| 1 |
commit: e65914649a2dc3fae590c9df612c70b957a6ef5d |
| 2 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
| 3 |
AuthorDate: Tue Nov 9 18:59:08 2021 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Nov 20 22:58:24 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6591464 |
| 7 |
|
| 8 |
mcs: only constrain mcs_constrained_type for db accesses |
| 9 |
|
| 10 |
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
| 11 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 12 |
|
| 13 |
policy/mcs | 24 ++++++++++++------------ |
| 14 |
1 file changed, 12 insertions(+), 12 deletions(-) |
| 15 |
|
| 16 |
diff --git a/policy/mcs b/policy/mcs |
| 17 |
index 023bd149..c9b7e83e 100644 |
| 18 |
--- a/policy/mcs |
| 19 |
+++ b/policy/mcs |
| 20 |
@@ -133,41 +133,41 @@ mlsconstrain context contains |
| 21 |
# Any database object must be dominated by the relabeling subject |
| 22 |
# clearance, also the objects are single-level. |
| 23 |
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } |
| 24 |
- (( h1 dom h2 ) and ( l2 eq h2 )); |
| 25 |
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); |
| 26 |
|
| 27 |
mlsconstrain { db_tuple } { insert relabelto } |
| 28 |
- (( h1 dom h2 ) and ( l2 eq h2 )); |
| 29 |
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type )); |
| 30 |
|
| 31 |
# Access control for any database objects based on MCS rules. |
| 32 |
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } |
| 33 |
- ( h1 dom h2 ); |
| 34 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 35 |
|
| 36 |
mlsconstrain db_schema { drop getattr setattr relabelfrom search } |
| 37 |
- ( h1 dom h2 ); |
| 38 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 39 |
|
| 40 |
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock } |
| 41 |
- ( h1 dom h2 ); |
| 42 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 43 |
|
| 44 |
mlsconstrain db_column { drop getattr setattr relabelfrom select update insert } |
| 45 |
- ( h1 dom h2 ); |
| 46 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 47 |
|
| 48 |
mlsconstrain db_tuple { relabelfrom select update delete use } |
| 49 |
- ( h1 dom h2 ); |
| 50 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 51 |
|
| 52 |
mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value } |
| 53 |
- ( h1 dom h2 ); |
| 54 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 55 |
|
| 56 |
mlsconstrain db_view { drop getattr setattr relabelfrom expand } |
| 57 |
- ( h1 dom h2 ); |
| 58 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 59 |
|
| 60 |
mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install entrypoint } |
| 61 |
- ( h1 dom h2 ); |
| 62 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 63 |
|
| 64 |
mlsconstrain db_language { drop getattr setattr relabelfrom execute } |
| 65 |
- ( h1 dom h2 ); |
| 66 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 67 |
|
| 68 |
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } |
| 69 |
- ( h1 dom h2 ); |
| 70 |
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
| 71 |
|
| 72 |
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind |
| 73 |
(( h1 dom h2 ) or ( t1 != mcs_constrained_type )); |
Archives