trunk: Database userspace object manager classes from KaiGai Kohei.

[people/stevee/selinux-policy.git] / policy / mcs

ifdef(`enable_mcs',`
#
# Define sensitivities 
#
# MCS is single-sensitivity.

gen_sens(1)

#
# Define the categories
#
# Generate declarations

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#

gen_levels(1,mcs_num_cats)

#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_mls_op r2
#	     | t1 op t2
#	     | l1 role_mls_op l2
#	     | l1 role_mls_op h2
#	     | h1 role_mls_op l2
#	     | h1 role_mls_op h2
#	     | l1 role_mls_op h1
#	     | l2 role_mls_op h2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file.  We use the high range of the process so
# that processes can always simply run at s0.
#
# Note that getattr on files is always permitted.
#
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
	( h1 dom h2 );

mlsconstrain dir { create getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl }
	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# At this time we do not restrict "ps" type operations via MCS.  This
# will probably change in future.
mlsconstrain file { read }
	(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));

# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	( h1 dom h2 );

mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));

mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
	( h1 dom h2 );

mlsconstrain db_column { drop setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_procedure { execute }
	( h1 dom h2 );

mlsconstrain db_blob { drop setattr relabelfrom read write }
	( h1 dom h2 );

') dnl end enable_mcs