From: mike.palmiotto@crunchydata.com (Mike Palmiotto)
Date: Fri, 15 Jan 2016 16:54:38 -0500
Subject: [refpolicy] [PATCH 1/1] Add mls support for some db classes
In-Reply-To: <1452892893-5028-2-git-send-email-mike.palmiotto@crunchydata.com>
References: <1452892893-5028-1-git-send-email-mike.palmiotto@crunchydata.com>
 <1452892893-5028-2-git-send-email-mike.palmiotto@crunchydata.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Jan 15, 2016 at 4:21 PM, Mike Palmiotto wrote:
> Mirror file/dir approach.
>
> db objects which do not contain other objects at multiple levels are analogous
> to files:
> db_procedure
> db_language
> db_column
> db_tuple
> db_blob
>
> db objects which are capable of holding objects at multiple levels are
> analogous to dirs:
> db_database
> db_schema
> db_table
> db_sequence
> db_view

Figured this might be somewhat confusing, so here is some more clarification.

As the constraint currently stands, we are unable to create/relabel any object
to a level range in Enforcing. By getting rid of the "single level" constraint
(l2 eq h2) on certain database objects, we allow the ability to create a table
containing objects within the range s0-s2:c1.c4, for example. For objects such
as db_tuple, this does not currently make much sense, as a tuple will never
contain objects with "multiple levels."

Feel free to provide feedback/questions. I have a patch queued up to submit for
pull-request when the time comes.

> ---
> policy/mls | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/policy/mls b/policy/mls
> index 06e5106..c7c6fd5 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -763,8 +763,9 @@ mlsconstrain context contains
> #
>
> # make sure these database classes are "single level"
> -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
> +mlsconstrain { db_procedure db_language db_column db_blob } { create relabelto }
> ( l2 eq h2 );
> +
> mlsconstrain { db_tuple } { insert relabelto }
> ( l2 eq h2 );
>
> @@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
> ( t1 == mlsdbread ) or
> ( t2 == mlstrustedobject ));
>
> -# the "single level" file "write" ops
> +# the "single level" database "write" ops
> mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
> (( l1 eq l2 ) or
> (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> --
> 1.8.3.1

Thanks,
--Mike
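Review bot: In the first hunk (the `create relabelto` constraint at line 763), the comment "# make sure these database classes are "single level"" is left as-is while db_database, db_schema, db_table, db_sequence and db_view silently disappear from the class list; a reader of policy/mls has no way to learn the file/dir analogy that this mail gives. Suggest putting that rationale both in the comment (e.g. "# container classes (db_database db_schema db_table db_sequence db_view) may carry a range, like dirs") and in the commit message, since the commit message as posted says only "Add mls support for some db classes". Also, nothing in this hunk adds a constraint that objects created inside a now-ranged container fall within the container's range, so please confirm that the existing `mlsconstrain context contains` rule shown in the hunk header covers the db container classes, or say in the commit message that such a check is deferred.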
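Review bot: In the second hunk (the db_database "write" ops constraint at line 834), only the comment text changes, but the visible terms of the rule test the object's low level alone: `(( l1 eq l2 ) or` and `(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or`, with no term on h2. Once the first hunk lets db_database carry a range, a subject at l1 equal to the database's l2 passes this rule regardless of how high h2 goes, so the comment rename to "single level" is now misleading for this class; either keep db_database single-level for write ops or add the h2 handling that the dir "write" rules use, and note the choice in the commit message.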
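To make the effect of the constraint concrete, here is an added example (not part of the patch or of refpolicy) that models the two rules quoted in the thread: the `( l2 eq h2 )` single-level test and the visible terms of the db_database write rule. It assumes a simplified label syntax like `s0-s2:c1.c4` and implements only the `or` terms shown in the hunk, not the rest of the real constraint.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity plus a set of categories."""
    sens: int
    cats: frozenset


def parse_level(text):
    # "s2:c1.c4" -> Level(2, {1,2,3,4}); "s0" -> Level(0, {}); "s1:c2,c5" also ok
    sens, _, catpart = text.partition(":")
    cats = set()
    for piece in (catpart.split(",") if catpart else []):
        if "." in piece:                       # category range cX.cY
            lo, hi = piece.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(piece[1:]))
    return Level(int(sens[1:]), frozenset(cats))


def parse_range(text):
    # "s0-s2:c1.c4" -> (low, high); a single level "s1:c3" has low == high
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)


def dom(a, b):
    """a dominates b: higher-or-equal sensitivity and a superset of categories."""
    return a.sens >= b.sens and a.cats >= b.cats


def single_level(obj_ctx):
    """The `( l2 eq h2 )` constraint the patch drops for container classes."""
    l2, h2 = parse_range(obj_ctx)
    return l2 == h2


def db_database_write_allowed(subj_ctx, obj_ctx, mlsdbwritetoclr=False):
    """Only the terms visible in the hunk: ( l1 eq l2 ) or
    (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )).
    Note that h2 is never consulted (constructed model, not the full rule)."""
    l1, h1 = parse_range(subj_ctx)
    l2, _h2 = parse_range(obj_ctx)
    return l1 == l2 or (mlsdbwritetoclr and dom(h1, l2) and dom(l2, l1))
```

Running `single_level("s0-s2:c1.c4")` shows why the ranged table from the mail is rejected before the patch, and `db_database_write_allowed("s0", "s0-s3")` shows that the write rule ignores the object's high level.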