ifdef(`enable_mcs',`
# Objects of the dir_file_class_set classes that are created without an
# explicit range take the low level of the target (typically the parent
# directory) as their range.
default_range dir_file_class_set target low;

#
# Define sensitivities
#
# MCS is single-sensitivity: exactly one sensitivity is generated, and
# processes are expected to run at it (s0, see the file-class notes below).

gen_sens(1)

#
# Define the categories
#
# Generate declarations. mcs_num_cats is not set in this file; it is an m4
# symbol supplied from outside (presumably the build configuration) and it
# fixes how many categories exist.

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity. Here every one of the mcs_num_cats
# categories is made available at the single sensitivity.
#

gen_levels(1,mcs_num_cats)
24
25 #
26 # Define the MCS policy
27 #
28 # mlsconstrain class_set perm_set expression ;
29 #
30 # mlsvalidatetrans class_set expression ;
31 #
32 # expression : ( expression )
33 # | not expression
34 # | expression and expression
35 # | expression or expression
36 # | u1 op u2
37 # | r1 role_mls_op r2
38 # | t1 op t2
39 # | l1 role_mls_op l2
40 # | l1 role_mls_op h2
41 # | h1 role_mls_op l2
42 # | h1 role_mls_op h2
43 # | l1 role_mls_op h1
44 # | l2 role_mls_op h2
45 # | u1 op names
46 # | u2 op names
47 # | r1 op names
48 # | r2 op names
49 # | t1 op names
50 # | t2 op names
51 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
52 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
53 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
54 #
55 # op : == | !=
56 # role_mls_op : == | != | eq | dom | domby | incomp
57 #
58 # names : name | { name_list }
59 # name_list : name | name_list name
60 #
61
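#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
# Each data-access rule below also passes when:
# - the subject carries mcsreadall (read side) or mcswriteall (write side);
# - the object is labeled with a domain type (t2 == domain, e.g. a /proc/pid
#   entry) and the subject is not mcsuntrustedproc.
#
# Note:
# - getattr on dirs/files is not constrained (it is constrained on the
#   special files further down).
# - /proc/pid operations are not constrained.
# - open on file/dir is not constrained; the check is on the data
#   permissions (read/write/...), so it applies however the descriptor
#   was obtained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

# For fifos only open is checked, unlike file/dir where the data permissions
# are checked. NOTE(review): read/write on a fifo descriptor that was not
# opened by this subject (inherited or passed over a socket) are therefore
# not category-checked by this file; confirm that is intended.
mlsconstrain fifo_file { open }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and ( t2 == domain )));

mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));

# Relabeling away from a label requires the subject clearance to dominate
# the old label, unless the subject carries mcswriteall. The new label is
# checked by the create/relabelto rules that follow.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
	(( h1 dom h2 ) or ( t1 == mcswriteall ));

# New or relabeled file, symlink and fifo objects are single-level.
# dir, chr_file, blk_file and sock_file are not listed here and so may
# carry a range. NOTE(review): confirm that omission is intended.
mlsconstrain { file lnk_file fifo_file } { create relabelto }
	( l2 eq h2 );

# New filesystem object labels must be dominated by the relabeling subject
# clearance. There is no mcswriteall exemption on this side. Together with
# the rule above this fully covers the file class, so no separate file-only
# create/relabelto rule is needed.
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
	( h1 dom h2 );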
115
# A process may only move to a range its own clearance dominates, unless
# its domain carries mcssetcats.
mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

# Tracing a process in a range the tracer does not dominate is reserved to
# mcsptraceall.
mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));

# SIGKILL/SIGSTOP across categories is reserved to mcskillall ...
mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

# ... but every other signal (the signal permission, which in the standard
# access vectors covers e.g. SIGTERM) is only category-checked when the
# sender is mcsuntrustedproc; any other domain can signal any MCS level.
# sigchld and signull are not constrained in this file.
# NOTE(review): SIGTERM is usually as terminal as SIGKILL for the target,
# so confirm this asymmetry is intended.
mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));
127
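#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules: the subject
# clearance must dominate the object. Unlike the file rules above there is
# no mcsreadall/mcswriteall exemption for database objects.
# NOTE(review): db_schema is listed in the create/relabelto rule above but
# has no access-control rule here, so schema operations other than create
# and relabelto are not category-checked by this file; confirm that is
# intended.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_language { drop getattr setattr relabelfrom execute }
	( h1 dom h2 );

mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
	( h1 dom h2 );

mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }
	( h1 dom h2 );

mlsconstrain db_view { drop getattr setattr relabelfrom expand }
	( h1 dom h2 );

mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }
	( h1 dom h2 );

mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
	( h1 dom h2 );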
170
# A socket may only bind to a node whose range the subject clearance
# dominates, unless the domain carries mcsnetwrite.
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));

# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object.
# The level test requires the low level of the subject to lie within the
# range of the node: it must dominate the low end and be dominated by the
# high end.
# NOTE(review): recvfrom additionally passes for subjects of type
# unlabeled_t, i.e. traffic whose peer label is unknown is never
# category-checked here; confirm that is the intended trust boundary.
# No constraint on the socket-level peer permissions appears in this file.
mlsconstrain { node } { recvfrom }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ) or
	 ( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
	((( l1 dom l2 ) and ( l1 domby h2 )) or
	 ( t1 == mcsnetwrite ));

# Packets are checked on the high level only, like file access above,
# with the same mcsnetwrite exemption.
mlsconstrain packet { send recv }
	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
184
185 mlsconstrain packet { send recv }
186 (( h1 dom h2 ) or ( t1 == mcsnetwrite ));
187
188 ') dnl end enable_mcs