ifdef(`enable_mcs',` # # Define sensitivities # # MCS is single-sensitivity. gen_sens(1) # # Define the categories # # Generate declarations gen_cats(mcs_num_cats) # # Each MCS level specifies a sensitivity and zero or more categories which may # be associated with that sensitivity. # gen_levels(1,mcs_num_cats) # # Define the MCS policy # # mlsconstrain class_set perm_set expression ; # # mlsvalidatetrans class_set expression ; # # expression : ( expression ) # | not expression # | expression and expression # | expression or expression # | u1 op u2 # | r1 role_mls_op r2 # | t1 op t2 # | l1 role_mls_op l2 # | l1 role_mls_op h2 # | h1 role_mls_op l2 # | h1 role_mls_op h2 # | l1 role_mls_op h1 # | l2 role_mls_op h2 # | u1 op names # | u2 op names # | r1 op names # | r2 op names # | t1 op names # | t2 op names # | u3 op names (NOTE: this is only available for mlsvalidatetrans) # | r3 op names (NOTE: this is only available for mlsvalidatetrans) # | t3 op names (NOTE: this is only available for mlsvalidatetrans) # # op : == | != # role_mls_op : == | != | eq | dom | domby | incomp # # names : name | { name_list } # name_list : name | name_list name # # # MCS policy for the file classes # # Constrain file access so that the high range of the process dominates # the high range of the file. We use the high range of the process so # that processes can always simply run at s0. # # Note: # - getattr on dirs/files is not constrained. # - /proc/pid operations are not constrained. mlsconstrain file { read ioctl lock execute execute_no_trans } (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); mlsconstrain file { write setattr append unlink link rename } (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); mlsconstrain dir { search read ioctl lock } (( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain )); mlsconstrain dir { write setattr append unlink link rename add_name remove_name } (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain )); # New filesystem object labels must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain file { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); # new file labels must be dominated by the relabeling subject clearance mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } ( h1 dom h2 ); mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } (( h1 dom h2 ) or ( t1 == mcssetcats )); mlsconstrain process { ptrace } (( h1 dom h2) or ( t1 == mcsptraceall )); mlsconstrain process { signal sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); # # MCS policy for SELinux-enabled databases # # Any database object must be dominated by the relabeling subject # clearance, also the objects are single-level. mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain { db_tuple } { insert relabelto } (( h1 dom h2 ) and ( l2 eq h2 )); # Access control for any database objects based on MCS rules. mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } ( h1 dom h2 ); mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } ( h1 dom h2 ); mlsconstrain db_tuple { relabelfrom select update delete use } ( h1 dom h2 ); mlsconstrain db_procedure { drop getattr setattr execute install } ( h1 dom h2 ); mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } ( h1 dom h2 ); ') dnl end enable_mcs