# New objects of the dir_file_class_set classes (an m4 class set defined
# elsewhere) take their MLS range from the low level of the creating
# operation's target (presumably the parent directory for file creation),
# not from the creating process's own range.
default_range dir_file_class_set target low;
7 # MCS is single-sensitivity.
12 # Define the categories
14 # Generate declarations
# Declare the category identifiers; mcs_num_cats (set elsewhere in the build)
# is how many categories the policy carries.
gen_cats(mcs_num_cats)
19 # Each MCS level specifies a sensitivity and zero or more categories which may
20 # be associated with that sensitivity.
# Declare the levels: MCS is single-sensitivity (see above), so the first
# argument, 1, is presumably the sensitivity count, and each level pairs that
# one sensitivity with a subset of the mcs_num_cats categories.
gen_levels(1,mcs_num_cats)
26 # Define the MCS policy
28 # mlsconstrain class_set perm_set expression ;
30 # mlsvalidatetrans class_set expression ;
32 # expression : ( expression )
34 # | expression and expression
35 # | expression or expression
51 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
52 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
53 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
56 # role_mls_op : == | != | eq | dom | domby | incomp
58 # names : name | { name_list }
59 # name_list : name | name_list name
63 # MCS policy for the file classes
# Constrain file access so that the high level (clearance, h1) of the process
# dominates the high level (h2) of the file. The process's clearance is used
# rather than its current level so that processes can always simply run at s0
# and still reach the category-labeled files within their clearance.
# - getattr on dirs and regular files is not constrained (it is constrained
#   for lnk/chr/blk/sock files below).
# - /proc/pid operations (objects labeled with a domain type, t2 == domain)
#   are not constrained, except for mcsuntrustedproc subjects.
# Reading or executing a file requires the subject's clearance (h1) to
# dominate the file's high level (h2). Two escapes: subjects in the
# mcsreadall attribute skip the check entirely, and any subject other than
# mcsuntrustedproc may access objects labeled with a domain type (t2 ==
# domain, i.e. the /proc/pid entries mentioned in the header) regardless of
# categories.
mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Writing, linking, renaming or unlinking a file requires the subject's
# clearance (h1) to dominate the file's high level (h2). Escapes mirror the
# read rule, with mcswriteall in place of mcsreadall: mcswriteall subjects
# skip the check, and any non-mcsuntrustedproc subject may write objects
# labeled with a domain type (/proc/pid) regardless of categories.
mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Searching or reading a directory requires the subject's clearance (h1) to
# dominate the directory's high level (h2), with the same escapes as the
# file read rule: mcsreadall subjects, and non-mcsuntrustedproc subjects on
# domain-typed objects (/proc/pid). getattr is deliberately absent from the
# permission set (see the header).
mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Modifying a directory, including adding or removing entries, requires the
# subject's clearance (h1) to dominate the directory's high level (h2).
# Escapes as for file writes: mcswriteall subjects, and non-mcsuntrustedproc
# subjects on domain-typed objects (/proc/pid).
mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# open is the only fifo_file permission constrained here; it follows the
# read-side pattern: the subject's clearance (h1) must dominate the FIFO's
# high level (h2), with the mcsreadall and domain-typed-object escapes.
mlsconstrain fifo_file { open }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	(( t1 != mcsuntrustedproc ) and ( t2 == domain )));
# Read-side rule for symlinks, device nodes and socket files. Unlike dirs and
# regular files, getattr IS constrained for these classes: the subject's
# clearance (h1) must dominate the object's high level (h2), with the
# mcsreadall and domain-typed-object escapes.
mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Write-side rule for symlinks, device nodes and socket files: the subject's
# clearance (h1) must dominate the object's high level (h2), with the
# mcswriteall and domain-typed-object escapes.
mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	(( t1 != mcsuntrustedproc ) and (t2 == domain)));
# Creating a file, or relabeling one to a new label: the new label's high
# level (h2) must be dominated by the subject's clearance (h1), and the label
# must be single-level (l2 eq h2). Note there is no mcswriteall escape here,
# unlike the relabelfrom rule that follows, so a subject can never give a
# regular file categories beyond its own clearance.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));
# Relabeling an object away from its current label: the object's current
# high level (h2) must be dominated by the subject's clearance (h1), unless
# the subject is in the mcswriteall attribute. No single-level requirement
# applies on this side; that is enforced by the create/relabelto rules.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	(( h1 dom h2 ) or ( t1 == mcswriteall ));
110 mlsconstrain { file lnk_file fifo_file } { create relabelto }
113 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
# Domain transitions (exec or dyntransition): the new context's clearance
# (h2) must be dominated by the current one (h1), unless the source is in
# the mcssetcats attribute. This is what stops a process from picking up
# additional categories by changing domain.
mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));
# Tracing another process requires the tracer's clearance (h1) to dominate
# the tracee's high level (h2); subjects in mcsptraceall are exempt.
mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));
# Killing or stopping a process requires the sender's clearance (h1) to
# dominate the target's high level (h2); only mcskillall subjects are exempt.
mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));
# Other signals are much weaker than sigkill/sigstop above: the dominance
# check (h1 dom h2) only applies to mcsuntrustedproc subjects; every other
# subject may signal any process regardless of categories. Contrast the
# sigkill/sigstop rule, where bypassing the check requires mcskillall.
mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
129 # MCS policy for SELinux-enabled databases
# The label of any newly created or relabeled database object must be
# dominated by the subject's clearance (h1 dom h2), and the object must be
# single-level (l2 eq h2).
# Creating or relabeling any database object (except tuples, handled next):
# the new label's high level (h2) must be dominated by the subject's
# clearance (h1) and must be single-level (l2 eq h2). As with files, there
# is no mcs* attribute escape on this side.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));
# Tuples are created by insert rather than create; the same rule applies: the
# new label's high level (h2) must be dominated by the subject's clearance
# (h1) and must be single-level (l2 eq h2).
mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));
140 # Access control for any database objects based on MCS rules.
141 mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
144 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
147 mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
150 mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
153 mlsconstrain db_tuple { relabelfrom select update delete use }
156 mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
159 mlsconstrain db_view { drop getattr setattr relabelfrom expand }
162 mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
165 mlsconstrain db_language { drop getattr setattr relabelfrom execute }
168 mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
# Binding a socket to a node address requires the subject's clearance (h1) to
# dominate the node's high level (h2); mcsnetwrite subjects are exempt.
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
# The node recvfrom/sendto ops: the recvfrom permission is a "write"
# operation because the subject in this particular case is the remote domain,
# which is writing data to the network node acting as the object.
# Receiving from a node: the subject is the remote peer (see the comment
# above), and its low level (l1) must fall within the node's range, i.e.
# l2 <= l1 <= h2. Escapes: mcsnetwrite subjects, and subjects of type
# unlabeled_t (presumably peers carrying no label), so traffic from an
# unlabeled peer is never category-checked on receive. The sendto rule below
# has no unlabeled_t escape.
mlsconstrain { node } { recvfrom }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	( t1 == mcsnetwrite ) or
	( t1 == unlabeled_t ));
# Sending to a node: the sending process's current (low) level l1, not its
# clearance h1 as in the file rules, must fall within the node's range
# (l2 <= l1 <= h2); mcsnetwrite subjects are exempt. Unlike recvfrom there
# is no unlabeled_t escape here.
mlsconstrain { node } { sendto }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	( t1 == mcsnetwrite ));
# Sending or receiving a labeled packet requires the subject's clearance (h1)
# to dominate the packet's high level (h2); mcsnetwrite subjects are exempt.
mlsconstrain packet { send recv }
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
188 ') dnl end enable_mcs