commit 356f4be679544363466dad93e7bee68b2a6f2cf0
author Stephen Smalley <sds@tycho.nsa.gov> Fri May 23 11:26:19 2014 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> Fri May 23 13:14:22 2014 -0400
tree c8546dcc31738c6fac03d7c1ce6ba65665aad45e
parent 4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf

Restrict requesting contexts other than policy-defined defaults.

Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te

diff --git a/domain.te b/domain.te
index 5fef04b..f7e8692 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,7 @@
 allow domain tmpfs:dir r_dir_perms;
 
 # Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace };
+allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;