RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux-refpolicy/policy/mls

883 lines
27 KiB
Plaintext
Raw Normal View History

move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
ifdef(`enable_mls',`
#
# Define sensitivities
#
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
# Domination of sensitivities is in increasin
# numerical order, with s0 being the lowest
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
gen_sens(mls_num_sens)
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define the categories
#
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
# Generate declarations
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
gen_cats(mls_num_cats)
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
# Generate levels from all sensitivities
# with all categories
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options.
2006-10-04 17:25:34 +00:00
gen_levels(mls_num_sens,mls_num_cats)
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# Define the MLS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# name_list : name | name_list name
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
#
# MLS policy for the file classes
#
# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
part of dan's mega patch
2006-01-06 22:51:40 +00:00
# new file labels must be dominated by the relabeling subjects clearance
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
mlsconstrain dir search
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
patch from dan Wed, 23 Aug 2006 14:03:49 -0400
2006-08-29 02:41:00 +00:00
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
Christopher J. PeBenito wrote: > We could add another 'or' on the above constraint: > > or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) ) > > I believe that would be the constraint you were looking for. I don't > like the name of that attribute, but I couldn't come up with a better > one off the top of my head. :) > Attached is a patch which I've tested against selinux-policy-2.4.2-1 that implements this additional constraint. The name is still a bit forced, but it works. -matt <mra at hp dot com>
2006-11-01 15:42:22 +00:00
(( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
# Directory "write" ops
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
mlsconstrain dir { add_name remove_name reparent rmdir }
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
(( l1 eq l2 ) or
(( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# { file chr_file } { execute_no_trans entrypoint execmod }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# the file upgrade/downgrade rule
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( h1 eq h2 ) or
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the filesystem class
#
part of dan's mega patch
2006-01-06 22:51:40 +00:00
# new filesystem labels must be dominated by the relabeling subjects clearance
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
mlsconstrain filesystem relabelto
( h1 dom h2 );
# the filesystem "read" ops (implicit single level)
mlsconstrain filesystem { getattr quotaget }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ));
# all the filesystem "write" ops (implicit single level)
mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ));
# these access vectors have no MLS restrictions
# filesystem { transition associate }
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the socket classes
#
part of dan's mega patch
2006-01-06 22:51:40 +00:00
# new socket labels must be dominated by the relabeling subjects clearance
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
# the socket "read+write" ops
# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
# require equal levels for unprivileged subjects, or read *and* write overrides)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
(( l1 eq l2 ) or
(((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread )) and
((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ))));
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# the socket "read" ops (note the check is dominance of the low level)
merge netlabel stuff from labeled-networking branch
2006-10-17 16:58:17 +00:00
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
# used by netlabel to restrict normal domains to same level connections
It was just pointed out to me that the raw IP socket class is missing from the recvfrom MLS constraint. Signed-off-by: Paul Moore
2007-03-09 14:45:19 +00:00
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
merge netlabel stuff from labeled-networking branch
2006-10-17 16:58:17 +00:00
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
( t1 == mlsnetread ));
merge netlabel stuff from labeled-networking branch
2006-10-17 16:58:17 +00:00
Add back missing s0 on network_port().
2010-03-08 12:59:56 +00:00
# UNIX domain socket ops
mlsconstrain unix_stream_socket connectto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
Add trusted object condition to unix socket connectto/sendto, to fix label translation.
2010-04-29 15:29:39 +00:00
( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject ));
Add back missing s0 on network_port().
2010-03-08 12:59:56 +00:00
mlsconstrain unix_dgram_socket sendto
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
Add trusted object condition to unix socket connectto/sendto, to fix label translation.
2010-04-29 15:29:39 +00:00
( t1 == mlsnetwrite ) or
( t2 == mlstrustedobject ));
Add back missing s0 on network_port().
2010-03-08 12:59:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# these access vectors have no MLS restrictions
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
#
updated mls comments from chad hanson
2006-03-13 15:36:38 +00:00
# tcp_socket name_connect
#
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
updated mls comments from chad hanson
2006-03-13 15:36:38 +00:00
# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
#
# netlink_kobject_uevent_socket *
#
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the ipc classes
#
# the ipc "read" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
mlsconstrain msg receive
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msgq enqueue
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain shm lock
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msg send
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
# these access vectors have no MLS restrictions
# { ipc sem msgq shm } associate
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the fd class
#
add mls fd constraints
2006-09-15 19:05:03 +00:00
# No sharing of open file descriptors between levels unless
# the process type is authorized to use fds created by
# other levels (mlsfduse) or the fd type is authorized to
# shared among levels (mlsfdshare).
mlsconstrain fd use (
l1 eq l2
or t1 == mlsfduse
or t2 == mlsfdshare
);
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# MLS policy for the network object classes
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# the netif/node "read" ops (implicit single level socket doing the read)
# (note the check is dominance of the low level)
mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
# the netif/node "write" ops (implicit single level socket doing the write)
mlsconstrain { netif node } { tcp_send udp_send rawip_send }
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )));
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# these access vectors have no MLS restrictions
updated mls comments from chad hanson
2006-03-13 15:36:38 +00:00
# node enforce_dest
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: add MLS constrains for ingress/egress permissions from Paul Moore. Add MLS constraints for several network related access controls including the new ingress/egress controls and the older Secmark controls. Based on the following post to the SELinux Reference Policy mailing list: * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
2009-03-02 15:16:49 +00:00
#
# MLS policy for the network ingress/egress controls
#
# the netif ingress/egress ops, the ingress permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network interface which is acting as the object
mlsconstrain { netif } { ingress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { netif } { egress }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the node recvfrom/sendto ops, the recvfrom permission is a "write" operation
# because the subject in this particular case is the remote domain which is
# writing data out the network node which is acting as the object
mlsconstrain { node } { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { node } { sendto }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ));
# the forward ops, the forward_in permission is a "write" operation because the
# subject in this particular case is the remote domain which is writing data
# to the network with a secmark label, the object in this case
mlsconstrain { packet } { forward_in }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetinbound ) or
( t1 == unlabeled_t ));
mlsconstrain { packet } { forward_out }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t1 == mlsnetoutbound ) or
( t1 == unlabeled_t ));
#
# MLS policy for the secmark and peer controls
#
# the peer/packet recv op
mlsconstrain { peer packet } { recv }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the process class
#
part of dan's mega patch
2006-01-06 22:51:40 +00:00
# new process labels must be dominated by the relabeling subjects clearance
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
# and sensitivity level changes require privilege
mlsconstrain process transition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
(( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
mlsconstrain process dyntransition
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
# all the process "read" ops
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(( l1 dom l2 ) or
(( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
updated mls comments from chad hanson
2006-03-13 15:36:38 +00:00
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the security class
#
# these access vectors have no MLS restrictions
# security *
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the system class
#
# these access vectors have no MLS restrictions
# system *
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the capability class
#
# these access vectors have no MLS restrictions
# capability *
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the passwd class
#
# these access vectors have no MLS restrictions
# passwd *
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_drawable class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_drawable "read" ops (implicit single level)
mlsconstrain x_drawable { read blend getattr list_child list_property get_property receive }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_drawable "write" ops (implicit single level)
mlsconstrain x_drawable { create destroy write setattr add_child remove_child send manage }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# No MLS restrictions: x_drawable { show hide override }
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_gc class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_gc "read" ops (implicit single level)
mlsconstrain x_gc { getattr use }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_gc "write" ops (implicit single level)
mlsconstrain x_gc { create destroy setattr }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_font class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_font "read" ops (implicit single level)
mlsconstrain x_font { use }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_font "write" ops (implicit single level)
mlsconstrain x_font { create destroy add_glyph remove_glyph }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# font use
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_colormap class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_colormap "read" ops (implicit single level)
mlsconstrain x_colormap { read getattr use }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
part of dan's mega patch
2006-01-06 22:51:40 +00:00
( t1 == mlsxwinreadcolormap ) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsxwinread ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_colormap "write" ops (implicit single level)
mlsconstrain x_colormap { create destroy write add_color remove_color install uninstall }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
part of dan's mega patch
2006-01-06 22:51:40 +00:00
( t1 == mlsxwinwritecolormap ) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsxwinwrite ));
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_property class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_property "read" ops (implicit single level)
mlsconstrain x_property { read getattr }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
part of dan's mega patch
2006-01-06 22:51:40 +00:00
( t1 == mlsxwinreadproperty ) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsxwinread ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_property "write" ops (implicit single level)
mlsconstrain x_property { create destroy write append setattr }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
part of dan's mega patch
2006-01-06 22:51:40 +00:00
( t1 == mlsxwinwriteproperty ) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsxwinwrite ));
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
trunk: MLS constraints for the x_selection class, from Eamon Walsh.
2009-06-05 13:36:19 +00:00
#
# MLS policy for the x_selection class
#
# the x_selection "read" ops (implicit single level)
mlsconstrain x_selection { read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadselection ) or
( t1 == mlsxwinread ));
# the x_selection "write" ops (implicit single level)
mlsconstrain x_selection { write setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwriteselection ) or
( t1 == mlsxwinwrite ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_cursor class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_cursor "read" ops (implicit single level)
mlsconstrain x_cursor { read getattr use }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_cursor "write" ops (implicit single level)
mlsconstrain x_cursor { create destroy write setattr }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_client class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_client "read" ops (implicit single level)
mlsconstrain x_client { getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_client "write" ops (implicit single level)
mlsconstrain x_client { destroy setattr manage }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_device class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_device "read" ops (implicit single level)
mlsconstrain x_device { getattr use read getfocus grab }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_device "write" ops (implicit single level)
mlsconstrain x_device { setattr write setfocus bell force_cursor freeze manage }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
part of dan's mega patch
2006-01-06 22:51:40 +00:00
( t1 == mlsxwinwritexinput ) or
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
( t1 == mlsxwinwrite ));
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
#
# MLS policy for the x_server class
#
# these access vectors have no MLS restrictions
# x_server *
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_extension class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
part of dan's mega patch
2006-01-06 22:51:40 +00:00
# these access vectors have no MLS restrictions
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# x_extension { query use }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
#
# MLS policy for the x_resource class
#
# the x_resource "read" ops (implicit single level)
mlsconstrain x_resource { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_resource "write" ops (implicit single level)
mlsconstrain x_resource { write }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# MLS policy for the x_event class
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
trunk: add core xselinux support.
2008-04-01 20:23:23 +00:00
# the x_event "read" ops (implicit single level)
mlsconstrain x_event { receive }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the x_event "write" ops (implicit single level)
mlsconstrain x_event { send }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
#
# MLS policy for the x_application_data class
#
trunk: update mls constraints for x_application_data.
2008-09-05 14:27:01 +00:00
# the x_application_data "paste" ops
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
mlsconstrain x_application_data { paste }
trunk: update mls constraints for x_application_data.
2008-09-05 14:27:01 +00:00
( l1 domby l2 );
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
trunk: update mls constraints for x_application_data.
2008-09-05 14:27:01 +00:00
# the x_application_data "paste_after_confirm" ops
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
mlsconstrain x_application_data { paste_after_confirm }
trunk: update mls constraints for x_application_data.
2008-09-05 14:27:01 +00:00
( l1 dom l2 );
trunk: X application data class from Eamon Walsh and Ted Toth.
2008-05-06 14:37:05 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the dbus class
#
trunk: add mls constraints to dbus.
2008-01-03 20:37:25 +00:00
mlsconstrain dbus { send_msg }
(( l1 eq l2 ) or
( t1 == mlsdbussend ) or
( t2 == mlsdbusrecv ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
# these access vectors have no MLS restrictions
trunk: add mls constraints to dbus.
2008-01-03 20:37:25 +00:00
# dbus { acquire_svc }
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the nscd class
#
# these access vectors have no MLS restrictions
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
begin merging in upstream NSA CVS changes
2005-09-12 21:40:56 +00:00
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
#
# MLS policy for the association class
#
This patch adds a polmatch avperm to arbitrate flow/state's access to a xfrm policy. It also defines MLS policy for association { sendto, recvfrom, polmatch }. NOTE: When an inbound packet is not using an IPSec SA, a check is performed between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For MLS purposes however, the target of the check should be the MLS label taken from the node sid (or secmark in the new secmark world). This would present a severe performance overhead (to make a new sid based on the unlabeled sid with the MLS taken from the node sid or secmark and then using this sid as the target). Pending reconciliation of the netlabel, ipsec and iptables contexts, I have chosen to currently make an exception for unlabeled_t SAs if TE policy allowed it. A similar problem exists for the outbound case and it has been similarly handled in the policy below (by making an exception for unlabeled_t). I am submitting the below limited patch pending a comprehensive patch from Joy Latten at IBM (latten@austin.ibm.com). I am not sure if I needed to manually do a "make tolib" in the flask subdir and submit the results as well. Please let me know if I needed to. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
mlsconstrain association { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ) or
( t2 == unlabeled_t ));
mlsconstrain association { sendto }
Update MLS constraints from LSPP evaluated policy.
2007-08-24 14:14:29 +00:00
(( l1 eq l2 ) or
(( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
This patch adds a polmatch avperm to arbitrate flow/state's access to a xfrm policy. It also defines MLS policy for association { sendto, recvfrom, polmatch }. NOTE: When an inbound packet is not using an IPSec SA, a check is performed between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For MLS purposes however, the target of the check should be the MLS label taken from the node sid (or secmark in the new secmark world). This would present a severe performance overhead (to make a new sid based on the unlabeled sid with the MLS taken from the node sid or secmark and then using this sid as the target). Pending reconciliation of the netlabel, ipsec and iptables contexts, I have chosen to currently make an exception for unlabeled_t SAs if TE policy allowed it. A similar problem exists for the outbound case and it has been similarly handled in the policy below (by making an exception for unlabeled_t). I am submitting the below limited patch pending a comprehensive patch from Joy Latten at IBM (latten@austin.ibm.com). I am not sure if I needed to manually do a "make tolib" in the flask subdir and submit the results as well. Please let me know if I needed to. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
This modifies the mls constraint for polmatch in the association class. Specifically: - polmatch need no longer make an exception for unlabeled_t since a flow will now always match SPD rules with no contexts (per the IPSec leak fix patch upstreamed a few weeks back), as opposed to needing polmatch access to unlabeled_t. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-11-16 13:38:14 +00:00
(( l1 dom l2 ) and ( h1 domby h2 ));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
enhanced setransd support from darrel goeddel
2006-10-20 14:44:23 +00:00
#
# MLS policy for the context class
#
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote: > Here is the policy changes needed for the context contains security > checking in PAM and cron.
2006-11-14 13:38:52 +00:00
mlsconstrain context contains
l1 domby l2 for contains MLS constraint As identified by Stephan Smalley, the current MLS constraint for the contains permission of the context class should consider the current level of a user along with the clearance level so that mls_systemlow is no longer considered contained in mls_systemhigh. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-02-15 02:16:32 +00:00
(( h1 dom h2 ) and ( l1 domby l2));
On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote: > Here is the policy changes needed for the context contains security > checking in PAM and cron.
2006-11-14 13:38:52 +00:00
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
#
# MLS policy for database classes
#
# make sure these database classes are "single level"
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
( l2 eq h2 );
mlsconstrain { db_tuple } { insert relabelto }
( l2 eq h2 );
# new database labels must be dominated by the relabeling subjects clearance
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
( h1 dom h2 );
# the database "read" ops (note the check is dominance of the low level)
mlsconstrain { db_database } { getattr access get_param }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_schema } { getattr search }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
mlsconstrain { db_table } { getattr use select lock }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_column } { getattr use select }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_sequence } { getattr get_value next_value }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_view } { getattr expand }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
trunk: Add db_procedure install permission from KaiGai Kohei.
2009-01-23 19:49:36 +00:00
mlsconstrain { db_procedure } { getattr execute install }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_language } { getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
mlsconstrain { db_blob } { getattr read export }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_tuple } { use select }
(( l1 dom l2 ) or
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsdbread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_view } { create drop setattr relabelfrom }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
mlsconstrain { db_procedure } { create drop setattr relabelfrom }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsconstrain { db_language } { create drop setattr relabelfrom }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
se-postgresql update from kaigai - rework: Add a comment of "deprecated" for deprecated permissions. - bugfix: MCS policy did not constrain the following permissions. db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to reader side, because it makes impossible to refer read-only table with foreign-key constraint. (FK checks internally acquire explicit locks.) - bugfix: some of permissions in db_procedure class are allowed on sepgsql_trusted_proc_t, but it is a domain, not a procedure. It should allow them on sepgsql_trusted_proc_exec_t. I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid such kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on the sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted procedure implicitly. - bugfix: MLS policy dealt db_blob:{export} as writer-side permission, but it is required whrn the largeobject is refered. - bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
mlsconstrain { db_tuple } { relabelfrom update insert delete }
(( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
( t1 == mlsdbwrite ) or
( t2 == mlstrustedobject ));
# the database upgrade/downgrade rule
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }
trunk: Database userspace object manager classes from KaiGai Kohei.
2007-08-09 13:15:07 +00:00
((( l1 eq l2 ) or
(( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
move flask dir to top level, and update them from nsa cvs. move files in misc to top level. make mls support work.
2005-06-01 15:40:37 +00:00
') dnl end enable_mls