# MCS (Multi-Category Security) constraints for the reference policy.
# Only one sensitivity level is generated (gen_levels(1, ...) below), so every
# separation decision here comes from categories: the subject's high range (h1)
# must dominate the object's (h2) unless the subject carries one of the
# bypass attributes seen in the expressions (mcsreadall, mcswriteall,
# mcssetcats, mcsptraceall, mcskillall, mcsnetwrite).
5 # MCS is single-sensitivity.
10 # Define the categories
12 # Generate declarations
# mcs_num_cats is defined outside this excerpt (presumably by the policy
# build); it sets how many categories are declared.
14 gen_cats(mcs_num_cats)
17 # Each MCS level specifies a sensitivity and zero or more categories which may
18 # be associated with that sensitivity.
# One sensitivity (s0) carrying all mcs_num_cats categories.
21 gen_levels(1,mcs_num_cats)
24 # Define the MCS policy
26 # mlsconstrain class_set perm_set expression ;
28 # mlsvalidatetrans class_set expression ;
30 # expression : ( expression )
32 # | expression and expression
33 # | expression or expression
49 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
50 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
51 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
54 # role_mls_op : == | != | eq | dom | domby | incomp
56 # names : name | { name_list }
57 # name_list : name | name_list name
61 # MCS policy for the file classes
63 # Constrain file access so that the high range of the process dominates
64 # the high range of the file. We use the high range of the process so
65 # that processes can always simply run at s0.
68 # - getattr on dirs/files is not constrained.
69 # - /proc/pid operations are not constrained.
# Shape shared by the file constraints below:
#   (h1 dom h2)                                 -- normal category dominance
#   or (t1 == mcsreadall / mcswriteall)         -- subject bypasses the check
#   or ((t1 != mcsuntrustedproc) and (t2 == domain))
#                                               -- objects labeled with a
#                                                  domain type (presumably the
#                                                  /proc/pid case noted above;
#                                                  confirm) are open to every
#                                                  subject except
#                                                  mcsuntrustedproc ones.
71 mlsconstrain file { read ioctl lock execute execute_no_trans }
72 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
73 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
75 mlsconstrain file { write setattr append unlink link rename }
76 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
77 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
79 mlsconstrain dir { search read ioctl lock }
80 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
81 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
83 mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
84 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
85 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Only open is constrained on fifo_file here; read/write on an already-open
# fifo are not listed in this excerpt.
87 mlsconstrain fifo_file { open }
88 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
89 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));
# Unlike dir/file above, getattr IS constrained for these special-file classes.
91 mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
92 (( h1 dom h2 ) or ( t1 == mcsreadall ) or
93 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
95 mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
96 (( h1 dom h2 ) or ( t1 == mcswriteall ) or
97 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
99 # New filesystem object labels must be dominated by the relabeling subject's
100 # clearance, and the objects are single-level (l2 eq h2 forces low == high).
# Note there is no attribute bypass here: even mcswriteall subjects cannot
# create or relabel a file to categories they do not dominate.
101 mlsconstrain file { create relabelto }
102 (( h1 dom h2 ) and ( l2 eq h2 ));
104 # Existing file labels must be dominated by the relabeling subject's clearance
# (mcswriteall subjects are exempt from this side of a relabel).
105 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
106 (( h1 dom h2 ) or ( t1 == mcswriteall ));
108 mlsconstrain { file lnk_file fifo_file } { create relabelto }
111 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
# Process constraints. Each one allows the action when the caller dominates
# the target, or when the caller carries the named bypass attribute.
# mcssetcats: may transition into a context whose categories the caller does
# not dominate.
114 mlsconstrain process { transition dyntransition }
115 (( h1 dom h2 ) or ( t1 == mcssetcats ));
117 mlsconstrain process { ptrace }
118 (( h1 dom h2) or ( t1 == mcsptraceall ));
120 mlsconstrain process { sigkill sigstop }
121 (( h1 dom h2 ) or ( t1 == mcskillall ));
# Other signals are deliberately weaker: only mcsuntrustedproc subjects are
# held to category dominance; every other domain may signal any process.
123 mlsconstrain process { signal }
124 (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
127 # MCS policy for SELinux-enabled databases
130 # Any database object must be dominated by the relabeling subject's
131 # clearance, and the objects are single-level (l2 eq h2).
132 mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
133 (( h1 dom h2 ) and ( l2 eq h2 ));
# Tuples are inserted rather than created, hence the separate permission set.
135 mlsconstrain { db_tuple } { insert relabelto }
136 (( h1 dom h2 ) and ( l2 eq h2 ));
138 # Access control for any database objects based on MCS rules.
139 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
142 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
145 mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
148 mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
151 mlsconstrain db_tuple { relabelfrom select update delete use }
154 mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
157 mlsconstrain db_view { drop getattr setattr relabelfrom expand }
160 mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
# db_language appears twice in this section (also at line 142 above) with the
# same permission set; harmless if the expressions agree, but worth deduplicating.
163 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
166 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
# Network: binding a socket to a node requires dominance or mcsnetwrite.
169 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
170 (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
172 # For the node recvfrom/sendto operations, recvfrom is treated as a "write"
173 # operation because the subject in this case is the remote domain, which is
174 # writing data out through the network node acting as the object.
# Both directions require the peer's level l1 to fall within the node's range
# [l2, h2]. recvfrom additionally exempts unlabeled_t subjects -- presumably
# peers that carry no usable MCS label; confirm before relying on it, since
# such traffic is not category-checked at all.
175 mlsconstrain { node } { recvfrom }
176 ((( l1 dom l2 ) and ( l1 domby h2 )) or
177 ( t1 == mcsnetwrite ) or
178 ( t1 == unlabeled_t ));
179 mlsconstrain { node } { sendto }
180 ((( l1 dom l2 ) and ( l1 domby h2 )) or
181 ( t1 == mcsnetwrite ));
183 mlsconstrain packet { send recv }
184 (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
# Closes the m4 quote opened by the enable_mcs conditional earlier in the file.
186 ') dnl end enable_mcs