selinux-refpolicy/policy/flask/access_vectors

865 lines
8.9 KiB
Plaintext
Raw Normal View History

#
# Define common prefixes for access vectors
#
# common common_name { permission_name ... }
#
# Define a common prefix for file access vectors.
#
common file
{
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
unlink
link
rename
execute
swapon
quotaon
mounton
}
#
# Define a common prefix for socket access vectors.
#
common socket
{
# inherited from file
ioctl
read
write
create
getattr
setattr
lock
relabelfrom
relabelto
append
# socket-specific
bind
connect
listen
accept
getopt
setopt
shutdown
recvfrom
sendto
recv_msg
send_msg
name_bind
}
#
# Define a common prefix for ipc access vectors.
#
common ipc
{
create
destroy
getattr
setattr
read
write
associate
unix_read
unix_write
}
#
# Define a common prefix for userspace database object access vectors.
#
common database
{
create
drop
getattr
setattr
relabelfrom
relabelto
}
#
# Define a common prefix for pointer and keyboard access vectors.
#
common x_device
{
getattr
setattr
use
read
write
getfocus
setfocus
bell
force_cursor
freeze
grab
manage
list_property
get_property
set_property
add
remove
create
destroy
}
#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
#
# Define the access vector interpretation for file-related objects.
#
class filesystem
{
mount
remount
unmount
getattr
relabelfrom
relabelto
transition
associate
quotamod
quotaget
}
class dir
inherits file
{
add_name
remove_name
reparent
search
rmdir
open
2011-03-28 15:45:46 +00:00
audit_access
execmod
}
class file
inherits file
{
execute_no_trans
entrypoint
execmod
open
2011-03-28 15:45:46 +00:00
audit_access
}
class lnk_file
inherits file
2011-03-28 15:45:46 +00:00
{
open
audit_access
execmod
}
class chr_file
inherits file
{
execute_no_trans
entrypoint
execmod
open
2011-03-28 15:45:46 +00:00
audit_access
}
class blk_file
inherits file
{
open
2011-03-28 15:45:46 +00:00
audit_access
execmod
}
class sock_file
inherits file
2009-03-11 14:58:03 +00:00
{
open
2011-03-28 15:45:46 +00:00
audit_access
execmod
2009-03-11 14:58:03 +00:00
}
class fifo_file
inherits file
{
open
2011-03-28 15:45:46 +00:00
audit_access
execmod
}
class fd
{
use
}
#
# Define the access vector interpretation for network-related objects.
#
class socket
inherits socket
class tcp_socket
inherits socket
{
connectto
newconn
acceptfrom
node_bind
name_connect
}
class udp_socket
inherits socket
{
node_bind
}
class rawip_socket
inherits socket
{
node_bind
}
class node
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
enforce_dest
2007-02-26 15:39:59 +00:00
dccp_recv
dccp_send
recvfrom
sendto
}
class netif
{
tcp_recv
tcp_send
udp_recv
udp_send
rawip_recv
rawip_send
2007-02-26 15:39:59 +00:00
dccp_recv
dccp_send
ingress
egress
}
class netlink_socket
inherits socket
class packet_socket
inherits socket
class key_socket
inherits socket
class unix_stream_socket
inherits socket
{
connectto
newconn
acceptfrom
}
class unix_dgram_socket
inherits socket
#
# Define the access vector interpretation for process-related objects
#
class process
{
fork
transition
sigchld # commonly granted from child to parent
sigkill # cannot be caught or ignored
sigstop # cannot be caught or ignored
signull # for kill(pid, 0)
signal # all other signals
ptrace
getsched
setsched
getsession
getpgid
setpgid
getcap
setcap
share
getattr
setexec
setfscreate
noatsecure
siginh
setrlimit
rlimitinh
dyntransition
setcurrent
execmem
execstack
execheap
2006-06-21 21:02:49 +00:00
setkeycreate
setsockcreate
}
#
# Define the access vector interpretation for ipc-related objects
#
class ipc
inherits ipc
class sem
inherits ipc
class msgq
inherits ipc
{
enqueue
}
class msg
{
send
receive
}
class shm
inherits ipc
{
lock
}
#
# Define the access vector interpretation for the security server.
#
class security
{
compute_av
compute_create
compute_member
check_context
load_policy
compute_relabel
compute_user
setenforce # was avc_toggle in system class
setbool
setsecparam
setcheckreqprot
2011-03-28 15:45:46 +00:00
read_policy
}
#
# Define the access vector interpretation for system operations.
#
class system
{
ipc_info
syslog_read
syslog_mod
syslog_console
module_request
}
#
# Define the access vector interpretation for controling capabilies
#
class capability
{
# The capabilities are defined in include/linux/capability.h
# Capabilities >= 32 are defined in the capability2 class.
# Care should be taken to ensure that these are consistent with
# those definitions. (Order matters)
chown
dac_override
dac_read_search
fowner
fsetid
kill
setgid
setuid
setpcap
linux_immutable
net_bind_service
net_broadcast
net_admin
net_raw
ipc_lock
ipc_owner
sys_module
sys_rawio
sys_chroot
sys_ptrace
sys_pacct
sys_admin
sys_boot
sys_nice
sys_resource
sys_time
sys_tty_config
mknod
lease
audit_write
audit_control
setfcap
}
class capability2
{
mac_override # unused by SELinux
mac_admin # unused by SELinux
2011-01-19 19:11:00 +00:00
syslog
}
#
# Define the access vector interpretation for controlling
# changes to passwd information.
#
class passwd
{
passwd # change another user passwd
chfn # change another user finger info
chsh # change another user shell
rootok # pam_rootok check (skip auth)
crontab # crontab on another user
}
#
# SE-X Windows stuff
#
2008-04-01 20:23:23 +00:00
class x_drawable
{
create
destroy
2008-04-01 20:23:23 +00:00
read
write
blend
getattr
2008-04-01 20:23:23 +00:00
setattr
list_child
add_child
remove_child
list_property
get_property
set_property
manage
override
show
hide
send
receive
}
2008-04-01 20:23:23 +00:00
class x_screen
{
getattr
setattr
2008-04-01 20:23:23 +00:00
hide_cursor
show_cursor
saver_getattr
saver_setattr
saver_hide
saver_show
}
2008-04-01 20:23:23 +00:00
class x_gc
{
create
destroy
getattr
setattr
2008-04-01 20:23:23 +00:00
use
}
class x_font
{
create
destroy
getattr
2008-04-01 20:23:23 +00:00
add_glyph
remove_glyph
use
}
2008-04-01 20:23:23 +00:00
class x_colormap
{
create
2008-04-01 20:23:23 +00:00
destroy
read
write
getattr
add_color
remove_color
install
uninstall
2008-04-01 20:23:23 +00:00
use
}
class x_property
{
create
destroy
read
2008-04-01 20:23:23 +00:00
write
append
getattr
setattr
}
2008-04-01 20:23:23 +00:00
class x_selection
{
read
write
2008-04-01 20:23:23 +00:00
getattr
setattr
}
2008-04-01 20:23:23 +00:00
class x_cursor
{
create
2008-04-01 20:23:23 +00:00
destroy
read
write
getattr
setattr
2008-04-01 20:23:23 +00:00
use
}
2008-04-01 20:23:23 +00:00
class x_client
{
2008-04-01 20:23:23 +00:00
destroy
getattr
setattr
manage
}
2008-04-01 20:23:23 +00:00
class x_device
inherits x_device
2008-04-01 20:23:23 +00:00
class x_server
{
getattr
2008-04-01 20:23:23 +00:00
setattr
record
debug
grab
2008-04-01 20:23:23 +00:00
manage
}
2008-04-01 20:23:23 +00:00
class x_extension
{
query
use
}
2008-04-01 20:23:23 +00:00
class x_resource
{
read
write
}
class x_event
{
2008-04-01 20:23:23 +00:00
send
receive
}
class x_synthetic_event
{
send
receive
}
#
# Extended Netlink classes
#
class netlink_route_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_firewall_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_tcpdiag_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_nflog_socket
inherits socket
class netlink_xfrm_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_selinux_socket
inherits socket
class netlink_audit_socket
inherits socket
{
nlmsg_read
nlmsg_write
nlmsg_relay
nlmsg_readpriv
2009-03-05 14:11:24 +00:00
nlmsg_tty_audit
}
class netlink_ip6fw_socket
inherits socket
{
nlmsg_read
nlmsg_write
}
class netlink_dnrt_socket
inherits socket
# Define the access vector interpretation for controlling
# access and communication through the D-BUS messaging
# system.
#
class dbus
{
acquire_svc
send_msg
}
# Define the access vector interpretation for controlling
# access through the name service cache daemon (nscd).
#
class nscd
{
getpwd
getgrp
gethost
getstat
admin
2005-07-08 19:44:12 +00:00
shmempwd
shmemgrp
shmemhost
getserv
shmemserv
}
# Define the access vector interpretation for controlling
# access to IPSec network data by association
#
class association
{
2005-07-08 19:44:12 +00:00
sendto
recvfrom
2006-01-06 16:01:30 +00:00
setcontext
polmatch
}
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
inherits socket
2006-05-04 20:40:49 +00:00
class appletalk_socket
inherits socket
2006-05-19 17:45:46 +00:00
class packet
{
send
recv
relabelto
flow_in # deprecated
flow_out # deprecated
forward_in
forward_out
2006-05-19 17:45:46 +00:00
}
2006-06-21 21:02:49 +00:00
class key
{
view
read
write
search
link
setattr
create
}
class context
{
translate
contains
}
2007-02-26 15:39:59 +00:00
class dccp_socket
inherits socket
{
node_bind
name_connect
}
class memprotect
{
mmap_zero
}
class db_database
inherits database
{
access
install_module
load_module
get_param # deprecated
set_param # deprecated
}
class db_table
inherits database
{
use # deprecated
select
update
insert
delete
lock
}
class db_procedure
inherits database
{
execute
entrypoint
install
}
class db_column
inherits database
{
use # deprecated
select
update
insert
}
class db_tuple
{
relabelfrom
relabelto
use # deprecated
select
update
insert
delete
}
class db_blob
inherits database
{
read
write
import
export
}
# network peer labels
class peer
{
recv
}
class x_application_data
{
paste
paste_after_confirm
copy
}
class kernel_service
{
use_as_override
create_files_as
}
2009-08-31 12:44:11 +00:00
class tun_socket
inherits socket
class x_pointer
inherits x_device
class x_keyboard
inherits x_device
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
class db_schema
inherits database
{
search
add_name
remove_name
}
class db_view
inherits database
{
expand
}
class db_sequence
inherits database
{
get_value
next_value
set_value
}
class db_language
inherits database
{
implement
execute
}