Commit Graph

39 Commits

Author SHA1 Message Date
Chris PeBenito
65da822c1b Remove unused translate permission in context userspace class.
mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
2018-10-13 13:39:18 -04:00
Richard Haines
437e48ac53 refpolicy: Update for kernel sctp support
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
Chad Hanson
5a4f511ff4 Fix implementation of MLS file relabel attributes
This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below.

Signed-off-by: Chad Hanson <dahchanson@gmail.com>
2017-12-12 20:07:57 -05:00
Jason Zaman
09ae441706 mls mcs: Add constraints for key class
Taken from fedoras policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
2017-11-04 14:00:56 -04:00
cgzones
d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00
Lukas Vrabec
d4964ae808 Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data.
Example of denial:
type=AVC msg=audit(1461664028.583:784): avc:  denied  { relabelto } for
pid=14322 comm="yum" name="libvirt" dev="dm-0" ino=670147
scontext=root:system_r:rpm_t:s0
tcontext=system_u:object_r:virt_cache_t:s0-s15:c0.c1023 tclass=dir
2016-07-27 18:32:24 -04:00
qqo
aedd5c314d Adds attribute mlstrustedsocket, along with the interface.
Sample AVC:
 type=AVC msg=audit(1459979143.990:219): avc:  denied  { sendto } for  pid=1935
 comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
 tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0

This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
2016-04-12 19:28:13 +03:00
Mike Palmiotto
b68d45324b Add mls support for some db classes
Mirror file/dir approach.

db objects which do not contain other objects at multiple levels are analogous
to files:
	db_sequence
	db_view
	db_procedure
	db_language
	db_tuple
	db_blob

db objects which are capable of holding objects at multiple levels are
analogous to dirs:
	db_database
	db_schema
	db_table
	db_column
2016-01-28 15:34:03 -05:00
Stephen Smalley
58b3029576 Update netlink socket classes.
Define new netlink socket security classes introduced by kernel commit
223ae516404a7a65f09e79a1c0291521c233336e.

Note that this does not remove the long-since obsolete
netlink_firewall_socket and netlink_ip6_fw_socket classes
from refpolicy in case they are still needed for legacy
distribution policies.

Add the new socket classes to socket_class_set.
Update ubac and mls constraints for the new socket classes.
Add allow rules for a few specific known cases (netutils, iptables,
netlabel, ifconfig, udev) in core policy that require access.
Further refinement for the contrib tree will be needed.  Any allow
rule previously written on :netlink_socket may need to be rewritten or
duplicated for one of the more specific classes.  For now, we retain the
existing :netlink_socket rules for compatibility on older kernels.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-22 08:29:03 -04:00
Chris PeBenito
cfd890ea58 Add MLS constraints for x_pointer and x_keyboard. 2013-08-26 08:30:05 -04:00
Chris PeBenito
c5114fef5e SEPostgresql changes from Kohei KaiGai.
* fix bugs in MLS/MCS
* add connection pooling server support
* foreign data wrapper support
* Add temporary objects support
* redefinition of use permission onto system objects
2012-05-18 09:28:18 -04:00
Harry Ciao
4c365f4a6a l1 domby l2 for contains MLS constraint
As identified by Stephan Smalley, the current MLS constraint for the
contains permission of the context class should consider the current
level of a user along with the clearance level so that mls_systemlow
is no longer considered contained in mls_systemhigh.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-02-16 10:00:11 -05:00
KaiGai Kohei
82c32d5cf4 New database object classes
The attached patch adds a few database object classes, as follows:

* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html

In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.

Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.

* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createview.html

* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html

* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.

In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
  http://developer.postgresql.org/pgdocs/postgres/sql-do.html

P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

 policy/flask/access_vectors           |   29 ++++++++
 policy/flask/security_classes         |    6 ++
 policy/mcs                            |   16 ++++-
 policy/mls                            |   58 ++++++++++++++-
 policy/modules/kernel/kernel.if       |    8 ++
 policy/modules/services/postgresql.if |  125 +++++++++++++++++++++++++++++++--
 policy/modules/services/postgresql.te |  116 +++++++++++++++++++++++++++++-
 7 files changed, 342 insertions(+), 16 deletions(-)
2011-01-14 10:02:50 -05:00
Chris PeBenito
3b72786090 Add trusted object condition to unix socket connectto/sendto, to fix label translation. 2010-04-29 11:29:39 -04:00
Chris PeBenito
4af2b3fb98 Add back missing s0 on network_port(). 2010-03-08 07:59:56 -05:00
Chris PeBenito
16fd1fd814 trunk: MLS constraints for the x_selection class, from Eamon Walsh. 2009-06-05 13:36:19 +00:00
Chris PeBenito
350ed89156 se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
    db_database:{getattr}
    db_table:{getattr lock}
    db_column:{getattr}
    db_procedure:{drop getattr setattr}
    db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
  impossible to refer read-only table with foreign-key constraint.
  (FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
  on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
  It should allow them on sepgsql_trusted_proc_exec_t.
  I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
  such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
  sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
  procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
  but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
2009-05-07 12:35:32 +00:00
Chris PeBenito
e1a70f1dde trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
Add MLS constraints for several network related access controls including
the new ingress/egress controls and the older Secmark controls.  Based on
the following post to the SELinux Reference Policy mailing list:

 * http://oss.tresys.com/pipermail/refpolicy/2009-February/000579.html
2009-03-02 15:16:49 +00:00
Chris PeBenito
466e22a8ba trunk: Add db_procedure install permission from KaiGai Kohei. 2009-01-23 19:49:36 +00:00
Chris PeBenito
4a475507be trunk: remove stale pax class comments as that class was removed. 2008-09-22 19:06:34 +00:00
Chris PeBenito
6a824f630d trunk: update mls constraints for x_application_data. 2008-09-05 14:27:01 +00:00
Chris PeBenito
d923d54c08 trunk: X application data class from Eamon Walsh and Ted Toth. 2008-05-06 14:37:05 +00:00
Chris PeBenito
2c12b471ad trunk: add core xselinux support. 2008-04-01 20:23:23 +00:00
Chris PeBenito
936f286c16 trunk: add mls constraints to dbus. 2008-01-03 20:37:25 +00:00
Chris PeBenito
d62c0881e2 Update MLS constraints from LSPP evaluated policy. 2007-08-24 14:14:29 +00:00
Chris PeBenito
9760cbec2d trunk: Database userspace object manager classes from KaiGai Kohei. 2007-08-09 13:15:07 +00:00
Chris PeBenito
1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito
b50f2ee48d It was just pointed out to me that the raw IP socket class is missing from the
recvfrom MLS constraint.

Signed-off-by: Paul Moore
2007-03-09 14:45:19 +00:00
Chris PeBenito
d31d3c159e This modifies the mls constraint for polmatch in the association class.
Specifically:

- polmatch need no longer make an exception for unlabeled_t
  since a flow will now always match SPD rules with no contexts (per
  the IPSec leak fix patch upstreamed a few weeks back), as
  opposed to needing polmatch access to unlabeled_t.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-11-16 13:38:14 +00:00
Chris PeBenito
c6a60bb28d On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
> Here is the policy changes needed for the context contains security
> checking in PAM and cron.
2006-11-14 13:38:52 +00:00
Chris PeBenito
f497b8df50 Christopher J. PeBenito wrote:
> We could add another 'or' on the above constraint:
> 
> or ( (t2 == mlsfilewrite_in_range) and (l1 dom l2) and (h1 domby h2) )
> 
> I believe that would be the constraint you were looking for.  I don't
> like the name of that attribute, but I couldn't come up with a better
> one off the top of my head. :)
> 

Attached is a patch which I've tested against selinux-policy-2.4.2-1
that implements this additional constraint.  The name is still a bit
forced, but it works.

-matt <mra at hp dot com>
2006-11-01 15:42:22 +00:00
Chris PeBenito
a8671ae5b2 enhanced setransd support from darrel goeddel 2006-10-20 14:44:23 +00:00
Chris PeBenito
130f8a4aa5 merge netlabel stuff from labeled-networking branch 2006-10-17 16:58:17 +00:00
Chris PeBenito
e070dd2df0 - Move range transitions to modules.
- Make number of MLS sensitivities, and number of MLS and MCS
  categories configurable as build options.
2006-10-04 17:25:34 +00:00
Chris PeBenito
a9e03b3752 * add a macro for generating category declarations
* fix userdom_search_all_users_home_content() to use search_dir_perms;
* change ssh daemon macro to use userdom_search_all_users_home_dirs() instead of _home_content()
2006-09-21 15:48:15 +00:00
Chris PeBenito
cf7af137c0 add mls fd constraints 2006-09-15 19:05:03 +00:00
Chris PeBenito
9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00
Chris PeBenito
a5e2133bc8 patch from dan Wed, 23 Aug 2006 14:03:49 -0400 2006-08-29 02:41:00 +00:00
Chris PeBenito
17de1b790b remove extra level of directory 2006-07-12 20:32:27 +00:00