From: kaigai@kaigai.gr.jp (Kohei KaiGai)
Date: Thu, 21 Jan 2016 23:05:02 +0900
Subject: [refpolicy] [PATCH 1/1] Add mls support for some db classes
In-Reply-To: <1452892893-5028-2-git-send-email-mike.palmiotto@crunchydata.com>
References: <1452892893-5028-1-git-send-email-mike.palmiotto@crunchydata.com> <1452892893-5028-2-git-send-email-mike.palmiotto@crunchydata.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2016-01-16 6:21 GMT+09:00 Mike Palmiotto:
> Mirror file/dir approach.
>
> db objects which do not contain other objects at multiple levels are analogous
> to files:
> db_procedure
> db_language
> db_column
> db_tuple
> db_blob
>
> db objects which are capable of holding objects at multiple levels are
> analogous to dirs:
> db_database
> db_schema
> db_table
> db_sequence
> db_view
>
db_sequence and db_view also have no capability to contain other objects.
It may look like a view contains columns/tuples; however, they actually come
from other tables. A view is just an alias to tables, used to rewrite queries.
So, I think these two classes have an analogy to files, rather than directories.

> policy/mls | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/policy/mls b/policy/mls
> index 06e5106..c7c6fd5 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -763,8 +763,9 @@ mlsconstrain context contains > # > > # make sure these database classes are "single level" > -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } > +mlsconstrain { db_procedure db_language db_column db_blob } { create relabelto } > ( l2 eq h2 ); > + > mlsconstrain { db_tuple } { insert relabelto } > ( l2 eq h2 );
> > @@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select } > ( t1 == mlsdbread ) or > ( t2 == mlstrustedobject )); > > -# the "single level" file "write" ops > +# the "single level" database "write" ops > mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } > (( l1 eq l2 ) or > (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or > -- > 1.8.3.1

-- 
KaiGai Kohei
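Review bot: removing db_sequence and db_view from the `{ create relabelto }` set in the first hunk (the `-mlsconstrain { db_database ... db_blob }` / `+mlsconstrain { db_procedure db_language db_column db_blob }` pair) drops the `( l2 eq h2 )` check for two classes that, as the reply above points out, never hold objects of other levels: a view is an alias over tables and a sequence contains nothing. With the patch applied a view or sequence can be created or relabelled to a range with l2 != h2 while db_column and db_procedure still cannot, which is the opposite of the file/dir split the commit message describes. Suggest keeping both in the list, e.g. `+mlsconstrain { db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }`. The added blank `+` line after `( l2 eq h2 );` is an unrelated whitespace change and could be left out of this patch.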
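Review bot: the reworded comment in the second hunk, `+# the "single level" database "write" ops`, still says "single level", yet the rule directly beneath it is `mlsconstrain { db_database } { create drop setattr relabelfrom ... }`, and the first hunk deliberately takes db_database out of the single-level set as a dir-like class. Since this hunk only changes the comment, it should describe the classes it now heads: either drop the "single level" qualifier or reword it to match the multi-level (dir-like) case the commit message describes, so the comment and the constraint below it do not contradict each other.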
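As an added illustration of what the first hunk changes (this is not refpolicy code nor the patch author's), the following Python parses the two versions of the `( l2 eq h2 )` constraint quoted in hunk 1 and evaluates them for a `create` on objects labelled with a multi-level range. The rule text is copied from the hunk; the evaluator, the string comparison of levels and the `s0-s15` sample range are simplifying assumptions, not the kernel's constraint checker.

```python
# Added illustration (not refpolicy's or the patch author's code): model the
# '( l2 eq h2 )' single-level constraint in the two forms quoted in hunk 1.
import re

# Constructed from the hunk: the rule before (-) and after (+) the patch,
# whitespace normalised onto one line.
BEFORE = ("mlsconstrain { db_database db_schema db_table db_sequence db_view "
          "db_procedure db_language db_column db_blob } { create relabelto } "
          "( l2 eq h2 );")
AFTER = ("mlsconstrain { db_procedure db_language db_column db_blob } "
         "{ create relabelto } ( l2 eq h2 );")

# Only the '( l2 eq h2 )' form is handled: target low level equals high level.
RULE_RE = re.compile(r"mlsconstrain\s*\{([^}]*)\}\s*\{([^}]*)\}"
                     r"\s*\(\s*l2\s+eq\s+h2\s*\)\s*;")

def parse_single_level(rule):
    """Return (classes, perms) named by a single-level mlsconstrain rule."""
    m = RULE_RE.fullmatch(rule.strip())
    if m is None:
        raise ValueError("not a '( l2 eq h2 )' mlsconstrain rule")
    return frozenset(m.group(1).split()), frozenset(m.group(2).split())

def parse_range(mls_range):
    """Split an MLS range 'low-high' (or a single level 'low') into (l, h)."""
    low, _, high = mls_range.partition("-")
    return low, high or low

def permitted(rule, tclass, perm, target_range):
    """Does the rule allow `perm` on a `tclass` object labelled `target_range`?
    Assumption: levels compare as canonical strings such as 's0:c0.c3'."""
    classes, perms = parse_single_level(rule)
    if tclass not in classes or perm not in perms:
        return True            # constraint does not apply to this class/perm
    low, high = parse_range(target_range)
    return low == high         # ( l2 eq h2 ): object must be single level

def classes_dropped(before, after):
    """Classes that lose the single-level requirement between two versions."""
    return parse_single_level(before)[0] - parse_single_level(after)[0]

if __name__ == "__main__":
    for tclass in ("db_view", "db_sequence", "db_column"):
        old = permitted(BEFORE, tclass, "create", "s0-s15")
        new = permitted(AFTER, tclass, "create", "s0-s15")
        print(f"{tclass}: create with range s0-s15 {old} -> {new}")
    print("no longer single level:", sorted(classes_dropped(BEFORE, AFTER)))
```

Running it shows db_view and db_sequence going from denied to allowed for a ranged `create` while db_column stays denied, which is the behavioural effect the review comment above argues against.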