From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 28 Jan 2016 15:43:01 -0500 Subject: [refpolicy] [PATCH v2 1/1] Add mls support for some db classes In-Reply-To: <1453926096-25051-1-git-send-email-mike.palmiotto@crunchydata.com> References: <1453926096-25051-1-git-send-email-mike.palmiotto@crunchydata.com> Message-ID: <56AA7D55.8050607@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 1/27/2016 3:21 PM, Mike Palmiotto wrote: > Mirror file/dir approach. > > db objects which do not contain other objects at multiple levels are analogous > to files: > db_sequence > db_view > db_procedure > db_language > db_tuple > db_blob > > db objects which are capable of holding objects at multiple levels are > analogous to dirs: > db_database > db_schema > db_table > db_column Merged. > --- > policy/mls | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/policy/mls b/policy/mls > index 06e5106..70ed808 100644 > --- a/policy/mls > +++ b/policy/mls > @@ -763,13 +763,14 @@ mlsconstrain context contains > # > > # make sure these database classes are "single level" > -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } > +mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto } > ( l2 eq h2 ); > + > mlsconstrain { db_tuple } { insert relabelto } > ( l2 eq h2 ); > > # new database labels must be dominated by the relabeling subjects clearance > -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } > +mlsconstrain { db_database db_schema db_table db_column } { relabelto } > ( h1 dom h2 ); > > # the database "read" ops (note the check is dominance of the low level) 
> @@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select } > ( t1 == mlsdbread ) or > ( t2 == mlstrustedobject )); > > -# the "single level" file "write" ops > +# the "single level" database "write" ops > mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } > (( l1 eq l2 ) or > (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
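Review bot: In the first hunk (@@ -763,13 +763,14 @@), the second constraint loses more than the commit message describes: the single-level classes db_sequence, db_view, db_procedure, db_language, db_tuple and db_blob are dropped from `mlsconstrain { ... } { relabelto } ( h1 dom h2 );`, so the "new database labels must be dominated by the relabeling subjects clearance" check no longer applies to them at all. The remaining `( l2 eq h2 )` constraint only forces the new label to be single-level; it does not tie that level to the subject's clearance. If the intent is to mirror the file/dir split, only the first (single-level) list should shrink, and the relabelto clearance list should keep all ten classes, i.e. `mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }` with `( h1 dom h2 );` unchanged. If the narrowing is deliberate, the commit message should say why the clearance check is no longer needed for single-level objects. The added blank line between the two single-level constraints is fine.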
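Review bot: In the second hunk (@@ -833,7 +834,7 @@), the comment wording "single level" database "write" ops is now inconsistent with the first hunk, which removes db_database from the single-level `( l2 eq h2 )` constraint and treats it as a multi-level container like a dir. Since the constraint that follows is `mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }`, consider dropping "single level" from the comment (or rewording it to say these are the database "write" ops) so the comment does not contradict the container/dir classification introduced in the same patch.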