a0824843 | 1 | ifdef(`enable_mcs',` |
2 | default_range dir_file_class_set target low; |
3 | ||
4 | # |
5 | # Define sensitivities | |
6 | # | |
a0824843 | 7 | # MCS is single-sensitivity. |
a0824843 | 8 | |
e070dd2d | 9 | gen_sens(1) |
10 | |
11 | # | |
12 | # Define the categories | |
13 | # | |
e070dd2d | 14 | # Generate declarations |
a9e03b37 | 15 | |
e070dd2d | 16 | gen_cats(mcs_num_cats) |
17 | |
18 | # | |
19 | # Each MCS level specifies a sensitivity and zero or more categories which may | |
20 | # be associated with that sensitivity. | |
21 | # | |
22 | |
23 | gen_levels(1,mcs_num_cats) | |
24 | |
25 | # | |
26 | # Define the MCS policy | |
27 | # | |
28 | # mlsconstrain class_set perm_set expression ; | |
29 | # | |
30 | # mlsvalidatetrans class_set expression ; | |
31 | # | |
32 | # expression : ( expression ) | |
33 | # | not expression | |
34 | # | expression and expression | |
35 | # | expression or expression | |
36 | # | u1 op u2 | |
37 | # | r1 role_mls_op r2 | |
38 | # | t1 op t2 | |
39 | # | l1 role_mls_op l2 | |
40 | # | l1 role_mls_op h2 | |
41 | # | h1 role_mls_op l2 | |
42 | # | h1 role_mls_op h2 | |
43 | # | l1 role_mls_op h1 | |
44 | # | l2 role_mls_op h2 | |
45 | # | u1 op names | |
46 | # | u2 op names | |
47 | # | r1 op names | |
48 | # | r2 op names | |
49 | # | t1 op names | |
50 | # | t2 op names | |
51 | # | u3 op names (NOTE: this is only available for mlsvalidatetrans) | |
52 | # | r3 op names (NOTE: this is only available for mlsvalidatetrans) | |
53 | # | t3 op names (NOTE: this is only available for mlsvalidatetrans) | |
54 | # | |
55 | # op : == | != | |
56 | # role_mls_op : == | != | eq | dom | domby | incomp | |
57 | # | |
58 | # names : name | { name_list } | |
59 | # name_list : name | name_list name | |
60 | # | |
61 | ||
62 | # | |
63 | # MCS policy for the file classes | |
64 | # | |
65 | # Constrain file access so that the high range of the process dominates | |
66 | # the high range of the file. We use the high range of the process so | |
67 | # that processes can always simply run at s0. | |
68 | # | |
69 | # Note: |
70 | # - getattr on dirs/files is not constrained. | |
71 | # - /proc/pid operations are not constrained. | |
72 | ||
73 | mlsconstrain file { read ioctl lock execute execute_no_trans } | |
74 | (( h1 dom h2 ) or ( t1 == mcsreadall ) or |
75 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); | |
8cf67141 | 76 | |
808341bb | 77 | mlsconstrain file { write setattr append unlink link rename } |
ed00b68a | 78 | (( h1 dom h2 ) or ( t1 == mcswriteall ) or |
f441bdc2 | 79 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); |
80 | |
81 | mlsconstrain dir { search read ioctl lock } | |
82 | (( h1 dom h2 ) or ( t1 == mcsreadall ) or |
83 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); | |
84 | |
85 | mlsconstrain dir { write setattr append unlink link rename add_name remove_name } | |
86 | (( h1 dom h2 ) or ( t1 == mcswriteall ) or |
87 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); | |
8708d9be | 88 | |
89 | mlsconstrain fifo_file { open } |
90 | (( h1 dom h2 ) or ( t1 == mcsreadall ) or | |
91 | (( t1 != mcsuntrustedproc ) and ( t2 == domain ))); | |
92 | ||
93 | mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl } | |
94 | (( h1 dom h2 ) or ( t1 == mcsreadall ) or |
95 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); | |
96 | ||
620e4b70 | 97 | mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr } |
98 | (( h1 dom h2 ) or ( t1 == mcswriteall ) or |
99 | (( t1 != mcsuntrustedproc ) and (t2 == domain))); | |
100 | ||
101 | # New filesystem object labels must be dominated by the relabeling subject's |
102 | # clearance, and the objects must be single-level. | |
103 | mlsconstrain file { create relabelto } |
104 | (( h1 dom h2 ) and ( l2 eq h2 )); | |
a0824843 | 105 | |
77f6e2cd | 106 | # New file labels must be dominated by the relabeling subject's clearance
515889b1 | 107 | mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } |
108 | (( h1 dom h2 ) or ( t1 == mcswriteall )); |
109 | ||
110 | mlsconstrain { file lnk_file fifo_file } { create relabelto } | |
111 | ( l2 eq h2 ); | |
8e788ed2 | 112 | |
515889b1 | 113 | mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } |
d4e347f8 | 114 | ( h1 dom h2 ); |
8cf67141 | 115 | |
116 | mlsconstrain process { transition dyntransition } |
117 | (( h1 dom h2 ) or ( t1 == mcssetcats )); | |
118 | ||
8e788ed2 | 119 | mlsconstrain process { ptrace } |
46551033 | 120 | (( h1 dom h2) or ( t1 == mcsptraceall )); |
a0824843 | 121 | |
6ed3f15e | 122 | mlsconstrain process { sigkill sigstop } |
8e788ed2 | 123 | (( h1 dom h2 ) or ( t1 == mcskillall )); |
a0824843 | 124 | |
125 | mlsconstrain process { signal } |
126 | (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); | |
127 | ||
128 | # |
129 | # MCS policy for SELinux-enabled databases | |
130 | # | |
131 | ||
132 | # Any database object label must be dominated by the relabeling subject's | |
133 | # clearance, and the objects must be single-level. | |
82c32d5c | 134 | mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } |
135 | (( h1 dom h2 ) and ( l2 eq h2 )); |
136 | ||
137 | mlsconstrain { db_tuple } { insert relabelto } | |
138 | (( h1 dom h2 ) and ( l2 eq h2 )); | |
139 | ||
140 | # Access control for any database objects based on MCS rules. | |
350ed891 | 141 | mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } |
142 | ( h1 dom h2 ); |
143 | ||
144 | mlsconstrain db_language { drop getattr setattr relabelfrom execute } |
145 | ( h1 dom h2 ); | |
146 | ||
350ed891 | 147 | mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } |
148 | ( h1 dom h2 ); |
149 | ||
350ed891 | 150 | mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } |
151 | ( h1 dom h2 ); |
152 | ||
153 | mlsconstrain db_tuple { relabelfrom select update delete use } | |
154 | ( h1 dom h2 ); | |
155 | ||
156 | mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value } |
157 | ( h1 dom h2 ); | |
158 | ||
159 | mlsconstrain db_view { drop getattr setattr relabelfrom expand } | |
160 | ( h1 dom h2 ); | |
161 | ||
162 | mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install } | |
163 | ( h1 dom h2 ); | |
164 | ||
165 | mlsconstrain db_language { drop getattr setattr relabelfrom execute } | |
166 | ( h1 dom h2 ); |
167 | ||
350ed891 | 168 | mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } |
169 | ( h1 dom h2 ); |
170 | ||
171 | mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind |
172 | (( h1 dom h2 ) or ( t1 == mcsnetwrite )); | |
173 | ||
174 | # For the node recvfrom/sendto ops, the recvfrom permission is a "write" operation |
175 | # because the subject in this particular case is the remote domain, which is | |
176 | # writing data out through the network node, which is acting as the object. | |
177 | mlsconstrain { node } { recvfrom } | |
178 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
179 | ( t1 == mcsnetwrite ) or | |
180 | ( t1 == unlabeled_t )); | |
181 | mlsconstrain { node } { sendto } | |
182 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
183 | ( t1 == mcsnetwrite )); | |
184 | ||
1fb98d57 | 185 | mlsconstrain packet { send recv } |
5218e768 | 186 | (( h1 dom h2 ) or ( t1 == mcsnetwrite )); |
1fb98d57 | 187 | |
a0824843 | 188 | ') dnl end enable_mcs |