| 1 |
commit: 1f34c6dfe967939b8d7afa2ec9ed57c57de5c5f7 |
| 2 |
Author: Mike Palmiotto <mike.palmiotto <AT> crunchydata <DOT> com> |
| 3 |
AuthorDate: Wed Jan 27 20:21:36 2016 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Jan 30 17:16:57 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34c6df |
| 7 |
|
| 8 |
Add mls support for some db classes |
| 9 |
|
| 10 |
Mirror file/dir approach. |
| 11 |
|
| 12 |
db objects which do not contain other objects at multiple levels are analogous |
| 13 |
to files: |
| 14 |
db_sequence |
| 15 |
db_view |
| 16 |
db_procedure |
| 17 |
db_language |
| 18 |
db_tuple |
| 19 |
db_blob |
| 20 |
|
| 21 |
db objects which are capable of holding objects at multiple levels are |
| 22 |
analogous to dirs: |
| 23 |
db_database |
| 24 |
db_schema |
| 25 |
db_table |
| 26 |
db_column |
| 27 |
|
| 28 |
policy/mls | 7 ++++--- |
| 29 |
1 file changed, 4 insertions(+), 3 deletions(-) |
| 30 |
|
| 31 |
diff --git a/policy/mls b/policy/mls |
| 32 |
index 06e5106..70ed808 100644 |
| 33 |
--- a/policy/mls |
| 34 |
+++ b/policy/mls |
| 35 |
@@ -763,13 +763,14 @@ mlsconstrain context contains |
| 36 |
# |
| 37 |
|
| 38 |
# make sure these database classes are "single level" |
| 39 |
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } |
| 40 |
+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto } |
| 41 |
( l2 eq h2 ); |
| 42 |
+ |
| 43 |
mlsconstrain { db_tuple } { insert relabelto } |
| 44 |
( l2 eq h2 ); |
| 45 |
|
| 46 |
# new database labels must be dominated by the relabeling subjects clearance |
| 47 |
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } |
| 48 |
+mlsconstrain { db_database db_schema db_table db_column } { relabelto } |
| 49 |
( h1 dom h2 ); |
| 50 |
|
| 51 |
# the database "read" ops (note the check is dominance of the low level) |
| 52 |
@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select } |
| 53 |
( t1 == mlsdbread ) or |
| 54 |
( t2 == mlstrustedobject )); |
| 55 |
|
| 56 |
-# the "single level" file "write" ops |
| 57 |
+# the "single level" database "write" ops |
| 58 |
mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } |
| 59 |
(( l1 eq l2 ) or |
| 60 |
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or |
Archives