selinux-refpolicy/policy/mls
Chris PeBenito 9b45c60308 This patch adds a polmatch avperm to arbitrate flow/state's access to
a xfrm policy. It also defines MLS policy for association { sendto,
recvfrom, polmatch }.

NOTE: When an inbound packet is not using an IPSec SA, a check is performed
between the socket label and the unlabeled sid (SYSTEM_HIGH MLS label). For
MLS purposes however, the target of the check should be the MLS label taken
from the node sid (or secmark in the new secmark world). This would present
a severe performance overhead (to make a new sid based on the unlabeled sid
with the MLS taken from the node sid or secmark and then using this sid as
the target). Pending reconciliation of the netlabel, ipsec and iptables contexts,
I have chosen to currently make an exception for unlabeled_t SAs if TE policy
allowed it. A similar problem exists for the outbound case and it has been similarly
handled in the policy below (by making an exception for unlabeled_t).

I am submitting the below limited patch pending a comprehensive patch from
Joy Latten at IBM (latten@austin.ibm.com).

I am not sure if I needed to manually do a "make tolib" in the flask subdir
and submit the results as well. Please let me know if I needed to.

Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
2006-09-01 17:06:53 +00:00

679 lines
20 KiB
Plaintext

ifdef(`enable_mls',`
#
# Define sensitivities
#
# Each sensitivity has a name and zero or more aliases.
#
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
sensitivity s10;
sensitivity s11;
sensitivity s12;
sensitivity s13;
sensitivity s14;
sensitivity s15;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
#
# Define the categories
#
# Each category has a name and zero or more aliases.
#
category c0; category c1; category c2; category c3;
category c4; category c5; category c6; category c7;
category c8; category c9; category c10; category c11;
category c12; category c13; category c14; category c15;
category c16; category c17; category c18; category c19;
category c20; category c21; category c22; category c23;
category c24; category c25; category c26; category c27;
category c28; category c29; category c30; category c31;
category c32; category c33; category c34; category c35;
category c36; category c37; category c38; category c39;
category c40; category c41; category c42; category c43;
category c44; category c45; category c46; category c47;
category c48; category c49; category c50; category c51;
category c52; category c53; category c54; category c55;
category c56; category c57; category c58; category c59;
category c60; category c61; category c62; category c63;
category c64; category c65; category c66; category c67;
category c68; category c69; category c70; category c71;
category c72; category c73; category c74; category c75;
category c76; category c77; category c78; category c79;
category c80; category c81; category c82; category c83;
category c84; category c85; category c86; category c87;
category c88; category c89; category c90; category c91;
category c92; category c93; category c94; category c95;
category c96; category c97; category c98; category c99;
category c100; category c101; category c102; category c103;
category c104; category c105; category c106; category c107;
category c108; category c109; category c110; category c111;
category c112; category c113; category c114; category c115;
category c116; category c117; category c118; category c119;
category c120; category c121; category c122; category c123;
category c124; category c125; category c126; category c127;
category c128; category c129; category c130; category c131;
category c132; category c133; category c134; category c135;
category c136; category c137; category c138; category c139;
category c140; category c141; category c142; category c143;
category c144; category c145; category c146; category c147;
category c148; category c149; category c150; category c151;
category c152; category c153; category c154; category c155;
category c156; category c157; category c158; category c159;
category c160; category c161; category c162; category c163;
category c164; category c165; category c166; category c167;
category c168; category c169; category c170; category c171;
category c172; category c173; category c174; category c175;
category c176; category c177; category c178; category c179;
category c180; category c181; category c182; category c183;
category c184; category c185; category c186; category c187;
category c188; category c189; category c190; category c191;
category c192; category c193; category c194; category c195;
category c196; category c197; category c198; category c199;
category c200; category c201; category c202; category c203;
category c204; category c205; category c206; category c207;
category c208; category c209; category c210; category c211;
category c212; category c213; category c214; category c215;
category c216; category c217; category c218; category c219;
category c220; category c221; category c222; category c223;
category c224; category c225; category c226; category c227;
category c228; category c229; category c230; category c231;
category c232; category c233; category c234; category c235;
category c236; category c237; category c238; category c239;
category c240; category c241; category c242; category c243;
category c244; category c245; category c246; category c247;
category c248; category c249; category c250; category c251;
category c252; category c253; category c254; category c255;
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
level s0:c0.c255;
level s1:c0.c255;
level s2:c0.c255;
level s3:c0.c255;
level s4:c0.c255;
level s5:c0.c255;
level s6:c0.c255;
level s7:c0.c255;
level s8:c0.c255;
level s9:c0.c255;
level s10:c0.c255;
level s11:c0.c255;
level s12:c0.c255;
level s13:c0.c255;
level s14:c0.c255;
level s15:c0.c255;
#
# Define the MLS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
# | not expression
# | expression and expression
# | expression or expression
# | u1 op u2
# | r1 role_mls_op r2
# | t1 op t2
# | l1 role_mls_op l2
# | l1 role_mls_op h2
# | h1 role_mls_op l2
# | h1 role_mls_op h2
# | l1 role_mls_op h1
# | l2 role_mls_op h2
# | u1 op names
# | u2 op names
# | r1 op names
# | r2 op names
# | t1 op names
# | t2 op names
# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#
#
# MLS policy for the file classes
#
# make sure these file classes are "single level"
mlsconstrain { file lnk_file fifo_file } { create relabelto }
( l2 eq h2 );
# new file labels must be dominated by the relabeling subjects clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
( h1 dom h2 );
# the file "read" ops (note the check is dominance of the low level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
mlsconstrain dir search
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ) or
( t2 == mlstrustedobject ));
# the "single level" file "write" ops
mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
mlsconstrain dir { add_name remove_name reparent rmdir }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# { dir file lnk_file chr_file blk_file sock_file fifo_file } { ioctl lock swapon quotaon }
#
# { file chr_file } { execute_no_trans entrypoint execmod }
# the file upgrade/downgrade rule
mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
((( l1 eq l2 ) or
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( h1 eq h2 ) or
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
# create can also require the upgrade/downgrade checks if the creating process
# has used setfscreate (note that both the high and low level of the object
# default to the process sensitivity level)
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
((( l1 eq l2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom l2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and
(( l1 eq h2 ) or
(( t1 == mlsfileupgrade ) and ( l1 domby h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 dom h2 )) or
(( t1 == mlsfiledowngrade ) and ( l1 incomp h2 ))));
#
# MLS policy for the filesystem class
#
# new filesystem labels must be dominated by the relabeling subjects clearance
mlsconstrain filesystem relabelto
( h1 dom h2 );
# the filesystem "read" ops (implicit single level)
mlsconstrain filesystem { getattr quotaget }
(( l1 dom l2 ) or
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsfileread ));
# all the filesystem "write" ops (implicit single level)
mlsconstrain filesystem { mount remount unmount relabelfrom quotamod }
(( l1 eq l2 ) or
(( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsfilewrite ));
# these access vectors have no MLS restrictions
# filesystem { transition associate }
#
# MLS policy for the socket classes
#
# new socket labels must be dominated by the relabeling subjects clearance
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
( h1 dom h2 );
# the socket "read" ops (note the check is dominance of the low level)
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_read
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
# the socket "write" ops
mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { write setattr relabelfrom connect setopt shutdown }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
#
# { tcp_socket udp_socket rawip_socket } node_bind
#
# { tcp_socket unix_stream_socket } { connectto newconn acceptfrom }
#
# tcp_socket name_connect
#
# { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_xfrm_socket netlink_audit_socket netlink_ip6fw_socket } nlmsg_write
#
# netlink_audit_socket { nlmsg_relay nlmsg_readpriv }
#
# netlink_kobject_uevent_socket *
#
#
# MLS policy for the ipc classes
#
# the ipc "read" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { getattr read unix_read }
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
mlsconstrain msg receive
(( l1 dom l2 ) or
(( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsipcread ));
# the ipc "write" ops (implicit single level)
mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msgq enqueue
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain shm lock
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
mlsconstrain msg send
(( l1 eq l2 ) or
(( t1 == mlsipcwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsipcwrite ));
# these access vectors have no MLS restrictions
# { ipc sem msgq shm } associate
#
# MLS policy for the fd class
#
# these access vectors have no MLS restrictions
# fd use
#
# MLS policy for the network object classes
#
# the netif/node "read" ops (implicit single level socket doing the read)
# (note the check is dominance of the low level)
mlsconstrain { node netif } { tcp_recv udp_recv rawip_recv }
(( l1 dom l2 ) or ( t1 == mlsnetrecvall ));
# the netif/node "write" ops (implicit single level socket doing the write)
mlsconstrain { netif node } { tcp_send udp_send rawip_send }
(( l1 dom l2 ) and ( l1 domby h2 ));
# these access vectors have no MLS restrictions
# node enforce_dest
#
# MLS policy for the process class
#
# new process labels must be dominated by the relabeling subjects clearance
# and sensitivity level changes require privilege
mlsconstrain process transition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl ) or
(( t1 == privrangetrans ) and ( t2 == mlsrangetrans ))));
mlsconstrain process dyntransition
(( h1 dom h2 ) and
(( l1 eq l2 ) or ( t1 == mlsprocsetsl )));
# all the process "read" ops
mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
(( l1 dom l2 ) or
(( t1 == mlsprocreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsprocread ));
# all the process "write" ops (note the check is equality on the low level)
mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setexec setfscreate setcurrent ptrace share }
(( l1 eq l2 ) or
(( t1 == mlsprocwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsprocwrite ));
# these access vectors have no MLS restrictions
# process { fork sigchld signull noatsecure siginh setrlimit rlimitinh execmem execstack execheap }
#
# MLS policy for the security class
#
# these access vectors have no MLS restrictions
# security *
#
# MLS policy for the system class
#
# these access vectors have no MLS restrictions
# system *
#
# MLS policy for the capability class
#
# these access vectors have no MLS restrictions
# capability *
#
# MLS policy for the passwd class
#
# these access vectors have no MLS restrictions
# passwd *
#
# MLS policy for the drawable class
#
# the drawable "read" ops (implicit single level)
mlsconstrain drawable { getattr copy }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the drawable "write" ops (implicit single level)
mlsconstrain drawable { create destroy draw copy }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the gc class
#
# the gc "read" ops (implicit single level)
mlsconstrain gc getattr
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the gc "write" ops (implicit single level)
mlsconstrain gc { create free setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the window class
#
# the window "read" ops (implicit single level)
mlsconstrain window { listprop getattr enumerate mousemotion inputevent drawevent windowchangeevent windowchangerequest serverchangeevent extensionevent }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the window "write" ops (implicit single level)
mlsconstrain window { addchild create destroy chstack chproplist chprop setattr setfocus move chselection chparent ctrllife transparent clientcomevent }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ) or
( t2 == mlstrustedobject ));
# these access vectors have no MLS restrictions
# window { map unmap }
#
# MLS policy for the font class
#
# the font "read" ops (implicit single level)
mlsconstrain font { load getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinread ));
# the font "write" ops (implicit single level)
mlsconstrain font free
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
# these access vectors have no MLS restrictions
# font use
#
# MLS policy for the colormap class
#
# the colormap "read" ops (implicit single level)
mlsconstrain colormap { list read getattr }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadcolormap ) or
( t1 == mlsxwinread ));
# the colormap "write" ops (implicit single level)
mlsconstrain colormap { create free install uninstall store setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritecolormap ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the property class
#
# the property "read" ops (implicit single level)
mlsconstrain property { read }
(( l1 dom l2 ) or
(( t1 == mlsxwinreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsxwinreadproperty ) or
( t1 == mlsxwinread ));
# the property "write" ops (implicit single level)
mlsconstrain property { create free write }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwriteproperty ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the cursor class
#
# the cursor "write" ops (implicit single level)
mlsconstrain cursor { create createglyph free assign setattr }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xclient class
#
# the xclient "write" ops (implicit single level)
mlsconstrain xclient kill
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xinput class
#
# these access vectors have no MLS restrictions
# xinput ~{ relabelinput setattr }
# the xinput "write" ops (implicit single level)
mlsconstrain xinput { setattr relabelinput }
(( l1 eq l2 ) or
(( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsxwinwritexinput ) or
( t1 == mlsxwinwrite ));
#
# MLS policy for the xserver class
#
# these access vectors have no MLS restrictions
# xserver *
#
# MLS policy for the xextension class
#
# these access vectors have no MLS restrictions
# xextension { query use }
#
# MLS policy for the pax class
#
# these access vectors have no MLS restrictions
# pax { pageexec emutramp mprotect randmmap randexec segmexec }
#
# MLS policy for the dbus class
#
# these access vectors have no MLS restrictions
# dbus { acquire_svc send_msg }
#
# MLS policy for the nscd class
#
# these access vectors have no MLS restrictions
# nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost }
#
# MLS policy for the association class
#
mlsconstrain association { recvfrom }
((( l1 dom l2 ) and ( l1 domby h2 )) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ) or
( t2 == unlabeled_t ));
mlsconstrain association { sendto }
((( l1 dom l2 ) and ( l1 domby h2 )) or
( t2 == unlabeled_t ));
mlsconstrain association { polmatch }
((( l1 dom l2 ) and ( h1 domby h2 )) or
( t2 == unlabeled_t ));
') dnl end enable_mls