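ifdef(`enable_mcs',`
#
# Define sensitivities
#
# MCS is single-sensitivity: the only sensitivity is s0, so every decision
# below reduces to a comparison of category sets.
#
# NOTE: everything in this block is the second argument of an m4 ifdef(),
# so comment text must not contain an apostrophe or a backquote; either
# one would terminate the m4 quote early and break the build.
#

gen_sens(1)

#
# Define the categories
#
# Generate declarations. mcs_num_cats is not defined in this file; it is
# presumably supplied by the build configuration.
#

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#

gen_levels(1,mcs_num_cats)

#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
#            | not expression
#            | expression and expression
#            | expression or expression
#            | u1 op u2
#            | r1 role_mls_op r2
#            | t1 op t2
#            | l1 role_mls_op l2
#            | l1 role_mls_op h2
#            | h1 role_mls_op l2
#            | h1 role_mls_op h2
#            | l1 role_mls_op h1
#            | l2 role_mls_op h2
#            | u1 op names
#            | u2 op names
#            | r1 op names
#            | r2 op names
#            | t1 op names
#            | t2 op names
#            | u3 op names (NOTE: this is only available for mlsvalidatetrans)
#            | r3 op names (NOTE: this is only available for mlsvalidatetrans)
#            | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
# Conventions used in the rules below: l1/h1 are the low/high (clearance)
# level of the source context and l2/h2 those of the target, so
# ( h1 dom h2 ) means the subject clearance includes every category of the
# object. Several constraints on the same class and permission are all
# applied; a permission is denied as soon as any one of them fails.
#
# The names mcsreadall, mcswriteall, mcssetcats, mcsptraceall, mcskillall,
# mcsnetwrite, mcsuntrustedproc, domain and unlabeled_t are not declared in
# this file; they are presumably attributes and types provided by the MCS
# module. Each of the mcs* names bypasses a category check for the
# permissions it is named in, so membership should be granted sparingly.
#

#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
# Note:
# - getattr on dirs/files is not constrained.
# - /proc/pid operations are not constrained: the ( t2 == domain ) arm
#   exempts objects labeled with a process type for every subject other
#   than mcsuntrustedproc.
# - mcsreadall (read side) and mcswriteall (write side) skip the category
#   check entirely.

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

# Only open is constrained for fifos; there is no fifo_file read/write rule
# in this file, so the category check happens once, at open time. The
# exemption is mcsreadall regardless of the open mode, so a domain that
# relies on mcswriteall alone cannot open a fifo it does not dominate.
# NOTE(review): confirm that asymmetry is intended.
mlsconstrain fifo_file { open }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

# Unlike dirs and regular files, getattr on these classes is constrained.
mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

# Relabeling away from an existing label: the subject clearance must
# dominate the current label of the object (h2 is the label being left
# behind), or the subject is mcswriteall.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	(( h1 dom h2 ) or ( t1 == mcswriteall ));

# New or relabeled file, symlink and fifo labels must be single-level
# (low == high). dir, chr_file, blk_file and sock_file are not covered by
# this rule and so may carry a range.
mlsconstrain { file lnk_file fifo_file } { create relabelto }
	( l2 eq h2 );

# New object labels must be dominated by the creating or relabeling subject
# clearance. There is deliberately no mcswriteall bypass on this rule.
# Together with the single-level rule above this also expresses the former
# file-only rule
#   mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 ));
# which was redundant (every matching constraint is applied) and has been
# folded in here.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
	( h1 dom h2 );

# A process may only transition to a context whose clearance it already
# dominates, unless it is mcssetcats.
mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

# Debugging another process requires dominating it, or mcsptraceall.
mlsconstrain process { ptrace }
	(( h1 dom h2 ) or ( t1 == mcsptraceall ));

# SIGKILL and SIGSTOP require dominance or mcskillall ...
mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

# ... whereas the generic signal permission is only category-checked for
# mcsuntrustedproc: any other domain may signal processes of any category.
# sigchld and signull are not constrained in this file.
mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));

#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules. Note that,
# unlike the file classes, these have no mcsreadall / mcswriteall bypass.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
	( h1 dom h2 );

mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	( h1 dom h2 );

mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	( h1 dom h2 );

mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	( h1 dom h2 );

# This rule used to appear twice with identical text; one copy is enough.
mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
	( h1 dom h2 );

# Binding a socket to a node requires dominating the node label, or
# mcsnetwrite.
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
#
# Here the subject low level must lie inside the node range
# ( l2 domby l1 and l1 domby h2 ), unless the subject is mcsnetwrite.
# recvfrom additionally admits unlabeled_t, i.e. traffic with no peer
# label, so unlabeled peers are not category-checked on receive.
mlsconstrain { node } { recvfrom }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ) or
	 ( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ));

# Labeled packets: the subject clearance must dominate the packet label,
# or the subject is mcsnetwrite.
mlsconstrain packet { send recv }
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

') dnl end enable_mcs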
158 | ( h1 dom h2 ); | |
159 | ||
160 | mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install } | |
161 | ( h1 dom h2 ); | |
162 | ||
163 | mlsconstrain db_language { drop getattr setattr relabelfrom execute } | |
9760cbec CP |
164 | ( h1 dom h2 ); |
165 | ||
350ed891 | 166 | mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } |
9760cbec CP |
167 | ( h1 dom h2 ); |
168 | ||
74df3513 DW |
169 | mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind |
170 | (( h1 dom h2 ) or ( t1 == mcsnetwrite )); | |
171 | ||
d93ac322 DW |
172 | # the node recvfrom/sendto ops, the recvfrom permission is a "write" operation |
173 | # because the subject in this particular case is the remote domain which is | |
174 | # writing data out the network node which is acting as the object | |
175 | mlsconstrain { node } { recvfrom } | |
176 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
177 | ( t1 == mcsnetwrite ) or | |
178 | ( t1 == unlabeled_t )); | |
179 | mlsconstrain { node } { sendto } | |
180 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
181 | ( t1 == mcsnetwrite )); | |
182 | ||
1fb98d57 | 183 | mlsconstrain packet { send recv } |
5218e768 | 184 | (( h1 dom h2 ) or ( t1 == mcsnetwrite )); |
1fb98d57 | 185 | |
a0824843 | 186 | ') dnl end enable_mcs |