1 ifdef(`enable_mcs',`
# Multi-Category Security (MCS) policy. MCS uses one sensitivity and
# mcs_num_cats categories; the mlsconstrain rules below gate access on
# category dominance between the subject's high level (h1) and the object's
# high level (h2). Several rules let a subject whose type matches one of the
# mcs* exemptions (mcsreadall, mcswriteall, mcssetcats, mcsptraceall,
# mcskillall, mcsnetwrite) skip the dominance check entirely; any type given
# one of those names therefore bypasses category separation for that class.
2 #
3 # Define sensitivities
4 #
5 # MCS is single-sensitivity.
6
7 gen_sens(1)
8
9 #
10 # Define the categories
11 #
12 # Generate declarations
13
14 gen_cats(mcs_num_cats)
15
16 #
17 # Each MCS level specifies a sensitivity and zero or more categories which may
18 # be associated with that sensitivity.
19 #
20
21 gen_levels(1,mcs_num_cats)
22
23 #
24 # Define the MCS policy
25 #
26 # mlsconstrain class_set perm_set expression ;
27 #
28 # mlsvalidatetrans class_set expression ;
29 #
30 # expression : ( expression )
31 # | not expression
32 # | expression and expression
33 # | expression or expression
34 # | u1 op u2
35 # | r1 role_mls_op r2
36 # | t1 op t2
37 # | l1 role_mls_op l2
38 # | l1 role_mls_op h2
39 # | h1 role_mls_op l2
40 # | h1 role_mls_op h2
41 # | l1 role_mls_op h1
42 # | l2 role_mls_op h2
43 # | u1 op names
44 # | u2 op names
45 # | r1 op names
46 # | r2 op names
47 # | t1 op names
48 # | t2 op names
49 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
50 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
51 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
52 #
53 # op : == | !=
54 # role_mls_op : == | != | eq | dom | domby | incomp
55 #
56 # names : name | { name_list }
57 # name_list : name | name_list name
58 #
59
60 #
61 # MCS policy for the file classes
62 #
63 # Constrain file access so that the high range of the process dominates
64 # the high range of the file. We use the high range of the process so
65 # that processes can always simply run at s0.
66 #
67 # Note:
68 # - getattr on dirs/files is not constrained.
69 # - /proc/pid operations are not constrained.
70
# Read-side access: the subject's high level must dominate the object's, or
# the subject is mcsreadall. The third disjunct exempts every subject that is
# not mcsuntrustedproc when the object's type is in the domain attribute
# (presumably the /proc/pid case noted above -- confirm against how process
# files are labelled). The same shape is repeated for the write-side rules
# with mcswriteall in place of mcsreadall.
71 mlsconstrain file { read ioctl lock execute execute_no_trans }
72 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
73 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
74
75 mlsconstrain file { write setattr append unlink link rename }
76 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
77 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
78
79 mlsconstrain dir { search read ioctl lock }
80 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
81 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
82
83 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
84 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
85 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
86
# Note that only open is constrained for fifo_file here; the per-class
# read/write rules below do not list fifo_file.
87 mlsconstrain fifo_file { open }
88 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
89 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
90
91 mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
92 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
93 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
94
95 mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
96 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
97 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
98
99 # New filesystem object labels must be dominated by the relabeling subject
100 # clearance, also the objects are single-level.
# NOTE(review): for the file class this rule is also expressed by the two
# { create relabelto } constraints further down (l2 eq h2 and h1 dom h2);
# keeping both is harmless but redundant.
101 mlsconstrain file { create relabelto }
102 (( h1 dom h2 ) and ( l2 eq h2 ));
103
104 # Relabeling away from an existing label: the relabeling subject's clearance
# must dominate the object's current label, unless the subject is mcswriteall.
105 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
106 (( h1 dom h2 ) or ( t1 == mcswriteall ));
107
# These classes are single-level: the new label's low level must equal its high.
108 mlsconstrain { file lnk_file fifo_file } { create relabelto }
109 ( l2 eq h2 );
110
# ...and the new label must be dominated by the relabeling subject's clearance.
111 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
112 ( h1 dom h2 );
113
# A domain transition may not gain categories: the new context's high level
# must be dominated by the subject's, unless the subject is mcssetcats.
114 mlsconstrain process { transition dyntransition }
115 (( h1 dom h2 ) or ( t1 == mcssetcats ));
116
117 mlsconstrain process { ptrace }
118 (( h1 dom h2) or ( t1 == mcsptraceall ));
119
120 mlsconstrain process { sigkill sigstop }
121 (( h1 dom h2 ) or ( t1 == mcskillall ));
122
# Other signals are only category-constrained for mcsuntrustedproc subjects.
123 mlsconstrain process { signal }
124 (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
125
126 #
127 # MCS policy for SELinux-enabled databases
128 #
129
130 # Any database object must be dominated by the relabeling subject
131 # clearance, also the objects are single-level.
132 mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
133 (( h1 dom h2 ) and ( l2 eq h2 ));
134
135 mlsconstrain { db_tuple } { insert relabelto }
136 (( h1 dom h2 ) and ( l2 eq h2 ));
137
138 # Access control for any database objects based on MCS rules.
# Unlike the file rules above, the database rules have no mcs* exemption:
# dominance of the object's high level is always required.
139 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
140 ( h1 dom h2 );
141
142 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
143 ( h1 dom h2 );
144
145 mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
146 ( h1 dom h2 );
147
148 mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
149 ( h1 dom h2 );
150
151 mlsconstrain db_tuple { relabelfrom select update delete use }
152 ( h1 dom h2 );
153
154 mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
155 ( h1 dom h2 );
156
157 mlsconstrain db_view { drop getattr setattr relabelfrom expand }
158 ( h1 dom h2 );
159
160 mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
161 ( h1 dom h2 );
162
# NOTE(review): this db_language rule duplicates the identical one above;
# redundant but harmless.
163 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
164 ( h1 dom h2 );
165
166 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
167 ( h1 dom h2 );
168
169 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
170 (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
171
172 # the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
173 # because the subject in this particular case is the remote domain which is
174 # writing data out the network node which is acting as the object
# For both ops the subject's low level must lie within the node's range
# (dominate its low level and be dominated by its high level). recvfrom
# additionally exempts unlabeled_t subjects, presumably so that traffic from
# peers without a label is not blocked by the category check -- confirm;
# sendto carries no such exemption.
175 mlsconstrain { node } { recvfrom }
176 ((( l1 dom l2 ) and ( l1 domby h2 )) or
177 ( t1 == mcsnetwrite ) or
178 ( t1 == unlabeled_t ));
179 mlsconstrain { node } { sendto }
180 ((( l1 dom l2 ) and ( l1 domby h2 )) or
181 ( t1 == mcsnetwrite ));
182
183 mlsconstrain packet { send recv }
184 (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
185
186 ') dnl end enable_mcs