzJ6uxIPFo4mbTUJpI/2LI8i4IfsUHZES/3nEX2grWWdkIh+uWw8OTof67mq4SAN450lg7+MqMulta5AeQjKAcCRWeb+eOi1LH75032XK1KjuEqkqneqJ3aPtoUpqq4Aw9Tz4Yi5A2yDymp0NsGh3kLNlFFdwydj4jvJV7OJOr0DfClg1SjiD1r3ezJPqX9ApXRKXjOiK/hcqxg605Y0wcz1cpQ549QCr0YJfLzXUjxtMbGARMjLwO0xOPnW51B0dYGUH+LKreQLaeXtFiP/O9pKO6JN6EPvzOoEOQo//7jizcCnFYZeaS4lc8MZGuQAuVtI0LfZ2HlxNgGDzFZ7UIFUOX2hQjaAnZobHGoUvd5vGk2 From: Stephen Smalley <sds@tycho.nsa.gov> To: paul@paul-moore.com Cc: selinux@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov> Subject: [PATCH] scripts/selinux: add basic mls support to mdp Date: Thu, 14 Feb 2019 14:14:17 -0500 Message-Id: <20190214191417.1469-1-sds@tycho.nsa.gov> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: selinux-owner@vger.kernel.org Precedence: bulk
Series	scripts/selinux: add basic mls support to mdp \| expand scripts/selinux: add basic mls support to mdp

Message ID

20190214191417.1469-1-sds@tycho.nsa.gov (mailing list archive)

State

Superseded

Headers

IronPort-PHdr: 
 9a23:NNUU5BM5svUDlSAFeHAl6mtUPXoX/o7sNwtQ0KIMzox0LfT8rarrMEGX3/hxlliBBdydt6oUzbKO+4nbGkU4qa6bt34DdJEeHzQksu4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2aFLduGC94iAPERvjKwV1Ov71GonPhMiryuy+4ZLebxlLiTanfb9+MAi9oBnMuMURnYZsMLs6xAHTontPdeRWxGdoKkyWkh3h+Mq+/4Nt/jpJtf45+MFOTav1f6IjTbxFFzsmKHw65NfqtRbYUwSC4GYXX3gMnRpJBwjF6wz6Xov0vyDnuOdxxDWWMMvrRr86QzSi67pgRgHuhikJKjU19HjbhtJsgK5eph+quh5xzJPOYIyNNPRwYL7Tc90ZS2RGUclfWDdMDp+/YoYVE+YMJ/pUo5X7qlATrRW+Hw6sBOb3xzFVmn/5w7U60+Q/HgHAwQcuAtcOv27QrNXxKqgTUf2+wa7TzTredPNbwiv96YjUfRAhpvGAR7RwcdHLxkU1GAPFiUuQpJXjMjiI1eoNq3CW4/dvWO+gkWIqqxx9riKxysojlIXFnJ8Zx1bZ/itj2ok1P8e3SEtjbN6hF5tfqj+VOpNtQsMnX2FooCE6yqAauZKjfCgF1pAnxxnHZvybaYeI+BPjVPuKITtimHJkeK6whxa18US6zO3zStK030pQoipAk9nMsmgB1x3V6seZVvtw5lqt1DmA2gzJ6uxIPFo4mbTUJpI/2LI8i4IfsUHZES/3nEX2grWWdkIh+uWw8OTof67mq4SAN450lg7+MqMulta5AeQjKAcCRWeb+eOi1LH75032XK1KjuEqkqneqJ3aPtoUpqq4Aw9Tz4Yi5A2yDymp0NsGh3kLNlFFdwydj4jvJV7OJOr0DfClg1SjiD1r3ezJPqX9ApXRKXjOiK/hcqxg605Y0wcz1cpQ549QCr0YJfLzXUjxtMbGARMjLwO0xOPnW51B0dYGUH+LKreQLaeXtFiP/O9pKO6JN6EPvzOoEOQo//7jizcCnFYZeaS4lc8MZGuQAuVtI0LfZ2HlxNgGDzFZ7UIFUOX2hQjaAnZobHGoUvd5vGk2
From: Stephen Smalley <sds@tycho.nsa.gov>
To: paul@paul-moore.com
Cc: selinux@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH] scripts/selinux: add basic mls support to mdp
Date: Thu, 14 Feb 2019 14:14:17 -0500
Message-Id: <20190214191417.1469-1-sds@tycho.nsa.gov>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: selinux-owner@vger.kernel.org
Precedence: bulk

Series

scripts/selinux: add basic mls support to mdp | expand

Commit Message

Stephen Smalley Feb. 14, 2019, 7:14 p.m. UTC

Add basic MLS support to mdp.  Usage:
scripts/selinux/mdp/mdp -m policy.conf file_contexts
checkpolicy -M -o policy policy.conf

Then install the resulting policy and file_contexts as usual.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
 1 file changed, 103 insertions(+), 28 deletions(-)

Comments

Stephen Smalley Feb. 14, 2019, 7:35 p.m. UTC | #1

On 2/14/19 2:14 PM, Stephen Smalley wrote:
> Add basic MLS support to mdp.  Usage:
> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> checkpolicy -M -o policy policy.conf
> 
> Then install the resulting policy and file_contexts as usual.
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
>   1 file changed, 103 insertions(+), 28 deletions(-)
> 
> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
> index 073fe7537f6c..4672ee5cc1bd 100644
> --- a/scripts/selinux/mdp/mdp.c
> +++ b/scripts/selinux/mdp/mdp.c
> @@ -97,8 +97,19 @@ int main(int argc, char *argv[])
>   
>   	/* NOW PRINT OUT MLS STUFF */
>   	if (mls) {
> -		printf("MLS not yet implemented\n");
> -		exit(1);
> +		fprintf(fout, "sensitivity s0;\n");

Do we want more than one sensitivity for this example?

> +		fprintf(fout, "dominance { s0 }\n"); > +		fprintf(fout, "category c0;\n");
> +		fprintf(fout, "category c1;\n");
> +		fprintf(fout, "level s0:c0.c1;\n\n");
> +		for (i = 0; secclass_map[i].name; i++) {
> +			struct security_class_mapping *map = &secclass_map[i];
> +
> +			fprintf(fout, "mlsconstrain %s {\n", map->name);
> +			for (j = 0; map->perms[j]; j++)
> +				fprintf(fout, "\t%s\n", map->perms[j]);
> +			fprintf(fout, "} (l1 eq l2 and h1 eq h2);\n\n");

This constraint prohibits all permissions between s0:c0.c1 and s0:c0 
(and vice versa) or between s0:c0 and s0 (or vice versa), for example. 
It requires both low and high levels to be identical for any access to 
be granted.  Not very useful.

Alternatively, we could require dominance (dom), in which case s0:c0.c1 
would have all permissions to s0:c0, s0:c1, or just s0, while s0:c0 
would no permissions to s0:c0.c1 or to s0:c1.  A little more interesting 
but still probably not usable for anything.

Or we could split up the constraints into separate constraints on the 
"read" operations versus the "write" operations like MCS or MLS.  But 
that requires manually writing the constraints; we can't auto-generate 
them for all classes/permissions that way without a separate 
specification of which ones are reads and which ones are writes.  And we 
would also likely need/want separate constraints on "create", 
"transition", etc in order to ensure properly handling of the low/high 
relationships.

Also, since there is only one domain/type defined by mdp, we can't have 
some domains/types exempted and others not, so it is all or nothing.

Kind of hard to create a useful mls policy example without a richer TE 
policy for mdp.

> +		}
>   	}
>   
>   	/* types, roles, and allows */
> @@ -108,34 +119,92 @@ int main(int argc, char *argv[])
>   	for (i = 0; secclass_map[i].name; i++)
>   		fprintf(fout, "allow base_t base_t:%s *;\n",
>   			secclass_map[i].name);
> -	fprintf(fout, "user user_u roles { base_r };\n");
> -	fprintf(fout, "\n");
> +	fprintf(fout, "user user_u roles { base_r }");
> +	if (mls)
> +		fprintf(fout, " level s0 range s0 - s0:c0.c1");
> +	fprintf(fout, ";\n");
>   
>   	/* default sids */
> -	for (i = 1; i < initial_sid_to_string_len; i++)
> -		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
> +	for (i = 1; i < initial_sid_to_string_len; i++) {
> +		fprintf(fout, "sid %s user_u:base_r:base_t",
> +			initial_sid_to_string[i]);
> +		if (mls)
> +			fprintf(fout, ":s0");
> +		fprintf(fout, "\n");
> +	}
>   	fprintf(fout, "\n");
>   
> -	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
> -
> -	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
> -
> -	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
> -	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
> -
> -	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
> +	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +
> +	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +
> +	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, ";\n");
> +
> +	fprintf(fout, "genfscon proc / user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, "\n");
>   
>   	fclose(fout);
>   
> @@ -144,8 +213,14 @@ int main(int argc, char *argv[])
>   		printf("Wrote policy, but cannot open %s for writing\n", ctxout);
>   		usage(argv[0]);
>   	}
> -	fprintf(fout, "/ user_u:base_r:base_t\n");
> -	fprintf(fout, "/.* user_u:base_r:base_t\n");
> +	fprintf(fout, "/ user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, "\n");
> +	fprintf(fout, "/.* user_u:base_r:base_t");
> +	if (mls)
> +		fprintf(fout, ":s0");
> +	fprintf(fout, "\n");
>   	fclose(fout);
>   
>   	return 0;
>

Stephen Smalley Feb. 14, 2019, 8:22 p.m. UTC | #2

On 2/14/19 2:35 PM, Stephen Smalley wrote:
> On 2/14/19 2:14 PM, Stephen Smalley wrote:
>> Add basic MLS support to mdp.  Usage:
>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>> checkpolicy -M -o policy policy.conf
>>
>> Then install the resulting policy and file_contexts as usual.
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>
>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>> index 073fe7537f6c..4672ee5cc1bd 100644
>> --- a/scripts/selinux/mdp/mdp.c
>> +++ b/scripts/selinux/mdp/mdp.c
>> @@ -97,8 +97,19 @@ int main(int argc, char *argv[])
>>       /* NOW PRINT OUT MLS STUFF */
>>       if (mls) {
>> -        printf("MLS not yet implemented\n");
>> -        exit(1);
>> +        fprintf(fout, "sensitivity s0;\n");
> 
> Do we want more than one sensitivity for this example?
> 
>> +        fprintf(fout, "dominance { s0 }\n"); > +        fprintf(fout, 
>> "category c0;\n");
>> +        fprintf(fout, "category c1;\n");
>> +        fprintf(fout, "level s0:c0.c1;\n\n");
>> +        for (i = 0; secclass_map[i].name; i++) {
>> +            struct security_class_mapping *map = &secclass_map[i];
>> +
>> +            fprintf(fout, "mlsconstrain %s {\n", map->name);
>> +            for (j = 0; map->perms[j]; j++)
>> +                fprintf(fout, "\t%s\n", map->perms[j]);
>> +            fprintf(fout, "} (l1 eq l2 and h1 eq h2);\n\n");
> 
> This constraint prohibits all permissions between s0:c0.c1 and s0:c0 
> (and vice versa) or between s0:c0 and s0 (or vice versa), for example. 
> It requires both low and high levels to be identical for any access to 
> be granted.  Not very useful.
> 
> Alternatively, we could require dominance (dom), in which case s0:c0.c1 
> would have all permissions to s0:c0, s0:c1, or just s0, while s0:c0 
> would no permissions to s0:c0.c1 or to s0:c1.  A little more interesting 
> but still probably not usable for anything.

OTOH, the MCS constraints are almost entirely written using dominance 
only, with a few exceptions.  If we included the highest sensitivity and 
all categories in the kernel initial SID context, then init would 
inherit that context (no domain transitions defined by mdp) and one 
could manually start a process with fewer or no categories via runcon or 
similar to exercise the constraints.  Still not very usable but might 
suffice for demonstration purposes.

> 
> Or we could split up the constraints into separate constraints on the 
> "read" operations versus the "write" operations like MCS or MLS.  But 
> that requires manually writing the constraints; we can't auto-generate 
> them for all classes/permissions that way without a separate 
> specification of which ones are reads and which ones are writes.  And we 
> would also likely need/want separate constraints on "create", 
> "transition", etc in order to ensure properly handling of the low/high 
> relationships.
> 
> Also, since there is only one domain/type defined by mdp, we can't have 
> some domains/types exempted and others not, so it is all or nothing.
> 
> Kind of hard to create a useful mls policy example without a richer TE 
> policy for mdp.
> 
>> +        }
>>       }
>>       /* types, roles, and allows */
>> @@ -108,34 +119,92 @@ int main(int argc, char *argv[])
>>       for (i = 0; secclass_map[i].name; i++)
>>           fprintf(fout, "allow base_t base_t:%s *;\n",
>>               secclass_map[i].name);
>> -    fprintf(fout, "user user_u roles { base_r };\n");
>> -    fprintf(fout, "\n");
>> +    fprintf(fout, "user user_u roles { base_r }");
>> +    if (mls)
>> +        fprintf(fout, " level s0 range s0 - s0:c0.c1");
>> +    fprintf(fout, ";\n");
>>       /* default sids */
>> -    for (i = 1; i < initial_sid_to_string_len; i++)
>> -        fprintf(fout, "sid %s user_u:base_r:base_t\n", 
>> initial_sid_to_string[i]);
>> +    for (i = 1; i < initial_sid_to_string_len; i++) {
>> +        fprintf(fout, "sid %s user_u:base_r:base_t",
>> +            initial_sid_to_string[i]);
>> +        if (mls)
>> +            fprintf(fout, ":s0");
>> +        fprintf(fout, "\n");
>> +    }
>>       fprintf(fout, "\n");
>> -    fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>> -
>> -    fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>> -
>> -    fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>> -    fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>> -
>> -    fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>> +    fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +
>> +    fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +
>> +    fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +    fprintf(fout, "fs_use_trans shm user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, ";\n");
>> +
>> +    fprintf(fout, "genfscon proc / user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, "\n");
>>       fclose(fout);
>> @@ -144,8 +213,14 @@ int main(int argc, char *argv[])
>>           printf("Wrote policy, but cannot open %s for writing\n", 
>> ctxout);
>>           usage(argv[0]);
>>       }
>> -    fprintf(fout, "/ user_u:base_r:base_t\n");
>> -    fprintf(fout, "/.* user_u:base_r:base_t\n");
>> +    fprintf(fout, "/ user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, "\n");
>> +    fprintf(fout, "/.* user_u:base_r:base_t");
>> +    if (mls)
>> +        fprintf(fout, ":s0");
>> +    fprintf(fout, "\n");
>>       fclose(fout);
>>       return 0;
>>
>

diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 073fe7537f6c..4672ee5cc1bd 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -97,8 +97,19 @@  int main(int argc, char *argv[])
 
 	/* NOW PRINT OUT MLS STUFF */
 	if (mls) {
-		printf("MLS not yet implemented\n");
-		exit(1);
+		fprintf(fout, "sensitivity s0;\n");
+		fprintf(fout, "dominance { s0 }\n");
+		fprintf(fout, "category c0;\n");
+		fprintf(fout, "category c1;\n");
+		fprintf(fout, "level s0:c0.c1;\n\n");
+		for (i = 0; secclass_map[i].name; i++) {
+			struct security_class_mapping *map = &secclass_map[i];
+
+			fprintf(fout, "mlsconstrain %s {\n", map->name);
+			for (j = 0; map->perms[j]; j++)
+				fprintf(fout, "\t%s\n", map->perms[j]);
+			fprintf(fout, "} (l1 eq l2 and h1 eq h2);\n\n");
+		}
 	}
 
 	/* types, roles, and allows */
@@ -108,34 +119,92 @@  int main(int argc, char *argv[])
 	for (i = 0; secclass_map[i].name; i++)
 		fprintf(fout, "allow base_t base_t:%s *;\n",
 			secclass_map[i].name);
-	fprintf(fout, "user user_u roles { base_r };\n");
-	fprintf(fout, "\n");
+	fprintf(fout, "user user_u roles { base_r }");
+	if (mls)
+		fprintf(fout, " level s0 range s0 - s0:c0.c1");
+	fprintf(fout, ";\n");
 
 	/* default sids */
-	for (i = 1; i < initial_sid_to_string_len; i++)
-		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+	for (i = 1; i < initial_sid_to_string_len; i++) {
+		fprintf(fout, "sid %s user_u:base_r:base_t",
+			initial_sid_to_string[i]);
+		if (mls)
+			fprintf(fout, ":s0");
+		fprintf(fout, "\n");
+	}
 	fprintf(fout, "\n");
 
-	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
-
-	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
-
-	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-
-	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+
+	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+
+	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, ";\n");
+
+	fprintf(fout, "genfscon proc / user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, "\n");
 
 	fclose(fout);
 
@@ -144,8 +213,14 @@  int main(int argc, char *argv[])
 		printf("Wrote policy, but cannot open %s for writing\n", ctxout);
 		usage(argv[0]);
 	}
-	fprintf(fout, "/ user_u:base_r:base_t\n");
-	fprintf(fout, "/.* user_u:base_r:base_t\n");
+	fprintf(fout, "/ user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, "\n");
+	fprintf(fout, "/.* user_u:base_r:base_t");
+	if (mls)
+		fprintf(fout, ":s0");
+	fprintf(fout, "\n");
 	fclose(fout);
 
 	return 0;

scripts/selinux: add basic mls support to mdp

Commit Message

Comments

Patch