Add mls support for some db classes

Mirror the file/dir approach.

db objects which do not contain other objects at multiple levels are analogous
to files:
	db_sequence
	db_view
	db_procedure
	db_language
	db_tuple
	db_blob

db objects which are capable of holding objects at multiple levels are
analogous to dirs:
	db_database
	db_schema
	db_table
	db_column
Mike Palmiotto 2016-01-27 15:21:36 -05:00 committed by Chris PeBenito
parent fc2040d1f8
commit b68d45324b
1 changed files with 4 additions and 3 deletions


@ -763,13 +763,14 @@ mlsconstrain context contains
# #
# make sure these database classes are "single level" # make sure these database classes are "single level"
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
( l2 eq h2 ); ( l2 eq h2 );
mlsconstrain { db_tuple } { insert relabelto } mlsconstrain { db_tuple } { insert relabelto }
( l2 eq h2 ); ( l2 eq h2 );
# new database labels must be dominated by the relabeling subjects clearance # new database labels must be dominated by the relabeling subjects clearance
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } mlsconstrain { db_database db_schema db_table db_column } { relabelto }
( h1 dom h2 ); ( h1 dom h2 );
# the database "read" ops (note the check is dominance of the low level) # the database "read" ops (note the check is dominance of the low level)
@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
( t1 == mlsdbread ) or ( t1 == mlsdbread ) or
( t2 == mlstrustedobject )); ( t2 == mlstrustedobject ));
# the "single level" file "write" ops # the "single level" database "write" ops
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
(( l1 eq l2 ) or (( l1 eq l2 ) or
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or