selinux-policy/policy/mcs

ifdef(`enable_mcs',`
#
# Define sensitivities 
#
# MCS is single-sensitivity.

gen_sens(1)

#
# Define the categories
#
# Generate declarations

gen_cats(mcs_num_cats)

#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#

gen_levels(1,mcs_num_cats)

#
# Define the MCS policy
#
# mlsconstrain class_set perm_set expression ;
#
# mlsvalidatetrans class_set expression ;
#
# expression : ( expression )
#	     | not expression
#	     | expression and expression
#	     | expression or expression
#	     | u1 op u2
#	     | r1 role_mls_op r2
#	     | t1 op t2
#	     | l1 role_mls_op l2
#	     | l1 role_mls_op h2
#	     | h1 role_mls_op l2
#	     | h1 role_mls_op h2
#	     | l1 role_mls_op h1
#	     | l2 role_mls_op h2
#	     | u1 op names
#	     | u2 op names
#	     | r1 op names
#	     | r2 op names
#	     | t1 op names
#	     | t2 op names
#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
#
# op : == | !=
# role_mls_op : == | != | eq | dom | domby | incomp
#
# names : name | { name_list }
# name_list : name | name_list name
#

#
# MCS policy for the file classes
#
# Constrain file access so that the high range of the process dominates
# the high range of the file.  We use the high range of the process so
# that processes can always simply run at s0.
#
# Note:
#  - getattr on dirs/files is not constrained.
#  - /proc/pid operations are not constrained.

mlsconstrain file { read ioctl lock execute execute_no_trans }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));

mlsconstrain file { write setattr append unlink link rename }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));

mlsconstrain dir { search read ioctl lock }
	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));

mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));

# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom }
	( h1 dom h2 );

mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain process { transition dyntransition }
	(( h1 dom h2 ) or ( t1 == mcssetcats ));

mlsconstrain process { ptrace }
	(( h1 dom h2) or ( t1 == mcsptraceall ));

mlsconstrain process { sigkill sigstop }
	(( h1 dom h2 ) or ( t1 == mcskillall ));

mlsconstrain process { signal }
	(( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));

#
# MCS policy for SELinux-enabled databases
#

# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

mlsconstrain { db_tuple } { insert relabelto }
	(( h1 dom h2 ) and ( l2 eq h2 ));

# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
	( h1 dom h2 );

mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
	( h1 dom h2 );

mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
	( h1 dom h2 );

mlsconstrain db_tuple { relabelfrom select update delete use }
	( h1 dom h2 );

mlsconstrain db_procedure { drop getattr setattr execute install }
	( h1 dom h2 );

mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
	( h1 dom h2 );

') dnl end enable_mcs