diff --git a/Changelog b/Changelog index 677f0c4..549274c 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Database userspace object manager classes from KaiGai Kohei. - Add third-party interface for Apache CGI. - Add getserv and shmemserv nscd permissions. - Add debian apcupsd binary location, from Stefan Schulze Frielinghaus. diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 5f68fcc..3150be6 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -80,6 +80,20 @@ common ipc } # +# Define a common prefix for userspace database object access vectors. +# + +common database +{ + create + drop + getattr + setattr + relabelfrom + relabelto +} + +# # Define the access vectors. # # class class_name [ inherits common_name ] { permission_name ... } @@ -655,3 +669,60 @@ class memprotect { mmap_zero } + +class db_database +inherits database +{ + access + install_module + load_module + get_param + set_param +} + +class db_table +inherits database +{ + use + select + update + insert + delete + lock +} + +class db_procedure +inherits database +{ + execute + entrypoint +} + +class db_column +inherits database +{ + use + select + update + insert +} + +class db_tuple +{ + relabelfrom + relabelto + use + select + update + insert + delete +} + +class db_blob +inherits database +{ + read + write + import + export +} diff --git a/policy/flask/security_classes b/policy/flask/security_classes index c681855..1a3ff7b 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -99,4 +99,11 @@ class dccp_socket class memprotect +class db_database # userspace +class db_table # userspace +class db_procedure # userspace +class db_column # userspace +class db_tuple # userspace +class db_blob # userspace + # FLASK diff --git a/policy/mcs b/policy/mcs index aeb24bd..99d66c2 100644 --- a/policy/mcs +++ b/policy/mcs @@ -98,4 +98,35 @@ mlsconstrain process { ptrace } mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); +# +# MCS policy for SELinux-enabled databases +# + +# Any database object must be dominated by the relabeling subject +# clearance, also the objects are single-level. +mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +mlsconstrain { db_tuple } { insert relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + +# Access control for any database objects based on MCS rules. +mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param } + ( h1 dom h2 ); + +mlsconstrain db_table { drop setattr relabelfrom select update insert delete use } + ( h1 dom h2 ); + +mlsconstrain db_column { drop setattr relabelfrom select update insert use } + ( h1 dom h2 ); + +mlsconstrain db_tuple { relabelfrom select update delete use } + ( h1 dom h2 ); + +mlsconstrain db_procedure { execute } + ( h1 dom h2 ); + +mlsconstrain db_blob { drop setattr relabelfrom read write } + ( h1 dom h2 ); + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls index 16bd1df..3ce227b 100644 --- a/policy/mls +++ b/policy/mls @@ -600,4 +600,96 @@ mlsconstrain context translate mlsconstrain context contains ( h1 dom h2 ); +# +# MLS policy for database classes +# + +# make sure these database classes are "single level" +mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } + ( l2 eq h2 ); +mlsconstrain { db_tuple } { insert relabelto } + ( l2 eq h2 ); + +# new database labels must be dominated by the relabeling subjects clearance +mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } + ( h1 dom h2 ); + +# the database "read" ops (note the check is dominance of the low level) +mlsconstrain { db_database } { getattr access get_param } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_table db_column } { getattr use select } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_procedure } { getattr execute } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_blob } { getattr read } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_tuple } { use select } + (( l1 dom l2 ) or + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or + ( t1 == mlsdbread ) or + ( t2 == mlstrustedobject )); + +# the "single level" file "write" ops +mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete lock } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_column } { create drop setattr relabelfrom update insert } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_blob } { create drop setattr relabelfrom write import export } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +mlsconstrain { db_tuple } { relabelfrom update insert delete } + (( l1 eq l2 ) or + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or + ( t1 == mlsdbwrite ) or + ( t2 == mlstrustedobject )); + +# the database upgrade/downgrade rule +mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } + ((( l1 eq l2 ) or + (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or + (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or + (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and + (( l1 eq h2 ) or + (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or + (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or + (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 )))); + ') dnl end enable_mls diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index 769ef1f..6606745 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -491,3 +491,79 @@ interface(`mls_context_translate_all_levels',` typeattribute $1 mlstranslate; ') + +######################################## +## +## Make specified domain MLS trusted +## for reading from databases at any level. +## +## +## +## Domain allowed access. +## +## +# +interface(`mls_db_read_all_levels',` + gen_require(` + attribute mlsdbread; + ') + + typeattribute $1 mlsdbread; +') + +######################################## +## +## Make specified domain MLS trusted +## for writing to databases at any level. +## +## +## +## Domain allowed access. +## +## +# +interface(`mls_db_write_all_levels',` + gen_require(` + attribute mlsdbwrite; + ') + + typeattribute $1 mlsdbwrite; +') + +######################################## +## +## Make specified domain MLS trusted +## for raising the level of databases. +## +## +## +## Domain allowed access. +## +## +# +interface(`mls_db_upgrade',` + gen_require(` + attribute mlsdbupgrade; + ') + + typeattribute $1 mlsdbupgrade; +') + +######################################## +## +## Make specified domain MLS trusted +## for lowering the level of databases. +## +## +## +## Domain allowed access. +## +## +# +interface(`mls_db_downgrade',` + gen_require(` + attribute mlsdbdowngrade; + ') + + typeattribute $1 mlsdbdowngrade; +') diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index bd5f393..da0d2a0 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -1,5 +1,5 @@ -policy_module(mls,1.5.0) +policy_module(mls,1.5.1) ######################################## # @@ -43,6 +43,14 @@ attribute mlsxwinreadcolormap; attribute mlsxwinwritecolormap; attribute mlsxwinwritexinput; +attribute mlsdbread; +attribute mlsdbreadtoclr; +attribute mlsdbwrite; +attribute mlsdbwritetoclr; +attribute mlsdbwriteinrange; +attribute mlsdbupgrade; +attribute mlsdbdowngrade; + attribute mlstrustedobject; attribute privrangetrans;