[refpolicy] [RFC] Security policy reworks for SE-PostgreSQL

KaiGai Kohei kaigai at kaigai.gr.jp
Tue Mar 31 15:34:52 CDT 2009


> I am referring to things like:
> 
> mlsconstrain { db_tuple } { use select }
>     (( l1 dom l2 ) or
>      (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
>      ( t1 == mlsdbread ) or
>      ( t2 == mlstrustedobject ));

I noticed the db_xxx:{use} permission remained here. :-)

> where t1 == mlsdbread seems to imply an object is trusted to read 
> strictly dominating objects. Unless I am missing the meaning here, I 
> would call this a MAC override. I realize there is no concept of a TE 
> override, but MLS is part of MAC, no? And, this violates B&L rules. This 
> is something we would control with a Security Administrator "role". Or, 
> is this mlsdbread something that is impossible to give to a domain in a 
> DBMS policy?

It is different from my usage of terms.
Some of domains are allowed to access the tuple, and others are
disallowed as the result of access controls using the security
policy.

I understood the term of "MAC override" to express what actions
are allowed without any checks based on security policy, as if
root stuff can ignore DAC checks.

Thanks,
-- 
KaiGai Kohei <kaigai at kaigai.gr.jp>


More information about the refpolicy mailing list