[PATCH 3/7] mcs: add additional constraints to databases


 



Signed-off-by: Kenton Groombridge <me@xxxxxxxxxx>
---
 policy/mcs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index d4d984e47..8db3838f5 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -135,6 +135,9 @@ mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure d
 mlsconstrain { db_tuple } { insert relabelto }
 	(( h1 dom h2 ) and ( l2 eq h2 ));
 
+mlsconstrain context contains
+	(( h1 dom h2 ) and ( l1 domby l2 ));
+
 # Access control for any database objects based on MCS rules.
 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
 	( h1 dom h2 );
@@ -166,4 +169,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
 	( h1 dom h2 );
 
+mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+# The node recvfrom/sendto ops, the recvfrom permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network node which is acting as the object
+mlsconstrain { node } { recvfrom sendto }
+	(( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+
+mlsconstrain { packet peer } { recv }
+	(( l1 dom l2 ) or
+	 (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type )));
+
+# The netif ingress/egress ops, the ingress permission is a "write" operation
+# because the subject in this particular case is the remote domain which is
+# writing data out the network interface which is acting as the object
+mlsconstrain { netif } { egress ingress }
+	(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
+
 ') dnl end enable_mcs
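Review bot: The `node { recvfrom sendto }` constraint's second line, `(( l1 dom l2 ) or ( t1 != msc_constrained_type ));`, misspells the attribute as `msc_constrained_type`, while every other new constraint in this hunk uses `mcs_constrained_type`. If that name is not declared anywhere, checkpolicy will presumably reject the policy at build time; if it happens to be declared, the exception clause would never match the intended attribute and the `l1 dom l2` check would be enforced on all domains, including those that are not MCS-constrained, which is not what the neighbouring node_bind, packet/peer and netif constraints do. The line should read `(( l1 dom l2 ) or ( t1 != mcs_constrained_type ));`. Separately, the commit title only mentions databases, whereas this hunk adds node, packet/peer and netif constraints; a sentence in the description listing them would help anyone bisecting a network denial later.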
-- 
2.33.1




