From: mike.palmiotto@crunchydata.com (Mike Palmiotto)
Date: Wed, 27 Jan 2016 15:21:36 -0500
Subject: [refpolicy] [PATCH v2 1/1] Add mls support for some db classes
Message-ID: <1453926096-25051-1-git-send-email-mike.palmiotto@crunchydata.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Mirror file/dir approach. db objects which do not contain other objects at multiple levels are analogous to files: db_sequence db_view db_procedure db_language db_tuple db_blob db objects which are capable of holding objects at multiple levels are analogous to dirs: db_database db_schema db_table db_column
---
 policy/mls | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/mls b/policy/mls
index 06e5106..70ed808 100644
--- a/policy/mls
+++ b/policy/mls
@@ -763,13 +763,14 @@ mlsconstrain context contains
 #
 # make sure these database classes are "single level"
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }
+mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto }
 ( l2 eq h2 );
+
 mlsconstrain { db_tuple } { insert relabelto }
 ( l2 eq h2 );
 # new database labels must be dominated by the relabeling subjects clearance
-mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }
+mlsconstrain { db_database db_schema db_table db_column } { relabelto }
 ( h1 dom h2 );
 # the database "read" ops (note the check is dominance of the low level)
@@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select }
 ( t1 == mlsdbread ) or
 ( t2 == mlstrustedobject ));
-# the "single level" file "write" ops
+# the "single level" database "write" ops
 mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
 (( l1 eq l2 ) or
 (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-- 
1.8.3.1
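Review bot: The second change in the first hunk drops db_sequence, db_view, db_procedure, db_language, db_tuple and db_blob from the `( h1 dom h2 )` relabelto constraint, and after that the only relabelto constraint still visible for those classes is the single-level `( l2 eq h2 )` rule, which says nothing about the subject's clearance. If I recall the file/dir rule this mirrors correctly, it keeps every file class (not just dir) under the "new labels must be dominated by the relabeling subject's clearance" check, so as written a subject could relabel one of these single-level objects to a level above its own clearance unless a constraint outside this hunk covers relabelto for them, which I cannot see from here. Removing db_database, db_schema, db_table and db_column from the single-level `create relabelto` rule is consistent with the stated dir analogy; the clearance rule is the part that looks over-trimmed. Unless another rule is intended to carry that check, keep the full class list on that line: `mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }`. The constraint block the hunk ends on (the database "read" ops) continues outside the hunk.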