From: mike.palmiotto@crunchydata.com (Mike Palmiotto)
Date: Fri, 15 Jan 2016 16:21:33 -0500
Subject: [refpolicy] [PATCH 1/1] Add mls support for some db classes
In-Reply-To: <1452892893-5028-1-git-send-email-mike.palmiotto@crunchydata.com>
References: <1452892893-5028-1-git-send-email-mike.palmiotto@crunchydata.com>
Message-ID: <1452892893-5028-2-git-send-email-mike.palmiotto@crunchydata.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Mirror file/dir approach.

db objects which do not contain other objects at multiple levels are analogous to files:
db_procedure db_language db_column db_tuple db_blob

db objects which are capable of holding objects at multiple levels are analogous to dirs:
db_database db_schema db_table db_sequence db_view
---
 policy/mls | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/mls b/policy/mls
index 06e5106..c7c6fd5 100644
--- a/policy/mls
+++ b/policy/mls
@@ -763,8 +763,9 @@ mlsconstrain context contains
 
 #
 # make sure these database classes are "single level"
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+mlsconstrain { db_procedure db_language db_column db_blob } { create relabelto }
 ( l2 eq h2 );
+
 mlsconstrain { db_tuple } { insert relabelto }
 ( l2 eq h2 );
 
@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
 ( t1 == mlsdbread ) or
 ( t2 == mlstrustedobject ));
 
-# the "single level" file "write" ops
+# the "single level" database "write" ops
 mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
 (( l1 eq l2 ) or
 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- 
1.8.3.1
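Review bot: The rationale for dropping db_database, db_schema, db_table, db_sequence and db_view from the "single level" `{ create relabelto }` constraint lives only in the commit message; in the policy itself the remaining `# make sure these database classes are "single level"` comment gives a future reader no hint that the omission is deliberate, so someone tidying the file may add them back. Suggest recording it next to the constraint, e.g. `# db_database db_schema db_table db_sequence db_view are deliberately not listed: like dir, they may hold objects at multiple levels and so are ranged`. It also seems worth confirming that, once these classes can be ranged, their create path is still bounded by the `( l1 eq l2 )` / `mlsdbwritetoclr` "write" ops constraint shown in the second hunk for db_database and by equivalent constraints for the other four classes, which are outside this patch and cannot be checked here.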