Adding constraints to the rules
We already know that root can read the temp files of the myapp program (or myapp_se)
That's because there are rules that allow the root user to read the files.
If you want, you can add a constraint condition to disable the rules, so that root cannot read the files.
When you do this, you have already interfered deeply with the policy, because constraints are only in the base module and you have to modify the base module.
Constraints that affect the security level have the following general form:
mlsconstrain class perm_set expression;
The default constraint in the base module involves reading files as follows
mlsconstrain file { read ioctl lock execute execute_no_trans }
(( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain)));
The expression reads as follow
See security context.
Now we add a condition to the expression that must satisfy:
(( u1 == u2 ) or ( t2 != mcs_constrained_type ))
It reads as follows:
The source user and target user are the same, or
The target type does not belong to the mcs_constrained_type group.
The whole constraint becomes:
mlsconstrain file { read ioctl lock execute execute_no_trans }
((( h1 dom h2 ) or ( t1 == mcsreadall ) or
(( t1 != mcs_constrained_type ) and (t2 == domain))) and
(( u1 == u2 ) or ( t2 != mcs_constrained_type )));
Suppose the type mapp_tmp_t (or mapp_se_tmp_t) belongs to the mcs_constrained_type group. When root reads such a temp file, u1 is root, u2 is staff_u. So the new condition is not satisfied. Therefore root cannot read the temp files of the myapp program or myapp_se program even if it has permissions to read them.
Share on Twitter Share on Facebook Share on Linked In
Contact: tuyen@omarine.org
Comments
There are currently no comments
New Comment