1 | ifdef(`enable_mls',` |
2 | # | |
3 | # Define sensitivities | |
4 | # | |
5 | # Domination of sensitivities is in increasing |
6 | # numerical order, with s0 being the lowest | |
134191be | 7 | |
e070dd2d | 8 | gen_sens(mls_num_sens) |
2705f9a0 | 9 | |
10 | # |
11 | # Define the categories | |
12 | # | |
e070dd2d | 13 | # Generate declarations |
134191be | 14 | |
e070dd2d | 15 | gen_cats(mls_num_cats) |
16 | |
17 | # | |
18 | # Each MLS level specifies a sensitivity and zero or more categories which may | |
19 | # be associated with that sensitivity. | |
20 | # | |
21 | # Generate levels from all sensitivities |
22 | # with all categories | |
134191be | 23 | |
e070dd2d | 24 | gen_levels(mls_num_sens,mls_num_cats) |
25 | |
26 | # | |
27 | # Define the MLS policy | |
28 | # | |
29 | # mlsconstrain class_set perm_set expression ; | |
30 | # | |
31 | # mlsvalidatetrans class_set expression ; | |
32 | # | |
33 | # expression : ( expression ) | |
34 | # | not expression | |
35 | # | expression and expression | |
36 | # | expression or expression | |
37 | # | u1 op u2 | |
38 | # | r1 role_mls_op r2 | |
39 | # | t1 op t2 | |
40 | # | l1 role_mls_op l2 | |
41 | # | l1 role_mls_op h2 | |
42 | # | h1 role_mls_op l2 | |
43 | # | h1 role_mls_op h2 | |
44 | # | l1 role_mls_op h1 | |
45 | # | l2 role_mls_op h2 | |
46 | # | u1 op names | |
47 | # | u2 op names | |
48 | # | r1 op names | |
49 | # | r2 op names | |
50 | # | t1 op names | |
51 | # | t2 op names | |
52 | # | u3 op names (NOTE: this is only available for mlsvalidatetrans) | |
53 | # | r3 op names (NOTE: this is only available for mlsvalidatetrans) | |
54 | # | t3 op names (NOTE: this is only available for mlsvalidatetrans) | |
55 | # | |
56 | # op : == | != | |
57 | # role_mls_op : == | != | eq | dom | domby | incomp | |
58 | # | |
59 | # names : name | { name_list } | |
2705f9a0 | 60 | # name_list : name | name_list name |
61 | # |
62 | ||
63 | # | |
64 | # MLS policy for the file classes | |
65 | # | |
66 | ||
67 | # make sure these file classes are "single level" | |
68 | mlsconstrain { file lnk_file fifo_file } { create relabelto } | |
69 | ( l2 eq h2 ); | |
70 | ||
bf080a46 | 71 | # new file labels must be dominated by the relabeling subject's clearance |
72 | mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto |
73 | ( h1 dom h2 ); | |
74 | ||
75 | # the file "read" ops (note the check is dominance of the low level) | |
76 | mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } | |
77 | (( l1 dom l2 ) or | |
78 | (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or | |
79 | ( t1 == mlsfileread ) or | |
80 | ( t2 == mlstrustedobject )); | |
81 | ||
82 | mlsconstrain dir search | |
83 | (( l1 dom l2 ) or | |
84 | (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or | |
85 | ( t1 == mlsfileread ) or | |
86 | ( t2 == mlstrustedobject )); | |
87 | ||
88 | # the "single level" file "write" ops | |
a5e2133b | 89 | mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton } |
90 | (( l1 eq l2 ) or |
91 | (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
f497b8df | 92 | (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or |
93 | ( t1 == mlsfilewrite ) or |
94 | ( t2 == mlstrustedobject )); | |
95 | ||
d62c0881 | 96 | # Directory "write" ops |
134191be | 97 | mlsconstrain dir { add_name remove_name reparent rmdir } |
98 | (( l1 eq l2 ) or |
99 | (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
100 | (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or |
101 | ( t1 == mlsfilewrite ) or | |
102 | ( t2 == mlstrustedobject )); | |
103 | ||
104 | # these access vectors have no MLS restrictions | |
105 | # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon } | |
106 | # | |
2705f9a0 | 107 | # { file chr_file } { execute_no_trans entrypoint execmod } |
108 | |
109 | # the file upgrade/downgrade rule | |
2705f9a0 | 110 | mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file } |
111 | ((( l1 eq l2 ) or |
112 | (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or | |
113 | (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or | |
114 | (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and | |
115 | (( h1 eq h2 ) or | |
116 | (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or | |
117 | (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or | |
118 | (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 )))); | |
119 | ||
120 | # create can also require the upgrade/downgrade checks if the creating process | |
121 | # has used setfscreate (note that both the high and low level of the object | |
122 | # default to the process sensitivity level) | |
123 | mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create | |
124 | ((( l1 eq l2 ) or | |
125 | (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or | |
126 | (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or | |
127 | (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and | |
128 | (( l1 eq h2 ) or | |
129 | (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or | |
130 | (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or | |
131 | (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 )))); | |
132 | ||
133 | ||
134 | |
135 | ||
136 | # |
137 | # MLS policy for the filesystem class | |
138 | # | |
139 | ||
bf080a46 | 140 | # new filesystem labels must be dominated by the relabeling subject's clearance |
141 | mlsconstrain filesystem relabelto |
142 | ( h1 dom h2 ); | |
143 | ||
144 | # the filesystem "read" ops (implicit single level) | |
145 | mlsconstrain filesystem { getattr quotaget } | |
146 | (( l1 dom l2 ) or | |
147 | (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or | |
148 | ( t1 == mlsfileread )); | |
149 | ||
150 | # all the filesystem "write" ops (implicit single level) | |
151 | mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } | |
152 | (( l1 eq l2 ) or | |
153 | (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
154 | ( t1 == mlsfilewrite )); | |
155 | ||
156 | # these access vectors have no MLS restrictions | |
157 | # filesystem { transition associate } | |
158 | ||
159 | ||
160 | |
161 | ||
162 | # |
163 | # MLS policy for the socket classes | |
164 | # | |
165 | ||
bf080a46 | 166 | # new socket labels must be dominated by the relabeling subject's clearance |
167 | mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto |
168 | ( h1 dom h2 ); | |
169 | ||
170 | # the socket "read+write" ops |
171 | # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR), | |
172 | # require equal levels for unprivileged subjects, or read *and* write overrides) | |
173 | mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect } | |
174 | (( l1 eq l2 ) or | |
175 | (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
176 | ( t1 == mlsnetread )) and | |
177 | ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
178 | (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
179 | ( t1 == mlsnetwrite )))); | |
180 | ||
181 | ||
2705f9a0 | 182 | # the socket "read" ops (note the check is dominance of the low level) |
130f8a4a | 183 | mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg } |
184 | (( l1 dom l2 ) or |
185 | (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
186 | ( t1 == mlsnetread )); | |
187 | ||
188 | mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read |
189 | (( l1 dom l2 ) or | |
190 | (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
191 | ( t1 == mlsnetread )); | |
192 | ||
193 | # the socket "write" ops | |
2705f9a0 | 194 | mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown } |
195 | (( l1 eq l2 ) or |
196 | (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
197 | (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or |
198 | ( t1 == mlsnetwrite )); | |
199 | ||
d62c0881 | 200 | # used by netlabel to restrict normal domains to same level connections |
b50f2ee4 | 201 | mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom |
202 | (( l1 eq l2 ) or |
203 | (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
d62c0881 | 204 | ( t1 == mlsnetread )); |
130f8a4a | 205 | |
206 | # UNIX domain socket ops |
207 | mlsconstrain unix_stream_socket connectto | |
208 | (( l1 eq l2 ) or | |
209 | (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
210 | (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
211 | ( t1 == mlsnetwrite ) or |
212 | ( t2 == mlstrustedobject )); | |
213 | |
214 | mlsconstrain unix_dgram_socket sendto | |
215 | (( l1 eq l2 ) or | |
216 | (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
217 | (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
218 | ( t1 == mlsnetwrite ) or |
219 | ( t2 == mlstrustedobject )); | |
4af2b3fb | 220 | |
134191be | 221 | # these access vectors have no MLS restrictions |
2705f9a0 | 222 | # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind } |
223 | # |
224 | # { tcp_socket udp_socket rawip_socket } node_bind | |
225 | # | |
226 | # { tcp_socket unix_stream_socket } { connectto newconn acceptfrom } |
227 | # | |
228 | # tcp_socket name_connect |
229 | # | |
230 | # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write |
231 | # | |
232 | # netlink_audit_socket { nlmsg_relay nlmsg_readpriv } |
233 | # | |
234 | # netlink_kobject_uevent_socket * | |
235 | # | |
236 | |
237 | ||
238 | |
239 | ||
240 | # |
241 | # MLS policy for the ipc classes | |
242 | # | |
243 | ||
244 | # the ipc "read" ops (implicit single level) | |
245 | mlsconstrain { ipc sem msgq shm } { getattr read unix_read } | |
246 | (( l1 dom l2 ) or | |
247 | (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or | |
248 | ( t1 == mlsipcread )); | |
249 | ||
250 | mlsconstrain msg receive | |
251 | (( l1 dom l2 ) or | |
252 | (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or | |
253 | ( t1 == mlsipcread )); | |
254 | ||
255 | # the ipc "write" ops (implicit single level) | |
256 | mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } | |
257 | (( l1 eq l2 ) or | |
258 | (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
259 | ( t1 == mlsipcwrite )); | |
260 | ||
261 | mlsconstrain msgq enqueue | |
262 | (( l1 eq l2 ) or | |
263 | (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
264 | ( t1 == mlsipcwrite )); | |
265 | ||
266 | mlsconstrain shm lock | |
267 | (( l1 eq l2 ) or | |
268 | (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
269 | ( t1 == mlsipcwrite )); | |
270 | ||
271 | mlsconstrain msg send | |
272 | (( l1 eq l2 ) or | |
273 | (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
274 | ( t1 == mlsipcwrite )); | |
275 | ||
276 | # these access vectors have no MLS restrictions | |
277 | # { ipc sem msgq shm } associate | |
278 | ||
279 | ||
280 | |
281 | ||
282 | # |
283 | # MLS policy for the fd class | |
284 | # | |
285 | ||
286 | # No sharing of open file descriptors between levels unless |
287 | # the process type is authorized to use fds created by | |
288 | # other levels (mlsfduse) or the fd type is authorized to be | |
289 | # shared among levels (mlsfdshare). | |
290 | mlsconstrain fd use ( | |
291 | l1 eq l2 | |
292 | or t1 == mlsfduse | |
293 | or t2 == mlsfdshare | |
294 | ); | |
295 | |
296 | # | |
2705f9a0 | 297 | # MLS policy for the network object classes |
298 | # |
299 | ||
300 | # the netif/node "read" ops (implicit single level socket doing the read) |
301 | # (note the check is dominance of the low level) | |
302 | mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv } | |
303 | (( l1 dom l2 ) or ( t1 == mlsnetrecvall )); | |
304 | ||
305 | # the netif/node "write" ops (implicit single level socket doing the write) | |
306 | mlsconstrain { netif node } { tcp_send udp_send rawip_send } | |
307 | (( l1 eq l2 ) or |
308 | (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 ))); | |
2705f9a0 | 309 | |
134191be | 310 | # these access vectors have no MLS restrictions |
63e0a1e0 | 311 | # node enforce_dest |
312 | |
313 | ||
314 | |
315 | ||
316 | # |
317 | # MLS policy for the network ingress/egress controls | |
318 | # | |
319 | ||
320 | # the netif ingress/egress ops, the ingress permission is a "write" operation | |
321 | # because the subject in this particular case is the remote domain which is | |
322 | # writing data out the network interface which is acting as the object | |
323 | mlsconstrain { netif } { ingress } | |
324 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
325 | ( t1 == mlsnetinbound ) or | |
326 | ( t1 == unlabeled_t )); | |
327 | mlsconstrain { netif } { egress } | |
328 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
329 | ( t1 == mlsnetoutbound )); | |
330 | ||
331 | # the node recvfrom/sendto ops, the recvfrom permission is a "write" operation | |
332 | # because the subject in this particular case is the remote domain which is | |
333 | # writing data out the network node which is acting as the object | |
334 | mlsconstrain { node } { recvfrom } | |
335 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
336 | ( t1 == mlsnetinbound ) or | |
337 | ( t1 == unlabeled_t )); | |
338 | mlsconstrain { node } { sendto } | |
339 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
340 | ( t1 == mlsnetoutbound )); | |
341 | ||
342 | # the forward ops, the forward_in permission is a "write" operation because the | |
343 | # subject in this particular case is the remote domain which is writing data | |
344 | # to the network; the secmark-labeled packet is the object in this case | |
345 | mlsconstrain { packet } { forward_in } | |
346 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
347 | ( t1 == mlsnetinbound ) or | |
348 | ( t1 == unlabeled_t )); | |
349 | mlsconstrain { packet } { forward_out } | |
350 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
351 | ( t1 == mlsnetoutbound ) or | |
352 | ( t1 == unlabeled_t )); | |
353 | ||
354 | # | |
355 | # MLS policy for the secmark and peer controls | |
356 | # | |
357 | ||
358 | # the peer/packet recv op | |
359 | mlsconstrain { peer packet } { recv } | |
360 | (( l1 dom l2 ) or | |
361 | (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
362 | ( t1 == mlsnetread )); | |
363 | ||
364 | ||
365 | ||
366 | ||
367 | # |
368 | # MLS policy for the process class | |
369 | # | |
370 | ||
bf080a46 | 371 | # new process labels must be dominated by the relabeling subject's clearance |
372 | # and sensitivity level changes require privilege |
373 | mlsconstrain process transition | |
374 | (( h1 dom h2 ) and | |
375 | (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or | |
376 | (( t1 == privrangetrans ) and ( t2 == mlsrangetrans )))); | |
377 | mlsconstrain process dyntransition | |
378 | (( h1 dom h2 ) and |
379 | (( l1 eq l2 ) or ( t1 == mlsprocsetsl ))); | |
380 | ||
381 | # all the process "read" ops | |
382 | mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } | |
383 | (( l1 dom l2 ) or | |
384 | (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or | |
385 | ( t1 == mlsprocread )); | |
386 | ||
387 | # all the process "write" ops (note the check is equality on the low level) | |
388 | mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share } | |
389 | (( l1 eq l2 ) or | |
390 | (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
391 | ( t1 == mlsprocwrite )); | |
392 | ||
393 | # these access vectors have no MLS restrictions | |
63e0a1e0 | 394 | # process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap } |
395 | |
396 | ||
397 | |
398 | ||
399 | # | |
400 | # MLS policy for the security class | |
401 | # | |
402 | ||
403 | # these access vectors have no MLS restrictions | |
404 | # security * | |
405 | ||
406 | ||
407 | |
408 | ||
409 | # |
410 | # MLS policy for the system class | |
411 | # | |
412 | ||
413 | # these access vectors have no MLS restrictions | |
414 | # system * | |
415 | ||
416 | ||
417 | |
418 | ||
419 | # |
420 | # MLS policy for the capability class | |
421 | # | |
422 | ||
423 | # these access vectors have no MLS restrictions | |
424 | # capability * | |
425 | ||
426 | ||
427 | ||
2705f9a0 | 428 | |
429 | # |
430 | # MLS policy for the passwd class | |
431 | # | |
432 | ||
433 | # these access vectors have no MLS restrictions | |
434 | # passwd * | |
435 | ||
436 | ||
437 | |
438 | ||
134191be | 439 | # |
2c12b471 | 440 | # MLS policy for the x_drawable class |
441 | # |
442 | ||
443 | # the x_drawable "read" ops (implicit single level) |
444 | mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive } | |
445 | (( l1 dom l2 ) or |
446 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
447 | ( t1 == mlsxwinread )); | |
448 | ||
449 | # the x_drawable "write" ops (implicit single level) |
450 | mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage } | |
451 | (( l1 eq l2 ) or |
452 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
453 | ( t1 == mlsxwinwrite )); | |
454 | ||
2c12b471 | 455 | # No MLS restrictions: x_drawable { show hide override } |
456 | |
457 | ||
134191be | 458 | # |
2c12b471 | 459 | # MLS policy for the x_gc class |
460 | # |
461 | ||
462 | # the x_gc "read" ops (implicit single level) |
463 | mlsconstrain x_gc { getattr use } | |
464 | (( l1 dom l2 ) or |
465 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
466 | ( t1 == mlsxwinread )); | |
467 | ||
468 | # the x_gc "write" ops (implicit single level) |
469 | mlsconstrain x_gc { create destroy setattr } | |
470 | (( l1 eq l2 ) or |
471 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
472 | ( t1 == mlsxwinwrite )); | |
473 | ||
474 | ||
475 | # | |
2c12b471 | 476 | # MLS policy for the x_font class |
477 | # |
478 | ||
479 | # the x_font "read" ops (implicit single level) |
480 | mlsconstrain x_font { use } | |
481 | (( l1 dom l2 ) or |
482 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
483 | ( t1 == mlsxwinread )); | |
484 | ||
485 | # the x_font "write" ops (implicit single level) |
486 | mlsconstrain x_font { create destroy add_glyph remove_glyph } | |
487 | (( l1 eq l2 ) or |
488 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
489 | ( t1 == mlsxwinwrite )); | |
490 | ||
491 | # these access vectors have no MLS restrictions | |
492 | # font use | |
493 | ||
494 | ||
495 | # | |
2c12b471 | 496 | # MLS policy for the x_colormap class |
497 | # |
498 | ||
499 | # the x_colormap "read" ops (implicit single level) |
500 | mlsconstrain x_colormap { read getattr use } | |
501 | (( l1 dom l2 ) or |
502 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
bf080a46 | 503 | ( t1 == mlsxwinreadcolormap ) or |
504 | ( t1 == mlsxwinread )); |
505 | ||
506 | # the x_colormap "write" ops (implicit single level) |
507 | mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall } | |
508 | (( l1 eq l2 ) or |
509 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
bf080a46 | 510 | ( t1 == mlsxwinwritecolormap ) or |
511 | ( t1 == mlsxwinwrite )); |
512 | ||
513 | ||
514 | # | |
2c12b471 | 515 | # MLS policy for the x_property class |
516 | # |
517 | ||
518 | # the x_property "read" ops (implicit single level) |
519 | mlsconstrain x_property { read getattr } | |
520 | (( l1 dom l2 ) or |
521 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
bf080a46 | 522 | ( t1 == mlsxwinreadproperty ) or |
523 | ( t1 == mlsxwinread )); |
524 | ||
525 | # the x_property "write" ops (implicit single level) |
526 | mlsconstrain x_property { create destroy write append setattr } | |
527 | (( l1 eq l2 ) or |
528 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
bf080a46 | 529 | ( t1 == mlsxwinwriteproperty ) or |
530 | ( t1 == mlsxwinwrite )); |
531 | ||
2705f9a0 | 532 | |
533 | # |
534 | # MLS policy for the x_selection class | |
535 | # | |
536 | ||
537 | # the x_selection "read" ops (implicit single level) | |
538 | mlsconstrain x_selection { read getattr } | |
539 | (( l1 dom l2 ) or | |
540 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
541 | ( t1 == mlsxwinreadselection ) or | |
542 | ( t1 == mlsxwinread )); | |
543 | ||
544 | # the x_selection "write" ops (implicit single level) | |
545 | mlsconstrain x_selection { write setattr } | |
546 | (( l1 eq l2 ) or | |
547 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
548 | ( t1 == mlsxwinwriteselection ) or | |
549 | ( t1 == mlsxwinwrite )); | |
550 | ||
551 | ||
134191be | 552 | # |
2c12b471 | 553 | # MLS policy for the x_cursor class |
554 | # |
555 | ||
556 | # the x_cursor "read" ops (implicit single level) |
557 | mlsconstrain x_cursor { read getattr use } | |
558 | (( l1 dom l2 ) or | |
559 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
560 | ( t1 == mlsxwinread )); | |
561 | ||
562 | # the x_cursor "write" ops (implicit single level) | |
563 | mlsconstrain x_cursor { create destroy write setattr } | |
564 | (( l1 eq l2 ) or |
565 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
566 | ( t1 == mlsxwinwrite )); | |
567 | ||
568 | ||
569 | # | |
2c12b471 | 570 | # MLS policy for the x_client class |
571 | # |
572 | ||
573 | # the x_client "read" ops (implicit single level) |
574 | mlsconstrain x_client { getattr } | |
575 | (( l1 dom l2 ) or | |
576 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
577 | ( t1 == mlsxwinread )); | |
578 | ||
579 | # the x_client "write" ops (implicit single level) | |
580 | mlsconstrain x_client { destroy setattr manage } | |
581 | (( l1 eq l2 ) or |
582 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
583 | ( t1 == mlsxwinwrite )); | |
584 | ||
585 | ||
586 | # | |
2c12b471 | 587 | # MLS policy for the x_device class |
588 | # |
589 | ||
590 | # the x_device "read" ops (implicit single level) |
591 | mlsconstrain x_device { getattr use read getfocus grab } | |
592 | (( l1 dom l2 ) or | |
593 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
594 | ( t1 == mlsxwinread )); | |
134191be | 595 | |
596 | # the x_device "write" ops (implicit single level) |
597 | mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage } | |
598 | (( l1 eq l2 ) or |
599 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
bf080a46 | 600 | ( t1 == mlsxwinwritexinput ) or |
601 | ( t1 == mlsxwinwrite )); |
602 | ||
603 | ||
604 | # |
605 | # MLS policy for the x_server class | |
606 | # | |
607 | ||
608 | # these access vectors have no MLS restrictions | |
609 | # x_server * | |
610 | |
611 | ||
612 | # | |
2c12b471 | 613 | # MLS policy for the x_extension class |
614 | # |
615 | ||
bf080a46 | 616 | # these access vectors have no MLS restrictions |
617 | # x_extension { query use } |
618 | ||
134191be | 619 | |
620 | # |
621 | # MLS policy for the x_resource class | |
622 | # | |
623 | ||
624 | # the x_resource "read" ops (implicit single level) | |
625 | mlsconstrain x_resource { read } | |
626 | (( l1 dom l2 ) or | |
627 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
628 | ( t1 == mlsxwinread )); | |
134191be | 629 | |
630 | # the x_resource "write" ops (implicit single level) |
631 | mlsconstrain x_resource { write } | |
632 | (( l1 eq l2 ) or | |
633 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
634 | ( t1 == mlsxwinwritexinput ) or | |
635 | ( t1 == mlsxwinwrite )); | |
636 | |
637 | ||
134191be | 638 | # |
2c12b471 | 639 | # MLS policy for the x_event class |
640 | # |
641 | ||
642 | # the x_event "read" ops (implicit single level) |
643 | mlsconstrain x_event { receive } | |
644 | (( l1 dom l2 ) or | |
645 | (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or | |
646 | ( t1 == mlsxwinread )); | |
647 | ||
648 | # the x_event "write" ops (implicit single level) | |
649 | mlsconstrain x_event { send } | |
650 | (( l1 eq l2 ) or | |
651 | (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
652 | ( t1 == mlsxwinwritexinput ) or | |
653 | ( t1 == mlsxwinwrite )); | |
654 | ||
134191be | 655 | |
656 | # |
657 | # MLS policy for the x_application_data class | |
658 | # | |
659 | ||
6a824f63 | 660 | # the x_application_data "paste" ops |
d923d54c | 661 | mlsconstrain x_application_data { paste } |
6a824f63 | 662 | ( l1 domby l2 ); |
d923d54c | 663 | |
6a824f63 | 664 | # the x_application_data "paste_after_confirm" ops |
d923d54c | 665 | mlsconstrain x_application_data { paste_after_confirm } |
6a824f63 | 666 | ( l1 dom l2 ); |
d923d54c | 667 | |
134191be | 668 | |
2705f9a0 | 669 | |
670 | # |
671 | # MLS policy for the dbus class | |
672 | # | |
673 | ||
674 | mlsconstrain dbus { send_msg } |
675 | (( l1 eq l2 ) or | |
676 | ( t1 == mlsdbussend ) or | |
677 | ( t2 == mlsdbusrecv )); | |
678 | ||
134191be | 679 | # these access vectors have no MLS restrictions |
936f286c | 680 | # dbus { acquire_svc } |
681 | |
682 | ||
683 | |
684 | ||
685 | # |
686 | # MLS policy for the nscd class | |
687 | # | |
688 | ||
689 | # these access vectors have no MLS restrictions | |
690 | # nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } | |
691 | ||
692 | ||
693 | |
694 | ||
695 | # |
696 | # MLS policy for the association class | |
697 | # | |
698 | ||
699 | mlsconstrain association { recvfrom } |
700 | ((( l1 dom l2 ) and ( l1 domby h2 )) or | |
701 | (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or | |
702 | ( t1 == mlsnetread ) or | |
703 | ( t2 == unlabeled_t )); | |
704 | ||
705 | mlsconstrain association { sendto } | |
706 | (( l1 eq l2 ) or |
707 | (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or | |
708 | ( t2 == unlabeled_t )); |
709 | ||
710 | mlsconstrain association { polmatch } | |
d31d3c15 | 711 | (( l1 dom l2 ) and ( h1 domby h2 )); |
134191be | 712 | |
713 | |
714 | ||
715 | # | |
716 | # MLS policy for the context class | |
717 | # | |
718 | ||
719 | mlsconstrain context translate | |
720 | (( h1 dom h2 ) or ( t1 == mlstranslate )); | |
721 | ||
c6a60bb2 | 722 | mlsconstrain context contains |
4c365f4a | 723 | (( h1 dom h2 ) and ( l1 domby l2)); |
c6a60bb2 | 724 | |
725 | # |
726 | # MLS policy for database classes | |
727 | # | |
728 | ||
729 | # make sure these database classes are "single level" | |
82c32d5c | 730 | mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } |
731 | ( l2 eq h2 ); |
732 | mlsconstrain { db_tuple } { insert relabelto } | |
733 | ( l2 eq h2 ); | |
734 | ||
735 | # new database labels must be dominated by the relabeling subject's clearance | |
82c32d5c | 736 | mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } |
737 | ( h1 dom h2 ); |
738 | ||
739 | # the database "read" ops (note the check is dominance of the low level) | |
740 | mlsconstrain { db_database } { getattr access get_param } | |
741 | (( l1 dom l2 ) or | |
742 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
743 | ( t1 == mlsdbread ) or | |
744 | ( t2 == mlstrustedobject )); | |
745 | ||
746 | mlsconstrain { db_schema } { getattr search } |
747 | (( l1 dom l2 ) or | |
748 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
749 | ( t1 == mlsdbread ) or | |
750 | ( t2 == mlstrustedobject )); | |
751 | ||
752 | mlsconstrain { db_table } { getattr use select lock } |
753 | (( l1 dom l2 ) or | |
754 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
755 | ( t1 == mlsdbread ) or | |
756 | ( t2 == mlstrustedobject )); | |
757 | ||
758 | mlsconstrain { db_column } { getattr use select } | |
759 | (( l1 dom l2 ) or |
760 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
761 | ( t1 == mlsdbread ) or | |
762 | ( t2 == mlstrustedobject )); | |
763 | ||
# db_sequence and db_view: same read rule as db_database. next_value is
# classed as a read even though it advances the sequence.
764 | mlsconstrain { db_sequence } { getattr get_value next_value } |
765 | (( l1 dom l2 ) or | |
766 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
767 | ( t1 == mlsdbread ) or | |
768 | ( t2 == mlstrustedobject )); | |
769 | ||
770 | mlsconstrain { db_view } { getattr expand } | |
771 | (( l1 dom l2 ) or | |
772 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
773 | ( t1 == mlsdbread ) or | |
774 | ( t2 == mlstrustedobject )); | |
# db_procedure: same read rule as db_database; execute and install are
# gated like reads here, the write-side permissions are constrained below.
466e22a8 | 776 | mlsconstrain { db_procedure } { getattr execute install } |
9760cbec CP |
777 | (( l1 dom l2 ) or |
778 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
779 | ( t1 == mlsdbread ) or | |
780 | ( t2 == mlstrustedobject )); | |
781 | ||
# db_language: same read rule as db_database.
782 | mlsconstrain { db_language } { getattr execute } |
783 | (( l1 dom l2 ) or | |
784 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
785 | ( t1 == mlsdbread ) or | |
786 | ( t2 == mlstrustedobject )); | |
# db_blob and db_tuple: same read rule as db_database.
350ed891 | 788 | mlsconstrain { db_blob } { getattr read export } |
9760cbec CP |
789 | (( l1 dom l2 ) or |
790 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
791 | ( t1 == mlsdbread ) or | |
792 | ( t2 == mlstrustedobject )); | |
793 | ||
794 | mlsconstrain { db_tuple } { use select } | |
795 | (( l1 dom l2 ) or | |
796 | (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or | |
797 | ( t1 == mlsdbread ) or | |
798 | ( t2 == mlstrustedobject )); | |
799 | ||
800 | # the "single level" database "write" ops | |
# Write is permitted when any one of these holds:
#   ( l1 eq l2 )                                        subject and object share the same low level
#   t1 mlsdbwritetoclr and ( h1 dom l2 ) and ( l1 domby l2 )  object low level lies within the subject's range [l1, h1]
#   t2 mlsdbwriteinrange and ( l1 dom l2 ) and ( h1 domby h2 )  subject range lies within the object's range [l2, h2]
#   t1 mlsdbwrite                                       subject type exempt from the level check
#   t2 mlstrustedobject                                 object type exempt from the level check
# The same five-way disjunction is repeated for every database class below.
801 | mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } | |
802 | (( l1 eq l2 ) or | |
803 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
804 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
805 | ( t1 == mlsdbwrite ) or | |
806 | ( t2 == mlstrustedobject )); | |
807 | ||
# db_schema: same write rule as db_database; add_name/remove_name
# (directory-like namespace changes) count as writes.
808 | mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name } |
809 | (( l1 eq l2 ) or | |
810 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
811 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
812 | ( t1 == mlsdbwrite ) or | |
813 | ( t2 == mlstrustedobject )); | |
# db_table and db_column: same write rule as db_database. db_column has no
# delete permission in its set; row deletion is constrained on db_table/db_tuple.
350ed891 | 815 | mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete } |
9760cbec CP |
816 | (( l1 eq l2 ) or |
817 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
818 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
819 | ( t1 == mlsdbwrite ) or | |
820 | ( t2 == mlstrustedobject )); | |
821 | ||
822 | mlsconstrain { db_column } { create drop setattr relabelfrom update insert } | |
823 | (( l1 eq l2 ) or | |
824 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
825 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
826 | ( t1 == mlsdbwrite ) or | |
827 | ( t2 == mlstrustedobject )); | |
828 | ||
# db_sequence and db_view: same write rule as db_database.
829 | mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value } |
830 | (( l1 eq l2 ) or | |
831 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
832 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
833 | ( t1 == mlsdbwrite ) or | |
834 | ( t2 == mlstrustedobject )); | |
835 | ||
836 | mlsconstrain { db_view } { create drop setattr relabelfrom } | |
837 | (( l1 eq l2 ) or | |
838 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
839 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
840 | ( t1 == mlsdbwrite ) or | |
841 | ( t2 == mlstrustedobject )); | |
# db_procedure: same write rule as db_database.
843 | mlsconstrain { db_procedure } { create drop setattr relabelfrom } |
844 | (( l1 eq l2 ) or | |
845 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
846 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
847 | ( t1 == mlsdbwrite ) or | |
848 | ( t2 == mlstrustedobject )); | |
# db_language: same write rule as db_database.
850 | mlsconstrain { db_language } { create drop setattr relabelfrom } |
851 | (( l1 eq l2 ) or | |
852 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
853 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
854 | ( t1 == mlsdbwrite ) or | |
855 | ( t2 == mlstrustedobject )); | |
# db_blob and db_tuple: same write rule as db_database. db_tuple has no
# create permission here; its insert/relabelto are handled by the
# "single level" constraint at the top of this section.
350ed891 | 857 | mlsconstrain { db_blob } { create drop setattr relabelfrom write import } |
9760cbec CP |
858 | (( l1 eq l2 ) or |
859 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
860 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
861 | ( t1 == mlsdbwrite ) or | |
862 | ( t2 == mlstrustedobject )); | |
863 | ||
864 | mlsconstrain { db_tuple } { relabelfrom update insert delete } | |
865 | (( l1 eq l2 ) or | |
866 | (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or | |
867 | (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or | |
868 | ( t1 == mlsdbwrite ) or | |
869 | ( t2 == mlstrustedobject )); | |
871 | # the database upgrade/downgrade rule | |
# mlsvalidatetrans checks a context change: as used here l1/h1 is the range
# before the change and l2/h2 the range after it (the mlsdbupgrade terms
# require l1 domby l2 / h1 domby h2), and t3 is the type of the process
# performing the change (t3 is only available in mlsvalidatetrans, see the
# grammar at the top of the file).
# The change is allowed only if BOTH halves hold: the low level is unchanged,
# raised by an mlsdbupgrade type, or lowered/made incomparable by an
# mlsdbdowngrade type; and the high level satisfies the same rule.
82c32d5c | 872 | mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } |
9760cbec CP |
873 | ((( l1 eq l2 ) or |
874 | (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or | |
875 | (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or | |
876 | (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and | |
# NOTE(review): the first term of the high-level half compares l1 with h2,
# whereas its other three terms compare h1 with h2 and the low-level half
# opens with ( l1 eq l2 ). ( h1 eq h2 ) was presumably intended; as written,
# the high-level half is satisfied whenever the old low level equals the new
# high level, so the high level can be changed without an mlsdbupgrade or
# mlsdbdowngrade type in that case. Confirm against the intended semantics
# before changing.
877 | (( l1 eq h2 ) or | |
878 | (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or | |
879 | (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or | |
880 | (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 )))); | |
881 | ||
134191be | 882 | ') dnl end enable_mls |