Multi-Level Security Labeling Statements
========================================

Because there are many options for MLS labeling, the examples show only a limited selection of statements. However, the [`levelrange`](cil_mls_labeling_statements.md#levelrange) section contains a simple policy that will build.

sensitivity
-----------

Declare a sensitivity identifier in the current namespace. Multiple [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) statements in the policy will form an ordered list.

**Statement definition:**

    (sensitivity sensitivity_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivity</code></p></td>
<td align="left"><p>The <code>sensitivity</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>The <code>sensitivity</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares three [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifiers:

    (sensitivity s0)
    (sensitivity s1)
    (sensitivity s2)

sensitivityalias
----------------

Declares a sensitivity alias identifier in the current namespace. See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement for an example that associates the [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier.

**Statement definition:**

    (sensitivityalias sensitivityalias_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityalias</code></p></td>
<td align="left"><p>The <code>sensitivityalias</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivityalias_id</code></p></td>
<td align="left"><p>The <code>sensitivityalias</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

See the [`sensitivityaliasactual`](cil_mls_labeling_statements.md#sensitivityaliasactual) statement.

sensitivityaliasactual
----------------------

Associates a previously declared [`sensitivityalias`](cil_mls_labeling_statements.md#sensitivityalias) identifier to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier.

**Statement definition:**

    (sensitivityaliasactual sensitivityalias_id sensitivity_id)

**Where:**

<table>
<colgroup>
<col width="29%" />
<col width="70%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityaliasactual</code></p></td>
<td align="left"><p>The <code>sensitivityaliasactual</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivityalias_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example will associate sensitivity `s0` with two sensitivity aliases:

    (sensitivity s0)
    (sensitivityalias unclassified)
    (sensitivityalias SystemLow)
    (sensitivityaliasactual unclassified s0)
    (sensitivityaliasactual SystemLow s0)

sensitivityorder
----------------

Define the sensitivity order, from lowest to highest. Multiple [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements in the policy will form an ordered list.

**Statement definition:**

    (sensitivityorder (sensitivity_id ...))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivityorder</code></p></td>
<td align="left"><p>The <code>sensitivityorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>One or more previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example shows two [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statements that when compiled will form an ordered list. Note however that the second [`sensitivityorder`](cil_mls_labeling_statements.md#sensitivityorder) statement starts with `s2` so that the ordered list can be built.

    (sensitivity s0)
    (sensitivityalias SystemLow)
    (sensitivityaliasactual SystemLow s0)
    (sensitivity s1)
    (sensitivity s2)
    (sensitivityorder (SystemLow s1 s2))

    (sensitivity s3)
    (sensitivity s4)
    (sensitivityalias SystemHigh)
    (sensitivityaliasactual SystemHigh s4)
    (sensitivityorder (s2 s3 SystemHigh))
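
The following added example (not part of the CIL documentation or of secilc) is a simplified Python model of why the second statement has to share `s2` with the first: partial orders are combined only when they pin down a single list. The function name `build_order` and the error conditions are assumptions of this model, not the compiler's actual merge algorithm.

```python
# Added illustration: a simplified model of how several sensitivityorder
# statements combine into one ordered list. This is not secilc's algorithm.


def build_order(order_statements, aliases):
    """Combine partial orders (lowest to highest) into one total order.

    order_statements: one list of identifiers per sensitivityorder statement.
    aliases: alias -> sensitivity, as set up by sensitivityaliasactual.
    Raises ValueError when the statements contradict each other or do not
    share enough identifiers to fix a single order.
    """
    successors = {}  # sensitivity -> sensitivities stated to be directly above
    indegree = {}    # sensitivity -> number of distinct direct predecessors
    for statement in order_statements:
        resolved = [aliases.get(name, name) for name in statement]
        for name in resolved:
            successors.setdefault(name, set())
            indegree.setdefault(name, 0)
        for low, high in zip(resolved, resolved[1:]):
            if high not in successors[low]:
                successors[low].add(high)
                indegree[high] += 1

    ordered = []
    ready = [name for name, count in indegree.items() if count == 0]
    while ready:
        # Two candidates for the next position means nothing links them.
        if len(ready) > 1:
            raise ValueError(f"order is ambiguous between {sorted(ready)}")
        current = ready.pop()
        ordered.append(current)
        for above in successors[current]:
            indegree[above] -= 1
            if indegree[above] == 0:
                ready.append(above)
    if len(ordered) != len(indegree):
        raise ValueError("statements contradict each other")
    return ordered
```

Calling it with the two lists from the example and the aliases `SystemLow` and `SystemHigh` yields `s0` through `s4`; replacing the second list with `(s3 SystemHigh)` raises, because nothing places `s3` relative to `s2`.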

category
--------

Declare a category identifier in the current namespace. Multiple category statements declared in the policy will form an ordered list.

**Statement definition:**

    (category category_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>category</code></p></td>
<td align="left"><p>The <code>category</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>The <code>category</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example declares three [`category`](cil_mls_labeling_statements.md#category) identifiers:

    (category c0)
    (category c1)
    (category c2)

categoryalias
-------------

Declares a category alias identifier in the current namespace. See the [`categoryaliasactual`](cil_mls_labeling_statements.md#categoryaliasactual) statement for an example that associates the [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier.

**Statement definition:**

    (categoryalias categoryalias_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryalias</code></p></td>
<td align="left"><p>The <code>categoryalias</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryalias_id</code></p></td>
<td align="left"><p>The <code>categoryalias</code> identifier.</p></td>
</tr>
</tbody>
</table>

categoryaliasactual
-------------------

Associates a previously declared [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) identifier to a previously declared [`category`](cil_mls_labeling_statements.md#category) identifier.

**Statement definition:**

    (categoryaliasactual categoryalias_id category_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryaliasactual</code></p></td>
<td align="left"><p>The <code>categoryaliasactual</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryalias_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>A single previously declared <code>category</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Example:**

Declares a category `c0`, a category alias of `documents`, and then associates them:

    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)

categoryorder
-------------

Define the category order. Multiple [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements declared in the policy will form an ordered list. Note that this statement orders the categories to allow validation of category ranges.

**Statement definition:**

    (categoryorder (category_id ...))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryorder</code></p></td>
<td align="left"><p>The <code>categoryorder</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>One or more previously declared <code>category</code> or <code>categoryalias</code> identifiers.</p></td>
</tr>
</tbody>
</table>

**Example:**

This example orders one category alias and nine categories:

    (categoryorder (documents c1 c2 c3 c4 c5 c6 c7 c8 c9))

categoryset
-----------

Declare an identifier for a set of contiguous or non-contiguous categories in the current namespace.

Notes:

-   Category expressions are allowed in [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory), [`level`](cil_mls_labeling_statements.md#level), and [`levelrange`](cil_mls_labeling_statements.md#levelrange) statements.

-   Category sets are not allowed in [`categoryorder`](cil_mls_labeling_statements.md#categoryorder) statements.

**Statement definition:**

    (categoryset categoryset_id (category_id ... | expr ...))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>categoryset</code></p></td>
<td align="left"><p>The <code>categoryset</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>The <code>categoryset</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>category_id</code></p></td>
<td align="left"><p>Zero or more previously declared <code>category</code> or <code>categoryalias</code> identifiers.</p>
<p>Note that there must be at least one <code>category_id</code> identifier or <code>expr</code> parameter declared.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>expr</code></p></td>
<td align="left"><p>Zero or more <code>expr</code>'s. The valid operators and syntax are:</p>
<p><code>    (and (category_id ...) (category_id ...))</code></p>
<p><code>    (or  (category_id ...) (category_id ...))</code></p>
<p><code>    (xor (category_id ...) (category_id ...))</code></p>
<p><code>    (not (category_id ...))</code></p>
<p><code>    (range category_id category_id)</code></p>
<p><code>    (all)</code></p></td>
</tr>
</tbody>
</table>

**Examples:**

These examples show a selection of [`categoryset`](cil_mls_labeling_statements.md#categoryset) statements:

    ; Declare categories with two aliases:
    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)
    (category c1)
    (category c2)
    (category c3)
    (category c4)
    (categoryalias spreadsheets)
    (categoryaliasactual spreadsheets c4)

    ; Set the order to determine ranges:
    (categoryorder (c0 c1 c2 c3 spreadsheets))

    (categoryset catrange_1 (range c2 c3))

    ; Two methods to associate all categories:
    (categoryset all_cats (range c0 c4))
    (categoryset all_cats1 (all))

    (categoryset catset_1 (documents c1))
    (categoryset catset_2 (c2 c3))
    (categoryset catset_3 (c4))

    (categoryset just_c0 (xor (c1 c2) (documents c1 c2)))
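
To show which categories each expression selects, the following added example (not part of the CIL documentation or of secilc) models category expression evaluation in Python over the order and aliases declared above. The function names, the union treatment of plain lists and the rejection of a reversed `range` are assumptions of this model.

```python
# Added illustration: a small model of CIL category expressions (not secilc code).
# Constructed input mirroring the declarations in the example above.
ORDER = ["c0", "c1", "c2", "c3", "c4"]               # from categoryorder
ALIASES = {"documents": "c0", "spreadsheets": "c4"}  # from categoryaliasactual


def parse(text):
    """Parse one S-expression into nested lists of strings."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("missing ')'")
        pos += 1  # consume ')'
        return items

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after statement")
    return tree


def resolve(name):
    """Map an alias to its category; reject undeclared identifiers."""
    cat = ALIASES.get(name, name) if isinstance(name, str) else None
    if cat not in ORDER:
        raise ValueError(f"undeclared category: {name}")
    return cat


def evaluate(expr):
    """Return the set of categories selected by a parsed expression."""
    if isinstance(expr, str):
        return {resolve(expr)}
    if not expr:
        raise ValueError("empty category list")
    head, args = expr[0], expr[1:]
    if head == "all":
        return set(ORDER)
    if head == "range":
        low, high = (ORDER.index(resolve(a)) for a in args)
        if low > high:
            raise ValueError("range runs against categoryorder")
        return set(ORDER[low:high + 1])
    if head == "not":
        (operand,) = args
        return set(ORDER) - evaluate(operand)
    if head in ("and", "or", "xor"):
        left, right = (evaluate(a) for a in args)
        return {"and": left & right, "or": left | right, "xor": left ^ right}[head]
    # A plain list such as (documents c1) is the union of its members.
    return set().union(*(evaluate(item) for item in expr))


def categoryset(statement):
    """Evaluate '(categoryset id (...))'; return (id, categories in order)."""
    keyword, name, body = parse(statement)
    if keyword != "categoryset":
        raise ValueError("not a categoryset statement")
    return name, sorted(evaluate(body), key=ORDER.index)
```

Passing the `just_c0` statement returns only `c0`, and `(range c0 c4)` and `(all)` return the same five categories, which is why the page calls them two methods for the same result.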

sensitivitycategory
-------------------

Associate a [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) identifier with one or more [categories](#category). Multiple definitions for the same [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) form an ordered list of categories for that sensitivity. This statement is required before a [`level`](cil_mls_labeling_statements.md#level) identifier can be declared.

**Statement definition:**

    (sensitivitycategory sensitivity_id categoryset_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>sensitivitycategory</code></p></td>
<td align="left"><p>The <code>sensitivitycategory</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryset</code> (named or anonymous), or a list of <code>category</code> and/or <code>categoryalias</code> identifiers. The examples show each variation.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset) identifiers:

    (sensitivitycategory s0 catrange_1)
    (sensitivitycategory s0 catset_1)
    (sensitivitycategory s0 catset_3)
    (sensitivitycategory s0 (all))
    (sensitivitycategory unclassified (range documents c2))

level
-----

Declare a [`level`](cil_mls_labeling_statements.md#level) identifier in the current namespace and associate it to a previously declared [`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and zero or more categories. Note that if categories are required, then before this statement can be resolved the [`sensitivitycategory`](cil_mls_labeling_statements.md#sensitivitycategory) statement must be used to associate categories with the sensitivity.

**Statement definition:**

    (level level_id (sensitivity_id [categoryset_id]))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>level</code></p></td>
<td align="left"><p>The <code>level</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>level_id</code></p></td>
<td align="left"><p>The <code>level</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>sensitivity_id</code></p></td>
<td align="left"><p>A single previously declared <code>sensitivity</code> or <code>sensitivityalias</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>categoryset_id</code></p></td>
<td align="left"><p>A single previously declared <code>categoryset</code> (named or anonymous), or a list of <code>category</code> and/or <code>categoryalias</code> identifiers. The examples show each variation.</p></td>
</tr>
</tbody>
</table>

**Examples:**

These [`level`](cil_mls_labeling_statements.md#level) examples use a selection of [`category`](cil_mls_labeling_statements.md#category), [`categoryalias`](cil_mls_labeling_statements.md#categoryalias) and [`categoryset`](cil_mls_labeling_statements.md#categoryset) identifiers:

    (level systemLow (s0))
    (level level_1 (s0))
    (level level_2 (s0 (catrange_1)))
    (level level_3 (s0 (all_cats)))
    (level level_4 (unclassified (c2 c3 c4)))

levelrange
----------

Declare a level range identifier in the current namespace and associate a current and clearance level.

**Statement definition:**

    (levelrange levelrange_id (low_level_id high_level_id))

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>levelrange</code></p></td>
<td align="left"><p>The <code>levelrange</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>levelrange_id</code></p></td>
<td align="left"><p>The <code>levelrange</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>low_level_id</code></p></td>
<td align="left"><p>The current level specified by a previously declared <code>level</code> identifier. This may be formed by named or anonymous components as discussed in the <code>level</code> section and shown in the examples.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>high_level_id</code></p></td>
<td align="left"><p>The clearance or high level specified by a previously declared <code>level</code> identifier. This may be formed by named or anonymous components as discussed in the <code>level</code> section and shown in the examples.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This example policy shows the [`levelrange`](cil_mls_labeling_statements.md#levelrange) statement and all the other MLS labeling statements discussed in this section, and will compile as a standalone policy:

    (handleunknown allow)
    (mls true)

    ; There must be at least one set of SID statements in a policy:
    (sid kernel)
    (sidorder (kernel))
    (sidcontext kernel unconfined.context_1)

    (sensitivitycategory s0 (c4 c2 c3 c1 c0 c3))

    (category c0)
    (categoryalias documents)
    (categoryaliasactual documents c0)
    (category c1)
    (category c2)
    (category c3)
    (category c4)
    (categoryalias spreadsheets)
    (categoryaliasactual spreadsheets c4)

    (categoryorder (c0 c1 c2 c3 spreadsheets))

    (categoryset catrange_1 (range c2 c3))
    (categoryset all_cats (range c0 c4))
    (categoryset all_cats1 (all))

    (categoryset catset_1 (documents c1))
    (categoryset catset_2 (c2 c3))
    (categoryset catset_3 (c4))

    (categoryset just_c0 (xor (c1 c2) (documents c1 c2)))

    (sensitivity s0)
    (sensitivityalias unclassified)
    (sensitivityaliasactual unclassified s0)

    (sensitivityorder (s0))
    (sensitivitycategory s0 (c0))

    (sensitivitycategory s0 catrange_1)
    (sensitivitycategory s0 catset_1)
    (sensitivitycategory s0 catset_3)
    (sensitivitycategory s0 (all))
    (sensitivitycategory s0 (range documents c2))

    (level systemLow (s0))
    (level level_1 (s0))
    (level level_2 (s0 (catrange_1)))
    (level level_3 (s0 (all_cats)))
    (level level_4 (unclassified (c2 c3 c4)))

    (levelrange levelrange_2 (level_2 level_2))
    (levelrange levelrange_1 ((s0) level_2))
    (levelrange low_low (systemLow systemLow))

    (context context_2 (unconfined.user object_r unconfined.object (level_1 level_3)))

    ; Define object_r role. This must be assigned in CIL.
    (role object_r)

    (block unconfined
        (user user)
        (role role)
        (type process)
        (type object)
        (userrange user (systemLow systemLow))
        (userlevel user systemLow)
        (userrole user role)
        (userrole user object_r)
        (roletype role process)
        (roletype role object)
        (roletype object_r object)

        (class file (open execute read write))

        ; There must be at least one allow rule in a policy:
        (allow process self (file (read)))

        (context context_1 (user object_r object low_low))
    ) ; End unconfined namespace

rangetransition
---------------

Allows an object's level to transition to a different level. Generally used to ensure processes run with their correct MLS range; for example, `init` would run at `SystemHigh` and needs to initialise / run other processes at their correct MLS range.

**Statement definition:**

    (rangetransition source_type_id target_type_id class_id new_range_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>rangetransition</code></p></td>
<td align="left"><p>The <code>rangetransition</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>source_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>target_type_id</code></p></td>
<td align="left"><p>A single previously declared <code>type</code>, <code>typealias</code> or <code>typeattribute</code> identifier.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>class_id</code></p></td>
<td align="left"><p>A single previously declared <code>class</code> or <code>classmap</code> identifier.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>new_range_id</code></p></td>
<td align="left"><p>The new MLS range for the object class that is a previously declared <code>levelrange</code> identifier. This entry may also be defined as an anonymous or named <code>level</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code> or <code>categoryset</code> identifier.</p></td>
</tr>
</tbody>
</table>

**Examples:**

This rule will transition the range of `sshd.exec` to `s0 - s1:c0.c3` on execution from the `init.process`:

    (sensitivity s0)
    (sensitivity s1)
    (sensitivityorder (s0 s1))
    (category c0)
    ...
    (level systemlow (s0))
    (level systemhigh (s1 (c0 c1 c2 c3)))
    (levelrange low_high (systemlow systemhigh))

    (rangetransition init.process sshd.exec process low_high)