[people/stevee/selinux-policy.git] / policy / mcs

ifdef(`enable_mcs',`
default_range dir_file_class_set target low;

#
# Define sensitivities 
#
# MCS is single-sensitivity.

gen_sens(1)

#
# Define the categories
#
# Generate declarations

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#

gen_levels(1,mcs_num_cats)

#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_mls_op r2
#	     | t1 op t2
#	     | l1 role_mls_op l2
#	     | l1 role_mls_op h2
#	     | h1 role_mls_op l2
#	     | h1 role_mls_op h2
#	     | l1 role_mls_op h1
#	     | l2 role_mls_op h2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file.  We use the high range of the process so
# that processes can always simply run at s0.
#
# Note:
#  - getattr on dirs/files is not constrained.
#  - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain fifo_file { open }
    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
     (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
    (( h1 dom h2 ) or ( t1 == mcsreadall ) or
     (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
    (( h1 dom h2 ) or ( t1 == mcswriteall ) or
     (( t1 != mcsuntrustedproc ) and (t2 == domain)));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	(( h1 dom h2 ) or ( t1 == mcswriteall ));

mlsconstrain { file lnk_file fifo_file } { create relabelto }
	( l2 eq h2 );

mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
	( h1 dom h2 );

mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));

mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));

#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
	( h1 dom h2 );

mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	( h1 dom h2 );

mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	( h1 dom h2 );

mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	( h1 dom h2 );

mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
	( h1 dom h2 );

mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ) or
	 ( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ));

mlsconstrain packet { send recv }
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

') dnl end enable_mcs
Commit	Line	Data
a0824843	1	ifdef(`enable_mcs',`
a9cf611b DW	2	default_range dir_file_class_set target low;
a9cf611b DW	3
a0824843 CP	4	#
	5	# Define sensitivities
	6	#
a0824843	7	# MCS is single-sensitivity.
a0824843	8
e070dd2d	9	gen_sens(1)
a0824843 CP	10
	11	#
	12	# Define the categories
	13	#
e070dd2d	14	# Generate declarations
a9e03b37	15
e070dd2d	16	gen_cats(mcs_num_cats)
a0824843 CP	17
	18	#
	19	# Each MCS level specifies a sensitivity and zero or more categories which may
	20	# be associated with that sensitivity.
	21	#
e070dd2d CP	22
e070dd2d CP	23	gen_levels(1,mcs_num_cats)
a0824843 CP	24
	25	#
	26	# Define the MCS policy
	27	#
	28	# mlsconstrain class_set perm_set expression ;
	29	#
	30	# mlsvalidatetrans class_set expression ;
	31	#
	32	# expression : ( expression )
	33	# \| not expression
	34	# \| expression and expression
	35	# \| expression or expression
	36	# \| u1 op u2
	37	# \| r1 role_mls_op r2
	38	# \| t1 op t2
	39	# \| l1 role_mls_op l2
	40	# \| l1 role_mls_op h2
	41	# \| h1 role_mls_op l2
	42	# \| h1 role_mls_op h2
	43	# \| l1 role_mls_op h1
	44	# \| l2 role_mls_op h2
	45	# \| u1 op names
	46	# \| u2 op names
	47	# \| r1 op names
	48	# \| r2 op names
	49	# \| t1 op names
	50	# \| t2 op names
	51	# \| u3 op names (NOTE: this is only available for mlsvalidatetrans)
	52	# \| r3 op names (NOTE: this is only available for mlsvalidatetrans)
	53	# \| t3 op names (NOTE: this is only available for mlsvalidatetrans)
	54	#
	55	# op : == \| !=
	56	# role_mls_op : == \| != \| eq \| dom \| domby \| incomp
	57	#
	58	# names : name \| { name_list }
	59	# name_list : name \| name_list name
	60	#
	61
	62	#
	63	# MCS policy for the file classes
	64	#
	65	# Constrain file access so that the high range of the process dominates
	66	# the high range of the file. We use the high range of the process so
	67	# that processes can always simply run at s0.
	68	#
808341bb CP	69	# Note:
	70	# - getattr on dirs/files is not constrained.
	71	# - /proc/pid operations are not constrained.
	72
	73	mlsconstrain file { read ioctl lock execute execute_no_trans }
f441bdc2 DW	74	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
f441bdc2 DW	75	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
8cf67141	76
808341bb	77	mlsconstrain file { write setattr append unlink link rename }
ed00b68a	78	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
f441bdc2	79	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
808341bb CP	80
808341bb CP	81	mlsconstrain dir { search read ioctl lock }
f441bdc2 DW	82	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
f441bdc2 DW	83	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
808341bb CP	84
808341bb CP	85	mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
f441bdc2 DW	86	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
f441bdc2 DW	87	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
8708d9be	88
620e4b70 MG	89	mlsconstrain fifo_file { open }
	90	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	91	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
	92
	93	mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
8953255e MG	94	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	95	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
	96
620e4b70	97	mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
8953255e MG	98	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	99	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
	100
cdc86ee5 CP	101	# New filesystem object labels must be dominated by the relabeling subject
cdc86ee5 CP	102	# clearance, also the objects are single-level.
8e788ed2 CP	103	mlsconstrain file { create relabelto }
8e788ed2 CP	104	(( h1 dom h2 ) and ( l2 eq h2 ));
a0824843	105
77f6e2cd	106	# new file labels must be dominated by the relabeling subject clearance
515889b1	107	mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
d4e347f8 DW	108	(( h1 dom h2 ) or ( t1 == mcswriteall ));
	109
	110	mlsconstrain { file lnk_file fifo_file } { create relabelto }
	111	( l2 eq h2 );
8e788ed2	112
515889b1	113	mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
d4e347f8	114	( h1 dom h2 );
8cf67141	115
9779f092 CP	116	mlsconstrain process { transition dyntransition }
	117	(( h1 dom h2 ) or ( t1 == mcssetcats ));
	118
8e788ed2	119	mlsconstrain process { ptrace }
46551033	120	(( h1 dom h2) or ( t1 == mcsptraceall ));
a0824843	121
6ed3f15e	122	mlsconstrain process { sigkill sigstop }
8e788ed2	123	(( h1 dom h2 ) or ( t1 == mcskillall ));
a0824843	124
6ed3f15e DW	125	mlsconstrain process { signal }
	126	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
	127
9760cbec CP	128	#
	129	# MCS policy for SELinux-enabled databases
	130	#
	131
	132	# Any database object must be dominated by the relabeling subject
	133	# clearance, also the objects are single-level.
82c32d5c	134	mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
9760cbec CP	135	(( h1 dom h2 ) and ( l2 eq h2 ));
	136
	137	mlsconstrain { db_tuple } { insert relabelto }
	138	(( h1 dom h2 ) and ( l2 eq h2 ));
	139
	140	# Access control for any database objects based on MCS rules.
350ed891	141	mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
9760cbec CP	142	( h1 dom h2 );
9760cbec CP	143
82c32d5c KK	144	mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	145	( h1 dom h2 );
	146
350ed891	147	mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
9760cbec CP	148	( h1 dom h2 );
9760cbec CP	149
350ed891	150	mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
9760cbec CP	151	( h1 dom h2 );
	152
	153	mlsconstrain db_tuple { relabelfrom select update delete use }
	154	( h1 dom h2 );
	155
82c32d5c KK	156	mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	157	( h1 dom h2 );
	158
	159	mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	160	( h1 dom h2 );
	161
	162	mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	163	( h1 dom h2 );
	164
	165	mlsconstrain db_language { drop getattr setattr relabelfrom execute }
9760cbec CP	166	( h1 dom h2 );
9760cbec CP	167
350ed891	168	mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
9760cbec CP	169	( h1 dom h2 );
9760cbec CP	170
74df3513 DW	171	mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	172	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
	173
d93ac322 DW	174	# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
	175	# because the subject in this particular case is the remote domain which is
	176	# writing data out the network node which is acting as the object
	177	mlsconstrain { node } { recvfrom }
	178	((( l1 dom l2 ) and ( l1 domby h2 )) or
	179	( t1 == mcsnetwrite ) or
	180	( t1 == unlabeled_t ));
	181	mlsconstrain { node } { sendto }
	182	((( l1 dom l2 ) and ( l1 domby h2 )) or
	183	( t1 == mcsnetwrite ));
	184
1fb98d57	185	mlsconstrain packet { send recv }
5218e768	186	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
1fb98d57	187
a0824843	188	') dnl end enable_mcs