[people/stevee/selinux-policy.git] / policy / mcs

ifdef(`enable_mcs',`
#
# Define sensitivities 
#
# MCS is single-sensitivity.

gen_sens(1)

#
# Define the categories
#
# Generate declarations

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#

gen_levels(1,mcs_num_cats)

#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_mls_op r2
#	     | t1 op t2
#	     | l1 role_mls_op l2
#	     | l1 role_mls_op h2
#	     | h1 role_mls_op l2
#	     | h1 role_mls_op h2
#	     | l1 role_mls_op h1
#	     | l2 role_mls_op h2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file.  We use the high range of the process so
# that processes can always simply run at s0.
#
# Note:
#  - getattr on dirs/files is not constrained.
#  - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain fifo_file { open }
    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
     (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
     (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
    (( h1 dom h2 ) or ( t1 == mcswriteall ) or
     (( t1 != mcsuntrustedproc ) and (t2 == domain)));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	(( h1 dom h2 ) or ( t1 == mcswriteall ));

mlsconstrain { file lnk_file fifo_file } { create relabelto }
	( l2 eq h2 );

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
	( h1 dom h2 );

mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));

mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));

#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
	( h1 dom h2 );

mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	( h1 dom h2 );

mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	( h1 dom h2 );

mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	( h1 dom h2 );

mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
	( h1 dom h2 );

mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ) or
	 ( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ));

mlsconstrain packet { send recv }
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

') dnl end enable_mcs
Commit	Line	Data
a0824843 CP	1	ifdef(`enable_mcs',`
	2	#
	3	# Define sensitivities
	4	#
a0824843	5	# MCS is single-sensitivity.
a0824843	6
e070dd2d	7	gen_sens(1)
a0824843 CP	8
	9	#
	10	# Define the categories
	11	#
e070dd2d	12	# Generate declarations
a9e03b37	13
e070dd2d	14	gen_cats(mcs_num_cats)
a0824843 CP	15
	16	#
	17	# Each MCS level specifies a sensitivity and zero or more categories which may
	18	# be associated with that sensitivity.
	19	#
e070dd2d CP	20
e070dd2d CP	21	gen_levels(1,mcs_num_cats)
a0824843 CP	22
	23	#
	24	# Define the MCS policy
	25	#
	26	# mlsconstrain class_set perm_set expression ;
	27	#
	28	# mlsvalidatetrans class_set expression ;
	29	#
	30	# expression : ( expression )
	31	# \| not expression
	32	# \| expression and expression
	33	# \| expression or expression
	34	# \| u1 op u2
	35	# \| r1 role_mls_op r2
	36	# \| t1 op t2
	37	# \| l1 role_mls_op l2
	38	# \| l1 role_mls_op h2
	39	# \| h1 role_mls_op l2
	40	# \| h1 role_mls_op h2
	41	# \| l1 role_mls_op h1
	42	# \| l2 role_mls_op h2
	43	# \| u1 op names
	44	# \| u2 op names
	45	# \| r1 op names
	46	# \| r2 op names
	47	# \| t1 op names
	48	# \| t2 op names
	49	# \| u3 op names (NOTE: this is only available for mlsvalidatetrans)
	50	# \| r3 op names (NOTE: this is only available for mlsvalidatetrans)
	51	# \| t3 op names (NOTE: this is only available for mlsvalidatetrans)
	52	#
	53	# op : == \| !=
	54	# role_mls_op : == \| != \| eq \| dom \| domby \| incomp
	55	#
	56	# names : name \| { name_list }
	57	# name_list : name \| name_list name
	58	#
	59
	60	#
	61	# MCS policy for the file classes
	62	#
	63	# Constrain file access so that the high range of the process dominates
	64	# the high range of the file. We use the high range of the process so
	65	# that processes can always simply run at s0.
	66	#
808341bb CP	67	# Note:
	68	# - getattr on dirs/files is not constrained.
	69	# - /proc/pid operations are not constrained.
	70
	71	mlsconstrain file { read ioctl lock execute execute_no_trans }
f441bdc2 DW	72	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
f441bdc2 DW	73	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
8cf67141	74
808341bb	75	mlsconstrain file { write setattr append unlink link rename }
ed00b68a	76	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
f441bdc2	77	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
808341bb CP	78
808341bb CP	79	mlsconstrain dir { search read ioctl lock }
f441bdc2 DW	80	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
f441bdc2 DW	81	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
808341bb CP	82
808341bb CP	83	mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
f441bdc2 DW	84	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
f441bdc2 DW	85	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
8708d9be	86
620e4b70 MG	87	mlsconstrain fifo_file { open }
	88	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	89	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
	90
	91	mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
8953255e MG	92	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	93	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
	94
620e4b70	95	mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
8953255e MG	96	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	97	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
	98
cdc86ee5 CP	99	# New filesystem object labels must be dominated by the relabeling subject
cdc86ee5 CP	100	# clearance, also the objects are single-level.
8e788ed2 CP	101	mlsconstrain file { create relabelto }
8e788ed2 CP	102	(( h1 dom h2 ) and ( l2 eq h2 ));
a0824843	103
77f6e2cd	104	# new file labels must be dominated by the relabeling subject clearance
515889b1	105	mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
d4e347f8 DW	106	(( h1 dom h2 ) or ( t1 == mcswriteall ));
	107
	108	mlsconstrain { file lnk_file fifo_file } { create relabelto }
	109	( l2 eq h2 );
8e788ed2	110
515889b1	111	mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
d4e347f8	112	( h1 dom h2 );
8cf67141	113
9779f092 CP	114	mlsconstrain process { transition dyntransition }
	115	(( h1 dom h2 ) or ( t1 == mcssetcats ));
	116
8e788ed2	117	mlsconstrain process { ptrace }
46551033	118	(( h1 dom h2) or ( t1 == mcsptraceall ));
a0824843	119
6ed3f15e	120	mlsconstrain process { sigkill sigstop }
8e788ed2	121	(( h1 dom h2 ) or ( t1 == mcskillall ));
a0824843	122
6ed3f15e DW	123	mlsconstrain process { signal }
	124	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
	125
9760cbec CP	126	#
	127	# MCS policy for SELinux-enabled databases
	128	#
	129
	130	# Any database object must be dominated by the relabeling subject
	131	# clearance, also the objects are single-level.
82c32d5c	132	mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
9760cbec CP	133	(( h1 dom h2 ) and ( l2 eq h2 ));
	134
	135	mlsconstrain { db_tuple } { insert relabelto }
	136	(( h1 dom h2 ) and ( l2 eq h2 ));
	137
	138	# Access control for any database objects based on MCS rules.
350ed891	139	mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
9760cbec CP	140	( h1 dom h2 );
9760cbec CP	141
82c32d5c KK	142	mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	143	( h1 dom h2 );
	144
350ed891	145	mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
9760cbec CP	146	( h1 dom h2 );
9760cbec CP	147
350ed891	148	mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
9760cbec CP	149	( h1 dom h2 );
	150
	151	mlsconstrain db_tuple { relabelfrom select update delete use }
	152	( h1 dom h2 );
	153
82c32d5c KK	154	mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	155	( h1 dom h2 );
	156
	157	mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	158	( h1 dom h2 );
	159
	160	mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	161	( h1 dom h2 );
	162
	163	mlsconstrain db_language { drop getattr setattr relabelfrom execute }
9760cbec CP	164	( h1 dom h2 );
9760cbec CP	165
350ed891	166	mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
9760cbec CP	167	( h1 dom h2 );
9760cbec CP	168
74df3513 DW	169	mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	170	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
	171
d93ac322 DW	172	# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
	173	# because the subject in this particular case is the remote domain which is
	174	# writing data out the network node which is acting as the object
	175	mlsconstrain { node } { recvfrom }
	176	((( l1 dom l2 ) and ( l1 domby h2 )) or
	177	( t1 == mcsnetwrite ) or
	178	( t1 == unlabeled_t ));
	179	mlsconstrain { node } { sendto }
	180	((( l1 dom l2 ) and ( l1 domby h2 )) or
	181	( t1 == mcsnetwrite ));
	182
1fb98d57	183	mlsconstrain packet { send recv }
5218e768	184	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
1fb98d57	185
a0824843	186	') dnl end enable_mcs