selinux-refpolicy/policy/flask/security_classes

202 lines
3.8 KiB
Plaintext
Raw Normal View History

# FLASK
#
2016-12-06 12:28:10 +00:00
# Define the security object classes
#
2005-08-22 14:13:19 +00:00
# Classes marked as userspace are classes
# for userspace object managers
class security
class process
class system
class capability
# file-related classes
class filesystem
class file
class dir
class fd
class lnk_file
class chr_file
class blk_file
class sock_file
class fifo_file
# network-related classes
class socket
class tcp_socket
class udp_socket
class rawip_socket
class node
class netif
class netlink_socket
class packet_socket
class key_socket
class unix_stream_socket
class unix_dgram_socket
# sysv-ipc-related classes
class sem
class msg
class msgq
class shm
class ipc
#
# userspace object manager classes
#
# passwd/chfn/chsh
2005-08-22 14:13:19 +00:00
class passwd # userspace
2008-04-01 20:23:23 +00:00
# SE-X Windows stuff (more classes below)
class x_drawable # userspace
class x_screen # userspace
class x_gc # userspace
class x_font # userspace
class x_colormap # userspace
class x_property # userspace
class x_selection # userspace
class x_cursor # userspace
class x_client # userspace
class x_device # userspace
class x_server # userspace
class x_extension # userspace
# extended netlink sockets
class netlink_route_socket
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Consequently, kernels >= 3.5 should never perform permission checks on these classes although they remained defined in the SELinux kernel classmap until the netlink classes were updated by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 circa Linux v4.2. Removing these class definitions would break legacy userspace that relies upon stable values for the userspace security class definitions since it will perturb those values by removing classes that preceded them. dbus-daemon in particular is known to break if its dbus class changes at runtime, which could occur upon a policy reload that removes these classes. Fixing this requires ensuring that dbus-daemon looks up the appropriate class value on each use or upon policy reload, via userspace interfaces such as selinux_check_access(), string_to_security_class(), and/or selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function that remaps the class value if needed. Other userspace policy enforcers are believed to have been updated in recent versions but older versions may break upon such a change. Hence, this change renames these classes with obsolete_ prefixes and removes all rules referencing them from refpolicy, thereby preserving the class numbering for subsequent classes while making it clear that these classses are no longer meaningful for modern kernels. This change does however create a potential compatibility break for kernels < 3.5, since the policy will cease to define the kernel class names and therefore the kernel will handle permission checks on the class based on the handle_unknown setting in policy. For most Linux distributions, this will default to allow and therefore avoid breaking userspace but will fail open. For kernels < 2.6.33 (i.e. the dynamic class/perm discovery support), the presence of a class in policy with the same number but a different name than the kernel class will cause the policy load to fail entirely. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 15:31:00 +00:00
class obsolete_netlink_firewall_socket
class netlink_tcpdiag_socket
class netlink_nflog_socket
class netlink_xfrm_socket
class netlink_selinux_socket
class netlink_audit_socket
Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Consequently, kernels >= 3.5 should never perform permission checks on these classes although they remained defined in the SELinux kernel classmap until the netlink classes were updated by https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c6d2e9bde1c1c87a7ead806f8f5e2181d41a652 circa Linux v4.2. Removing these class definitions would break legacy userspace that relies upon stable values for the userspace security class definitions since it will perturb those values by removing classes that preceded them. dbus-daemon in particular is known to break if its dbus class changes at runtime, which could occur upon a policy reload that removes these classes. Fixing this requires ensuring that dbus-daemon looks up the appropriate class value on each use or upon policy reload, via userspace interfaces such as selinux_check_access(), string_to_security_class(), and/or selinux_set_callback(SELINUX_CB_POLICYLOAD, ...) with a callback function that remaps the class value if needed. Other userspace policy enforcers are believed to have been updated in recent versions but older versions may break upon such a change. Hence, this change renames these classes with obsolete_ prefixes and removes all rules referencing them from refpolicy, thereby preserving the class numbering for subsequent classes while making it clear that these classses are no longer meaningful for modern kernels. This change does however create a potential compatibility break for kernels < 3.5, since the policy will cease to define the kernel class names and therefore the kernel will handle permission checks on the class based on the handle_unknown setting in policy. For most Linux distributions, this will default to allow and therefore avoid breaking userspace but will fail open. For kernels < 2.6.33 (i.e. the dynamic class/perm discovery support), the presence of a class in policy with the same number but a different name than the kernel class will cause the policy load to fail entirely. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 15:31:00 +00:00
class obsolete_netlink_ip6fw_socket
class netlink_dnrt_socket
2005-08-22 14:13:19 +00:00
class dbus # userspace
class nscd # userspace
# IPSec association
class association
# Updated Netlink class for KOBJECT_UEVENT family.
class netlink_kobject_uevent_socket
2006-05-04 20:40:49 +00:00
class appletalk_socket
2006-05-19 17:45:46 +00:00
class packet
2006-06-21 21:02:49 +00:00
# Kernel access key retention
class key
class context # userspace
2007-02-26 15:39:59 +00:00
class dccp_socket
class memprotect
class db_database # userspace
class db_table # userspace
class db_procedure # userspace
class db_column # userspace
class db_tuple # userspace
class db_blob # userspace
class db_exception # userspace
class db_datatype # userspace
# network peer labels
class peer
# Capabilities >= 32
class capability2
2008-04-01 20:23:23 +00:00
# More SE-X Windows stuff
class x_resource # userspace
class x_event # userspace
class x_synthetic_event # userspace
class x_application_data # userspace
2008-04-01 20:23:23 +00:00
# kernel services that need to override task security, e.g. cachefiles
2016-12-06 12:28:10 +00:00
class kernel_service
class tun_socket
class binder
# Updated netlink classes for more recent netlink protocols.
class netlink_iscsi_socket
class netlink_fib_lookup_socket
class netlink_connector_socket
class netlink_netfilter_socket
class netlink_generic_socket
class netlink_scsitransport_socket
class netlink_rdma_socket
class netlink_crypto_socket
# Still More SE-X Windows stuff
class x_pointer # userspace
class x_keyboard # userspace
# Infiniband
class infiniband_pkey
class infiniband_endport
New database object classes The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
# More Database stuff
class db_schema # userspace
class db_view # userspace
class db_sequence # userspace
class db_language # userspace
2015-10-20 15:29:11 +00:00
class service # userspace
# Capability checks when on a non-init user namespace
class cap_userns
class cap2_userns
# New socket classes introduced by extended_socket_class policy capability.
# These two were previously mapped to rawip_socket.
class sctp_socket
class icmp_socket
# These were previously mapped to socket.
class ax25_socket
class ipx_socket
class netrom_socket
class atmpvc_socket
class x25_socket
class rose_socket
class decnet_socket
class atmsvc_socket
class rds_socket
class irda_socket
class pppox_socket
class llc_socket
class can_socket
class tipc_socket
class bluetooth_socket
class iucv_socket
class rxrpc_socket
class isdn_socket
class phonet_socket
class ieee802154_socket
class caif_socket
class alg_socket
class nfc_socket
class vsock_socket
class kcm_socket
class qipcrtr_socket
class smc_socket
class process2
class bpf
class xdp_socket
class perf_event
class lockdown
# FLASK