ifdef(`enable_mcs',` # # Define sensitivities # # MCS is single-sensitivity. gen_sens(1) # # Define the categories # # Generate declarations gen_cats(mcs_num_cats) # # Each MCS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # gen_levels(1,mcs_num_cats) # # Define the MCS policy # # mlsconstrain class_set perm_set expression ; # # mlsvalidatetrans class_set expression ; # # expression : ( expression ) # | not expression # | expression and expression # | expression or expression # | u1 op u2 # | r1 role_mls_op r2 # | t1 op t2 # | l1 role_mls_op l2 # | l1 role_mls_op h2 # | h1 role_mls_op l2 # | h1 role_mls_op h2 # | l1 role_mls_op h1 # | l2 role_mls_op h2 # | u1 op names # | u2 op names # | r1 op names # | r2 op names # | t1 op names # | t2 op names # | u3 op names (NOTE: this is only available for mlsvalidatetrans) # | r3 op names (NOTE: this is only available for mlsvalidatetrans) # | t3 op names (NOTE: this is only available for mlsvalidatetrans) # # op : == | != # role_mls_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } # name_list : name | name_list name # # # MCS policy for the file classes # # Constrain file access so that the high range of the process dominates # the high range of the file. We use the high range of the process so # that processes can always simply run at s0. # # Note: # - getattr on dirs/files is not constrained. mlsconstrain dir_file_class_set { open read ioctl lock write setattr append create unlink link rename relabelfrom relabelto } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain file { execute execute_no_trans } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain dir { search add_name remove_name rmdir } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain { file lnk_file fifo_file } { create relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); # # MCS policy for process classes # mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal getsession getattr getsched setsched getrlimit setrlimit getpgid setpgid getcap setcap share setexec setfscreate setcurrent setsockcreate } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # # MCS policy for socket classes # mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain stream_socket_class_set { listen accept } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain unix_stream_socket connectto (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain unix_dgram_socket sendto (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # # MCS policy for key class # mlsconstrain key { create link read search setattr view write } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # # MCS policy for SysV IPC # mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain msg { send receive } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain msgq enqueue (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain shm lock (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); # # MCS policy for context class # mlsconstrain context contains ((( h1 dom h2 ) and ( l1 domby l2 )) or ( t1 != mcs_constrained_type )); # # MCS policy for network classes # # The node recvfrom/sendto ops, the recvfrom permission is a "write" operation # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or (( t1 != mcs_constrained_type ) and ( t2 != mcs_constrained_type ))); # The netif ingress/egress ops, the ingress permission is a "write" operation # because the subject in this particular case is the remote domain which is # writing data out the network interface which is acting as the object mlsconstrain { netif } { egress ingress } (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); # # MCS policy for SELinux-enabled databases # # Any database object must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); mlsconstrain { db_tuple } { insert relabelto } ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_schema { drop getattr setattr relabelfrom search } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_column { drop getattr setattr relabelfrom select update insert } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_tuple { relabelfrom select update delete use } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_view { drop getattr setattr relabelfrom expand } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install entrypoint } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_language { drop getattr setattr relabelfrom execute } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); ') dnl end enable_mcs