commit: e65914649a2dc3fae590c9df612c70b957a6ef5d
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 9 18:59:08 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6591464
mcs: only constrain mcs_constrained_type for db accesses
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/mcs | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index 023bd149..c9b7e83e 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -133,41 +133,41 @@ mlsconstrain context contains
# Any database object must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure
db_language db_column db_blob } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
mlsconstrain { db_tuple } { insert relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
# Access control for any database objects based on MCS rules.
mlsconstrain db_database { drop getattr setattr relabelfrom access
install_module load_module get_param set_param }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_schema { drop getattr setattr relabelfrom search }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert
delete lock }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_column { drop getattr setattr relabelfrom select update insert
}
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_tuple { relabelfrom select update delete use }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value
next_value set_value }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_view { drop getattr setattr relabelfrom expand }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install
entrypoint }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_language { drop getattr setattr relabelfrom execute }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import
export }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
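Review bot: The header comment at the top of the hunk, "Any database object must be dominated by the relabeling subject clearance, also the objects are single-level.", is no longer accurate once the create/relabelto expressions carry `or ( t1 != mcs_constrained_type )`: a subject outside mcs_constrained_type is now exempt from both the dominance check and the `( l2 eq h2 )` single-level requirement, so it can create or relabel to a ranged database object. The new expressions match the form already used for node_bind at the end of the hunk, so the policy itself is consistent; only the prose is stale. Suggest rewording to `# For mcs_constrained_type subjects, any database object must be dominated by` / `# the relabeling subject clearance, and the objects must be single-level.`, and similarly qualifying the later comment "Access control for any database objects based on MCS rules." with "for mcs_constrained_type subjects" so readers do not assume every domain is constrained on db_* accesses.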