* Fedora/SE-PostgreSQL
@ 2007-08-01 12:17 KaiGai Kohei
From: KaiGai Kohei @ 2007-08-01 12:17 UTC (permalink / raw)
To: cpebenito; +Cc: dwalsh, selinux
Hi,
A week ago, I submitted a review request for SE-PostgreSQL to
the Fedora project, as follows:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
The biggest issue is the lack of definitions of the new object classes
and access vectors related to databases.
The rest of the policy can be installed as a binary security policy module
packed within the RPM package, but these definitions and the MLS/MCS rules
cannot be put in a module.
The attached patch adds these definitions to the base policy.
I remember Chris said the following in the past:
> Is the code on a path to being merged upstream? I'm hesitant to apply
> class changes until the code is on a plan to be merged.
However, I would like you to consider it again.
I believe that the spread of secure applications like SE-PostgreSQL
can help promote SELinux further, and it is well worth making it
less complicated to maintain.
In addition, the next release of PostgreSQL with new features (8.4) is
planned for autumn 2008. It means that any SE-PostgreSQL users have to
replace the default selinux-policy package with the modified one for a year
or more, at least. I think that is senseless work.
It may be time for the definitions of the object classes related to databases
to be integrated into the base security policy.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: refpolicy-add-sepgsql-definitions.patch.patch --]
[-- Type: text/plain, Size: 9785 bytes --]
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy/policy/flask/security_classes (revision 2385)
+++ refpolicy/policy/flask/security_classes (working copy)
@@ -99,4 +99,12 @@
class memprotect
+# SE-PostgreSQL relation
+class database # userspace
+class table # userspace
+class procedure # userspace
+class column # userspace
+class tuple # userspace
+class blob # userspace
+
# FLASK
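Review bot: the six new classes (`database`, `table`, `procedure`, `column`, `tuple`, `blob`) are added as bare nouns in the single global class namespace, so a later userspace object manager (the X class rework discussed in this thread, or a second database engine) cannot add a class of the same name; a common prefix, e.g. `class db_table # userspace`, namespaces them and marks them as one family. The comment `# SE-PostgreSQL relation` also undersells the scope: the classes model generic relational objects, so something like `# database object classes (userspace)` would describe them better.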
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy/policy/flask/access_vectors (revision 2385)
+++ refpolicy/policy/flask/access_vectors (working copy)
@@ -80,6 +80,20 @@
}
#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
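Review bot: `common database` shares its name with the `class database` that inherits it further down; that is legal (the existing `common file` / `class file inherits file` pair does the same), but the comment above the common should say which classes are meant to inherit it, because one of the new classes (`tuple`) deliberately does not, and a reader of this hunk alone cannot tell whether that is intended.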
@@ -655,3 +669,61 @@
{
mmap_zero
}
+
+# definition for SE-PostgreSQL
+class database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param
+ set_param
+}
+
+class table
+inherits database
+{
+ use
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class column
+inherits database
+{
+ use
+ select
+ update
+ insert
+}
+
+class tuple
+{
+ relabelfrom
+ relabelto
+ use
+ select
+ update
+ insert
+ delete
+}
+
+class blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
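Review bot: `class tuple` is the only one of the six that does not inherit the `database` common; it re-declares `relabelfrom`/`relabelto` and has `insert`/`delete` where the others have `create`/`drop`. That matches the MLS/MCS rules later in the patch (tuple is constrained on `insert relabelto` rather than `create relabelto`), but a one-line comment above `class tuple` saying that rows are never created or dropped as objects, only inserted and deleted, would stop the next reader from treating it as an omission. Minor: `use` and `select` are repeated in `table`, `column` and `tuple`; if those three grow more shared permissions, a second common is cleaner than repetition.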
Index: refpolicy/policy/mcs
===================================================================
--- refpolicy/policy/mcs (revision 2385)
+++ refpolicy/policy/mcs (working copy)
@@ -98,4 +98,28 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+# MCS policy for SE-PostgreSQL
+#-------------------------------
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { database table procedure column blob } { create relabelto }
+ ((h1 dom h2) and ( l1 domby h2 ) and ( l2 eq h2 ));
+mlsconstrain tuple { insert relabelto }
+ (( h1 dom h2 ) and ( l1 domby h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain database { drop setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+mlsconstrain table { drop setattr relabelfrom select update insert delete use }
+ ( h1 dom h2 );
+mlsconstrain column { drop setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+mlsconstrain tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+mlsconstrain procedure { execute }
+ ( h1 dom h2 );
+mlsconstrain blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
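Review bot: the permission sets in the MCS `( h1 dom h2 )` rules do not line up with the MLS rules for the same classes in the `policy/mls` hunk: `table` omits `lock`, `blob` omits `import` and `export`, and `procedure` is constrained only on `execute` with no rule covering `drop setattr relabelfrom`, while the MLS hunk constrains all of those. Unless the gaps are deliberate, align the sets, e.g. `mlsconstrain table { drop setattr relabelfrom select update insert delete lock use }`. The comment `# Any database object must be dominated by the relabeling subject clearance, also the objects are single-level.` reads better as two sentences, one per conjunct of the rule below it.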
Index: refpolicy/policy/modules/kernel/mls.te
===================================================================
--- refpolicy/policy/modules/kernel/mls.te (revision 2385)
+++ refpolicy/policy/modules/kernel/mls.te (working copy)
@@ -43,6 +43,14 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+attribute mlsdatabaseread;
+attribute mlsdatabasereadtoclr;
+attribute mlsdatabasewrite;
+attribute mlsdatabasewritetoclr;
+attribute mlsdatabasewriteinrange;
+attribute mlsdatabaseupgrade;
+attribute mlsdatabasedowngrade;
+
attribute mlstrustedobject;
attribute privrangetrans;
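Review bot: seven attributes are declared here, but only four of them (`mlsdatabaseread`, `mlsdatabasewrite`, `mlsdatabaseupgrade`, `mlsdatabasedowngrade`) get an interface in the mls.if hunk; `mlsdatabasereadtoclr`, `mlsdatabasewritetoclr` and `mlsdatabasewriteinrange` are tested in the mls constraints but nothing can assign them, so those branches are dead policy. Either add the matching interfaces or drop the attributes together with the branches that test them. The names are also long next to the existing `mlsxwin*` family; a shorter stem such as `mlsdb` (suggested later in this thread) keeps the constraint lines readable.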
Index: refpolicy/policy/modules/kernel/mls.if
===================================================================
--- refpolicy/policy/modules/kernel/mls.if (revision 2385)
+++ refpolicy/policy/modules/kernel/mls.if (working copy)
@@ -406,6 +406,82 @@
########################################
## <summary>
+## Make specified domain MLS trusted
+## for reading from databases at higher levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_read_up',`
+ gen_require(`
+ attribute mlsdatabaseread;
+ ')
+
+ typeattribute $1 mlsdatabaseread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to databases at lower levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_write_down',`
+ gen_require(`
+ attribute mlsdatabasewrite;
+ ')
+
+ typeattribute $1 mlsdatabasewrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_upgrade',`
+ gen_require(`
+ attribute mlsdatabaseupgrade;
+ ')
+
+ typeattribute $1 mlsdatabaseupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_downgrade',`
+ gen_require(`
+ attribute mlsdatabasedowngrade;
+ ')
+
+ typeattribute $1 mlsdatabasedowngrade;
+')
+
+########################################
+## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
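Review bot: the four summaries say "reading from databases at higher levels" / "writing to databases at lower levels", but the attributes they set lift the level check on all six classes in the mls constraints (`table`, `column`, `tuple`, `procedure` and `blob` as well as `database`), so "database objects" is the accurate wording. Interfaces for the `mlsdatabasereadtoclr`, `mlsdatabasewritetoclr` and `mlsdatabasewriteinrange` attributes that the constraints also test are missing from this hunk; without them no module can ever take those branches.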
Index: refpolicy/policy/mls
===================================================================
--- refpolicy/policy/mls (revision 2385)
+++ refpolicy/policy/mls (working copy)
@@ -600,4 +600,109 @@
mlsconstrain context contains
( h1 dom h2 );
+#
+# MLS policy for the database related classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { database table procedure column blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subjects clearance
+mlsconstrain { database table procedure column tuple blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { database table procedure column blob } { getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { database } { access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { table column } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { procedure } { execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { blob } { read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { database table procedure column blob } { create drop setattr relabelfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { database } { install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { table } { update insert delete lock }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { column } { update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { blob } { write import export }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { database table procedure column tuple blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdatabaseupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdatabaseupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( h1 incomp h2 ))));
+
') dnl end enable_mls
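Review bot: in the `mlsvalidatetrans` rule the second conjunct opens with `( l1 eq h2 )` while the first opens with `( l1 eq l2 )`; the symmetric form, and the one that lets an unchanged range through without an upgrade/downgrade attribute, is `( h1 eq h2 )`. Because the create/relabelto constraints force these objects to be single-level the two currently coincide, but the rule should not depend on that. Two copied comments still say "file": `# new file labels must be dominated by the relabeling subjects clearance` and `# the "single level" file "write" ops`; change both to "database object". The six read constraints repeat one identical expression and differ only in class/permission sets, so where the sets coincide they can be merged, e.g. `mlsconstrain { table column tuple } { use select }`, or a comment should say they are kept apart per class on purpose.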
* Re: Fedora/SE-PostgreSQL
From: KaiGai Kohei @ 2007-08-06 12:14 UTC (permalink / raw)
To: cpebenito; +Cc: dwalsh, selinux
KaiGai Kohei wrote:
> A week ago, I submitted a review request for SE-PostgreSQL to
> the Fedora project, as follows:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>
> The biggest issue is the lack of definitions of the new object classes
> and access vectors related to databases.
> The rest of the policy can be installed as a binary security policy module
> packed within the RPM package, but these definitions and the MLS/MCS rules
> cannot be put in a module.
>
> The attached patch adds these definitions to the base policy.
Please don't neglect it, even though we have had fairly heavy traffic these past few days.
I would like any comments, to make the direction of SE-PostgreSQL clear.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Fedora/SE-PostgreSQL
From: Stephen Smalley @ 2007-08-06 19:23 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: cpebenito, dwalsh, selinux
On Wed, 2007-08-01 at 21:17 +0900, KaiGai Kohei wrote:
> Hi,
>
> A week ago, I submitted a review request for SE-PostgreSQL to
> the Fedora project, as follows:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>
> The biggest issue is the lack of definitions of the new object classes
> and access vectors related to databases.
> The rest of the policy can be installed as a binary security policy module
> packed within the RPM package, but these definitions and the MLS/MCS rules
> cannot be put in a module.
>
> The attached patch adds these definitions to the base policy.
>
> I remember Chris said the following in the past:
> > Is the code on a path to being merged upstream? I'm hesitant to apply
> > class changes until the code is on a plan to be merged.
>
> However, I would like you to consider it again.
> I believe that the spread of secure applications like SE-PostgreSQL
> can help promote SELinux further, and it is well worth making it
> less complicated to maintain.
>
> In addition, the next release of PostgreSQL with new features (8.4) is
> planned for autumn 2008. It means that any SE-PostgreSQL users have to
> replace the default selinux-policy package with the modified one for a year
> or more, at least. I think that is senseless work.
>
> It may be time for the definitions of the object classes related to databases
> to be integrated into the base security policy.
Likely a good idea as well to ensure that it does not collide with the X
object class rework.
--
Stephen Smalley
National Security Agency
* Re: Fedora/SE-PostgreSQL
From: KaiGai Kohei @ 2007-08-07 4:41 UTC (permalink / raw)
To: Stephen Smalley; +Cc: KaiGai Kohei, cpebenito, dwalsh, selinux, ewalsh
Stephen Smalley wrote:
> On Wed, 2007-08-01 at 21:17 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> A week ago, I submitted a review request for SE-PostgreSQL to
>> the Fedora project, as follows:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> The biggest issue is the lack of definitions of the new object classes
>> and access vectors related to databases.
>> The rest of the policy can be installed as a binary security policy module
>> packed within the RPM package, but these definitions and the MLS/MCS rules
>> cannot be put in a module.
>>
>> The attached patch adds these definitions to the base policy.
>>
>> I remember Chris said the following in the past:
>>> Is the code on a path to being merged upstream? I'm hesitant to apply
>>> class changes until the code is on a plan to be merged.
>> However, I would like you to consider it again.
>> I believe that the spread of secure applications like SE-PostgreSQL
>> can help promote SELinux further, and it is well worth making it
>> less complicated to maintain.
>>
>> In addition, the next release of PostgreSQL with new features (8.4) is
>> planned for autumn 2008. It means that any SE-PostgreSQL users have to
>> replace the default selinux-policy package with the modified one for a year
>> or more, at least. I think that is senseless work.
>>
>> It may be time for the definitions of the object classes related to databases
>> to be integrated into the base security policy.
>
> Likely a good idea as well to ensure that it does not collide with the X
> object class rework.
Future modification of the object class numbers is not a problem, because SE-PostgreSQL
can also obtain them via /selinux/class on kernel 2.6.23 or later.
Are you worried that the reworked X object classes use the same namespace
as the ones SE-PostgreSQL uses, like "database", "table" and so on?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: Fedora/SE-PostgreSQL
From: Stephen Smalley @ 2007-08-07 12:25 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, cpebenito, dwalsh, selinux, ewalsh
On Tue, 2007-08-07 at 13:41 +0900, KaiGai Kohei wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-08-01 at 21:17 +0900, KaiGai Kohei wrote:
> >> Hi,
> >>
> >> A week ago, I submitted a review request for SE-PostgreSQL to
> >> the Fedora project, as follows:
> >> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
> >>
> >> The biggest issue is the lack of definitions of the new object classes
> >> and access vectors related to databases.
> >> The rest of the policy can be installed as a binary security policy module
> >> packed within the RPM package, but these definitions and the MLS/MCS rules
> >> cannot be put in a module.
> >>
> >> The attached patch adds these definitions to the base policy.
> >>
> >> I remember Chris said the following in the past:
> >>> Is the code on a path to being merged upstream? I'm hesitant to apply
> >>> class changes until the code is on a plan to be merged.
> >> However, I would like you to consider it again.
> >> I believe that the spread of secure applications like SE-PostgreSQL
> >> can help promote SELinux further, and it is well worth making it
> >> less complicated to maintain.
> >>
> >> In addition, the next release of PostgreSQL with new features (8.4) is
> >> planned for autumn 2008. It means that any SE-PostgreSQL users have to
> >> replace the default selinux-policy package with the modified one for a year
> >> or more, at least. I think that is senseless work.
> >>
> >> It may be time for the definitions of the object classes related to databases
> >> to be integrated into the base security policy.
> >
> > Likely a good idea as well to ensure that it does not collide with the X
> > object class rework.
>
> Future modification of the object class numbers is not a problem, because SE-PostgreSQL
> can also obtain them via /selinux/class on kernel 2.6.23 or later.
Yes, but IIUC, you are still encoding the fixed class/perm numbers into
SE-PostgreSQL when running on older kernels. Which means that if we
take those values for the revamped X classes, we will break
SE-PostgreSQL on such systems.
> Are you worried that the reworked X object classes use the same namespace
> as the ones SE-PostgreSQL uses, like "database", "table" and so on?
No, although that brings up another point - I think Eamon intends to
prefix all of the X classes with "x" or "X" to "namespace" them, and you
may want to do likewise for PostgreSQL (not clear whether they should
use a postgres-specific prefix or just a db_ prefix to foster re-use for
other database managers).
Regardless, I'd like to make it easier for people to use SE-PostgreSQL,
and until such a time as we can add classes in a module, getting the
definitions into the refpolicy is needed.
--
Stephen Smalley
National Security Agency
* Re: Fedora/SE-PostgreSQL
From: KaiGai Kohei @ 2007-08-07 13:40 UTC (permalink / raw)
To: Stephen Smalley; +Cc: KaiGai Kohei, cpebenito, dwalsh, selinux, ewalsh
Stephen Smalley wrote:
> On Tue, 2007-08-07 at 13:41 +0900, KaiGai Kohei wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2007-08-01 at 21:17 +0900, KaiGai Kohei wrote:
>>>> Hi,
>>>>
>>>> A week ago, I submitted a review request for SE-PostgreSQL to
>>>> the Fedora project, as follows:
>>>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>>>
>>>> The biggest issue is the lack of definitions of the new object classes
>>>> and access vectors related to databases.
>>>> The rest of the policy can be installed as a binary security policy module
>>>> packed within the RPM package, but these definitions and the MLS/MCS rules
>>>> cannot be put in a module.
>>>>
>>>> The attached patch adds these definitions to the base policy.
>>>>
>>>> I remember Chris said the following in the past:
>>>>> Is the code on a path to being merged upstream? I'm hesitant to apply
>>>>> class changes until the code is on a plan to be merged.
>>>> However, I would like you to consider it again.
>>>> I believe that the spread of secure applications like SE-PostgreSQL
>>>> can help promote SELinux further, and it is well worth making it
>>>> less complicated to maintain.
>>>>
>>>> In addition, the next release of PostgreSQL with new features (8.4) is
>>>> planned for autumn 2008. It means that any SE-PostgreSQL users have to
>>>> replace the default selinux-policy package with the modified one for a year
>>>> or more, at least. I think that is senseless work.
>>>>
>>>> It may be time for the definitions of the object classes related to databases
>>>> to be integrated into the base security policy.
>>> Likely a good idea as well to ensure that it does not collide with the X
>>> object class rework.
>> Future modification of the object class numbers is not a problem, because SE-PostgreSQL
>> can also obtain them via /selinux/class on kernel 2.6.23 or later.
>
> Yes, but IIUC, you are still encoding the fixed class/perm numbers into
> SE-PostgreSQL when running on older kernels. Which means that if we
> take those values for the revamped X classes, we will break
> SE-PostgreSQL on such systems.
When SE-PostgreSQL runs on kernel 2.6.22 or earlier, it indeed uses
the fixed class/perm numbers. However, I added a dependency on a specific
version of the security policy, to avoid it being replaced without updating
SE-PostgreSQL at the same time.
I can provide a package without fixed class/perm number support for
rawhide. However, I think a package for Fedora 7, which needs the fixed ones,
should be provided for a while.
>> Are you worried that the reworked X object classes use the same namespace
>> as the ones SE-PostgreSQL uses, like "database", "table" and so on?
>
> No, although that brings up another point - I think Eamon intends to
> prefix all of the X classes with "x" or "X" to "namespace" them, and you
> may want to do likewise for PostgreSQL (not clear whether they should
> use a postgres-specific prefix or just a db_ prefix to foster re-use for
> other database managers).
The access control model of SE-PostgreSQL is generic to the relational database
model, so I prefer a "db_" prefix for the new object classes.
In addition, if someone worked on SE-MySQL, several similar but different object
classes, like "pg_table" and "my_table", would cause confusion.
> Regardless, I'd like to make it easier for people to use SE-PostgreSQL,
> and until such a time as we can add classes in a module, getting the
> definitions into the refpolicy is needed.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: Fedora/SE-PostgreSQL
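Added example, not SE-PostgreSQL's code: a Python model of the lookup strategy described in the exchange above. It resolves class and permission numbers from a selinuxfs-style `class/<name>/index` and `class/<name>/perms/<perm>` tree when the kernel exports one, falls back to a compiled-in table when it does not, and checks for the case Stephen raises, where the loaded policy's numbers no longer match the compiled-in ones. The class names, numbers and the fake selinuxfs tree are constructed for this example and are not the values of any real policy.

```python
import os
import tempfile

# Constructed stand-in for the table a userspace object manager would embed
# for kernels that do not export /selinux/class; the numbers are made up.
FIXED_CLASSES = {"db_database": 62, "db_table": 63}
FIXED_PERMS = {
    "db_database": ["create", "drop", "getattr", "setattr", "relabelfrom",
                    "relabelto", "access", "install_module", "load_module",
                    "get_param", "set_param"],
    "db_table": ["create", "drop", "getattr", "setattr", "relabelfrom",
                 "relabelto", "use", "select", "update", "insert", "delete",
                 "lock"],
}


def _read_int(path):
    with open(path) as f:
        return int(f.read().strip())


def selinuxfs_has_classes(root):
    """True when the kernel exports class/permission numbers (2.6.23+ layout)."""
    return os.path.isdir(os.path.join(root, "class"))


def lookup_selinuxfs(root, cls, perm):
    """Return (class_index, perm_bit) read from <root>/class/<cls>/.

    selinuxfs stores a 1-based permission index; the access vector bit is
    1 << (index - 1). Returns None when the loaded policy lacks the class or
    permission, which a userspace object manager must treat as "deny".
    """
    cls_dir = os.path.join(root, "class", cls)
    idx_path = os.path.join(cls_dir, "index")
    perm_path = os.path.join(cls_dir, "perms", perm)
    if not (os.path.isfile(idx_path) and os.path.isfile(perm_path)):
        return None
    return _read_int(idx_path), 1 << (_read_int(perm_path) - 1)


def lookup_fixed(cls, perm):
    """Compiled-in numbers; the bit follows the declaration order in FIXED_PERMS."""
    perms = FIXED_PERMS.get(cls)
    if cls not in FIXED_CLASSES or perms is None or perm not in perms:
        return None
    return FIXED_CLASSES[cls], 1 << perms.index(perm)


def resolve(root, cls, perm):
    """Prefer the kernel's numbers; use the fixed table only when the kernel
    exports none, so a renumbered base policy cannot silently change meaning."""
    if selinuxfs_has_classes(root):
        found = lookup_selinuxfs(root, cls, perm)
        if found is None:
            raise LookupError(f"loaded policy defines no {cls}:{perm}")
        return found
    found = lookup_fixed(cls, perm)
    if found is None:
        raise LookupError(f"no compiled-in number for {cls}:{perm}")
    return found


def fixed_table_mismatches(root):
    """List (class, compiled_in, loaded) triples where the numbers disagree.

    This is the failure mode from the thread: if the base policy later hands
    these numbers to other classes, a binary using the fixed table would query
    the wrong class. Missing classes are reported with loaded == None.
    """
    out = []
    for cls, fixed_idx in FIXED_CLASSES.items():
        idx_path = os.path.join(root, "class", cls, "index")
        actual = _read_int(idx_path) if os.path.isfile(idx_path) else None
        if actual != fixed_idx:
            out.append((cls, fixed_idx, actual))
    return out


def build_fake_selinuxfs(classes):
    """Construct a selinuxfs-like tree in a temp dir for offline testing.

    `classes` maps class name -> (index, [permission names in policy order]).
    """
    root = tempfile.mkdtemp(prefix="fake-selinuxfs-")
    for cls, (idx, perms) in classes.items():
        perm_dir = os.path.join(root, "class", cls, "perms")
        os.makedirs(perm_dir)
        with open(os.path.join(root, "class", cls, "index"), "w") as f:
            f.write(f"{idx}\n")
        for n, perm in enumerate(perms, start=1):
            with open(os.path.join(perm_dir, perm), "w") as f:
                f.write(f"{n}\n")
    return root


if __name__ == "__main__":
    new_kernel = build_fake_selinuxfs({"db_table": (70, FIXED_PERMS["db_table"])})
    print(resolve(new_kernel, "db_table", "select"))     # kernel-provided numbers
    print(fixed_table_mismatches(new_kernel))             # compiled-in table is stale
    print(resolve("/nonexistent-selinuxfs", "db_table", "select"))  # fallback path
```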
From: Christopher J. PeBenito @ 2007-08-07 12:25 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: dwalsh, selinux
On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
> Hi,
>
> A week ago, I submitted a review request of SE-PostgreSQL to
> the Fedora project as follows:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>
> The biggest issue is lack of definitions of new object classes
> and access vectors related to database.
> Rest of policies can be installed as a binary security policy module
> packed within the RPM package, but these definitions and MLS/MCS rules
> cannot be moduled.
>
> The attached patch adds these definitions to the base policy.
[...]
> --- refpolicy/policy/flask/security_classes (revision 2385)
> +++ refpolicy/policy/flask/security_classes (working copy)
> @@ -99,4 +99,12 @@
>
> class memprotect
>
> +# SE-PostgreSQL relation
> +class database # userspace
> +class table # userspace
> +class procedure # userspace
> +class column # userspace
> +class tuple # userspace
> +class blob # userspace
> +
> # FLASK
I'm thinking that (with the exception of database) the object
classes should probably be prefixed with "db", so you know they are
related.
Interface naming:
> +interface(`mls_database_read_up',`
mls_db_read_all_levels
> +interface(`mls_database_write_down',`
mls_db_write_all_levels
> +interface(`mls_database_upgrade',`
mls_db_upgrade
> +interface(`mls_database_downgrade',`
mls_db_downgrade
> +# the database upgrade/downgrade rule
> +mlsvalidatetrans { database table procedure column tuple blob }
> + ((( l1 eq l2 ) or
> + (( t3 == mlsdatabaseupgrade ) and ( l1 domby l2 )) or
> + (( t3 == mlsdatabasedowngrade ) and ( l1 dom l2 )) or
> + (( t3 == mlsdatabasedowngrade ) and ( l1 incomp l2 ))) and
> + (( l1 eq h2 ) or
> + (( t3 == mlsdatabaseupgrade ) and ( h1 domby h2 )) or
> + (( t3 == mlsdatabasedowngrade ) and ( h1 dom h2 )) or
> + (( t3 == mlsdatabasedowngrade ) and ( h1 incomp h2 ))));
> +
> ') dnl end enable_mls
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Fedora/SE-PostgreSQL
From: KaiGai Kohei @ 2007-08-07 13:51 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, dwalsh, selinux
Christopher J. PeBenito wrote:
> On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
>> Hi,
>>
>> A week ago, I submitted a review request of SE-PostgreSQL to
>> the Fedora project as follows:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> The biggest issue is lack of definitions of new object classes
>> and access vectors related to database.
>> Rest of policies can be installed as a binary security policy module
>> packed within the RPM package, but these definitions and MLS/MCS rules
>> cannot be moduled.
>>
>> The attached patch adds these definitions to the base policy.
> [...]
>> --- refpolicy/policy/flask/security_classes (revision 2385)
>> +++ refpolicy/policy/flask/security_classes (working copy)
>> @@ -99,4 +99,12 @@
>>
>> class memprotect
>>
>> +# SE-PostgreSQL relation
>> +class database # userspace
>> +class table # userspace
>> +class procedure # userspace
>> +class column # userspace
>> +class tuple # userspace
>> +class blob # userspace
>> +
>> # FLASK
>
> I'm thinking that (with the exception of database) the object
> classes should probably be prefixed with "db", so you know they are
> related.
Chris, thanks for your comments.
As Stephen also pointed out, I'll add a "db_" prefix to each class.
I don't think the database class should be an exception.
"db_database" will mean a database object managed by an RDBMS working
with SELinux. The name may be a bit strange, but its meaning is clear.
> Interface naming:
>
>> +interface(`mls_database_read_up',`
>
> mls_db_read_all_levels
>
>> +interface(`mls_database_write_down',`
>
> mls_db_write_all_levels
>
>> +interface(`mls_database_upgrade',`
>
> mls_db_upgrade
>
>> +interface(`mls_database_downgrade',`
>
> mls_db_downgrade
OK, I'll rename these interfaces to the simpler names.
Is it necessary to make the attribute names shorter?
Thanks,
>> +# the database upgrade/downgrade rule
>> +mlsvalidatetrans { database table procedure column tuple blob }
>> + ((( l1 eq l2 ) or
>> + (( t3 == mlsdatabaseupgrade ) and ( l1 domby l2 )) or
>> + (( t3 == mlsdatabasedowngrade ) and ( l1 dom l2 )) or
>> + (( t3 == mlsdatabasedowngrade ) and ( l1 incomp l2 ))) and
>> + (( l1 eq h2 ) or
>> + (( t3 == mlsdatabaseupgrade ) and ( h1 domby h2 )) or
>> + (( t3 == mlsdatabasedowngrade ) and ( h1 dom h2 )) or
>> + (( t3 == mlsdatabasedowngrade ) and ( h1 incomp h2 ))));
>> +
>> ') dnl end enable_mls
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
* Re: Fedora/SE-PostgreSQL
From: Christopher J. PeBenito @ 2007-08-07 14:09 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, dwalsh, selinux
On Tue, 2007-08-07 at 22:51 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
> > Interface naming:
> >
> >> +interface(`mls_database_read_up',`
> >
> > mls_db_read_all_levels
> >
> >> +interface(`mls_database_write_down',`
> >
> > mls_db_write_all_levels
> >
> >> +interface(`mls_database_upgrade',`
> >
> > mls_db_upgrade
> >
> >> +interface(`mls_database_downgrade',`
> >
> > mls_db_downgrade
>
> OK, I'll rename these interfaces to the simpler names.
> Is it necessary to make the attribute names shorter?
Not strictly, but it probably would be a good idea.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Fedora/SE-PostgreSQL
From: KaiGai Kohei @ 2007-08-07 17:28 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, dwalsh, selinux
[-- Attachment #1: Type: text/plain, Size: 1275 bytes --]
The attached patch adds definitions of new classes and permissions,
and MLS/MCS rules.
The following items are the differences from the first patch.
* add "db_" prefix for each object class.
e.g. "table" -> "db_table"
* interfaces in policy/modules/kernel/mls.if are renamed.
- mls_database_read_up -> mls_db_read_all_levels
- mls_database_write_down -> mls_db_write_all_levels
- mls_database_upgrade -> mls_db_upgrade
- mls_database_downgrade -> mls_db_downgrade
* MLS attributes related to database are renamed
- mlsdatabaseXXXXX -> mlsdbXXXXX
Any comments, please.
Christopher J. PeBenito wrote:
> On Tue, 2007-08-07 at 22:51 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
>
>>> Interface naming:
>>>
>>>> +interface(`mls_database_read_up',`
>>> mls_db_read_all_levels
>>>
>>>> +interface(`mls_database_write_down',`
>>> mls_db_write_all_levels
>>>
>>>> +interface(`mls_database_upgrade',`
>>> mls_db_upgrade
>>>
>>>> +interface(`mls_database_downgrade',`
>>> mls_db_downgrade
>> OK, I'll rename these interfaces more simple.
>> Is it necessary to make the attribute names shorter?
>
> Not strictly, but it probably would be a good idea.
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: refpolicy-add-sepgsql-definitions.v2.patch --]
[-- Type: text/plain, Size: 9250 bytes --]
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy/policy/flask/security_classes (revision 2386)
+++ refpolicy/policy/flask/security_classes (working copy)
@@ -99,4 +99,12 @@
class memprotect
+# SE-PostgreSQL relation
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
# FLASK
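Review bot: the comment `# SE-PostgreSQL relation` reads as the SQL term for a table; since all six classes are database objects managed by SE-PostgreSQL, `# SE-PostgreSQL related classes` or `# userspace database classes` says what the block is. The trailing `# userspace` markers follow this file's convention for classes enforced by a userspace object manager rather than the kernel, so those are fine as they stand.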
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy/policy/flask/access_vectors (revision 2386)
+++ refpolicy/policy/flask/access_vectors (working copy)
@@ -80,6 +80,20 @@
}
#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
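Review bot: the comment `# Define a common prefix for userspace database object access vectors.` describes a `common` block, which is a shared permission set that classes pull in via `inherits`, not a prefix; `# Define common permissions for the userspace database object classes.` matches what follows and mirrors the wording of the `common file` and `common socket` blocks earlier in this file.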
@@ -655,3 +669,61 @@
{
mmap_zero
}
+
+# definition for SE-PostgreSQL
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param
+ set_param
+}
+
+class db_table
+inherits database
+{
+ use
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class db_column
+inherits database
+{
+ use
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
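Review bot: `db_tuple` is the only class that does not `inherits database` and instead lists `relabelfrom` and `relabelto` itself; a one-line comment explaining that tuples have no create/drop/getattr/setattr (with `insert` playing the role `create` plays for the other classes, as the single-level rules later in this patch treat it) would stop the next reader from asking whether the omission is an oversight. Also, `db_procedure { execute entrypoint }` introduces `entrypoint`, but no `mlsconstrain` rule in the mcs or mls hunks of this patch mentions it; either document it as deliberately unconstrained or add it alongside `execute`.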
Index: refpolicy/policy/mcs
===================================================================
--- refpolicy/policy/mcs (revision 2386)
+++ refpolicy/policy/mcs (working copy)
@@ -98,4 +98,28 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+# MCS policy for SE-PostgreSQL
+#-------------------------------
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ ((h1 dom h2) and ( l2 eq h2 ));
+mlsconstrain { db_tuple } { insert relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+ ( h1 dom h2 );
+mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+mlsconstrain db_procedure { execute }
+ ( h1 dom h2 );
+mlsconstrain db_blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
Index: refpolicy/policy/modules/kernel/mls.te
===================================================================
--- refpolicy/policy/modules/kernel/mls.te (revision 2386)
+++ refpolicy/policy/modules/kernel/mls.te (working copy)
@@ -43,6 +43,14 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+attribute mlsdbread;
+attribute mlsdbreadtoclr;
+attribute mlsdbwrite;
+attribute mlsdbwritetoclr;
+attribute mlsdbwriteinrange;
+attribute mlsdbupgrade;
+attribute mlsdbdowngrade;
+
attribute mlstrustedobject;
attribute privrangetrans;
Index: refpolicy/policy/modules/kernel/mls.if
===================================================================
--- refpolicy/policy/modules/kernel/mls.if (revision 2386)
+++ refpolicy/policy/modules/kernel/mls.if (working copy)
@@ -406,6 +406,82 @@
########################################
## <summary>
+## Make specified domain MLS trusted
+## for reading from databases at higher levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_read_all_levels',`
+ gen_require(`
+ attribute mlsdbread;
+ ')
+
+ typeattribute $1 mlsdbread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to databases at lower levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_write_all_levels',`
+ gen_require(`
+ attribute mlsdbwrite;
+ ')
+
+ typeattribute $1 mlsdbwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_upgrade',`
+ gen_require(`
+ attribute mlsdbupgrade;
+ ')
+
+ typeattribute $1 mlsdbupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_downgrade',`
+ gen_require(`
+ attribute mlsdbdowngrade;
+ ')
+
+ typeattribute $1 mlsdbdowngrade;
+')
+
+########################################
+## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
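Review bot: of the seven attributes the mls.te hunk declares, only `mlsdbread`, `mlsdbwrite`, `mlsdbupgrade` and `mlsdbdowngrade` get an interface here. `mlsdbreadtoclr` and `mlsdbwritetoclr` (tested on the subject, `t1`) and `mlsdbwriteinrange` (tested on the object, `t2`) appear in the `policy/mls` constraints but no module can assign them, so they are dead until to-clearance / within-range interfaces are added for them, following the pattern of the existing file interfaces in this file, or they should be dropped from mls.te. Minor: the summaries say "databases at higher levels" / "at lower levels" while the interface names say `all_levels`; pick one wording.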
Index: refpolicy/policy/mls
===================================================================
--- refpolicy/policy/mls (revision 2386)
+++ refpolicy/policy/mls (working copy)
@@ -600,4 +600,96 @@
mlsconstrain context contains
( h1 dom h2 );
+#
+# MLS policy for the database related classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { db_tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new database labels must be dominated by the relabeling subjects clearance
+mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { db_database } { getattr access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table db_column } { getattr use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_procedure } { getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { getattr read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete lock }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { create drop setattr relabelfrom write import export }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
+
') dnl end enable_mls
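Review bot: the `mlsconstrain { db_tuple } { use select }` rule compares `t1` against `mlsdatabasereadtoclr` and `mlsdatabaseread`, but the mls.te hunk declares only the renamed `mlsdbreadtoclr` and `mlsdbread`; nothing in the patch declares the old names, so the policy will not build as posted, and if a type of that name were ever introduced the rule would silently test the wrong thing. The four sibling read rules (`db_database`, `db_table db_column`, `db_procedure`, `db_blob`) already use the renamed attributes, so this is the one rule the rename missed; change the two names to `mlsdbreadtoclr` and `mlsdbread`.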
* Re: Fedora/SE-PostgreSQL
2007-08-07 17:28 ` Fedora/SE-PostgreSQL KaiGai Kohei
@ 2007-08-08 1:12 ` Joshua Brindle
2007-08-08 12:33 ` Fedora/SE-PostgreSQL Christopher J. PeBenito
2007-08-09 11:16 ` Fedora/SE-PostgreSQL KaiGai Kohei
1 sibling, 1 reply; 15+ messages in thread
From: Joshua Brindle @ 2007-08-08 1:12 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: Christopher J. PeBenito, KaiGai Kohei, dwalsh, selinux
KaiGai Kohei wrote:
> The attached patch adds definitions of new classes and permissions,
> and MLS/MCS rules.
>
> Following items are differences from the first patch.
>
> * add "db_" prefix for each object classes.
> e.g) "table" -> "db_table"
> * interfaces in policy/modules/kernel/mls.if are renamed.
> - mls_database_read_up -> mls_db_read_all_levels
> - mls_database_write_down -> mls_db_write_all_levels
> - mls_database_upgrade -> mls_db_upgrade
> - mls_database_downgrade -> mls_db_downgrade
> * MLS attributes related to database are renamed
> - mlsdatabaseXXXXX -> mlsdbXXXXX
>
> Any comment please,
>
> Christopher J. PeBenito wrote:
>> On Tue, 2007-08-07 at 22:51 +0900, KaiGai Kohei wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
>>>> Interface naming:
>>>>
>>>>> +interface(`mls_database_read_up',`
>>>> mls_db_read_all_levels
>>>>
>>>>> +interface(`mls_database_write_down',`
>>>> mls_db_write_all_levels
>>>>
>>>>> +interface(`mls_database_upgrade',`
>>>> mls_db_upgrade
>>>>
>>>>> +interface(`mls_database_downgrade',`
>>>> mls_db_downgrade
>>> OK, I'll rename these interfaces more simple.
>>> Is it necessary to make the attribute names shorter?
>> Not strictly, but it probably would be a good idea.
>>
>
These interface names seem kind of ambiguous: they could mean downgrading
the database files on disk or within an SELinux-aware database server.
They also have very low granularity, but I haven't decided if that
matters much.
It would be nice to have less ambiguous interface names, though.
* Re: Fedora/SE-PostgreSQL
2007-08-08 1:12 ` Fedora/SE-PostgreSQL Joshua Brindle
@ 2007-08-08 12:33 ` Christopher J. PeBenito
2007-08-08 17:25 ` Fedora/SE-PostgreSQL KaiGai Kohei
0 siblings, 1 reply; 15+ messages in thread
From: Christopher J. PeBenito @ 2007-08-08 12:33 UTC (permalink / raw)
To: Joshua Brindle; +Cc: KaiGai Kohei, KaiGai Kohei, dwalsh, selinux
On Tue, 2007-08-07 at 21:12 -0400, Joshua Brindle wrote:
> KaiGai Kohei wrote:
> > The attached patch adds definitions of new classes and permissions,
> > and MLS/MCS rules.
> >
> > Following items are differences from the first patch.
> >
> > * add "db_" prefix for each object classes.
> > e.g) "table" -> "db_table"
> > * interfaces in policy/modules/kernel/mls.if are renamed.
> > - mls_database_read_up -> mls_db_read_all_levels
> > - mls_database_write_down -> mls_db_write_all_levels
> > - mls_database_upgrade -> mls_db_upgrade
> > - mls_database_downgrade -> mls_db_downgrade
> > * MLS attributes related to database are renamed
> > - mlsdatabaseXXXXX -> mlsdbXXXXX
> >
> > Any comment please,
> >
> > Christopher J. PeBenito wrote:
> >> On Tue, 2007-08-07 at 22:51 +0900, KaiGai Kohei wrote:
> >>> Christopher J. PeBenito wrote:
> >>>> On Wed, 2007-08-01 at 08:17 -0400, KaiGai Kohei wrote:
> >>>> Interface naming:
> >>>>
> >>>>> +interface(`mls_database_read_up',`
> >>>> mls_db_read_all_levels
> >>>>
> >>>>> +interface(`mls_database_write_down',`
> >>>> mls_db_write_all_levels
> >>>>
> >>>>> +interface(`mls_database_upgrade',`
> >>>> mls_db_upgrade
> >>>>
> >>>>> +interface(`mls_database_downgrade',`
> >>>> mls_db_downgrade
> >>> OK, I'll rename these interfaces more simple.
> >>> Is it necessary to make the attribute names shorter?
> >> Not strictly, but it probably would be a good idea.
> >>
> >
>
> These interface names seem kind of ambiguous, they could mean downgrade
> the database files on disk or within an selinux aware database server.
> They also have very low granularity, but I haven't decided if that
> matters much.
>
> It would be nice to have less ambiguous interface names though.
All of the mls interfaces are coarse, as they make mls exemptions. If
it was talking about the files on disk, you would be using the mls file
downgrade interface.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Fedora/SE-PostgreSQL
2007-08-08 12:33 ` Fedora/SE-PostgreSQL Christopher J. PeBenito
@ 2007-08-08 17:25 ` KaiGai Kohei
0 siblings, 0 replies; 15+ messages in thread
From: KaiGai Kohei @ 2007-08-08 17:25 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Joshua Brindle, KaiGai Kohei, dwalsh, selinux
Christopher J. PeBenito wrote:
> On Tue, 2007-08-07 at 21:12 -0400, Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> The attached patch adds definitions of new classes and permissions,
>>> and MLS/MCS rules.
>>>
>>> Following items are differences from the first patch.
>>>
>>> * add "db_" prefix for each object classes.
>>> e.g) "table" -> "db_table"
>>> * interfaces in policy/modules/kernel/mls.if are renamed.
>>> - mls_database_read_up -> mls_db_read_all_levels
>>> - mls_database_write_down -> mls_db_write_all_levels
>>> - mls_database_upgrade -> mls_db_upgrade
>>> - mls_database_downgrade -> mls_db_downgrade
>>> * MLS attributes related to database are renamed
>>> - mlsdatabaseXXXXX -> mlsdbXXXXX
>> These interface names seem kind of ambiguous, they could mean downgrade
>> the database files on disk or within an selinux aware database server.
>> They also have very low granularity, but I haven't decided if that
>> matters much.
>>
>> It would be nice to have less ambiguous interface names though.
>
> All of the mls interfaces are coarse, as they make mls exemptions. If
> it was talking about the files on disk, you would be using the mls file
> downgrade interface.
I don't have any particular opinion about its naming scheme.
(It is possible to update the patch again, if necessary.)
Are there any other opinions on the new "db_"-prefixed object classes?
I have just started modifying SE-PostgreSQL to use these prefixed ones.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
* Re: Fedora/SE-PostgreSQL
2007-08-07 17:28 ` Fedora/SE-PostgreSQL KaiGai Kohei
2007-08-08 1:12 ` Fedora/SE-PostgreSQL Joshua Brindle
@ 2007-08-09 11:16 ` KaiGai Kohei
2007-08-09 13:08 ` Fedora/SE-PostgreSQL Christopher J. PeBenito
1 sibling, 1 reply; 15+ messages in thread
From: KaiGai Kohei @ 2007-08-09 11:16 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: KaiGai Kohei, dwalsh, selinux
[-- Attachment #1: Type: text/plain, Size: 1007 bytes --]
KaiGai Kohei wrote:
> The attached patch adds definitions of new classes and permissions,
> and MLS/MCS rules.
>
> Following items are differences from the first patch.
>
> * add "db_" prefix for each object classes.
> e.g) "table" -> "db_table"
> * interfaces in policy/modules/kernel/mls.if are renamed.
> - mls_database_read_up -> mls_db_read_all_levels
> - mls_database_write_down -> mls_db_write_all_levels
> - mls_database_upgrade -> mls_db_upgrade
> - mls_database_downgrade -> mls_db_downgrade
> * MLS attributes related to database are renamed
> - mlsdatabaseXXXXX -> mlsdbXXXXX
Oops, the following attributes were not renamed in the previous patch:
| +mlsconstrain { db_tuple } { use select }
| + (( l1 dom l2 ) or
| + (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
| + ( t1 == mlsdatabaseread ) or
| + ( t2 == mlstrustedobject ));
The attached one (v3) fixes them.
I want it to be applied.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
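A small lint that would have caught the stale attribute names before v2 was posted. This is an added example, not part of KaiGai's patch or of the refpolicy build tooling; the two policy fragments are constructed from the v2 hunks and the regexes are written for this illustration.

```python
"""Lint SELinux MLS constraint rules for attribute names that were never
declared, the class of defect the v3 patch fixes (v2's db_tuple read rule
kept the pre-rename mlsdatabase* names).

Added illustration, not part of the patch: the regexes and the sample
fragments below are constructed for this example."""
import re

# Constructed sample: the v2 mls.te attribute block (abridged) ...
SAMPLE_MLS_TE = """\
attribute mlsdbread;
attribute mlsdbreadtoclr;
attribute mlsdbwrite;
attribute mlstrustedobject;
"""

# ... and two v2 read rules, the db_tuple one carrying the stale names.
SAMPLE_MLS = """\
# the database "read" ops (note the check is dominance of the low level)
mlsconstrain { db_tuple } { use select }
	(( l1 dom l2 ) or
	 (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsdatabaseread ) or
	 ( t2 == mlstrustedobject ));

mlsconstrain { db_blob } { getattr read }
	(( l1 dom l2 ) or
	 (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
	 ( t1 == mlsdbread ) or
	 ( t2 == mlstrustedobject ));
"""

ATTR_DECL = re.compile(r"^\s*attribute\s+(\w+)\s*;", re.MULTILINE)
# t1 / t2 / t3 compared with a type or attribute name inside a rule body
TYPE_REF = re.compile(r"\bt[123]\s*(?:==|!=)\s*(\w+)")
RULE_KEYWORDS = ("mlsconstrain", "mlsvalidatetrans")


def declared_attributes(te_text):
    """Names introduced by `attribute NAME;` statements."""
    return set(ATTR_DECL.findall(te_text))


def split_rules(policy_text):
    """Return each mlsconstrain/mlsvalidatetrans statement as one string.
    '#' comments are dropped first and statements end at ';', so a rule
    wrapped over several lines is still handled as a unit."""
    no_comments = re.sub(r"#.*", "", policy_text)
    rules = []
    for stmt in no_comments.split(";"):
        stmt = stmt.strip()
        if stmt.startswith(RULE_KEYWORDS):
            rules.append(stmt)
    return rules


def rule_header(stmt):
    """Class/permission part of a rule (its first line), whitespace-normalised."""
    return " ".join(stmt.splitlines()[0].split())


def undeclared_references(policy_text, declared, known_types=frozenset()):
    """(rule header, name) for every tN comparison whose right-hand side is
    neither a declared attribute nor a known type. On a full policy, pass
    the `type` declarations as known_types so real types are not flagged."""
    findings = []
    for stmt in split_rules(policy_text):
        for name in TYPE_REF.findall(stmt):
            if name not in declared and name not in known_types:
                findings.append((rule_header(stmt), name))
    return findings


def lint(policy_text, te_text):
    """Human-readable report lines; empty when every reference resolves."""
    declared = declared_attributes(te_text)
    return ["%s: '%s' is not a declared attribute" % (hdr, name)
            for hdr, name in undeclared_references(policy_text, declared)]


if __name__ == "__main__":
    for line in lint(SAMPLE_MLS, SAMPLE_MLS_TE) or ["no undeclared references"]:
        print(line)
```

Run against the v3 text (all `mlsdb*`) the report is empty; against v2 it names the two stale attributes in the `db_tuple { use select }` rule.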
[-- Attachment #2: refpolicy-add-sepgsql-definitions.v3.patch --]
[-- Type: text/plain, Size: 9238 bytes --]
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy/policy/flask/security_classes (revision 2386)
+++ refpolicy/policy/flask/security_classes (working copy)
@@ -99,4 +99,12 @@
class memprotect
+# SE-PostgreSQL relation
+class db_database # userspace
+class db_table # userspace
+class db_procedure # userspace
+class db_column # userspace
+class db_tuple # userspace
+class db_blob # userspace
+
# FLASK
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy/policy/flask/access_vectors (revision 2386)
+++ refpolicy/policy/flask/access_vectors (working copy)
@@ -80,6 +80,20 @@
}
#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
@@ -655,3 +669,61 @@
{
mmap_zero
}
+
+# definition for SE-PostgreSQL
+class db_database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param
+ set_param
+}
+
+class db_table
+inherits database
+{
+ use
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class db_procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class db_column
+inherits database
+{
+ use
+ select
+ update
+ insert
+}
+
+class db_tuple
+{
+ relabelfrom
+ relabelto
+ use
+ select
+ update
+ insert
+ delete
+}
+
+class db_blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
Index: refpolicy/policy/mcs
===================================================================
--- refpolicy/policy/mcs (revision 2386)
+++ refpolicy/policy/mcs (working copy)
@@ -98,4 +98,28 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+# MCS policy for SE-PostgreSQL
+#-------------------------------
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ ((h1 dom h2) and ( l2 eq h2 ));
+mlsconstrain { db_tuple } { insert relabelto }
+ (( h1 dom h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
+ ( h1 dom h2 );
+mlsconstrain db_column { drop setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+mlsconstrain db_tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+mlsconstrain db_procedure { execute }
+ ( h1 dom h2 );
+mlsconstrain db_blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
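Review bot: permission coverage is uneven across the classes in this hunk: `db_procedure` is constrained only for `execute`, so the `drop setattr relabelfrom` it inherits from the `database` common (and `entrypoint`) are never MCS-checked; `db_blob` leaves `import export` unchecked and `db_table` leaves `lock` unchecked, whereas the `db_database` rule lists every one of its write-type permissions. If the gaps are intentional, say so in the `# Access control for any database objects based on MCS rules.` comment; otherwise add the missing permissions for consistency. Minor: `((h1 dom h2) and ( l2 eq h2 ));` in the first rule lacks the spacing used in every other rule here.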
Index: refpolicy/policy/modules/kernel/mls.te
===================================================================
--- refpolicy/policy/modules/kernel/mls.te (revision 2386)
+++ refpolicy/policy/modules/kernel/mls.te (working copy)
@@ -43,6 +43,14 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+attribute mlsdbread;
+attribute mlsdbreadtoclr;
+attribute mlsdbwrite;
+attribute mlsdbwritetoclr;
+attribute mlsdbwriteinrange;
+attribute mlsdbupgrade;
+attribute mlsdbdowngrade;
+
attribute mlstrustedobject;
attribute privrangetrans;
Index: refpolicy/policy/modules/kernel/mls.if
===================================================================
--- refpolicy/policy/modules/kernel/mls.if (revision 2386)
+++ refpolicy/policy/modules/kernel/mls.if (working copy)
@@ -406,6 +406,82 @@
########################################
## <summary>
+## Make specified domain MLS trusted
+## for reading from databases at higher levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_read_all_levels',`
+ gen_require(`
+ attribute mlsdbread;
+ ')
+
+ typeattribute $1 mlsdbread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to databases at lower levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_write_all_levels',`
+ gen_require(`
+ attribute mlsdbwrite;
+ ')
+
+ typeattribute $1 mlsdbwrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_upgrade',`
+ gen_require(`
+ attribute mlsdbupgrade;
+ ')
+
+ typeattribute $1 mlsdbupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_db_downgrade',`
+ gen_require(`
+ attribute mlsdbdowngrade;
+ ')
+
+ typeattribute $1 mlsdbdowngrade;
+')
+
+########################################
+## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
Index: refpolicy/policy/mls
===================================================================
--- refpolicy/policy/mls (revision 2386)
+++ refpolicy/policy/mls (working copy)
@@ -600,4 +600,96 @@
mlsconstrain context contains
( h1 dom h2 );
+#
+# MLS policy for the database related classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { db_tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new database labels must be dominated by the relabeling subjects clearance
+mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { db_database } { getattr access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table db_column } { getattr use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_procedure } { getattr execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { getattr read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdbread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete lock }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_blob } { create drop setattr relabelfrom write import export }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { db_tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdbwrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
+
') dnl end enable_mls
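Review bot: `db_procedure` has a read-side rule for `{ getattr execute }` but no write-side rule, so `create drop setattr relabelfrom` on procedures (and `entrypoint`) are not MLS-constrained, unlike every other class in this block; add a `mlsconstrain { db_procedure } { create drop setattr relabelfrom }` rule with the same body as the other write rules, or document why procedures are exempt. The comment `# the "single level" file "write" ops` is carried over from the file rules and should read "database" here. The `db_tuple { use select }` rule now uses the declared `mlsdbreadtoclr` / `mlsdbread`, so the undeclared-attribute problem in v2 is resolved in this version.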
* Re: Fedora/SE-PostgreSQL
2007-08-09 11:16 ` Fedora/SE-PostgreSQL KaiGai Kohei
@ 2007-08-09 13:08 ` Christopher J. PeBenito
0 siblings, 0 replies; 15+ messages in thread
From: Christopher J. PeBenito @ 2007-08-09 13:08 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: KaiGai Kohei, dwalsh, selinux
On Thu, 2007-08-09 at 20:16 +0900, KaiGai Kohei wrote:
> KaiGai Kohei wrote:
> > The attached patch adds definitions of new classes and permissions,
> > and MLS/MCS rules.
Merged.
> > Following items are differences from the first patch.
> >
> > * add "db_" prefix for each object classes.
> > e.g) "table" -> "db_table"
> > * interfaces in policy/modules/kernel/mls.if are renamed.
> > - mls_database_read_up -> mls_db_read_all_levels
> > - mls_database_write_down -> mls_db_write_all_levels
> > - mls_database_upgrade -> mls_db_upgrade
> > - mls_database_downgrade -> mls_db_downgrade
> > * MLS attributes related to database are renamed
> > - mlsdatabaseXXXXX -> mlsdbXXXXX
>
> Oops, the following attributes were not renamed in the previous patch,
>
> | +mlsconstrain { db_tuple } { use select }
> | + (( l1 dom l2 ) or
> | + (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
> | + ( t1 == mlsdatabaseread ) or
> | + ( t2 == mlstrustedobject ));
>
> The attached one (v3) fixes them.
> I want it to be applied.
>
> Thanks,
> plain text document attachment
> (refpolicy-add-sepgsql-definitions.v3.patch)
> Index: refpolicy/policy/flask/security_classes
> ===================================================================
> --- refpolicy/policy/flask/security_classes (revision 2386)
> +++ refpolicy/policy/flask/security_classes (working copy)
> @@ -99,4 +99,12 @@
>
> class memprotect
>
> +# SE-PostgreSQL relation
> +class db_database # userspace
> +class db_table # userspace
> +class db_procedure # userspace
> +class db_column # userspace
> +class db_tuple # userspace
> +class db_blob # userspace
> +
> # FLASK
> Index: refpolicy/policy/flask/access_vectors
> ===================================================================
> --- refpolicy/policy/flask/access_vectors (revision 2386)
> +++ refpolicy/policy/flask/access_vectors (working copy)
> @@ -80,6 +80,20 @@
> }
>
> #
> +# Define a common prefix for userspace database object access
> vectors.
> +#
> +
> +common database
> +{
> + create
> + drop
> + getattr
> + setattr
> + relabelfrom
> + relabelto
> +}
> +
> +#
> # Define the access vectors.
> #
> # class class_name [ inherits common_name ] { permission_name ... }
> @@ -655,3 +669,61 @@
> {
> mmap_zero
> }
> +
> +# definition for SE-PostgreSQL
> +class db_database
> +inherits database
> +{
> + access
> + install_module
> + load_module
> + get_param
> + set_param
> +}
> +
> +class db_table
> +inherits database
> +{
> + use
> + select
> + update
> + insert
> + delete
> + lock
> +}
> +
> +class db_procedure
> +inherits database
> +{
> + execute
> + entrypoint
> +}
> +
> +class db_column
> +inherits database
> +{
> + use
> + select
> + update
> + insert
> +}
> +
> +class db_tuple
> +{
> + relabelfrom
> + relabelto
> + use
> + select
> + update
> + insert
> + delete
> +}
> +
> +class db_blob
> +inherits database
> +{
> + read
> + write
> + import
> + export
> +}
> Index: refpolicy/policy/mcs
> ===================================================================
> --- refpolicy/policy/mcs (revision 2386)
> +++ refpolicy/policy/mcs (working copy)
> @@ -98,4 +98,28 @@
> mlsconstrain process { sigkill sigstop }
> (( h1 dom h2 ) or ( t1 == mcskillall ));
>
> +# MCS policy for SE-PostgreSQL
> +#-------------------------------
> +
> +# Any database object must be dominated by the relabeling subject
> +# clearance, also the objects are single-level.
> +mlsconstrain { db_database db_table db_procedure db_column db_blob }
> { create relabelto }
> + ((h1 dom h2) and ( l2 eq h2 ));
> +mlsconstrain { db_tuple } { insert relabelto }
> + (( h1 dom h2 ) and ( l2 eq h2 ));
> +
> +# Access control for any database objects based on MCS rules.
> +mlsconstrain db_database { drop setattr relabelfrom access
> install_module load_module get_param set_param }
> + ( h1 dom h2 );
> +mlsconstrain db_table { drop setattr relabelfrom select update insert
> delete use }
> + ( h1 dom h2 );
> +mlsconstrain db_column { drop setattr relabelfrom select update
> insert use }
> + ( h1 dom h2 );
> +mlsconstrain db_tuple { relabelfrom select update delete use }
> + ( h1 dom h2 );
> +mlsconstrain db_procedure { execute }
> + ( h1 dom h2 );
> +mlsconstrain db_blob { drop setattr relabelfrom read write }
> + ( h1 dom h2 );
> +
> ') dnl end enable_mcs
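Review bot: the per-class MCS rules are uneven: `mlsconstrain db_procedure { execute }` omits `drop setattr relabelfrom`, which every other class in this hunk constrains, and `mlsconstrain db_blob { drop setattr relabelfrom read write }` omits `import export`, so a subject whose category set does not dominate the object's can still drop or relabel a procedure, or import/export a blob. Suggest `mlsconstrain db_procedure { drop setattr relabelfrom execute } ( h1 dom h2 );` and adding `import export` to the db_blob rule so the MCS coverage matches the permission sets defined in access_vectors.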
> Index: refpolicy/policy/modules/kernel/mls.te
> ===================================================================
> --- refpolicy/policy/modules/kernel/mls.te (revision 2386)
> +++ refpolicy/policy/modules/kernel/mls.te (working copy)
> @@ -43,6 +43,14 @@
> attribute mlsxwinwritecolormap;
> attribute mlsxwinwritexinput;
>
> +attribute mlsdbread;
> +attribute mlsdbreadtoclr;
> +attribute mlsdbwrite;
> +attribute mlsdbwritetoclr;
> +attribute mlsdbwriteinrange;
> +attribute mlsdbupgrade;
> +attribute mlsdbdowngrade;
> +
> attribute mlstrustedobject;
>
> attribute privrangetrans;
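Review bot: `mlsdbwriteinrange` is an object-side attribute (policy/mls tests it as `t2 == mlsdbwriteinrange`, the same way `mlstrustedobject` is tested), whereas the other six new attributes are tested on the subject (`t1` or `t3`), yet all seven are declared in one undifferentiated block. A short comment separating subject attributes from object attributes, or moving `mlsdbwriteinrange` next to `mlstrustedobject`, would make the intended use clear to module authors.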
> Index: refpolicy/policy/modules/kernel/mls.if
> ===================================================================
> --- refpolicy/policy/modules/kernel/mls.if (revision 2386)
> +++ refpolicy/policy/modules/kernel/mls.if (working copy)
> @@ -406,6 +406,82 @@
>
> ########################################
> ## <summary>
> +## Make specified domain MLS trusted
> +## for reading from databases at higher levels.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mls_db_read_all_levels',`
> + gen_require(`
> + attribute mlsdbread;
> + ')
> +
> + typeattribute $1 mlsdbread;
> +')
> +
> +########################################
> +## <summary>
> +## Make specified domain MLS trusted
> +## for writing to databases at lower levels.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mls_db_write_all_levels',`
> + gen_require(`
> + attribute mlsdbwrite;
> + ')
> +
> + typeattribute $1 mlsdbwrite;
> +')
> +
> +########################################
> +## <summary>
> +## Make specified domain MLS trusted
> +## for raising the level of databases.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mls_db_upgrade',`
> + gen_require(`
> + attribute mlsdbupgrade;
> + ')
> +
> + typeattribute $1 mlsdbupgrade;
> +')
> +
> +########################################
> +## <summary>
> +## Make specified domain MLS trusted
> +## for lowering the level of databases.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mls_db_downgrade',`
> + gen_require(`
> + attribute mlsdbdowngrade;
> + ')
> +
> + typeattribute $1 mlsdbdowngrade;
> +')
> +
> +########################################
> +## <summary>
> ## Make specified object MLS trusted.
> ## </summary>
> ## <desc>
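Review bot: the interface set is incomplete relative to the attributes the constraints rely on: mls.te declares `mlsdbreadtoclr`, `mlsdbwritetoclr` and `mlsdbwriteinrange`, and policy/mls tests all three, but this hunk adds interfaces only for `mlsdbread`, `mlsdbwrite`, `mlsdbupgrade` and `mlsdbdowngrade`, leaving the other three unreachable from any module. Suggest adding `mls_db_read_to_clearance`, `mls_db_write_to_clearance` and `mls_db_write_within_range` in the same form as the four shown, with the last one's `<param>` summary noting it applies to an object type. The `mls_db_upgrade`/`mls_db_downgrade` summaries should also say the attribute is checked on the relabeling domain via mlsvalidatetrans over all six db_* classes, not only databases.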
> Index: refpolicy/policy/mls
> ===================================================================
> --- refpolicy/policy/mls (revision 2386)
> +++ refpolicy/policy/mls (working copy)
> @@ -600,4 +600,96 @@
> mlsconstrain context contains
> ( h1 dom h2 );
>
> +#
> +# MLS policy for the database related classes
> +#
> +
> +# make sure these database classes are "single level"
> +mlsconstrain { db_database db_table db_procedure db_column db_blob }
> { create relabelto }
> + ( l2 eq h2 );
> +mlsconstrain { db_tuple } { insert relabelto }
> + ( l2 eq h2 );
> +
> +# new database labels must be dominated by the relabeling subjects
> clearance
> +mlsconstrain { db_database db_table db_procedure db_column db_tuple
> db_blob } { relabelto }
> + ( h1 dom h2 );
> +
> +# the database "read" ops (note the check is dominance of the low
> level)
> +mlsconstrain { db_database } { getattr access get_param }
> + (( l1 dom l2 ) or
> + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsdbread ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_table db_column } { getattr use select }
> + (( l1 dom l2 ) or
> + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsdbread ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_procedure } { getattr execute }
> + (( l1 dom l2 ) or
> + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsdbread ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_blob } { getattr read }
> + (( l1 dom l2 ) or
> + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsdbread ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_tuple } { use select }
> + (( l1 dom l2 ) or
> + (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
> + ( t1 == mlsdbread ) or
> + ( t2 == mlstrustedobject ));
> +
> +# the "single level" file "write" ops
> +mlsconstrain { db_database } { create drop setattr relabelfrom
> install_module load_module set_param }
> + (( l1 eq l2 ) or
> + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))
> or
> + ( t1 == mlsdbwrite ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_table } { create drop setattr relabelfrom update
> insert delete lock }
> + (( l1 eq l2 ) or
> + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))
> or
> + ( t1 == mlsdbwrite ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_column } { create drop setattr relabelfrom update
> insert }
> + (( l1 eq l2 ) or
> + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))
> or
> + ( t1 == mlsdbwrite ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_blob } { create drop setattr relabelfrom write
> import export }
> + (( l1 eq l2 ) or
> + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))
> or
> + ( t1 == mlsdbwrite ) or
> + ( t2 == mlstrustedobject ));
> +
> +mlsconstrain { db_tuple } { relabelfrom update insert delete }
> + (( l1 eq l2 ) or
> + (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 ))
> or
> + (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 ))
> or
> + ( t1 == mlsdbwrite ) or
> + ( t2 == mlstrustedobject ));
> +
> +# the database upgrade/downgrade rule
> +mlsvalidatetrans { db_database db_table db_procedure db_column
> db_tuple db_blob }
> + ((( l1 eq l2 ) or
> + (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or
> + (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or
> + (( t3 == mlsdbdowngrade ) and ( l1 incomp l2 ))) and
> + (( l1 eq h2 ) or
> + (( t3 == mlsdbupgrade ) and ( h1 domby h2 )) or
> + (( t3 == mlsdbdowngrade ) and ( h1 dom h2 )) or
> + (( t3 == mlsdbdowngrade ) and ( h1 incomp h2 ))));
> +
> ') dnl end enable_mls
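Review bot: db_procedure has no write constraint: the block under `# the "single level" file "write" ops` covers db_database, db_table, db_column, db_blob and db_tuple, but nothing constrains `db_procedure { create drop setattr relabelfrom }`, so a domain at a lower level can drop or setattr a procedure at a higher level without any mlsdbwrite trust. Suggest a matching `mlsconstrain { db_procedure } { create drop setattr relabelfrom }` rule with the same `( l1 eq l2 )` / mlsdbwritetoclr / mlsdbwriteinrange / mlsdbwrite / mlstrustedobject alternatives. The comment should read `database "write" ops` (the "file" is a leftover from the file rules it was copied from), and since `export` on db_blob discloses blob contents it arguably belongs under the `{ getattr read }` read constraint as well as the write one.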
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.