Difference between revisions of "MLSStatements"

From SELinux Wiki
Line 1: Line 1:
 
= MLS Statements =
 
= MLS Statements =
The optional MLS policy extension adds an additional security context component that consists of the following highlighted entries:  
+
The optional MLS policy extension adds an additional security context component that consists of the following entries:  
 
<pre>
 
<pre>
 
user:role:type:sensitivity[:category,...]- sensitivity [:category,...]
 
user:role:type:sensitivity[:category,...]- sensitivity [:category,...]
 
</pre>
 
</pre>
  
These consist of a mandatory hierarchical sensitivity and optional non-hierarchical category's. The combination of the two comprise a level or security level as shown in Table 1. Depending on the circumstances, there can be one level defined or a range as shown in Table 1.  
+
These consist of a mandatory hierarchical [[#sensitivity | sensitivity]] and optional non-hierarchical [[#category | category]]'s. The combination of the two comprise a [[#level | level]] or security level as shown in Table 1. Depending on the circumstances, there can be one level defined or a [[#MLS range Definition | range]] as shown in Table 1.  
  
 +
''Table 1: Level, Label, Category or Compartment - this table shows the meanings depending on the context being discussed.''
 
{|border="1"
 
{|border="1"
 
|<center>'''Security Level (or Level)'''</center>
 
|<center>'''Security Level (or Level)'''</center>
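Review bot: on the added lines, "optional non-hierarchical category's" should read "categories" (plural, not possessive) and "The combination of the two comprise" should be "comprises". The format line "user:role:type:sensitivity[:category,...]- sensitivity [:category,...]" also spaces the low and high halves inconsistently and does not mark the high level as optional, whereas the MLS range definition later in this same revision writes it as "low_level[ - high_level ]"; suggest "user:role:type:sensitivity[:category,...][ - sensitivity[:category,...]]" so the two agree.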
Line 15: Line 16:
  
 
|-
 
|-
| sensitivity [: category, ... ]
+
| <tt><center>sensitivity [: category, ... ]</center></tt>
 +
 
 +
<center>also known as:</center>
 +
 
 +
<center>'''Sensitivity Label'''</center>
 +
 
 +
<center>Consisting of a classification and compartment.</center>
  
 
|-
 
|-
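Review bot: the added cell "<tt><center>sensitivity [: category, ... ]</center></tt>" nests a block element inside an inline one; invert it to "<center><tt>sensitivity [: category, ... ]</tt></center>", and apply the same inversion to the other cells in this revision that use the "<tt><center>" construct (the second sensitivity row and the SystemLow/SystemHigh cells).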
Line 26: Line 33:
  
 
|-
 
|-
| sensitivity [: category, ... ]
+
| <tt><center>sensitivity [: category, ... ]</center></tt>
 
| <center>-</center>
 
| <center>-</center>
| sensitivity [: category, ... ]
+
| <tt><center>sensitivity [: category, ... ]</center></tt>
  
 
|-
 
|-
Line 43: Line 50:
  
 
|-
 
|-
|<center>SystemLow</center>
+
|<tt><center>SystemLow</center></tt>
 
|  
 
|  
|<center>SystemHigh</center>
+
|<tt><center>SystemHigh</center></tt>
  
 
|-
 
|-
|<center>This is the lowest level or classification for the system (for SELinux this is generally 's0', note that there are no categories).</center>
+
|<center>This is the lowest level or classification for the system (for SELinux this is generally '<tt>s0</tt>', note that there are no categories).</center>
 
|  
 
|  
|<center>This is the highest level or classification for the system (for SELinux this is generally 's15:c0,c255', although note that they will be the highest set by the policy).</center>
+
|<center>This is the highest level or classification for the system (for SELinux this is generally '<tt>s15:c0,c255</tt>', although note that they will be the highest set by the policy).</center>
  
 
|}
 
|}
<center>'''Table 1: Sensitivity and Category = Security Level - '''''this table shows the meanings depending on the context being discussed.''</center>
 
  
  
To make the security levels more meaningful, it is possible to use the setransd daemon to translate these to human readable formats. The semanage command will allow this mapping to be defined as discussed in the ./setrans.conf file section.  
+
To make the security levels more meaningful, it is possible to use the setransd daemon to translate these to human readable formats. The '''semanage'''(8) command will allow this mapping to be defined as discussed in the [[PolicyConfigurationFiles#setrans.conf_File | setrans.conf]] file section.  
  
 
+
== sensitivity ==
== sensitivity Statement ==
+
 
The sensitivity statement defines the MLS policy sensitivity identifies and optional alias identifiers.
 
The sensitivity statement defines the MLS policy sensitivity identifies and optional alias identifiers.
  
 
'''The statement definition is:'''
 
'''The statement definition is:'''
 
<pre>
 
<pre>
sensitivity identifier;
+
sensitivity sens_id [alias sensitivityalias_id ...];
</pre>
+
'''Or'''
+
<pre>
+
<nowiki>sensitivity sens_id alias alias_id [ alias_id ];</nowiki>
+
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|sensitivity
+
{| border="1"
|The sensitivity keyword.
+
| sensitivity
 +
| The sensitivity keyword.
  
 
|-
 
|-
|sens_id
+
| sens_id
|The sensitivity identifier.
+
| The sensitivity identifier.
  
 
|-
 
|-
|alias
+
| alias
|The optional alias keyword.
+
| The optional alias keyword.
  
 
|-
 
|-
|alias_id
+
| sensitivityalias_id
|One or more alias identifiers in a space separated list.
+
| One or more sensitivity<tt>alias</tt> identifiers in a space separated list.
  
 
|}
 
|}
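Review bot: the SystemHigh cell is kept as "<tt>s15:c0,c255</tt>", but with the comma form defined for the level statement in this same revision ("c21,c36,c45" is a non-contiguous list) that denotes only the two categories c0 and c255; the full category set that SystemHigh carries is written with the inclusive period form everywhere else on the page ("level s0:c0.c255;" and "s15:c0.c255" in the range_transition examples), so the cell should read "s15:c0.c255". Smaller point in the same hunk: "One or more sensitivity<tt>alias</tt> identifiers" wraps only half of the identifier in <tt>; either wrap "sensitivityalias_id" whole or drop the tag.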
Line 92: Line 94:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 98: Line 101:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
  
 
|}
 
|}
Line 117: Line 120:
 
'''Examples:'''
 
'''Examples:'''
 
<pre>
 
<pre>
<nowiki># The MLS Reference Policy default is to assign 16 </nowiki>''sensitivity''
+
# The MLS Reference Policy default is to assign 16 sensitivity  
<nowiki># identifiers (s0 to s15):</nowiki>
+
# identifiers (s0 to s15):
 
+
 
sensitivity s0;
 
sensitivity s0;
 
....
 
....
 
sensitivity s15;
 
sensitivity s15;
  
<nowiki># The policy does not specify any </nowiki>''alias'' entries, however a valid  
+
# The policy does not specify any alias entries, however a valid  
<nowiki># example would be:</nowiki>
+
# example would be:
 
+
 
sensitivity s0 alias secret wellmaybe ornot;
 
sensitivity s0 alias secret wellmaybe ornot;
 
</pre>
 
</pre>
  
== MLS dominance Statement ==
+
== dominance ==
When more than one sensitivity Statement is defined within a policy, then a dominance statement is required to define the actual hierarchy between all sensitivities.
+
When more than one [[#sensitivity | sensitivity]] statemement is defined within a policy, then a dominance statement is required to define the actual hierarchy between all sensitivities.
  
 
'''The statement definition is:'''
 
'''The statement definition is:'''
 
<pre>
 
<pre>
dominance { sens_id ... }
+
dominance { sensitivity_id ... }
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|dominance
+
{| border="1"
|The dominance keyword.
+
| dominance
 +
| The dominance keyword.
  
 
|-
 
|-
|sens_id
+
| sensitivity_id
|A space separated list of previously declared sensitivity identifiers (or alias) in the order lowest to highest. They are enclosed in braces ({}), and note that there is no terminating semi-colon (<nowiki>;</nowiki>).
+
| A space separated list of previously declared sensitivity or sensitivityalias identifiers in the order lowest to highest. They are enclosed in braces ({}), and note that there is no terminating semi-colon (<nowiki>;</nowiki>).
  
 
|}
 
|}
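Review bot: "statemement" in the added line "When more than one sensitivity statemement is defined within a policy" is a typo for "statement".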
Line 151: Line 153:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 157: Line 160:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 176: Line 179:
 
'''Example:'''
 
'''Example:'''
 
<pre>
 
<pre>
<nowiki># The MLS Reference Policy </nowiki>''dominance'' statement defines ''s0'' as the  
+
# The MLS Reference Policy dominance statement defines s0 as the  
<nowiki># lowest and </nowiki>''s15'' as the highest sensitivity level:
+
# lowest and s15 as the highest sensitivity level:
  
 
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
 
dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
 
</pre>
 
</pre>
  
== category Statement ==
+
== category ==
The category statement defines the MLS policy category identifiers<ref name="ftn8"><sup>SELinux use the term 'category' or 'categories' while some MLS systems and documentation use the term 'compartmen' or 'compartments', however they have the same meaning.</sup></ref> and optional alias identifiers.
+
The category statement defines the MLS policy category identifiers<ref name="ftn47"><sup>SELinux use the term 'category' or 'categories' while some MLS systems and documentation use the term 'compartment' or 'compartments', however they have the same meaning.</sup></ref> and optional alias identifiers.
  
 
'''The statement definition is:'''
 
'''The statement definition is:'''
 
<pre>
 
<pre>
category cat_id;
+
category category_id [alias categoryalias_id ...];
</pre>
+
'''Or'''
+
<pre>
+
category cat_id alias alias_id;
+
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|category
+
{| border="1"
|The category keyword.
+
| category
 +
| The category keyword.
  
 
|-
 
|-
|cat_id
+
| category_id
|The category identifier.
+
| The category identifier.
  
 
|-
 
|-
|alias
+
| alias
|The optional alias keyword.
+
| The optional alias keyword.
  
 
|-
 
|-
|alias_id
+
| categoryalias_id
|One or more alias identifiers in a space separated list.
+
| One or more alias identifiers in a space separated list.
  
 
|}
 
|}
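Review bot: the rewritten footnote still reads "SELinux use the term"; it should be "SELinux uses the term". The last row's description was left as "One or more alias identifiers" while its identifier column was renamed to "categoryalias_id"; for symmetry with the sensitivity table, "One or more categoryalias identifiers in a space separated list" would match.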
Line 215: Line 215:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 221: Line 222:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
  
 
|}
 
|}
Line 240: Line 241:
 
'''Examples:'''
 
'''Examples:'''
 
<pre>
 
<pre>
<nowiki># The MLS Reference Policy default is to assign 256 </nowiki>''category''  
+
# The MLS Reference Policy default is to assign 256 ''category''  
<nowiki># identifiers (c0 to c255):</nowiki>
+
# identifiers (c0 to c255):
 
+
 
category c0;
 
category c0;
 
...
 
...
 
category c255;
 
category c255;
 
+
</pre>
<nowiki># The policy does not specify any </nowiki>''alias'' entries, however a valid  
+
<pre>
<nowiki># example would be:</nowiki>
+
# The policy does not specify any alias entries, however a valid  
 
+
# example would be:
 +
<pre>
 
category c0 alias planning development benefits;
 
category c0 alias planning development benefits;
 
</pre>
 
</pre>
  
== level Statement ==
+
== level ==
 
The level statement enables the previously declared sensitivity and category identifiers to be combined into a Security Level.
 
The level statement enables the previously declared sensitivity and category identifiers to be combined into a Security Level.
  
Note there must only be one level statement for each sensitivity Statement.
+
Note there must only be one level statement for each [[#sensitivity | sensitivity]] statemement.
  
 
'''The statement definition is:'''
 
'''The statement definition is:'''
 
<pre>
 
<pre>
<nowiki>level sens_id [ :category_id ];</nowiki>
+
level sensitivity_id [ :category_id ];
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|level
+
{| border="1"
|The level keyword.
+
| level
 +
| The level keyword.
  
 
|-
 
|-
|sens_id
+
| sensitivity_id
|A previously declared sensitivity identifier.
+
| A previously declared sensitivity or sensitivityalias identifier.
  
 
|-
 
|-
|category_id
+
| category_id
|An optional set of zero or more previously declared category identifiers that are preceded by a colon (:), that can be written as follows:
+
| An optional set of zero or more previously declared category or <tt>categoryalias</tt> identifiers that are preceded by a colon (:), that can be written as follows:* The period (.) separating two category identifiers means an inclusive set (e.g. c0.c16).
 
+
* The stop sign (.) separating two category identifiers means an inclusive set (e.g. c0.c16).
+
 
* The comma (,) separating two category identifiers means a non-contiguous list (e.g. c21,c36,c45).
 
* The comma (,) separating two category identifiers means a non-contiguous list (e.g. c21,c36,c45).
 
* Both separators may be used (e.g. c0.c16, c21,c36,c45).
 
* Both separators may be used (e.g. c0.c16, c21,c36,c45).
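Review bot: the category examples now open a second "<pre>" (the one added after "# example would be:") while the "<pre>" added right after "</pre>" is still open, so the block is unbalanced; drop one of them. In the same hunk: "# The MLS Reference Policy default is to assign 256 ''category''" keeps the wiki italic quotes that the neighbouring comment lines dropped; "statemement" in "for each sensitivity statemement" is a typo; and the added category_id cell runs its first bullet onto the description line ("...that can be written as follows:* The period (.)"), so the line break before "* The period" needs restoring for the list to render.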
Line 286: Line 286:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 292: Line 293:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 311: Line 312:
 
'''Examples:'''
 
'''Examples:'''
 
<pre>
 
<pre>
<nowiki># The MLS Reference Policy default is to assign each Security </nowiki>
+
# The MLS Reference Policy default is to assign each Security  
<nowiki># Level with the complete set of categories (i.e. the inclusive </nowiki>
+
# Level with the complete set of categories (i.e. the inclusive  
<nowiki># set from c0 to c255):</nowiki>
+
# set from c0 to c255):
  
 
level s0:c0.c255;
 
level s0:c0.c255;
Line 320: Line 321:
 
</pre>
 
</pre>
  
== range_transition Statement ==
+
== range_transition ==
 
The range_transition statement is primarily used by the init process or administration commands to ensure processes run with their correct MLS range (for example init would run at SystemHigh and needs to initialise / run other processes at their correct MLS range). The statement was enhanced in Policy version 21 to accept other object classes.
 
The range_transition statement is primarily used by the init process or administration commands to ensure processes run with their correct MLS range (for example init would run at SystemHigh and needs to initialise / run other processes at their correct MLS range). The statement was enhanced in Policy version 21 to accept other object classes.
  
 
'''The statement definition is '''(for pre-policy version 21)''':'''
 
'''The statement definition is '''(for pre-policy version 21)''':'''
 
<pre>
 
<pre>
range_transition source_domain target_exectype new_mls_range;
+
range_transition source_type target_type new_range;
 
</pre>
 
</pre>
 +
 
'''or (for policy version 21 and greater):'''
 
'''or (for policy version 21 and greater):'''
 
<pre>
 
<pre>
range_transition source_domain target_exectype : class new_mls_range;
+
range_transition source_type target_type : class new_range;
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
 
|range_transition
 
|The range_transition keyword.
 
  
|-
+
{| border="1"
|source_domain
+
| range_transition
|A source process domain (as only the process object class is supported).  
+
| The range_transition keyword.
  
 
|-
 
|-
|target_exectype
+
| source_type
|A target executable type or attribute. (i.e. an identifier for a file that has the execute permission set.
+
 
 +
target_type
 +
| One or more source / target type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}).  
 +
 
 +
Entries can be excluded from the list by using the negative operator (-).
  
 
|-
 
|-
|class
+
| class
|The optional object class keyword (this allows policy versions 21 and greater to specify a class other than the default of process).
+
| The optional object class keyword (this allows policy versions 21 and greater to specify a class other than the default of process).
  
 
|-
 
|-
|new_mls_range
+
| new_range
|The new MLS range for the object class. The format of this field is described in the MLS range Definition section.
+
| The new MLS range for the object class. The format of this field is described in the [[#MLS range Definition | MLS range Definition]] section.
  
 
|}
 
|}
Line 357: Line 360:
  
 
'''The statement is valid in:'''
 
'''The statement is valid in:'''
{|border="1"
+
 
 +
{| border="1"
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Monolithic Policy'''</center>
 
|<center>'''Base Policy'''</center>
 
|<center>'''Base Policy'''</center>
Line 363: Line 367:
  
 
|-
 
|-
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
  
 
|-
 
|-
|<center>'''Conditional Policy (if) Statement'''</center>
+
| <center>[[ConditionalStatements#if | if Statement]]</center>
|<center>'''optional Statement'''</center>
+
| <center>[[PolicyStatements#optional | optional Statement]] </center>
|<center>'''require Statement'''</center>
+
| <center>[[PolicyStatements#require | require Statement]] </center>
  
 
|-
 
|-
|<center>No</center>
+
| <center>'''No'''</center>
|<center>Yes</center>
+
| <center>'''Yes'''</center>
|<center>No</center>
+
| <center>'''No'''</center>
  
 
|}
 
|}
Line 382: Line 386:
 
'''Examples:'''
 
'''Examples:'''
 
<pre>
 
<pre>
<nowiki># A </nowiki>range_transition statement from the MLS Reference Policy  
+
# A range_transition statement from the MLS Reference Policy  
<nowiki># showing that a process anaconda_t can transition between </nowiki>
+
# showing that a process anaconda_t can transition between  
<nowiki># systemLow and systemHigh depending on calling applications</nowiki>
+
# systemLow and systemHigh depending on calling applications
<nowiki># level. </nowiki>
+
# level.  
  
range_transition anaconda_t init_script_file_type:process s0 - s15:c0.c255;
+
range_transition anaconda_t init_script_file_type:process s0-s15:c0.c255;
  
<nowiki># Two </nowiki>range_transition statements from the MLS Reference Policy  
+
# Two range_transition statements from the MLS Reference Policy  
<nowiki># showing that init will transition the audit and cups daemon </nowiki>
+
# showing that init will transition the audit and cups daemon  
<nowiki># to systemHigh (that is the lowest level they can run at). </nowiki>
+
# to systemHigh (that is the lowest level they can run at).  
  
 
range_transition initrc_t auditd_exec_t:process s15:c0.c255;
 
range_transition initrc_t auditd_exec_t:process s15:c0.c255;
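Review bot: the reworded comment "depending on calling applications level" needs a possessive, "calling application's level". The comment above the tightened "s0-s15:c0.c255" example also writes "systemLow" and "systemHigh" in lowercase while Table 1 in this revision defines them as "SystemLow" and "SystemHigh"; use one spelling.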
Line 398: Line 402:
  
 
=== MLS range Definition ===
 
=== MLS range Definition ===
The MLS range is appended to a number of statements and defines the lowest and highest security levels. The range can also consist of a single level as discussed at the start of the MLS section.
+
The MLS range is appended to a number of statements and defines the lowest and highest security levels. The range can also consist of a single level as discussed at the start of the [[#MLS_Statements | MLS]] section.
  
 
'''The definition is:'''
 
'''The definition is:'''
 
<pre>
 
<pre>
low_level
+
low_level[ - high_level ]
</pre>
+
'''Or'''
+
<pre>
+
low_level - high_level
+
 
</pre>
 
</pre>
  
 
'''Where:'''
 
'''Where:'''
{|border="1"
+
 
|low_level
+
{| border="1"
|The processes lowest level identifier that has been previously declared by a level Statement.
+
| low_level
 +
| The processes lowest level identifier that has been previously declared by a [[#level | level]] statement.
  
 
If a high_level is not defined, then it is taken as the same as the low_level.
 
If a high_level is not defined, then it is taken as the same as the low_level.
  
 
|-
 
|-
|<nowiki>-</nowiki>
+
| -
|The optional hyphen (-) separator if a high_level is also being defined.
+
| The optional hyphen (-) separator if a high_level is also being defined.
  
 
|-
 
|-
|high_level
+
| high_level
|The processes highest level identifier that has been previously declared by a level Statement.  
+
| The processes highest level identifier that has been previously declared by a [[#level | level]] statement.  
  
 
|}
 
|}
  
 +
== mlsconstrain ==
 +
This is decribed in the [[ConstraintStatements#mlsconstrain | Constraints]] section.
  
== mlsconstrain Statement ==
+
== mlsvalidatetrans ==
The mlsconstrain statement allows further restriction on permissions for the specified object classes by using boolean expressions covering: source and target types, roles, users and security levels as described in the examples.  
+
This is decribed in the [[ConstraintStatements#mlsvalidatetrans | Constraints]] section.
  
'''The statement definition is:'''
 
<pre>
 
mlsconstrain class perm_set expression;
 
</pre>
 
  
'''Where:'''
 
{|border="1"
 
|mlsconstrain
 
|The mlsconstrain keyword.
 
  
 +
{| style="width: 100%;" border="0"
 
|-
 
|-
|class
+
| [[ConstraintStatements | '''Previous''']]
|One or more object classes. Multiple entries consist of a space separated list enclosed in braces {}.
+
| <center>[[NewUsers | '''Home''']]</center>
 
+
| <center>[[SIDStatements | '''Next''']]</center>
|-
+
|perm_set
+
|One or more permissions. Multiple entries consist of a space separated list enclosed in braces {}.
+
 
+
|-
+
|expression
+
|The boolean expression of the constraint that is defined as follows:
+
 
+
|-
+
|
+
|( expression : expression )
+
|-
+
|
+
| not expression
+
|-
+
|
+
| expression and expression
+
|-
+
|
+
| expression or expression
+
|-
+
|
+
| u1 op u2
+
|-
+
|
+
| r1 role_mls_op r2
+
|-
+
|
+
| t1 op t2
+
|-
+
|
+
| l1 role_mls_op l2
+
|-
+
|
+
| l1 role_mls_op h2
+
|-
+
|
+
| h1 role_mls_op l2
+
|-
+
|
+
| h1 role_mls_op h2
+
|-
+
|
+
| l1 role_mls_op h1
+
|-
+
|
+
| l2 role_mls_op h2
+
|-
+
|
+
| u1 op names
+
|-
+
|
+
| u2 op names
+
|-
+
|
+
| r1 op names
+
|-
+
|
+
| r2 op names
+
|-
+
|
+
| t1 op names
+
|-
+
|
+
| t2 op names
+
 
+
|-
+
!colspan="2" align="left"| Where:
+
    u1, r1, t1, l1, h1 = Source user, role, type, low level, high level
+
    u2, r2, t2, l2, h2 = Target user, role, type, low level, high level
+
and:
+
    op : == | !=
+
    role_mls_op : == | != | eq | dom | domby | incomp
+
    names : name | { name_list }
+
    name_list : name | name_list name
+
 
|}
 
|}
  
  
'''The statement is valid in:'''
+
----
{|border="1"
+
<references/>
|<center>'''Monolithic Policy'''</center>
+
|<center>'''Base Policy'''</center>
+
|<center>'''Module Policy'''</center>
+
  
|-
+
[[Category:Notebook]]
|<center>Yes</center>
+
|<center>Yes</center>
+
|<center>No</center>
+
 
+
|-
+
|<center>'''Conditional Policy (if) Statement'''</center>
+
|<center>'''optional Statement'''</center>
+
|<center>'''require Statement'''</center>
+
 
+
|-
+
|<center>No</center>
+
|<center>No</center>
+
|<center>No</center>
+
 
+
|}
+
 
+
 
+
'''Examples:'''
+
 
+
These examples have been taken from the Reference Policy source ../policy/mls constraints file (the mcs file supports the MCS constraints).
+
 
+
These are built into the policy at build time and add constraints to many of the object classes.
+
<pre>
+
<nowiki># The MLS Reference Policy </nowiki>mlsconstrain statement for searching
+
<nowiki># directories that comprises of multiple expressions. Only the</nowiki>
+
<nowiki># first two expressions are explained.</nowiki>
+
<nowiki>#</nowiki>
+
<nowiki># Expression 1 </nowiki>( l1 dom l2 ) reads as follows:
+
<nowiki># The </nowiki>dir object class search permission is allowed if the
+
<nowiki># </nowiki>source lowest security level is dominated by the targets
+
<nowiki># </nowiki>lowest security level.
+
<nowiki># </nowiki>OR
+
<nowiki># Expression 2 </nowiki>(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 ))
+
<nowiki># reads as follows:</nowiki>
+
<nowiki># If the source type is </nowiki>equal to a type associated to the
+
<nowiki># </nowiki>mlsfilereadtoclr attribute and the source highest security
+
<nowiki>#</nowiki> level is dominated by the targets lowest security level,
+
<nowiki># then </nowiki>search permission is allowed on the dir object class.
+
 
+
mlsconstrain dir search
+
(( l1 dom l2 ) or
+
(( t1 == mlsfilereadtoclr ) and ( h1 dom l2 )) or
+
( t1 == mlsfileread ) or
+
( t2 == mlstrustedobject ));
+
</pre>
+
 
+
== mlsvalidatetrans Statement ==
+
The mlsvalidatetrans is the MLS equivalent of the validatetrans statement and is only used for file related object classes where it is used to control the ability to change the objects security context.
+
 
+
'''The statement definition is:'''
+
<pre>
+
mlsvalidatetrans class expression;
+
</pre>
+
 
+
'''Where:'''
+
{|border="1"
+
|mlsvalidatetrans
+
|The mlsvalidatetrans keyword.
+
 
+
|-
+
|class
+
|One or more file type object classes. Multiple entries consist of a space separated list enclosed in braces {}.
+
 
+
|-
+
|expression
+
|The boolean expression of the constraint that is defined as follows:
+
 
+
|-
+
|
+
|( expression : expression )
+
|-
+
|
+
| not expression
+
|-
+
|
+
| expression and expression
+
|-
+
|
+
| expression or expression
+
|-
+
|
+
| u1 op u2
+
|-
+
|
+
| r1 role_mls_op r2
+
|-
+
|
+
| t1 op t2
+
|-
+
|
+
| l1 role_mls_op l2
+
|-
+
|
+
| l1 role_mls_op h2
+
|-
+
|
+
| h1 role_mls_op l2
+
|-
+
|
+
| h1 role_mls_op h2
+
|-
+
|
+
| l1 role_mls_op h1
+
|-
+
|
+
| l2 role_mls_op h2
+
|-
+
|
+
| u1 op names
+
|-
+
|
+
| u2 op names
+
|-
+
|
+
| r1 op names
+
|-
+
|
+
| r2 op names
+
|-
+
|
+
| t1 op names
+
|-
+
|
+
| t2 op names
+
|-
+
|
+
| u3 op names
+
|-
+
|
+
| r3 op names
+
|-
+
|
+
| t3 op names
+
|-
+
!colspan="2" align="left"|Where:
+
    u1, r1, t1, l1, h1 = Old user, role, type, low level, high level
+
    u2, r2, t2, l2, h2 = New user, role, type, low level, high level
+
    u3, r3, t3, l3, h3 = Process user, role, type, low level, high level
+
and:
+
    op : == | !=
+
    role_mls_op : == | != | eq | dom | domby | incomp
+
    names : name | { name_list }
+
    name_list : name | name_list name
+
|}
+
 
+
 
+
'''The statement is valid in:'''
+
{|border="1"
+
|<center>'''Monolithic Policy'''</center>
+
|<center>'''Base Policy'''</center>
+
|<center>'''Module Policy'''</center>
+
 
+
|-
+
|<center>Yes</center>
+
|<center>Yes</center>
+
|<center>No</center>
+
 
+
|-
+
|<center>'''Conditional Policy (if) Statement'''</center>
+
|<center>'''optional Statement'''</center>
+
|<center>'''require Statement'''</center>
+
 
+
|-
+
|<center>No</center>
+
|<center>No</center>
+
|<center>No</center>
+
 
+
|}
+
 
+
 
+
'''Examples:'''
+
This example has been taken from the Reference Policy source ./policy/mls file.
+
<pre>
+
<nowiki># The MLS Reference Policy </nowiki>mlsvalidatetrans statement for
+
<nowiki># managing the file upgrade/downgrade rules that comprises of</nowiki>
+
<nowiki># multiple expressions. Only the first two expressions are </nowiki>
+
<nowiki># explained.</nowiki>
+
<nowiki>#</nowiki>
+
<nowiki># Expression 1: </nowiki>( l1 eq l2 ) reads as follows:
+
<nowiki># For a </nowiki>file related object to change security context, its
+
<nowiki># current (</nowiki>old) low security level must be equal to the new
+
<nowiki># objects low security level.</nowiki>
+
<nowiki>#</nowiki>
+
<nowiki># The second part of the expression:</nowiki>
+
<nowiki># </nowiki>or (( t3 == mlsfileupgrade ) and ( l1 domby l2 )) reads as
+
<nowiki># follows:</nowiki>
+
<nowiki># </nowiki>or the process type must equal a type associated to the
+
<nowiki># </nowiki>mlsfileupgrade attribute and its current (old) low security
+
<nowiki># </nowiki>level must be dominated by the new objects low security level.
+
<nowiki># </nowiki>
+
 
+
mlsvalidatetrans { dir file lnk_file chr_file blk_file sock_file fifo_file }
+
((( l1 eq l2 ) or
+
(( t3 == mlsfileupgrade ) and ( l1 domby l2 )) or
+
(( t3 == mlsfiledowngrade ) and ( l1 dom l2 )) or
+
(( t3 == mlsfiledowngrade ) and ( l1 incomp l2 ))) and (( h1 eq h2 ) or
+
(( t3 == mlsfileupgrade ) and ( h1 domby h2 )) or
+
(( t3 == mlsfiledowngrade ) and ( h1 dom h2 )) or
+
(( t3 == mlsfiledowngrade ) and ( h1 incomp h2 ))));
+
</pre>
+
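Review bot: both added pointer lines, under "mlsconstrain" and under "mlsvalidatetrans", read "This is decribed in", a typo for "described". In the MLS range table, "The processes lowest level identifier" and "The processes highest level identifier" need the possessive "process's" (or "The lowest level identifier of the process"), since the low and high levels belong to one process.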

Revision as of 15:50, 13 December 2014

MLS Statements

The optional MLS policy extension adds an additional security context component that consists of the following entries:

user:role:type:sensitivity[:category,...]- sensitivity [:category,...]

These consist of a mandatory hierarchical sensitivity and optional non-hierarchical categories. The combination of the two comprises a level or security level as shown in Table 1. Depending on the circumstances, either a single level or a range (a low level and a high level) is defined, as shown in Table 1.

Table 1: Level, Label, Category or Compartment - this table shows the meanings depending on the context being discussed.

Security Level (or Level)
    Consisting of a sensitivity and zero or more category entries:
        sensitivity [: category, ... ]
    also known as: Sensitivity Label (consisting of a classification and compartment).
    Note that SELinux uses level, sensitivity and category in the language statements, however when discussing these the following terms can also be used: labels, classifications, and compartments.

Range
    Low:   sensitivity [: category, ... ]
    High:  sensitivity [: category, ... ]
    (the low and high levels are separated by a hyphen: low - high)
    For a process or subject, the low level is the current level or sensitivity and the high level is the Clearance.
    For an object, the low level is the current level or sensitivity and the high level is the maximum range (for SELinux polyinstantiated directories).
    SystemLow (Low):   This is the lowest level or classification for the system (for SELinux this is generally 's0', note that there are no categories).
    SystemHigh (High): This is the highest level or classification for the system (for SELinux this is generally 's15:c0,c255', although note that they will be the highest set by the policy).


To make the security levels more meaningful, it is possible to use the setransd daemon to translate these to human-readable formats. The semanage(8) command will allow this mapping to be defined, as discussed in the setrans.conf file section.

sensitivity

The sensitivity statement defines the MLS policy sensitivity identifiers and optional alias identifiers.

The statement definition is:

sensitivity sens_id [alias sensitivityalias_id ...];

Where:

sensitivity            The sensitivity keyword.
sens_id                The sensitivity identifier.
alias                  The optional alias keyword.
sensitivityalias_id    One or more sensitivityalias identifiers in a space separated list.


The statement is valid in:

Monolithic Policy    Base Policy           Module Policy
Yes                  Yes                   No

if Statement         optional Statement    require Statement
No                   No                    Yes


Examples:

# The MLS Reference Policy default is to assign 16 sensitivity 
# identifiers (s0 to s15):
sensitivity s0;
....
sensitivity s15;

# The policy does not specify any alias entries, however a valid 
# example would be:
sensitivity s0 alias secret wellmaybe ornot;

dominance

When more than one sensitivity statement is defined within a policy, then a dominance statement is required to define the actual hierarchy between all sensitivities.

The statement definition is:

dominance { sensitivity_id ... }

Where:

dominance        The dominance keyword.
sensitivity_id   A space separated list of previously declared sensitivity or sensitivityalias identifiers in the order lowest to highest. They are enclosed in braces ({}), and note that there is no terminating semi-colon (;).


The statement is valid in:

Monolithic Policy    Base Policy           Module Policy
Yes                  Yes                   No

if Statement         optional Statement    require Statement
No                   No                    No


Example:

# The MLS Reference Policy dominance statement defines s0 as the 
# lowest and s15 as the highest sensitivity level:

dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }

category

The category statement defines the MLS policy category identifiers[1] and optional alias identifiers.

The statement definition is:

category category_id [alias categoryalias_id ...];

Where:

category           The category keyword.
category_id        The category identifier.
alias              The optional alias keyword.
categoryalias_id   One or more alias identifiers in a space separated list.


The statement is valid in:

Monolithic Policy    Base Policy           Module Policy
Yes                  Yes                   No

if Statement         optional Statement    require Statement
No                   No                    Yes


Examples:

# The MLS Reference Policy default is to assign 256 category
# identifiers (c0 to c255):
category c0;
...
category c255;

# The policy does not specify any alias entries, however a valid
# example would be:
category c0 alias planning development benefits;

level

The level statement enables the previously declared sensitivity and category identifiers to be combined into a Security Level.

Note there must only be one level statement for each sensitivity statement.

The statement definition is:

level sensitivity_id [ :category_id ];

Where:

level            The level keyword.
sensitivity_id   A previously declared sensitivity or sensitivityalias identifier.
category_id      An optional set of zero or more previously declared category or categoryalias identifiers, preceded by a colon (:), that can be written as follows:
  • The period (.) separating two category identifiers means an inclusive set (e.g. c0.c16).
  • The comma (,) separating two category identifiers means a non-contiguous list (e.g. c21,c36,c45).
  • Both separators may be used (e.g. c0.c16, c21,c36,c45).



The statement is valid in:

Monolithic Policy    Base Policy           Module Policy
Yes                  Yes                   No

if Statement         optional Statement    require Statement
No                   No                    No


Examples:

# The MLS Reference Policy default is to assign each Security 
# Level with the complete set of categories (i.e. the inclusive 
# set from c0 to c255):

level s0:c0.c255;
...
level s15:c0.c255;

range_transition

The range_transition statement is primarily used by the init process or administration commands to ensure processes run with their correct MLS range (for example init would run at SystemHigh and needs to initialise / run other processes at their correct MLS range). The statement was enhanced in Policy version 21 to accept other object classes.

The statement definition is (for pre-policy version 21):

range_transition source_type target_type new_range;

or (for policy version 21 and greater):

range_transition source_type target_type : class new_range;

Where:

range_transition   The range_transition keyword.
source_type        One or more source / target type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}).
target_type        Entries can be excluded from the list by using the negative operator (-).
class              The optional object class keyword (this allows policy versions 21 and greater to specify a class other than the default of process).
new_range          The new MLS range for the object class. The format of this field is described in the MLS range Definition section.


The statement is valid in:

Monolithic Policy    Base Policy           Module Policy
Yes                  Yes                   Yes

if Statement         optional Statement    require Statement
No                   Yes                   No


Examples:

# A range_transition statement from the MLS Reference Policy 
# showing that a process anaconda_t can transition between 
# systemLow and systemHigh depending on calling applications
# level. 

range_transition anaconda_t init_script_file_type:process s0-s15:c0.c255;

# Two range_transition statements from the MLS Reference Policy 
# showing that init will transition the audit and cups daemon 
# to systemHigh (that is the lowest level they can run at). 

range_transition initrc_t auditd_exec_t:process s15:c0.c255;
range_transition initrc_t cupsd_exec_t:process s15:c0.c255;

MLS range Definition

The MLS range is appended to a number of statements and defines the lowest and highest security levels. The range can also consist of a single level as discussed at the start of the MLS section.

The definition is:

low_level[ - high_level ]

Where:

low_level    The process's lowest level identifier that has been previously declared by a level statement. If a high_level is not defined, then it is taken as the same as the low_level.
-            The optional hyphen (-) separator if a high_level is also being defined.
high_level   The process's highest level identifier that has been previously declared by a level statement.
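The sensitivity, dominance, category, level and range_transition statements above, together with the MLS range definition, are exercised by the following script. It is an added example, not part of this wiki page or of the SELinux project's own tooling: it parses a small constructed policy fragment, expands the '.' (inclusive set) and ',' (non-contiguous list) category notation, resolves alias identifiers, rejects a second level statement for the same sensitivity, and validates each range by requiring the high level to dominate the low level (equal or higher sensitivity in the dominance order and a superset of categories) and each level's categories to fall within the set allowed by that sensitivity's level statement. Assumptions: one statement per line, plain type identifiers without braces, and categories in a '.' set taken in declaration order. The type names and the two deliberately wrong statements are constructed.

```python
import re

# Constructed policy fragment (not from the Reference Policy); the last two statements are
# deliberately wrong: 'level s1' appears twice and the final range's high level does not dominate its low level.
SAMPLE_POLICY = """
sensitivity s0;
sensitivity s1 alias secret;
dominance { s0 s1 }
category c0;
category c1 alias planning;
category c2;
category c3;
level s0;
level s1:c0.c3;
range_transition init_t daemon_exec_t:process s0-secret:c0.c3;
range_transition init_t helper_exec_t:process s1:c0,planning.c2;
level s1:c0;
range_transition init_t broken_exec_t:process s1:c0.c3-s0;
"""
STATEMENT = re.compile(r"^(\w+)\s+(.*?)\s*;?$")  # assumes one statement per line, plain identifiers


def declare(table, body):
    """'c1 alias planning' -> map c1 and each alias to the canonical name c1."""
    words = body.split()
    for ident in words[:1] + (words[2:] if words[1:2] == ["alias"] else []):
        table[ident] = words[0]
    return words[0]


class MLSPolicy:
    def __init__(self):
        self.sens = {}        # identifier or alias -> canonical sensitivity
        self.order = []       # canonical sensitivities, lowest to highest (from dominance)
        self.cats = {}        # identifier or alias -> canonical category
        self.cat_order = []   # canonical categories in declaration order
        self.levels = {}      # canonical sensitivity -> categories allowed by its level statement
        self.ranges = []      # (source, target:class, low, high) from range_transition
        self.errors = []

    def expand_categories(self, spec):
        """'c0.c2,c3' -> {c0,c1,c2,c3}: '.' is inclusive in declaration order, ',' separates entries."""
        result = set()
        for part in filter(None, (p.strip() for p in spec.split(","))):
            if "." in part:
                lo, hi = (self.cats[p.strip()] for p in part.split(".", 1))
                i, j = self.cat_order.index(lo), self.cat_order.index(hi)
                if i > j:
                    raise ValueError(f"reversed category set {part!r}")
                result.update(self.cat_order[i:j + 1])
            else:
                result.add(self.cats[part])
        return frozenset(result)

    def parse_level(self, text, check=True):
        """'s1:c0.c3' -> (sensitivity, categories); with check=True the categories must be allowed by the level statement."""
        sens, _, catspec = text.partition(":")
        sens, cats = self.sens[sens.strip()], self.expand_categories(catspec)
        if check and (sens not in self.levels or not cats <= self.levels[sens]):
            raise ValueError(f"{text!r} is not valid under the level statement for {sens}")
        return sens, cats

    def dominates(self, high, low):
        """high dominates low iff its sensitivity is at least as high in the dominance order and its categories are a superset."""
        (hs, hc), (ls, lc) = high, low
        return self.order.index(hs) >= self.order.index(ls) and lc <= hc

    def parse_range(self, text):
        """'low[-high]' -> (low, high), checking that high dominates low."""
        lo_text, _, hi_text = text.partition("-")
        low = self.parse_level(lo_text.strip())
        high = self.parse_level(hi_text.strip()) if hi_text else low  # a single level means low == high
        if not self.dominates(high, low):
            raise ValueError(f"high level does not dominate low level in {text!r}")
        return low, high


def parse_policy(text):
    """Parse the statements line by line, collecting the errors a policy compiler would report."""
    policy = MLSPolicy()
    for raw in text.splitlines():
        m = STATEMENT.match(raw.split("#", 1)[0].strip())
        keyword, body = m.groups() if m else ("", "")
        try:
            if keyword == "sensitivity":
                declare(policy.sens, body)
            elif keyword == "dominance":
                policy.order = [policy.sens[i] for i in body.strip("{} ").split()]
            elif keyword == "category":
                policy.cat_order.append(declare(policy.cats, body))
            elif keyword == "level":
                sens, cats = policy.parse_level(body, check=False)
                if sens in policy.levels:
                    raise ValueError(f"more than one level statement for {sens}")
                policy.levels[sens] = cats
            elif keyword == "range_transition":
                src, tgt, rng = body.split(None, 2)
                policy.ranges.append((src, tgt, *policy.parse_range(rng)))
        except KeyError as exc:
            policy.errors.append(f"undeclared identifier {exc}")
        except ValueError as exc:
            policy.errors.append(str(exc))
    return policy
```

Running parse_policy(SAMPLE_POLICY) records two errors, one for the duplicate level s1 statement and one for the range s1:c0.c3-s0 whose high level does not dominate its low level, while the two well-formed range_transition statements are accepted with their low and high levels resolved to canonical identifiers and expanded category sets. Two levels of the same sensitivity with disjoint categories (s1:c0 and s1:c1) are reported as not dominating each other in either direction, which is the incomparable case that MLS constraints have to allow for.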

mlsconstrain

This is described in the Constraints section.

mlsvalidatetrans

This is described in the Constraints section.





  1. SELinux uses the term 'category' or 'categories' while some MLS systems and documentation use the term 'compartment' or 'compartments', however they have the same meaning.