5 # Domination of sensitivities is in increasin
6 # numerical order, with s0 being the lowest
11 # Define the categories
13 # Generate declarations
15 gen_cats(mls_num_cats)
18 # Each MLS level specifies a sensitivity and zero or more categories which may
19 # be associated with that sensitivity.
21 # Generate levels from all sensitivities
24 gen_levels(mls_num_sens,mls_num_cats)
27 # Define the MLS policy
29 # mlsconstrain class_set perm_set expression ;
31 # mlsvalidatetrans class_set expression ;
33 # expression : ( expression )
35 # | expression and expression
36 # | expression or expression
52 # | u3 op names (NOTE: this is only available for mlsvalidatetrans)
53 # | r3 op names (NOTE: this is only available for mlsvalidatetrans)
54 # | t3 op names (NOTE: this is only available for mlsvalidatetrans)
57 # role_mls_op : == | != | eq | dom | domby | incomp
59 # names : name | { name_list }
60 # name_list : name | name_list name
64 # MLS policy for the file classes
67 # make sure these file classes are "single level"
68 mlsconstrain { file lnk_file fifo_file } { create relabelto }
71 # new file labels must be dominated by the relabeling subjects clearance
72 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
75 # the file "read" ops (note the check is dominance of the low level)
76 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
78 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
79 ( t1 == mlsfileread ) or
80 ( t2 == mlstrustedobject ));
82 mlsconstrain dir search
84 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
85 ( t1 == mlsfileread ) or
86 ( t2 == mlstrustedobject ));
88 # the "single level" file "write" ops
89 mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
91 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
92 (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
93 ( t1 == mlsfilewrite ) or
94 ( t2 == mlstrustedobject ));
96 # Directory "write" ops
97 mlsconstrain dir { add_name remove_name reparent rmdir }
99 (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
100 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
101 ( t1 == mlsfilewrite ) or
102 ( t2 == mlstrustedobject ));
104 # these access vectors have no MLS restrictions
105 # { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
107 # { file chr_file } { execute_no_trans entrypoint execmod }
109 # the file upgrade/downgrade rule
110 mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
112 (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
113 (( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
114 (( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
116 (( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
117 (( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
118 (( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
120 # create can also require the upgrade/downgrade checks if the creating process
121 # has used setfscreate (note that both the high and low level of the object
122 # default to the process sensitivity level)
123 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
125 (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
126 (( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
127 (( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
129 (( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
130 (( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
131 (( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
137 # MLS policy for the filesystem class
140 # new filesystem labels must be dominated by the relabeling subjects clearance
141 mlsconstrain filesystem relabelto
144 # the filesystem "read" ops (implicit single level)
145 mlsconstrain filesystem { getattr quotaget }
147 (( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
148 ( t1 == mlsfileread ));
150 # all the filesystem "write" ops (implicit single level)
151 mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
153 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
154 ( t1 == mlsfilewrite ));
156 # these access vectors have no MLS restrictions
157 # filesystem { transition associate }
163 # MLS policy for the socket classes
166 # new socket labels must be dominated by the relabeling subjects clearance
167 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
170 # the socket "read+write" ops
171 # (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
172 # require equal levels for unprivileged subjects, or read *and* write overrides)
173 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
175 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
176 ( t1 == mlsnetread )) and
177 ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
178 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
179 ( t1 == mlsnetwrite ))));
182 # the socket "read" ops (note the check is dominance of the low level)
183 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
185 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
186 ( t1 == mlsnetread ));
188 mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
190 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
191 ( t1 == mlsnetread ));
193 # the socket "write" ops
194 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
196 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
197 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
198 ( t1 == mlsnetwrite ));
200 # used by netlabel to restrict normal domains to same level connections
201 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
203 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
204 ( t1 == mlsnetread ));
206 # UNIX domain socket ops
207 mlsconstrain unix_stream_socket connectto
209 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
210 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
211 ( t1 == mlsnetwrite ) or
212 ( t2 == mlstrustedobject ));
214 mlsconstrain unix_dgram_socket sendto
216 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
217 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
218 ( t1 == mlsnetwrite ) or
219 ( t2 == mlstrustedobject ));
221 # these access vectors have no MLS restrictions
222 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
224 # { tcp_socket udp_socket rawip_socket } node_bind
226 # { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
228 # tcp_socket name_connect
230 # { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
232 # netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
234 # netlink_kobject_uevent_socket *
241 # MLS policy for the ipc classes
244 # the ipc "read" ops (implicit single level)
245 mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
247 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
248 ( t1 == mlsipcread ));
250 mlsconstrain msg receive
252 (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
253 ( t1 == mlsipcread ));
255 # the ipc "write" ops (implicit single level)
256 mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
258 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
259 ( t1 == mlsipcwrite ));
261 mlsconstrain msgq enqueue
263 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
264 ( t1 == mlsipcwrite ));
266 mlsconstrain shm lock
268 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
269 ( t1 == mlsipcwrite ));
271 mlsconstrain msg send
273 (( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
274 ( t1 == mlsipcwrite ));
276 # these access vectors have no MLS restrictions
277 # { ipc sem msgq shm } associate
283 # MLS policy for the fd class
286 # No sharing of open file descriptors between levels unless
287 # the process type is authorized to use fds created by
288 # other levels (mlsfduse) or the fd type is authorized to
289 # shared among levels (mlsfdshare).
290 mlsconstrain fd use (
297 # MLS policy for the network object classes
300 # the netif/node "read" ops (implicit single level socket doing the read)
301 # (note the check is dominance of the low level)
302 mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
303 (( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
305 # the netif/node "write" ops (implicit single level socket doing the write)
306 mlsconstrain { netif node } { tcp_send udp_send rawip_send }
308 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
310 # these access vectors have no MLS restrictions
317 # MLS policy for the network ingress/egress controls
320 # the netif ingress/egress ops, the ingress permission is a "write" operation
321 # because the subject in this particular case is the remote domain which is
322 # writing data out the network interface which is acting as the object
323 mlsconstrain { netif } { ingress }
324 ((( l1 dom l2 ) and ( l1 domby h2 )) or
325 ( t1 == mlsnetinbound ) or
326 ( t1 == unlabeled_t ));
327 mlsconstrain { netif } { egress }
328 ((( l1 dom l2 ) and ( l1 domby h2 )) or
329 ( t1 == mlsnetoutbound ));
331 # the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
332 # because the subject in this particular case is the remote domain which is
333 # writing data out the network node which is acting as the object
334 mlsconstrain { node } { recvfrom }
335 ((( l1 dom l2 ) and ( l1 domby h2 )) or
336 ( t1 == mlsnetinbound ) or
337 ( t1 == unlabeled_t ));
338 mlsconstrain { node } { sendto }
339 ((( l1 dom l2 ) and ( l1 domby h2 )) or
340 ( t1 == mlsnetoutbound ));
342 # the forward ops, the forward_in permission is a "write" operation because the
343 # subject in this particular case is the remote domain which is writing data
344 # to the network with a secmark label, the object in this case
345 mlsconstrain { packet } { forward_in }
346 ((( l1 dom l2 ) and ( l1 domby h2 )) or
347 ( t1 == mlsnetinbound ) or
348 ( t1 == unlabeled_t ));
349 mlsconstrain { packet } { forward_out }
350 ((( l1 dom l2 ) and ( l1 domby h2 )) or
351 ( t1 == mlsnetoutbound ) or
352 ( t1 == unlabeled_t ));
355 # MLS policy for the secmark and peer controls
358 # the peer/packet recv op
359 mlsconstrain { peer packet } { recv }
361 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
362 ( t1 == mlsnetread ));
368 # MLS policy for the process class
371 # new process labels must be dominated by the relabeling subjects clearance
372 # and sensitivity level changes require privilege
373 mlsconstrain process transition
375 (( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
376 (( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
377 mlsconstrain process dyntransition
379 (( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
381 # all the process "read" ops
382 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
384 (( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
385 ( t1 == mlsprocread ));
387 # all the process "write" ops (note the check is equality on the low level)
388 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
390 (( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
391 ( t1 == mlsprocwrite ));
393 # these access vectors have no MLS restrictions
394 # process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
400 # MLS policy for the security class
403 # these access vectors have no MLS restrictions
410 # MLS policy for the system class
413 # these access vectors have no MLS restrictions
420 # MLS policy for the capability class
423 # these access vectors have no MLS restrictions
430 # MLS policy for the passwd class
433 # these access vectors have no MLS restrictions
440 # MLS policy for the x_drawable class
443 # the x_drawable "read" ops (implicit single level)
444 mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive }
446 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
447 ( t1 == mlsxwinread ));
449 # the x_drawable "write" ops (implicit single level)
450 mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage }
452 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
453 ( t1 == mlsxwinwrite ));
455 # No MLS restrictions: x_drawable { show hide override }
459 # MLS policy for the x_gc class
462 # the x_gc "read" ops (implicit single level)
463 mlsconstrain x_gc { getattr use }
465 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
466 ( t1 == mlsxwinread ));
468 # the x_gc "write" ops (implicit single level)
469 mlsconstrain x_gc { create destroy setattr }
471 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
472 ( t1 == mlsxwinwrite ));
476 # MLS policy for the x_font class
479 # the x_font "read" ops (implicit single level)
480 mlsconstrain x_font { use }
482 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
483 ( t1 == mlsxwinread ));
485 # the x_font "write" ops (implicit single level)
486 mlsconstrain x_font { create destroy add_glyph remove_glyph }
488 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
489 ( t1 == mlsxwinwrite ));
491 # these access vectors have no MLS restrictions
496 # MLS policy for the x_colormap class
499 # the x_colormap "read" ops (implicit single level)
500 mlsconstrain x_colormap { read getattr use }
502 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
503 ( t1 == mlsxwinreadcolormap ) or
504 ( t1 == mlsxwinread ));
506 # the x_colormap "write" ops (implicit single level)
507 mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall }
509 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
510 ( t1 == mlsxwinwritecolormap ) or
511 ( t1 == mlsxwinwrite ));
515 # MLS policy for the x_property class
518 # the x_property "read" ops (implicit single level)
519 mlsconstrain x_property { read getattr }
521 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
522 ( t1 == mlsxwinreadproperty ) or
523 ( t1 == mlsxwinread ));
525 # the x_property "write" ops (implicit single level)
526 mlsconstrain x_property { create destroy write append setattr }
528 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
529 ( t1 == mlsxwinwriteproperty ) or
530 ( t1 == mlsxwinwrite ));
534 # MLS policy for the x_selection class
537 # the x_selection "read" ops (implicit single level)
538 mlsconstrain x_selection { read getattr }
540 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
541 ( t1 == mlsxwinreadselection ) or
542 ( t1 == mlsxwinread ));
544 # the x_selection "write" ops (implicit single level)
545 mlsconstrain x_selection { write setattr }
547 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
548 ( t1 == mlsxwinwriteselection ) or
549 ( t1 == mlsxwinwrite ));
553 # MLS policy for the x_cursor class
556 # the x_cursor "read" ops (implicit single level)
557 mlsconstrain x_cursor { read getattr use }
559 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
560 ( t1 == mlsxwinread ));
562 # the x_cursor "write" ops (implicit single level)
563 mlsconstrain x_cursor { create destroy write setattr }
565 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
566 ( t1 == mlsxwinwrite ));
570 # MLS policy for the x_client class
573 # the x_client "read" ops (implicit single level)
574 mlsconstrain x_client { getattr }
576 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
577 ( t1 == mlsxwinread ));
579 # the x_client "write" ops (implicit single level)
580 mlsconstrain x_client { destroy setattr manage }
582 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
583 ( t1 == mlsxwinwrite ));
587 # MLS policy for the x_device class
590 # the x_device "read" ops (implicit single level)
591 mlsconstrain x_device { getattr use read getfocus grab }
593 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
594 ( t1 == mlsxwinread ));
596 # the x_device "write" ops (implicit single level)
597 mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage }
599 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
600 ( t1 == mlsxwinwritexinput ) or
601 ( t1 == mlsxwinwrite ));
605 # MLS policy for the x_server class
608 # these access vectors have no MLS restrictions
613 # MLS policy for the x_extension class
616 # these access vectors have no MLS restrictions
617 # x_extension { query use }
621 # MLS policy for the x_resource class
624 # the x_resource "read" ops (implicit single level)
625 mlsconstrain x_resource { read }
627 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
628 ( t1 == mlsxwinread ));
630 # the x_resource "write" ops (implicit single level)
631 mlsconstrain x_resource { write }
633 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
634 ( t1 == mlsxwinwritexinput ) or
635 ( t1 == mlsxwinwrite ));
639 # MLS policy for the x_event class
642 # the x_event "read" ops (implicit single level)
643 mlsconstrain x_event { receive }
645 (( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
646 ( t1 == mlsxwinread ));
648 # the x_event "write" ops (implicit single level)
649 mlsconstrain x_event { send }
651 (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
652 ( t1 == mlsxwinwritexinput ) or
653 ( t1 == mlsxwinwrite ));
657 # MLS policy for the x_application_data class
660 # the x_application_data "paste" ops
661 mlsconstrain x_application_data { paste }
664 # the x_application_data "paste_after_confirm" ops
665 mlsconstrain x_application_data { paste_after_confirm }
671 # MLS policy for the dbus class
674 mlsconstrain dbus { send_msg }
676 ( t1 == mlsdbussend ) or
677 ( t2 == mlsdbusrecv ));
679 # these access vectors have no MLS restrictions
680 # dbus { acquire_svc }
686 # MLS policy for the nscd class
689 # these access vectors have no MLS restrictions
690 # nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
696 # MLS policy for the association class
699 mlsconstrain association { recvfrom }
700 ((( l1 dom l2 ) and ( l1 domby h2 )) or
701 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
702 ( t1 == mlsnetread ) or
703 ( t2 == unlabeled_t ));
705 mlsconstrain association { sendto }
707 (( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
708 ( t2 == unlabeled_t ));
710 mlsconstrain association { polmatch }
711 (( l1 dom l2 ) and ( h1 domby h2 ));
716 # MLS policy for the context class
719 mlsconstrain context translate
720 (( h1 dom h2 ) or ( t1 == mlstranslate ));
722 mlsconstrain context contains
723 (( h1 dom h2 ) and ( l1 domby l2));
726 # MLS policy for database classes
729 # make sure these database classes are "single level"
730 mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
732 mlsconstrain { db_tuple } { insert relabelto }
735 # new database labels must be dominated by the relabeling subjects clearance
736 mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
739 # the database "read" ops (note the check is dominance of the low level)
740 mlsconstrain { db_database } { getattr access get_param }
742 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
743 ( t1 == mlsdbread ) or
744 ( t2 == mlstrustedobject ));
746 mlsconstrain { db_schema } { getattr search }
748 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
749 ( t1 == mlsdbread ) or
750 ( t2 == mlstrustedobject ));
752 mlsconstrain { db_table } { getattr use select lock }
754 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
755 ( t1 == mlsdbread ) or
756 ( t2 == mlstrustedobject ));
758 mlsconstrain { db_column } { getattr use select }
760 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
761 ( t1 == mlsdbread ) or
762 ( t2 == mlstrustedobject ));
764 mlsconstrain { db_sequence } { getattr get_value next_value }
766 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
767 ( t1 == mlsdbread ) or
768 ( t2 == mlstrustedobject ));
770 mlsconstrain { db_view } { getattr expand }
772 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
773 ( t1 == mlsdbread ) or
774 ( t2 == mlstrustedobject ));
776 mlsconstrain { db_procedure } { getattr execute install }
778 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
779 ( t1 == mlsdbread ) or
780 ( t2 == mlstrustedobject ));
782 mlsconstrain { db_language } { getattr execute }
784 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
785 ( t1 == mlsdbread ) or
786 ( t2 == mlstrustedobject ));
788 mlsconstrain { db_blob } { getattr read export }
790 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
791 ( t1 == mlsdbread ) or
792 ( t2 == mlstrustedobject ));
794 mlsconstrain { db_tuple } { use select }
796 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
797 ( t1 == mlsdbread ) or
798 ( t2 == mlstrustedobject ));
800 # the "single level" file "write" ops
801 mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
803 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
804 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
805 ( t1 == mlsdbwrite ) or
806 ( t2 == mlstrustedobject ));
808 mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }
810 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
811 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
812 ( t1 == mlsdbwrite ) or
813 ( t2 == mlstrustedobject ));
815 mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
817 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
818 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
819 ( t1 == mlsdbwrite ) or
820 ( t2 == mlstrustedobject ));
822 mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
824 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
825 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
826 ( t1 == mlsdbwrite ) or
827 ( t2 == mlstrustedobject ));
829 mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }
831 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
832 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
833 ( t1 == mlsdbwrite ) or
834 ( t2 == mlstrustedobject ));
836 mlsconstrain { db_view } { create drop setattr relabelfrom }
838 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
839 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
840 ( t1 == mlsdbwrite ) or
841 ( t2 == mlstrustedobject ));
843 mlsconstrain { db_procedure } { create drop setattr relabelfrom }
845 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
846 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
847 ( t1 == mlsdbwrite ) or
848 ( t2 == mlstrustedobject ));
850 mlsconstrain { db_language } { create drop setattr relabelfrom }
852 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
853 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
854 ( t1 == mlsdbwrite ) or
855 ( t2 == mlstrustedobject ));
857 mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
859 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
860 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
861 ( t1 == mlsdbwrite ) or
862 ( t2 == mlstrustedobject ));
864 mlsconstrain { db_tuple } { relabelfrom update insert delete }
866 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
867 (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
868 ( t1 == mlsdbwrite ) or
869 ( t2 == mlstrustedobject ));
871 # the database upgrade/downgrade rule
872 mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }
874 (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
875 (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
876 (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
878 (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
879 (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
880 (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
882 ') dnl end enable_mls
projects / people / stevee / selinux-policy.git / blob