From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1454174217.1f34c6dfe967939b8d7afa2ec9ed57c57de5c5f7.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/mls
X-VCS-Directories: policy/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 1f34c6dfe967939b8d7afa2ec9ed57c57de5c5f7
X-VCS-Branch: master
Date: Sat, 30 Jan 2016 17:21:19 +0000 (UTC)

commit:     1f34c6dfe967939b8d7afa2ec9ed57c57de5c5f7
Author:     Mike Palmiotto crunchydata com>
AuthorDate: Wed Jan 27 20:21:36 2016 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Jan 30 17:16:57 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f34c6df

Add mls support for some db classes

Mirror file/dir approach.

db objects which do not contain other objects at multiple levels are analogous to files:
db_sequence
db_view
db_procedure
db_language
db_tuple
db_blob

db objects which are capable of holding objects at multiple levels are analogous to dirs:
db_database
db_schema
db_table
db_column

 policy/mls | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/policy/mls b/policy/mls
index 06e5106..70ed808 100644
--- a/policy/mls
+++ b/policy/mls
@@ -763,13 +763,14 @@ mlsconstrain context contains # # make sure these database classes are "single level" -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } +mlsconstrain { db_sequence db_view db_procedure db_language db_blob } { create relabelto } ( l2 eq h2 ); + mlsconstrain { db_tuple } { insert relabelto } ( l2 eq h2 ); # new database labels must be dominated by the relabeling subjects clearance -mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } +mlsconstrain { db_database db_schema db_table db_column } { relabelto } ( h1 dom h2 ); # the database "read" ops (note the check is dominance of the low level) @@ -833,7 +834,7 @@ mlsconstrain { db_tuple } { use select } ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -# the "single level" file "write" ops +# the "single level" database "write" ops mlsconstrain { db_database } { create drop setattr relabelfrom install_module load_module set_param } (( l1 eq l2 ) or (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
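Review bot: in the first hunk (@@ -763), the second constraint narrows `{ relabelto } ( h1 dom h2 )` from the full class list to `{ db_database db_schema db_table db_column }`, so the single-level classes (db_sequence, db_view, db_procedure, db_language, db_tuple, db_blob) lose the check that the relabeling subject's clearance dominates the new label, even though the unchanged comment directly above it still says "new database labels must be dominated by the relabeling subjects clearance". The first constraint in the hunk only enforces `l2 eq h2` on those classes; it says nothing about h1. Unless the leaf classes are meant to be exempt, keep them in the list, e.g. `mlsconstrain { db_database db_schema db_table db_column db_sequence db_view db_procedure db_language db_tuple db_blob } { relabelto } ( h1 dom h2 );`, or amend the comment to state why only container classes are checked; if the goal is to mirror the file/dir split named in the commit message, it is worth confirming the file-class relabelto constraint is narrowed the same way. Minor: the added `+ mlsconstrain { db_tuple } { insert relabelto }` line starts with a leading space that the neighbouring constraints do not have.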
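Review bot: in the second hunk (@@ -833), the reworded comment `# the "single level" database "write" ops` still labels a constraint whose only class is `{ db_database }`, which the first hunk of this same patch (and the commit message) just moved out of the single-level set and into the dir-like container classes, so the comment now contradicts the change it accompanies. Either drop the qualifier here (e.g. `# the database "write" ops`) or, if a separate single-level write constraint is intended, point this one at the classes that actually remain single-level (db_sequence, db_view, db_procedure, db_language, db_tuple, db_blob).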