Red Hat uses MCS constraints for svirt separation and the upstream po…licy
reflects that goal. Very few domains are actually confined by MCS
constraints and many object classes aren't even in the mcs file.
CLIP users are using MCS to separate domains between unique filter pipelines.
It is common to have processes in different piplines run in the same domain
but with have unique category sets. These processes should not be able to
have any information flow between them. Along with this, the CLIP use case
typically allows a domain to read down to read the common libraries and other
system configuration files. This is basically what the MLS policy already does.
This patch set copies over the relevant portions of the mls constraints file
to the mcs constraints file. It modifies the appropriate modules to ensure
that domains are running with the correct level and clearance. Most of that
is really just finding the init_ranged_daemon_domain() calls that were only
for MLS. It modifies the sid for the kernel and the loopback interface so that
they are properly ranged. The last thing this patch set does is modify the
macros used for MCS to allow them to be more flexible and allow us to start
MCS processes at system low, s0, and have them be ranged.
The modifications in this commit are copyrighted works of Owl Cyber Defense.
(C) 2018 Owl Cyber Defense Solutions, LLC
Red Hat uses MCS constraints for svirt separation and the upstream po…licy
reflects that goal. Very few domains are actually confined by MCS constraints and many object classes aren't even in the mcs file.
CLIP users are using MCS to separate domains between unique filter pipelines. It is common to have processes in different piplines run in the same domain but with have unique category sets. These processes should not be able to have any information flow between them. Along with this, the CLIP use case typically allows a domain to read down to read the common libraries and other system configuration files. This is basically what the MLS policy already does.
This patch set copies over the relevant portions of the mls constraints file to the mcs constraints file. It modifies the appropriate modules to ensure that domains are running with the correct level and clearance. Most of that is really just finding the init_ranged_daemon_domain() calls that were only for MLS. It modifies the sid for the kernel and the loopback interface so that they are properly ranged. The last thing this patch set does is modify the macros used for MCS to allow them to be more flexible and allow us to start MCS processes at system low, s0, and have them be ranged.
The modifications in this commit are copyrighted works of Owl Cyber Defense. (C) 2018 Owl Cyber Defense Solutions, LLC